Introduction
Crypto asset regulation in Turkey has entered a new and much stricter phase. For many years, crypto exchanges and wallet-related businesses operated in a developing legal environment where anti-money laundering duties and payment restrictions existed, but there was no detailed capital markets framework specifically designed for crypto asset service providers. This changed significantly with the amendments introduced to the Turkish Capital Markets Law and the secondary regulations published by the Capital Markets Board of Türkiye, known as the CMB or SPK.
The most important legal turning point was Law No. 7518, which amended Capital Markets Law No. 6362 and introduced crypto assets and crypto asset service providers into Turkish capital markets legislation. The law was published in the Official Gazette on 2 July 2024 and brought crypto asset service providers under the regulatory and supervisory authority of the CMB.
Following this legislative change, the CMB published two major communiqués in the Official Gazette No. 32840 dated 13 March 2025: Communiqué No. III-35/B.1 on the Establishment and Operating Principles of Crypto Asset Service Providers and Communiqué No. III-35/B.2 on Operating Procedures and Principles and Capital Adequacy of Crypto Asset Service Providers. These communiqués regulate the establishment, authorization, operational principles, governance, activities, capital adequacy, custody, listing, and compliance duties of crypto asset service providers.
This article explains the legal duties of crypto asset service providers in Turkey, including licensing, CMB authorization, corporate structure, capital requirements, custody rules, listing principles, prohibited activities, AML and KYC duties, personal data protection, crypto payment restrictions, stablecoin risks, customer protection, and legal liability.
1. What Is a Crypto Asset Service Provider?
A crypto asset service provider, often called a CASP, is a regulated entity that provides services relating to crypto assets. In Turkey, CASPs may include crypto trading platforms, crypto custody institutions, wallet-related service providers, and other entities authorized by the CMB to provide crypto asset services.
The legal classification of a business is based on what the company actually does. A company may describe itself as a software provider, blockchain company, exchange, wallet provider, OTC desk, custody provider, token launch platform, or digital asset platform. However, if its activity falls within the scope of crypto asset services under Turkish law, it may require CMB authorization.
Under the CMB’s secondary regulations, crypto asset service activities include receiving and executing orders related to crypto assets, exchanging crypto assets, transferring crypto assets, providing custody services required for such activities, facilitating initial sale or distribution of crypto assets, storing or managing crypto assets or private keys, providing crypto asset investment advisory services, and other services determined by the CMB.
This means that the Turkish regulatory framework is not limited to classical spot exchanges. Custody, private key management, transfer infrastructure, crypto asset listing, initial distribution, and advisory services may also fall within the regulated perimeter.
2. Main Legal Framework for Crypto Assets in Turkey
The legal framework for crypto assets in Turkey consists of several layers.
The first layer is the Capital Markets Law No. 6362, as amended by Law No. 7518. This law gives the CMB regulatory and supervisory authority over crypto asset service providers.
The second layer is the CMB’s secondary legislation, especially Communiqué No. III-35/B.1 and Communiqué No. III-35/B.2. The CMB’s own legal framework page lists these communiqués as part of the capital markets legislation applicable to crypto asset service providers.
The third layer is anti-money laundering and counter-terrorist financing law, mainly Law No. 5549 and MASAK regulations. The Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism states that its objective is to regulate obliged parties, their obligations, supervision of compliance, and other measures for preventing laundering proceeds of crime and terrorist financing.
The fourth layer is personal data protection law, especially Law No. 6698 on the Protection of Personal Data. The official KVKK text states that the purpose of the law is to protect fundamental rights and freedoms, particularly privacy, with respect to the processing of personal data.
The fifth layer is the CBRT Regulation on the Disuse of Crypto Assets in Payments, which prohibits crypto assets from being used directly or indirectly in payments and restricts payment service providers from building payment or e-money models using crypto assets.
Therefore, a crypto business in Turkey must not examine only the CMB rules. It must also consider MASAK, KVKK, CBRT payment restrictions, tax law, consumer law, cybersecurity, advertising law, and general civil and criminal liability.
3. CMB Authorization and Licensing Duties
One of the most important duties of crypto asset service providers is obtaining the required authorization from the CMB. Under Communiqué No. III-35/B.2, authorization from the CMB is mandatory for carrying out regulated crypto asset services as a regular, commercial, or professional activity.
This is critical for businesses entering the Turkish market. A foreign crypto exchange, Turkish platform, custody provider, wallet operator, token launch platform, or digital asset service company cannot safely rely on informal market practice. If the activity is regulated, the company must assess whether it needs CMB establishment permission, operating permission, an authorization certificate, or additional regulatory approval.
The authorization process is not merely a registration formality. The CMB examines the company’s legal structure, shareholders, capital, management, internal control systems, risk management, information systems, custody arrangements, business model, and compliance capacity.
A crypto business should conduct a licensing analysis before launch. The analysis should answer these questions:
Does the company receive or execute crypto asset orders?
Does it operate a trading platform?
Does it hold customer crypto assets?
Does it control or manage private keys?
Does it facilitate token sales or initial distributions?
Does it provide investment advice on crypto assets?
Does it operate from Turkey or target Turkish residents?
Does it use Turkish-language marketing?
Does it provide custody, transfer, listing, settlement, or wallet services?
Does it rely on a foreign group company for infrastructure or custody?
If the answer to any of these questions indicates regulated activity, CMB authorization may be required.
4. Establishment Conditions for Crypto Asset Service Providers
The CMB framework requires crypto asset service providers to satisfy strict establishment conditions. According to summaries of Communiqué No. III-35/B.1, CASPs must be established as joint-stock companies, their shares must be registered shares, shares must be issued against cash contributions, their articles of association must comply with the Capital Markets Law and relevant regulations, and their shareholding structure must be transparent and clear.
The scope of activity in the articles of association must be limited to activities authorized by the CMB. This prevents a regulated crypto asset service provider from mixing unrelated commercial activities with regulated crypto services.
Trade names are also regulated. Platforms must include the phrase “crypto asset trading platform” in their trade names, while institutions providing crypto asset custody services must include the phrase “crypto asset custody institution” in their trade names.
These rules are important for customer transparency. A customer should be able to understand whether the company is a trading platform, custody institution, or another type of crypto asset service provider. Misleading branding can create regulatory and consumer law risk.
5. Capital Requirements and Financial Strength
Crypto asset service providers must satisfy capital and equity requirements. According to the 2025 secondary regulations, platforms must have initial share capital of at least TRY 150 million, while crypto asset custody institutions must have initial share capital of at least TRY 500 million. Custody institutions may also be subject to additional equity requirements depending on the total amount of client assets they hold.
Capital requirements are not merely technical. They reflect the risk profile of crypto asset services. Platforms may handle large transaction volumes, volatile assets, cybersecurity risks, customer complaints, operational failures, and market integrity issues. Custody institutions face even higher risks because they may hold private keys or customer crypto assets.
For founders and investors, this means that a crypto platform in Turkey should not be structured as a lightly capitalized startup. It must be financed as a regulated financial services business. Compliance costs, audit costs, information security investments, legal costs, staffing, internal control systems, and custody infrastructure must be included in the business plan from the beginning.
6. Internal Control, Risk Management, and Governance
Crypto asset service providers must establish a professional governance structure. Under the CMB framework, CASPs are required to establish internal audit, internal control, and risk management units within their organizational structure.
This is one of the most important differences between an unregulated crypto business and a regulated crypto asset service provider. A regulated platform cannot operate only with founders, developers, and customer support personnel. It must have compliance, audit, risk, legal, finance, cybersecurity, and operational control functions.
A proper governance structure should include:
Board-level supervision
Internal control procedures
Risk management policies
Compliance officer functions
AML and KYC controls
Cybersecurity governance
Market surveillance procedures
Complaint handling units
Operational risk controls
Custody risk management
Segregation of duties
Incident reporting procedures
Independent audit mechanisms
For crypto platforms, governance failures can quickly become legal problems. If a platform lists risky assets without adequate review, fails to monitor market manipulation, loses private keys, allows suspicious transactions, or misleads customers, directors and managers may face serious liability.
7. Permitted Activities of Crypto Asset Service Providers
The CMB framework defines the main services and activities that CASPs may provide with authorization. These include receiving and executing orders related to crypto assets, exchange and transfer of crypto assets, custody services required for those activities, facilitation of initial sale or distribution of crypto assets, storage and management of crypto assets or private keys, investment advisory services related to crypto assets, and other activities determined by the CMB.
This activity-based structure means that authorization must match the actual service. A company authorized only for certain activities should not expand into custody, advisory, token launch, or other services without reviewing whether additional approval is required.
For example, a trading platform may also want to provide custody. A custody institution may want to support staking-like products. A wallet company may want to integrate trading. A platform may want to offer investment recommendations. Each expansion must be legally analyzed.
The legal rule is simple: in crypto regulation, the business model must follow the license, not the other way around.
8. Listing Duties and Listing Committee
Crypto asset listing is now a regulated compliance function in Turkey. Platforms are required to establish a listing committee and written procedures for determining which crypto assets may be traded and when trading should be terminated.
The listing committee must include at least three members, and the majority of its members must have at least seven years of experience in fields such as finance, law, information technologies, information security, and distributed ledger technologies. At least one board member must serve on the listing committee.
The listing committee is responsible for making decisions regarding listing and delisting and checking whether the crypto assets comply with the applicable rules. Platforms must publish their current list of crypto assets eligible for trading and the current version of their listing procedure on their websites, and the procedure must be reviewed at least once a year.
This creates several legal duties:
The platform must conduct due diligence before listing.
The platform must evaluate technological, legal, market, liquidity, and security risks.
The platform must monitor listed assets after listing.
The platform must have delisting procedures.
The platform must publish transparent listing information.
The platform must avoid conflicts of interest.
The platform must keep records of listing committee decisions.
Listing is not merely a commercial decision anymore. It is a regulated process that may create liability if handled carelessly.
9. Prohibited Transactions and Market Integrity
The CMB rules restrict certain transactions in order to protect market integrity. According to the 2025 framework, crypto assets listed on platforms cannot be traded on a leveraged basis, and they cannot be subject to derivative contracts, purchases on credit, short sales, or lending transactions.
These prohibitions are very important. They show that Turkish crypto regulation currently focuses on spot crypto asset services and customer protection rather than allowing high-risk derivative or leveraged products in the regulated platform environment.
A platform should therefore carefully review whether any of its services resemble:
Margin trading
Futures trading
Options trading
Leveraged token products
Short selling
Crypto lending
Credit-based purchases
Portfolio management products
Yield products involving customer assets
Even if a product is popular in foreign markets, it may not be permitted under Turkish crypto rules. A global crypto exchange entering Turkey must localize its product offering to Turkish law rather than assuming that its international product suite can be offered unchanged.
10. Crypto Asset Custody Duties
Custody is one of the most sensitive areas of crypto asset regulation. In the crypto sector, custody is not only about holding records. It may involve control over private keys, wallet infrastructure, transaction signing, cold storage, hot wallet limits, cybersecurity, operational segregation, and recovery procedures.
The CMB framework regulates custody services, including custody of crypto assets, management of private keys, execution of transfer orders, and service agreements between platforms and custody institutions. The rules also require platforms and custody institutions to integrate with the Central Securities Depository system regarding client crypto asset balance information and to submit requested reports.
Custody agreements should regulate:
Which assets are held
Where and how private keys are stored
Cold wallet and hot wallet procedures
Transfer approval mechanisms
Customer asset segregation
Reconciliation and reporting
Cybersecurity standards
Incident response
Insurance, if available
Liability for loss or theft
Business continuity
Regulatory access
Audit rights
Termination and migration procedures
Crypto custody failures can lead to severe customer losses. If private keys are compromised, assets may be irreversibly transferred. Therefore, custody duties should be treated as a core legal and technical risk area.
11. Order Execution and Transfer Policies
Crypto platforms must establish clear order execution policies. The CMB framework requires platforms to establish an order execution policy by board resolution and review it at least once a year.
An order execution policy should explain how orders are received, matched, executed, cancelled, prioritized, rejected, recorded, and reported. It should also address system outages, extreme volatility, erroneous transactions, market disruptions, suspicious activity, and customer complaints.
A legally strong order execution framework should include:
Order types
Execution priority
Price monitoring
Cancellation rules
System failure procedures
Market disruption rules
Customer notification duties
Error correction procedures
Conflict of interest controls
Audit logs
API access rules
Market manipulation monitoring
Complaint review procedures
In disputes, order logs and execution records will be decisive. A platform must be able to prove how and when an order was received, whether the customer authorized it, what price was applied, whether the transaction was executed correctly, and whether platform rules were followed.
12. AML, KYC, and MASAK Compliance
Crypto asset service providers are exposed to serious anti-money laundering and counter-terrorist financing risks. Crypto assets can be used for fraud proceeds, illegal betting, sanctions evasion, ransomware, darknet transactions, tax evasion, and cross-border movement of criminal proceeds.
MASAK regulations are therefore central to crypto compliance. The Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism expressly regulates obliged parties, obligations, compliance supervision, and measures for preventing laundering and terrorist financing.
A CASP should establish a comprehensive AML/KYC program, including:
Customer identification
Remote identity verification
Beneficial ownership checks
Sanctions screening
Politically exposed person screening
Wallet risk screening
Blockchain analytics
Transaction monitoring
Suspicious transaction reporting
Travel Rule compliance
Record retention
Enhanced due diligence
Compliance officer oversight
Employee training
Internal audit
Turkey has also increased AML scrutiny in the crypto sector. In 2025, Turkish authorities announced new steps against laundering proceeds of illegal betting and fraud through crypto transactions, including withdrawal waiting periods where Travel Rule information is not applied and caps on certain stablecoin transfers.
This shows that crypto compliance is not limited to onboarding. Platforms must monitor transactions continuously and be prepared to restrict, delay, report, or reject transactions when AML risk arises.
13. Stablecoin Compliance Risks
Stablecoins are particularly important in Turkey because they are frequently used for trading, value preservation, and transfer purposes. However, stablecoins also raise serious legal and AML concerns, especially where they are used for rapid cross-border value transfer.
In 2025, Turkish authorities focused on stablecoin-related laundering risks and announced daily and monthly limits for stablecoin transfers in connection with broader AML measures. Reuters reported that the planned measures included a daily limit of USD 3,000 and a monthly limit of USD 50,000 for stablecoin transfers, alongside waiting periods for crypto withdrawals where Travel Rule requirements are not applied.
Crypto platforms should therefore treat stablecoins as a high-risk product category. Compliance procedures should consider:
Issuer risk
Reserve transparency
Sanctions exposure
Cross-border transfer risk
Large withdrawal patterns
Multiple account abuse
Use in illegal betting or fraud proceeds
Travel Rule data availability
Wallet clustering and blockchain analytics
Customer source of funds
A platform that ignores stablecoin risks may face AML sanctions, banking relationship problems, regulatory investigation, and reputational damage.
14. Personal Data Protection and KVKK Duties
Crypto asset service providers process extensive personal data. This may include identity documents, biometric verification data, phone numbers, e-mail addresses, national ID numbers, tax numbers, bank account details, wallet addresses, transaction history, IP addresses, device fingerprints, location data, blockchain analytics data, risk scores, and customer support records.
Under Turkish personal data protection law, personal data must be processed lawfully, for specific purposes, and in a proportionate manner. Law No. 6698 aims to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing.
A CASP must prepare:
Privacy notices
Data processing inventory
Explicit consent mechanisms where required
Cross-border data transfer analysis
Data retention and deletion policies
Vendor data processing agreements
Customer rights procedures
Breach response plans
Access control procedures
Cybersecurity measures
Internal data governance rules
Crypto businesses often use foreign cloud systems, blockchain analytics tools, KYC vendors, transaction monitoring providers, customer support platforms, and group company infrastructure. These arrangements may create cross-border transfer and data processor issues. A CASP should not assume that global crypto compliance documentation is automatically sufficient under Turkish KVKK rules.
15. Crypto Assets Cannot Be Used as Payment Instruments
One of the most important restrictions in Turkish crypto law is the prohibition on using crypto assets directly or indirectly in payments. The CBRT Regulation on the Disuse of Crypto Assets in Payments states that crypto assets cannot be used directly or indirectly in payments and that no services can be provided for the direct or indirect use of crypto assets in payments.
The regulation also prohibits payment service providers from developing business models that directly or indirectly use crypto assets in payment services or electronic money issuance.
This has major consequences for product design. A CASP or fintech company must be careful with:
Crypto cards
Merchant payment solutions
Crypto-to-fiat instant checkout models
Stablecoin payment products
Wallets used for retail payments
Payment gateway integrations
E-money products linked to crypto assets
Reward systems convertible into payment value
Crypto trading and investment services may be regulated, but using crypto assets as a payment method is restricted. A company that confuses investment/trading activity with payment activity may create serious regulatory risk.
16. Advertising, Customer Disclosures, and Consumer Protection
Crypto asset service providers must be transparent with customers. Crypto assets are volatile, technologically complex, and vulnerable to cybersecurity, liquidity, market manipulation, custody, and regulatory risks.
Customer-facing documentation should clearly explain:
The legal identity of the platform
Authorization status
Listed assets
Fees and commissions
Custody structure
Transfer rules
Withdrawal limits
AML-related restrictions
Risk of price volatility
Risk of loss
Complaint procedures
Order execution rules
Delisting consequences
Data processing rules
Platform liability limits
Marketing materials should not create unrealistic expectations. A platform should avoid statements suggesting guaranteed profit, risk-free investment, bank-like deposit protection, state guarantee, or automatic suitability for every investor.
Consumer disputes may arise from account freezes, failed withdrawals, unauthorized transfers, delisted assets, market volatility, system outages, phishing, and AML reviews. Clear disclosures and reliable records are essential for defending against such claims.
17. Tax Issues and Developing Legislative Risk
Crypto taxation in Turkey remains an area that must be monitored carefully. The tax treatment of crypto asset gains, platform commissions, custody fees, token distributions, and cross-border transactions may depend on the nature of the transaction and the applicable tax rules at the relevant time.
In 2026, Reuters reported that a draft law was proposed to introduce a 10% withholding tax on income and gains from crypto asset transactions conducted on authorized platforms and a 0.03% transaction levy on crypto asset service providers for sale or transfer transactions they conduct or intermediate. Because this was reported as a proposal, companies should verify whether any such measure has entered into force before relying on it.
For crypto businesses, tax compliance should cover:
Platform commissions
Corporate income tax
VAT analysis
Withholding tax exposure
Customer reporting obligations
Foreign exchange issues
Transfer pricing
Group company service fees
Token-related income
Accounting treatment of crypto assets
Cross-border payments
Tax planning should be coordinated with capital markets, AML, and accounting compliance.
18. Legal Liability of Crypto Asset Service Providers
Crypto asset service providers may face liability from customers, regulators, business partners, shareholders, vendors, and criminal authorities. Common disputes include:
Unauthorized account access
Stolen crypto assets
Phishing-related losses
Failure to execute withdrawal requests
Account freezes
AML-related restrictions
Incorrect order execution
System outages
Delisting disputes
Misleading listing statements
Market manipulation allegations
Data breaches
Custody failures
Private key compromise
Inadequate customer disclosures
Unlawful payment models
Operating without authorization
Evidence is especially important in crypto disputes. Platforms should maintain detailed logs of customer onboarding, login activity, device information, IP addresses, order records, wallet transfers, blockchain transaction IDs, internal approvals, customer notices, AML alerts, and complaint responses.
A platform that cannot reconstruct events may struggle to defend itself in litigation, arbitration, regulatory audits, or criminal investigations.
19. Compliance Checklist for Crypto Asset Service Providers in Turkey
A crypto asset service provider operating in Turkey should consider the following compliance steps:
Classify the business model under Turkish law.
Determine whether CMB authorization is required.
Review establishment and operating license conditions.
Confirm minimum capital and equity requirements.
Prepare corporate governance documents.
Establish internal audit, internal control, and risk management units.
Prepare AML and KYC policies.
Implement transaction monitoring and Travel Rule systems.
Establish wallet screening and blockchain analytics processes.
Prepare custody agreements and wallet procedures.
Create listing and delisting procedures.
Establish a listing committee.
Prepare order execution policies.
Review prohibited activities such as leverage, derivatives, lending, short sales, and purchases on credit.
Prepare customer agreements and risk disclosures.
Review advertising and marketing materials.
Prepare KVKK privacy documentation.
Review cross-border data transfers.
Establish cybersecurity and incident response plans.
Review crypto payment restrictions.
Monitor MASAK, CMB, CBRT, and tax developments continuously.
This checklist should be adapted to the specific business model. A trading platform, custody institution, wallet provider, token launch platform, and investment advisory service do not have identical compliance duties.
Conclusion
Crypto asset regulation in Turkey has moved from a limited and fragmented framework to a structured supervisory model centered on the Capital Markets Board. Law No. 7518 and the CMB’s 2025 communiqués now require crypto asset service providers to operate with authorization, capital strength, transparent governance, internal controls, custody safeguards, listing procedures, order execution policies, AML systems, and customer protection measures.
For crypto exchanges, custody institutions, wallet providers, foreign platforms, fintech companies, and investors, the most important legal issue is correct classification. A business that receives orders, operates a platform, holds customer crypto assets, manages private keys, facilitates token distributions, or provides crypto investment advisory services may fall within the CMB regime.
At the same time, CMB regulation is only one part of the legal picture. MASAK compliance, Travel Rule obligations, stablecoin transfer risks, KVKK data protection duties, CBRT payment restrictions, cybersecurity, consumer protection, taxation, and contractual liability must all be addressed.
Turkey’s crypto market offers significant opportunities, but it is now a regulated financial market. Companies that build strong legal and compliance systems from the beginning will be better positioned to obtain regulatory approval, protect customer trust, reduce enforcement risk, and scale sustainably.
Yanıt yok