Introduction
Fintech licensing in Turkey is one of the most important legal issues for startups, investors, founders, software companies, payment platforms, crypto asset businesses, digital wallet providers, embedded finance projects, and foreign fintech companies entering the Turkish market. A fintech startup may look like a technology company at first glance, but if its business model involves customer funds, payments, stored value, crypto asset services, investment products, lending, banking infrastructure, account information, or financial intermediation, it may need regulatory authorization before launch.
The key question is not whether the company calls itself a “fintech startup,” “software platform,” “marketplace,” “wallet,” “payment gateway,” “crypto platform,” or “financial technology provider.” The key question is what the company actually does. Turkish regulators look at the real economic and technical function of the service. If the startup receives funds, executes payment transactions, issues electronic money, provides banking-like services, operates a crypto asset platform, intermediates capital markets products, or handles regulated customer assets, licensing requirements may arise.
Fintech regulation in Turkey is not controlled by a single authority. The Central Bank of the Republic of Türkiye, also known as the CBRT or TCMB, supervises payment services, payment institutions, and electronic money institutions under Law No. 6493. The CBRT states that payment services regulation and supervision in Turkey are governed by Law No. 6493 and related secondary legislation.
The Banking Regulation and Supervision Agency, known as the BRSA or BDDK, regulates banks, digital banks, electronic banking services, and Banking-as-a-Service models. The BRSA’s digital banking regulation determines the procedures and principles for branchless banks and Banking-as-a-Service models.
The Capital Markets Board of Türkiye, known as the CMB or SPK, regulates capital markets activities and crypto asset service providers. The CMB has published communiqués on the establishment, operation, activities, and capital adequacy of crypto asset service providers.
Fintech startups must also consider MASAK obligations under anti-money laundering law and KVKK obligations under personal data protection law. Law No. 5549 determines the principles and procedures for preventing laundering proceeds of crime, while Law No. 6698 protects fundamental rights and freedoms in relation to the processing of personal data.
This article explains when a fintech startup in Turkey may need regulatory authorization, how to classify fintech business models, which licenses may be relevant, and what legal risks arise if a startup launches before obtaining the required permission.
1. Why Fintech Licensing Matters in Turkey
Fintech licensing is not merely a bureaucratic formality. It determines whether the business can legally operate, receive customer funds, partner with banks, onboard merchants, raise investment, advertise its services, process transactions, and scale its product.
A startup that launches without the required license may face serious risks, including:
Administrative sanctions
Suspension of activities
Termination of banking relationships
Customer claims
Regulatory investigation
Criminal law exposure in serious cases
Investor due diligence problems
Difficulty obtaining future authorization
Reputational harm
Contract invalidity or enforceability disputes
For regulated fintech businesses, licensing is part of the product architecture. A payment startup must design its fund flow around payment services law. An e-money startup must design its wallet structure around electronic money rules. A crypto platform must design custody, listing, and order execution processes around CMB rules. A Banking-as-a-Service platform must structure customer relationships around the licensed service bank.
Therefore, the licensing analysis should be completed before launch, not after the product is already live.
2. The First Legal Question: Is the Startup Providing a Regulated Financial Service?
The most important step is legal classification. A fintech startup should examine whether its business model involves any of the following regulated elements:
Receiving or holding customer funds
Executing payment transactions
Operating payment accounts
Issuing electronic money
Operating digital wallets
Providing money remittance
Offering payment initiation or account information services
Operating a crypto asset trading platform
Providing crypto asset custody
Managing private keys
Facilitating crypto asset transfers
Providing investment services
Operating a crowdfunding platform
Providing banking services through digital channels
Acting as a Banking-as-a-Service interface provider
Offering credit or lending products
Providing financial advisory or portfolio-related services
Handling customer financial data through open banking tools
If any of these elements exists, the company should not assume that it is merely a software business. A detailed regulatory review is necessary.
A useful practical test is this: if the startup disappeared tomorrow, would customer funds, crypto assets, payment instructions, account access, settlement, or financial rights be affected? If yes, regulatory authorization may be relevant.
3. Payment Services License: When Is It Needed?
A startup may need a payment services license if it provides regulated payment services in Turkey. Payment services may include money remittance, execution of payment transactions, operation of payment accounts, issuance or acceptance of payment instruments, payment initiation services, account information services, merchant payment solutions, and other activities falling within Law No. 6493.
Law No. 6493 regulates payment and securities settlement systems, payment services, payment institutions, and electronic money institutions. The CBRT identifies Law No. 6493 and secondary legislation as the main framework for payment services regulation in Turkey.
A startup may need payment services authorization if it:
Transfers funds between users
Collects money from buyers and transfers it to sellers
Operates a payment gateway beyond purely technical support
Initiates payments from customer accounts
Provides account information services
Manages payment accounts
Provides merchant acquiring services
Handles settlement flows between parties
Offers payment links or wallet-based merchant payments
Processes cross-border money transfers
Offers financial infrastructure where it enters the payment flow
The most common mistake is assuming that a marketplace or SaaS platform does not need authorization because it is “only facilitating transactions.” If the platform receives funds, controls settlement, or acts between payer and payee, payment services law must be reviewed carefully.
A startup that only provides technical infrastructure may not need a payment license, but the boundary between technical service and regulated payment service can be narrow. The legal analysis must examine fund flow, customer contracts, settlement accounts, control over transaction execution, and whether the startup has possession or control of customer funds.
4. Electronic Money License: When Does a Wallet Become Regulated?
A startup may need authorization as an electronic money institution if it receives funds and issues electronically stored monetary value that can be used for payment transactions.
Electronic money is especially relevant for:
Digital wallets
Prepaid balances
App-based stored value
Merchant wallet systems
User-to-user balance transfers
Closed or semi-open payment ecosystems
Prepaid cards
Reward balances convertible into payment value
Marketplace balances
Embedded finance wallet products
Not every digital balance is electronic money. Loyalty points, discount credits, internal accounting units, and limited closed-loop credits may fall outside electronic money depending on their design. However, if the balance represents money received from the customer and can be used to make payments to third parties, electronic money rules may apply.
Electronic money institutions in Turkey are authorized and supervised under the CBRT framework. The CBRT publishes information about electronic money institutions and their authorization scopes under Law No. 6493.
For startups, the key legal questions are:
Does the customer load money into the system?
Is the loaded amount represented as a balance?
Can the balance be used for payments?
Can merchants accept the balance?
Can the balance be transferred to other users?
Can the balance be redeemed?
Does the startup hold customer funds?
Is there a licensed bank, payment institution, or e-money institution behind the model?
If the answer suggests electronic money issuance, the startup should not launch without a licensing analysis.
5. Digital Banking License: When Is a Startup Actually a Bank?
Some fintech startups aim to offer banking-like products through mobile applications. However, banking is one of the most heavily regulated activities in Turkey. A company cannot operate as a bank merely by building a mobile application.
Digital banking in Turkey is regulated under the BRSA’s Regulation on the Operating Principles of Digital Banks and Banking as a Service Model. The regulation applies to branchless banks and Banking-as-a-Service models and sets rules for digital banks operating through electronic banking channels.
A startup may trigger banking licensing issues if it:
Accepts deposits or participation funds
Provides banking products in its own name
Offers bank accounts without a licensed bank structure
Provides credit as a bank
Markets itself as a bank
Uses banking terminology misleadingly
Operates a branchless banking model
Controls customer banking relationships directly
A digital bank is still a bank. It must satisfy banking law requirements, capital requirements, governance rules, risk management standards, internal systems requirements, information systems obligations, and BRSA supervision.
Many startups do not need to become banks. Instead, they may work with a licensed bank through a Banking-as-a-Service model. However, that structure also requires careful legal planning.
6. Banking-as-a-Service and Interface Provider Authorization
Banking-as-a-Service, or BaaS, allows a licensed bank to offer banking services through the digital interface of another company. The fintech company may act as the interface provider, while the bank remains the regulated service provider.
The BRSA digital banking regulation sets out rules for BaaS and defines how service banks and interface providers may operate. The regulation states that its purpose is to determine the procedures and principles regarding branchless banks and Banking-as-a-Service models.
A startup may need BRSA-related authorization or approval if it acts as an interface provider in a BaaS structure. The legal issue is not only whether the startup is a bank. The issue is whether the startup is mediating access to banking services through its own interface.
A BaaS startup should examine:
Who provides the banking service?
Is there a licensed service bank?
Is the customer contract established with the bank?
Does the startup clearly disclose that it is not the bank?
Does the startup process customer banking data?
Does the startup participate in onboarding?
Does the startup’s interface comply with electronic banking security rules?
Is BRSA permission required for the interface provider role?
Does the startup also provide payment or e-money services?
BaaS is not a shortcut to operating like a bank without a license. It is a regulated cooperation model. The startup must avoid misleading customers and must ensure that contracts, disclosures, data processing, authentication, and complaint channels are properly structured.
7. Crypto Asset Service Provider Authorization
Crypto asset businesses in Turkey now operate under a more detailed capital markets framework. A startup may need CMB authorization if it provides crypto asset services, operates a crypto trading platform, provides custody, manages private keys, facilitates crypto transfers, provides crypto investment advisory services, or supports initial sale or distribution of crypto assets.
The CMB’s crypto asset communiqués regulate the establishment, operation, activities, and capital adequacy of crypto asset service providers.
A startup may fall within crypto asset service provider rules if it:
Operates a crypto exchange
Receives and executes crypto asset orders
Provides crypto custody
Stores or manages private keys
Operates hosted wallets
Facilitates crypto transfers
Provides crypto asset investment advice
Lists crypto assets for trading
Facilitates initial sale or distribution of crypto assets
Provides infrastructure that effectively controls customer crypto assets
The most important distinction is between non-custodial technology and regulated crypto asset services. A startup that simply develops blockchain software may not need authorization. However, a platform that controls customer assets, executes transactions, manages private keys, or facilitates trading may need CMB authorization.
Crypto startups must also consider MASAK obligations, cybersecurity, customer asset segregation, listing procedures, order execution policies, stablecoin risks, and restrictions on using crypto assets in payments.
8. Crypto Payments Are a Separate Risk
A crypto startup may be authorized for certain crypto asset services but still face restrictions if its model uses crypto assets for payments. Turkey has a specific regulation on the disuse of crypto assets in payments. The CBRT’s annual report explains that the regulation prohibits payment service providers from adopting business models that directly or indirectly use crypto assets in payment services or electronic money issuance.
This is highly relevant for startups designing:
Crypto debit cards
Merchant crypto checkout tools
Stablecoin payment products
Crypto-to-fiat instant payment systems
Crypto-linked wallets
E-money balances backed by crypto assets
Payment gateways for crypto-funded purchases
A startup should not confuse crypto trading with crypto payments. Even if a crypto asset platform is regulated under the CMB framework, using crypto assets as a payment method may raise CBRT-related restrictions.
9. Crowdfunding and Investment Platform Licensing
Fintech startups may also require authorization if they operate investment, crowdfunding, securities, or capital markets platforms. A platform that connects investors with companies, facilitates securities-based investment, tokenized investment rights, equity crowdfunding, debt-like products, or investment advisory may fall within capital markets regulation.
The key issue is whether the startup is merely providing information or whether it is intermediating investment activity. If users are investing money with an expectation of financial return through instruments regulated under capital markets law, CMB rules must be reviewed.
Startups should be careful with:
Equity crowdfunding
Debt crowdfunding
Tokenized investment products
Revenue-sharing investment models
Robo-advisory
Portfolio management tools
Securities trading interfaces
Investment recommendations
Financial influencer platforms connected to execution services
The use of technology does not remove the need for capital markets authorization. If the activity is regulated in substance, the startup must obtain the appropriate permission or work with licensed institutions.
10. Lending, BNPL, and Credit Products
Fintech startups often build digital lending, credit scoring, installment payment, merchant financing, invoice financing, or buy-now-pay-later products. These models can trigger banking, financing company, consumer credit, payment services, or e-money issues depending on structure.
A startup should ask:
Who provides the credit?
Is the startup lending from its own balance sheet?
Is a licensed bank or financing company involved?
Is the startup only a technology provider?
Does the startup make credit decisions?
Does it collect repayments?
Does it charge interest or credit-like fees?
Is the customer a consumer or business?
Are installment or deferred payment features involved?
Does the model involve payment services?
Credit-related fintech products are legally sensitive because they may affect consumers, merchants, financial stability, and debt collection rights. If the startup effectively provides financing, it should not assume that a technology label removes licensing requirements.
11. Open Banking and Account Information Services
Open banking allows third-party providers to access account information or initiate payments through secure channels, subject to customer consent and regulatory requirements. In Turkey, account information services and payment initiation services are relevant under payment services regulation.
A startup may need authorization if it:
Accesses customer payment account data
Aggregates account information
Initiates payments from customer accounts
Provides API-based financial dashboards connected to bank accounts
Offers financial management tools that rely on regulated account access
Acts as an intermediary between customers and payment account providers
A startup that only displays manually entered financial data may be outside the regulated perimeter. However, if it connects to banks or payment service providers and accesses regulated account data or initiates payment transactions, licensing analysis is required.
Open banking also raises personal data protection, customer consent, cybersecurity, API security, and liability issues.
12. When Is a Startup Only a Technology Provider?
Not every fintech-related software company needs a financial license. A startup may operate as an unregulated technology provider if it does not perform regulated financial activity.
Examples may include:
Software development for banks
Fraud detection tools
KYC software sold to regulated institutions
Cybersecurity products
Accounting software without fund movement
Analytics dashboards using non-regulated data
Cloud or infrastructure services
Merchant management software
Non-custodial blockchain software
Educational financial content without advice or execution
However, the startup must be careful not to cross the line into regulated activity. A technology provider may become regulated if it starts controlling funds, executing transactions, onboarding customers on its own behalf, providing financial products directly, managing private keys, or making regulated decisions.
The distinction depends on contractual role, technical control, customer-facing presentation, and actual operations.
13. Foreign Fintech Startups Entering Turkey
Foreign fintech companies often ask whether they can serve Turkish customers from abroad without obtaining a Turkish license. The answer depends on the exact structure.
A foreign startup may trigger Turkish regulatory requirements if it:
Targets Turkish residents
Uses Turkish-language marketing
Accepts Turkish customers
Processes payments in Turkey
Works with Turkish banks or payment institutions
Provides crypto asset services to Turkish users
Offers Turkish customer support
Uses local agents or representatives
Markets investment or banking products in Turkey
Handles customer funds connected to Turkey
A foreign company should not assume that being incorporated abroad avoids Turkish law. If the service is effectively offered into Turkey, local licensing, data protection, AML, consumer protection, tax, and advertising rules may apply.
Cross-border fintech projects require careful analysis of customer targeting, fund flow, data flow, marketing activity, local partnerships, and regulatory perimeter.
14. AML and MASAK Obligations Even Before Full Scale
Fintech startups often focus on licensing but underestimate AML obligations. A startup dealing with payment services, e-money, crypto assets, banking interfaces, lending, or investment products may need to comply with MASAK rules.
Law No. 5549 sets out the legal framework for preventing laundering proceeds of crime and includes obligations such as suspicious transaction reporting, information and document provision, retention of records, training, internal audit, control, risk management, and compliance programs.
AML obligations may include:
Customer identification
KYC procedures
Beneficial ownership checks
Sanctions screening
Politically exposed person screening
Transaction monitoring
Suspicious transaction reporting
Record retention
Employee training
Compliance officer functions
Risk-based controls
Enhanced due diligence
For crypto, payment, and e-money startups, AML systems should be built before launch. Retrofitting compliance after onboarding thousands of users can become costly and risky.
15. KVKK and Data Protection as a Licensing-Adjacent Issue
Fintech startups process large amounts of personal data, including identity documents, transaction histories, bank account data, device information, wallet addresses, risk scores, credit data, and biometric verification data.
Law No. 6698 on the Protection of Personal Data aims to protect fundamental rights and freedoms, particularly privacy, and sets obligations for natural and legal persons processing personal data.
Data protection does not replace financial licensing, but it is closely connected to authorization readiness. Regulators, banks, investors, and business partners expect fintech startups to have proper data governance.
A startup should prepare:
Privacy notices
Data processing inventory
Customer consent flows where required
Cross-border data transfer analysis
Data processing agreements
Retention and deletion policies
Cybersecurity measures
Breach response procedures
Access control rules
Vendor data protection clauses
Fintech licensing and data protection should be designed together because customer onboarding, KYC, AML monitoring, fraud detection, open banking, and transaction records all involve personal data.
16. Regulatory Red Flags for Fintech Startups
A startup should seek legal review immediately if its model includes any of the following red flags:
Customers load money into the app.
The platform holds balances for users.
The platform transfers money between users.
Merchants receive settlement through the platform.
The startup operates a wallet.
The startup issues prepaid value.
The platform connects to bank accounts.
The startup initiates payments.
The startup accesses customer account information.
The startup uses crypto assets.
The startup holds private keys.
The platform lists crypto assets.
The startup offers investment opportunities.
The startup makes credit decisions.
The startup advertises banking-like services.
The startup works with a bank through a customer-facing interface.
The startup targets Turkish customers from abroad.
The startup processes high-risk financial data.
The startup earns fees from regulated transaction flows.
If several of these red flags exist, licensing analysis is not optional. It is a necessary step before launch.
17. Common Licensing Mistakes
Fintech startups frequently make similar legal mistakes. These mistakes can delay licensing, damage bank partnerships, or lead to enforcement risks.
Common mistakes include:
Calling the business “software” even though it controls funds
Launching a wallet before analyzing e-money rules
Using a marketplace model without reviewing payment services law
Offering crypto payment features despite payment restrictions
Assuming foreign licensing is sufficient for Turkey
Using bank-like branding without banking authorization
Failing to identify beneficial owners in corporate onboarding
Launching before AML procedures are operational
Copying user agreements from foreign platforms
Failing to align contracts with technical fund flow
Using vendors without data protection and audit clauses
Ignoring cybersecurity and recordkeeping requirements
Applying for a license after building a non-compliant structure
Not separating regulated and unregulated activities
Making investment or return promises without capital markets analysis
The best time to solve licensing problems is before product launch and before investor fundraising. Once a structure is already live, changing it may require customer migration, contract revisions, banking renegotiation, and regulatory remediation.
18. Practical Fintech Licensing Checklist in Turkey
A fintech startup should follow a structured licensing review before launch:
Define the exact product.
Map the customer journey.
Map the fund flow.
Map the data flow.
Identify who holds customer funds or assets.
Identify who executes transactions.
Identify whether balances are created.
Determine whether payment services are provided.
Determine whether electronic money is issued.
Determine whether crypto asset services are provided.
Determine whether banking or BaaS rules apply.
Determine whether capital markets rules apply.
Determine whether lending or credit rules apply.
Determine whether MASAK obligations apply.
Review KVKK compliance.
Review customer contracts and disclosures.
Review marketing language.
Review bank and vendor contracts.
Assess cybersecurity and audit requirements.
Prepare licensing or partnership strategy.
Document the legal classification.
This checklist should be applied before launch, before signing major bank partnerships, and before fundraising.
19. License, Partnership, or Technology-Only Model?
A fintech startup usually has three strategic options.
The first option is to obtain its own license. This may be necessary for payment institutions, electronic money institutions, crypto asset service providers, digital banks, and other regulated businesses. The advantage is independence and long-term value. The disadvantage is cost, time, capital, compliance burden, and regulatory supervision.
The second option is to partner with a licensed institution. This may work for BaaS, payment facilitation, card programs, open banking integrations, or embedded finance models. The advantage is faster market entry. The disadvantage is dependency on the licensed partner and stricter contractual control.
The third option is to remain a technology-only provider. This may be suitable for software, analytics, fraud tools, KYC technology, cybersecurity, accounting, and infrastructure services. The advantage is lower regulatory burden. The disadvantage is limited ability to control financial services directly.
The right model depends on the startup’s commercial goals, funding capacity, regulatory appetite, risk tolerance, and long-term strategy.
20. Why Legal Support Is Essential
Fintech licensing in Turkey requires knowledge of financial regulation, corporate law, technology contracts, AML compliance, data protection, consumer law, crypto regulation, banking law, and capital markets law. A startup may need support not only for obtaining a license but also for deciding whether a license is required at all.
A fintech lawyer can assist with:
Regulatory classification
Payment services licensing analysis
Electronic money licensing analysis
Crypto asset service provider authorization
Digital banking and BaaS structuring
Open banking compliance
AML and KYC policies
KVKK documentation
Customer agreement drafting
Bank partnership contracts
Vendor and outsourcing contracts
Investor due diligence preparation
Regulatory correspondence
Administrative sanction defense
Fintech litigation and dispute resolution
Legal advice should be obtained at the design stage. In fintech, legal structure, technical structure, and commercial structure must be built together.
Conclusion
Fintech licensing in Turkey depends on the real function of the startup’s business model. A company may need regulatory authorization if it provides payment services, issues electronic money, operates a digital wallet, provides banking services, acts as a Banking-as-a-Service interface provider, operates a crypto asset platform, provides custody, facilitates investment activity, or handles regulated customer funds or assets.
The most important question is not what the startup calls itself. The real question is what the startup does. If the startup enters the flow of money, value, assets, financial data, investment decisions, or regulated financial services, Turkish licensing rules must be carefully reviewed.
Turkey offers strong opportunities for fintech innovation, including payments, electronic money, digital wallets, open banking, embedded finance, crypto asset services, digital lending, and financial infrastructure. However, these opportunities come with regulatory responsibility. Startups that build compliance into their business model from the beginning are more likely to obtain bank partnerships, attract investors, satisfy regulators, protect customers, and scale sustainably.
Fintech licensing should not be seen as an obstacle to innovation. Properly handled, it is the legal foundation that allows fintech companies to grow safely, transparently, and credibly in Turkey.
Yanıt yok