Compliance Due Diligence in Mergers and Acquisitions in Turkey: A Practical Legal Guide

Compliance due diligence in mergers and acquisitions in Turkey is no longer a secondary workstream that runs behind financial and legal review. In many transactions, it is the part of the diligence process that determines whether the deal can close on time, whether the buyer can integrate the target safely, and whether the purchase price really reflects the target’s regulatory exposure. The official Investment Office glossary defines due diligence as the process of conducting thorough research and analysis to assess the risks and benefits of an investment opportunity. In the Turkish M&A context, that definition should be read broadly: a buyer is not only assessing earnings quality or corporate title, but also whether the target has complied with competition, data protection, AML, tax, labor, licensing, and other public-law requirements that can affect value after signing and after closing.

This is particularly important in Turkey because the legal environment is layered rather than centralized. Türkiye’s FDI framework is based on equal treatment, and international investors generally have the same rights and liabilities as local investors. But that does not mean acquisitions are approval-free or compliance-light in practice. Once the target operates in Turkey, it remains subject to Turkish competition law, tax reporting, data protection, work-permit rules, sectoral licensing, and—in regulated sectors—activity-specific supervision. As a result, compliance due diligence in Turkish M&A is not about finding one fatal defect; it is about mapping a cluster of regulatory risks that may change the structure, timing, economics, and integration plan of the transaction.

A useful way to approach this subject is to separate the diligence exercise into two questions. The first is whether the transaction itself triggers a Turkish compliance issue, such as merger-control notification, regulatory approval, or data-transfer restrictions during pre-closing planning. The second is whether the target carries historical or ongoing compliance liabilities that will survive the acquisition. The Turkish Competition Authority’s current M&A materials show why this distinction matters. Under Communiqué No. 2010/4, the question is whether the transaction leads to a permanent change in control. Share transfers that do not lead to a change in control, or transactions within the same economic entity, are not notifiable under the merger-control rules. But where control changes and the turnover thresholds are met, the transaction requires authorization to become legally valid.

That first-stage merger-control analysis should be done very early. The Competition Authority’s 2025 Mergers and Acquisitions Overview Report states that authorization is required where the total Turkish turnovers of the transaction parties exceed TRY 750 million and the Turkish turnovers of at least two parties each exceed TRY 250 million, or where the Turkish turnover of the target company, asset, or business exceeds TRY 250 million and at least one of the other parties has worldwide turnover exceeding TRY 3 billion. The same report also states that foreign-to-foreign transactions must be notified if the thresholds are exceeded. In practical due diligence terms, this means a buyer cannot assume that a deal signed abroad or between non-Turkish parent companies falls outside Turkish merger control if the target business has the required Turkish nexus.

Merger-control diligence in Turkey should also examine timing risk and signing behavior. Turkish competition law gives the Authority strong investigative powers and a structured investigation process under Article 43, and the modern statute also contains commitment and settlement mechanisms. But those mechanisms are not substitutes for upfront transaction planning. In M&A work, the real risk is often not the final substance of the competition assessment, but premature integration, unlawful coordination before clearance, or a signing timetable that ignores the need for regulatory approval. As a practical inference from the current Turkish regime, buyers should build the merger-control assessment into the letter of intent and signing phase, not postpone it until closing documentation is nearly complete.

The next layer is corporate and structural due diligence. Türkiye’s investment framework allows international investors to establish or acquire businesses on an equal footing with local investors, and company establishment runs through formal registry systems. But in acquisition work, the structural question is not only whether the target exists validly; it is whether the target’s constitutional documents, management structure, signature authorities, and shareholding records match reality. The Investment Office’s “Establishing a Business” guidance confirms the equal-treatment principle, while work-permit application guidance from the Ministry of Labour shows the practical importance of current trade-registry records by expressly requiring the latest Turkish Trade Registry Gazette showing the capital and partnership structure of the organization in many foreign-workforce filings. That combination illustrates a broader Turkish M&A lesson: corporate housekeeping defects often surface first through another regulatory process.

Regulatory-license diligence is even more important where the target operates in a supervised sector. In banking, Banking Law No. 5411 places establishment and operation within a permission-based regime, and BDDK’s internal-systems regulation states that the internal control system exists to ensure that a bank’s activities are conducted efficiently, effectively, and in accordance with the law and applicable internal policies. In payments, the Central Bank publicly lists authorized payment institutions and electronic money institutions together with the scope of their operating licenses under Law No. 6493. In insurance, SEDDK’s 2024 annual report shows that insurance experts must hold a license and be recorded in the relevant register before commencing practice. In M&A due diligence, these sources point to the same conclusion: where the target is regulated, the buyer must verify not only that a license exists, but also that the target is operating strictly within the published scope of that authorization and maintaining the internal systems required by the relevant regulator.

That sector-focused review should not be limited to financial institutions. EMRA’s English site shows that Turkish energy regulation is structured by market segment, including electricity, natural gas, petroleum, and LPG. TİTCK’s official site shows that the life-sciences space includes medicines, medical devices, inspections, recalls, and product-safety announcements. In practical M&A work, this means that a buyer in an energy or healthcare deal should test the target’s real operating perimeter against the regulator’s own public structure: which activity is licensed, which products are authorized, which inspections have occurred, which recalls or unsafe-product notices exist, and whether there are regulatory dependencies that would make post-closing integration harder than the financial model assumes.

AML and financial-crime diligence is another core Turkish workstream. MASAK states that the objective of Law No. 5549 is to determine the principles and procedures for preventing laundering of crime proceeds, and its compliance-program regulation is built around institutional policies and procedures, risk management, monitoring and control, training, and internal audit. For an acquisition buyer, that matters in two ways. First, if the target is an obliged entity, the buyer must verify whether the target has a functioning AML compliance program, not just a policy manual. Second, even where the target is not at the center of the formal AML regime, the buyer should still examine beneficial ownership transparency, unusual payment flows, cash-heavy patterns, and suspicious-transaction escalation history because banking, insurance, and regulated counterparties in Turkey may already have treated those issues as red flags.

In financial services transactions, buyers should be especially careful about the operational reality of the target’s controls. MASAK’s framework is risk-based, and the compliance-program structure itself shows what Turkish regulators expect to see: designated responsibility, internal reporting, monitoring, and auditability. A target that has filed returns and remained licensed can still be weak from an M&A perspective if its onboarding files are incomplete, its suspicious-transaction processes are unclear, or its compliance function is formal rather than functional. In Turkish acquisition practice, such deficiencies often translate into post-closing remediation cost, regulator engagement risk, and sometimes purchase-price protection through indemnities or holdbacks. That is a commercial inference, but it is strongly grounded in the structure of MASAK’s official rules.

Data protection diligence under the KVKK has become one of the most important M&A topics in Turkey, especially in transactions involving technology, retail, healthcare, insurance, fintech, logistics, and employer-heavy targets. The Personal Data Protection Law states that personal data may be transferred abroad only if one of the relevant processing conditions exists and there is an adequacy decision or another recognized safeguard, and Article 9 now expressly states that a standard contract must be notified to the Authority within five business days following signature. That means Turkish data-protection diligence should not focus only on privacy notices. It must also examine whether the target has lawful transfer mechanisms for customer, employee, supplier, and group-company data—and whether those mechanisms will still work once the buyer changes group structure, hosting, reporting lines, or regional service arrangements after closing.

Pre-closing conduct matters here too. In many transactions, the buyer wants early access to customer data, employee data, contracts, or incident logs in order to price the deal or prepare integration. But Turkish data-protection law does not disappear during diligence. The transfer rules in Articles 8 and 9 still apply, and the Authority’s public materials continue to emphasize that all transfers between controllers, or between controller and processor, must comply with the law. This means that Turkish diligence teams should minimize personal-data exposure where possible, use redaction and aggregation where appropriate, and plan clean-team or staged-disclosure approaches in sensitive deals rather than assume that signing a confidentiality agreement solves the problem. That conclusion is a practical inference, but it follows directly from the statutory transfer framework.

Past cyber and data-security events should also be part of Turkish M&A diligence. The Authority’s breach-notification decision and data-security guidance state that data controllers must notify the Board without delay and no later than 72 hours after becoming aware of a breach, and that breaches and the measures taken must be documented and kept ready for Board review. For a buyer, this means due diligence should test not only whether the target suffered incidents, but whether the target responded lawfully. A target that experienced breaches but failed to notify on time, lacked a response plan, or cannot produce its breach records may carry hidden administrative-fine exposure and reputational risk that do not appear in a standard financial room.

Employment and immigration diligence are equally important in Turkish M&A, particularly in founder-led businesses, labor-intensive targets, and companies using foreign executives or specialists. Ministry of Labour guidance states that work-permit applications require an employment contract signed by employer and foreigner, and it also requires corporate documents such as the latest Trade Registry Gazette and financial statements. Separate Ministry guidance states that foreigners granted work permits must begin working and fulfill their social-security obligations within one month from the permit start date for domestic applications, and within one month from entry for foreign applications, while foreigners whose overseas-based permits are granted must enter Türkiye within six months or the permit is canceled. For acquisition buyers, these rules mean that workforce diligence in Turkey should verify permit validity, employer matching, timely social-security setup, and sector-specific preliminary permissions where relevant—not merely headcount and salary cost.

Work-permit diligence also has a direct sanctions angle. The Ministry of Labour’s current administrative-fine schedule states that, for 2026, employers employing foreigners without a work permit face an administrative fine of TRY 102,503 for each foreigner. The same official materials also show the current evaluation criteria, including the general rule that workplaces using the balance-sheet basis should employ at least five Turkish citizens for each foreigner for whom a work-permit application is made, subject to the listed exceptions. In Turkish M&A practice, these are not merely HR details. They can affect continuity of management, the legality of ongoing employment arrangements, and the buyer’s immediate post-closing remediation burden.

Tax compliance due diligence in Turkey should be treated as a red-flag exercise, not only as a backward-looking accounting exercise. The Investment Office’s tax guide confirms that Turkish tax legislation is built around income taxes, expenditure taxes, and wealth taxes, while GİB’s current corporate-tax materials state that the corporate income tax return for 2025 income is filed between 1 and 30 April 2026 and that the general corporate tax rate for the 2025 and 2026 accounting periods is 25%, with 30% for certain financial institutions. Those current rules matter because they show how active and time-sensitive Turkish tax compliance is. A buyer should therefore test whether the target’s returns, payments, reconciliations, and e-document processes are current, not just whether the last audited accounts tie out mathematically.

Transfer pricing deserves separate attention in Turkish acquisition work, especially for multinational targets or founder groups with related-party transactions. GİB’s transfer-pricing materials state that the purpose of the regime is to ensure that income is declared fully and correctly and to prevent erosion of the tax base through related-party pricing, while the current communiqué text explains who counts as a related party and reiterates the arm’s-length principle. The Revenue Administration’s 2024 mutual agreement guide also states that only corporate taxpayers with cross-border related-party transactions may apply for advance pricing arrangements and that such arrangements may be unilateral, bilateral, or multilateral. In due diligence terms, this means buyers should review management fees, licensing charges, intragroup financing, procurement arrangements, and any unusual margins in founder or group-company transactions, because these items often carry both tax and corporate-governance implications in Turkish deals.

A broader lesson emerges from all of these workstreams: in Turkish M&A, compliance due diligence should be tied directly to deal architecture. If the buyer identifies a merger-control filing requirement, the share purchase agreement should reflect it as a condition precedent. If the target’s data-transfer model is weak, the integration plan should avoid premature foreign-system migration and may require new Article 9 safeguards or standard-contract notifications. If the target uses foreign employees with questionable permit status, the buyer may need a signing-to-closing remediation covenant or a specific indemnity. If the target is a regulated entity, the buyer may need to match the deal timeline to the relevant sector regulator’s processes and not only to the parties’ commercial timetable. These are practical inferences, but they are the natural contractual consequences of the official Turkish compliance frameworks described above.

For the same reason, Turkish compliance due diligence should not end with a red-flag memo. It should feed into valuation, warranty drafting, indemnities, escrow or holdback design, closing conditions, and post-closing integration sequencing. A buyer that finds a weak AML system, a risky data-transfer architecture, or unresolved regulatory-scope questions but still documents the deal as if the target were fully clean is not doing meaningful compliance diligence. In Turkey, the value of the diligence exercise lies in converting regulatory findings into transaction mechanics. That is particularly true because official sources across competition, KVKK, AML, tax, and sector regulation all show that regulatory obligations are active, procedural, and often time-sensitive.

Conclusion

Compliance due diligence in mergers and acquisitions in Turkey should be approached as a transaction-critical discipline, not as a late-stage appendix to legal review. The buyer must first test whether the transaction itself triggers Turkish merger-control or regulatory-approval issues, and then evaluate whether the target carries hidden compliance exposure in competition, data protection, AML, tax, employment, and sectoral licensing. Official Turkish sources make clear that these are not marginal issues: control-changing deals may require Competition Board authorization, cross-border data transfers require a lawful Article 9 mechanism, obliged entities must operate AML systems under MASAK rules, foreign-worker status is formal and sanction-backed, and regulated sectors operate within permission-based frameworks.

For that reason, the strongest M&A buyers in Turkey are usually not the ones that ask for the longest disclosure bundle. They are the ones that ask the right compliance questions early, understand how Turkish public-law risk affects deal validity and post-closing integration, and translate diligence findings into pricing, conditions precedent, covenants, and remediation planning. In the Turkish market, that is what real compliance due diligence looks like.
