Introduction
Cross-border fintech services in Turkey have become a major legal issue for foreign payment companies, electronic money institutions, digital wallet providers, crypto asset platforms, open banking providers, embedded finance businesses, online investment platforms, money transfer companies, and financial technology startups. Turkey has a large digital population, strong demand for mobile financial services, high card and payment usage, significant crypto adoption, and a rapidly developing fintech regulatory environment. For foreign platforms, this creates commercial opportunity. However, it also creates regulatory risk.
The key legal question is simple: Can a foreign fintech platform serve Turkish customers without obtaining a Turkish license or establishing a local entity? The answer depends on the exact business model. There is no single rule that applies to every fintech activity. A foreign software company that provides back-end technology to a Turkish bank may have a different legal position from a foreign crypto exchange directly targeting Turkish residents. A foreign payment company processing Turkish domestic payments is different from a foreign service provider cooperating with a licensed Turkish payment institution for cross-border remittance. A foreign open banking platform accessing Turkish payment accounts is different from a personal finance app where users manually enter information.
Turkey’s fintech regulatory framework is activity-based. Regulators focus on what the platform actually does, how it targets customers, whether it handles funds or assets, whether it uses Turkish payment infrastructure, whether it markets to Turkish residents, whether customer data is processed in or transferred from Turkey, and whether the service falls within payment services, electronic money, banking, capital markets, crypto asset, AML, consumer protection, or personal data protection rules.
The main Turkish regulators include the Central Bank of the Republic of Türkiye, known as the CBRT, for payment services and electronic money; the Banking Regulation and Supervision Agency, known as the BRSA, for banking, digital banking, and Banking-as-a-Service; the Capital Markets Board, known as the CMB, for capital markets and crypto asset service providers; MASAK, the Financial Crimes Investigation Board, for AML/CFT compliance; and the Personal Data Protection Authority for KVKK compliance.
This article explains when foreign fintech platforms may trigger Turkish regulation, what licensing risks exist, how cross-border payment and e-money services are treated, how foreign crypto platforms are assessed, how KVKK applies to data transfers, what MASAK obligations may arise, and what practical steps foreign fintech companies should take before serving Turkish customers.
1. Why Cross-Border Fintech Is Legally Sensitive in Turkey
A foreign fintech platform may assume that it is not subject to Turkish law because it is incorporated abroad, hosts its servers abroad, and does not have a physical office in Turkey. This assumption can be legally dangerous. Turkish regulatory analysis does not depend only on where the company is incorporated. It may also depend on whether the platform targets Turkish residents, provides services in Turkish, accepts Turkish customers, processes transactions connected to Turkey, cooperates with Turkish financial institutions, or performs a regulated activity in relation to users located in Turkey.
Cross-border fintech is sensitive because it may involve customer funds, electronic money, payment accounts, crypto assets, investment products, bank account data, identity documents, AML risk, cybersecurity risk, and consumer protection issues. A foreign fintech company serving Turkish customers may create local legal consequences even if its corporate headquarters are abroad.
Foreign fintech platforms should therefore avoid a “launch first, analyze later” approach. In regulated financial services, the cost of operating without proper authorization can be much higher than the cost of pre-launch legal analysis.
2. Main Regulatory Framework for Cross-Border Fintech in Turkey
Cross-border fintech services may trigger several Turkish legal regimes at the same time.
The most important legal framework for payment and e-money activities is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. Law No. 6493 regulates payment systems, payment services, payment institutions, and electronic money institutions. The CBRT’s official payment services page states that regulation and supervision in the payment services area are governed by Law No. 6493 and related secondary legislation.
Digital banking and Banking-as-a-Service models are regulated by the BRSA under the Regulation on the Operating Principles of Digital Banks and Banking as a Service Model. This framework is relevant where a foreign technology platform wants to provide banking-like services through a Turkish bank, or where a platform’s customer-facing interface is used for bank-provided services.
Crypto asset services are now regulated under the Turkish capital markets framework. The CMB’s crypto asset service provider communiqués regulate the establishment and operation of crypto asset service providers and the services and activities they may provide.
Personal data processing is governed by Law No. 6698 on the Protection of Personal Data, known as the KVKK. Article 9 of the KVKK was amended in 2024 and now sets out a revised framework for transferring personal data abroad, including adequacy decisions, appropriate safeguards, standard contracts, binding corporate rules, and limited incidental transfer grounds.
AML/CFT obligations are governed mainly by Law No. 5549 on Prevention of Laundering Proceeds of Crime and MASAK secondary legislation. Foreign fintech platforms that provide services through Turkish regulated entities, onboard Turkish customers, or handle transactions connected to Turkey may need to consider MASAK-related customer due diligence, suspicious transaction, and recordkeeping expectations depending on the structure.
3. The Core Test: Is the Foreign Platform Targeting Turkish Customers?
A central issue in cross-border fintech is whether the foreign platform is merely accessible from Turkey or actively targeting Turkish customers. A website or mobile application may be globally accessible, but active targeting creates a stronger legal link with Turkey.
Indicators of targeting may include:
Turkish-language website or application interface
Turkish-language customer support
Marketing campaigns directed at Turkish residents
Use of Turkish influencers, advertisements, or social media campaigns
Pricing in Turkish lira
Acceptance of Turkish identity documents during onboarding
Integration with Turkish banks or payment institutions
Use of Turkish IBANs or local payment methods
Local representatives, agents, or business partners
Promotion of services specifically to Turkish users
Opening accounts for Turkish residents
Providing Turkish-law consumer documentation
Offering local dispute or support channels
The more Turkish-facing the platform is, the greater the regulatory risk. A foreign fintech company should not assume that adding a disclaimer such as “services are provided from abroad” will be sufficient if the platform is in practice directed at Turkey.
This issue is especially important in crypto regulation. Current expert guidance on Turkey’s crypto framework notes that crypto-asset platforms based abroad may be considered to provide unauthorized services if they engage in activities directed at Turkish residents, with Turkish-language websites, marketing toward Turkish residents, or establishing a workplace in Turkey being treated as indicators.
4. Cross-Border Payment Services
Foreign platforms providing payment services to Turkish customers face one of the highest licensing risks. Payment services in Turkey are regulated under Law No. 6493 and CBRT secondary legislation. The CBRT is the main authority responsible for regulation and supervision of payment and e-money services.
Payment services may include money remittance, operation of payment accounts, execution of payment transactions, issuance or acceptance of payment instruments, payment initiation services, account information services, merchant payment collection, digital wallets, virtual POS-like services, and electronic money issuance.
A foreign platform may trigger Turkish payment services regulation if it:
Processes payments between Turkish users
Collects funds from Turkish customers
Transfers funds to Turkish merchants
Operates payment accounts for Turkish residents
Offers a digital wallet to Turkish customers
Provides payment initiation from Turkish payment accounts
Aggregates Turkish account information
Provides Turkish merchants with online payment acceptance
Uses Turkish local payment infrastructure
Provides domestic payment services inside Turkey
A 2026 market guide states that payment services may only be offered to persons residing in Turkey by payment institutions licensed by the CBRT, and that CBRT licenses are activity-specific rather than general authorizations for all payment services. This is a critical point for foreign platforms. A license in another country does not automatically authorize the company to provide regulated payment services to Turkish residents.
5. Cooperation with Turkish Payment and E-Money Institutions
Foreign fintech companies may sometimes enter the Turkish market through cooperation with a licensed Turkish payment institution or electronic money institution. However, this cooperation is also regulated.
Legal commentary on the 2021 payment services regulation states that payment and electronic money institutions resident in Turkey may cooperate with legal entities resident abroad only if the foreign legal entity obtains permission from the CBRT and at least one party to the payment transaction is located abroad.
This is especially relevant for remittance, cross-border money transfer, international payment collection, marketplace payouts, and foreign merchant settlement models. A foreign entity cannot simply route Turkish payment flows through a Turkish licensed institution without reviewing the CBRT permission requirement and the “one party abroad” condition.
A legally sound cooperation model should address:
Whether the transaction is domestic or cross-border
Whether the foreign entity needs CBRT permission
Whether the Turkish institution’s license scope covers the service
Who contracts with the customer
Who handles customer funds
Who performs KYC
Who monitors suspicious transactions
Who is responsible for refunds and disputes
Where transaction records are stored
How data is transferred abroad
What happens if the partnership terminates
The foreign platform should also ensure that it does not create the impression that it is itself licensed in Turkey unless it holds the relevant authorization.
6. Cross-Border Electronic Money and Digital Wallets
Electronic money and digital wallet services are particularly sensitive in cross-border fintech. A foreign wallet provider may believe that it can simply onboard Turkish users through an overseas entity. However, if Turkish users can load funds, hold value, make payments, transfer balances, or pay merchants through the wallet, Turkish e-money and payment services regulation may be triggered.
Electronic money under Law No. 6493 involves monetary value issued upon receipt of funds, stored electronically, used for payment transactions, and accepted by persons other than the issuer. A foreign wallet platform serving Turkish customers should therefore ask:
Can Turkish customers load funds into the wallet?
Is the wallet balance monetary value?
Can the balance be used to pay third-party merchants?
Can users transfer balances to others?
Can Turkish merchants accept the wallet?
Are customer funds held in Turkey or abroad?
Is a licensed Turkish e-money institution involved?
Is the wallet marketed in Turkish?
Are refunds or withdrawals available to Turkish bank accounts?
If the wallet functions as electronic money or a payment instrument for Turkish customers, a Turkish licensing analysis is essential. The legal risk is higher if the wallet supports local merchant payments, Turkish lira balances, Turkish customer onboarding, or Turkish domestic transfers.
7. Open Banking and Account Information Services
Foreign open banking platforms must also be careful. A personal finance application that allows users to manually upload information may be less regulated than an application that connects to Turkish banks or payment accounts through APIs and accesses account data or initiates payments.
Open banking services may include account information services and payment initiation services. These are connected to Turkish payment services regulation under Law No. 6493 and CBRT secondary legislation. A foreign platform may trigger Turkish rules if it accesses Turkish payment account information, initiates payments from Turkish accounts, or provides API-based financial dashboards to Turkish customers.
Open banking also creates major KVKK issues because account data may reveal sensitive financial behavior. If a foreign provider processes Turkish users’ bank account information abroad, cross-border data transfer rules under Article 9 of the KVKK must be reviewed. The amended Article 9 framework allows transfers abroad where processing conditions are met and there is an adequacy decision; absent adequacy, appropriate safeguards such as standard contracts, binding corporate rules, or written commitments with approval may be required depending on the structure.
Foreign open banking platforms should therefore analyze both financial licensing and data protection before accessing Turkish account information.
8. Cross-Border Crypto Asset Services
Crypto asset services are one of the most important cross-border fintech issues in Turkey. Foreign crypto exchanges, custody providers, hosted wallet services, token launch platforms, and crypto advisory services may all be affected by Turkish capital markets regulation if they target Turkish residents.
Turkey’s crypto asset framework changed significantly after the introduction of crypto-related amendments to the Capital Markets Law and the CMB’s 2025 secondary regulations. The CMB communiqués regulate procedures and principles for crypto asset service providers, including establishment, operation, services, activities, and capital adequacy.
Foreign crypto platforms should be especially cautious if they:
Provide a Turkish-language platform
Accept Turkish residents as users
Run marketing campaigns targeting Turkey
Use Turkish social media influencers
Offer Turkish lira trading pairs
Integrate Turkish bank transfers
Provide customer support in Turkish
Open local representative offices
Advertise to Turkish investors
Provide custody for Turkish users
Offer crypto asset transfers, trading, or investment advice
Guidance on Turkey’s crypto regulatory framework states that foreign crypto-asset platforms engaging in activities directed at Turkish residents may be considered to be providing unauthorized crypto-asset services; Turkish-language websites, promotional activities toward Turkish residents, and establishing a workplace in Turkey are listed as indicators.
This is a major issue for global crypto exchanges. A foreign license, such as an EU, UK, Dubai, Singapore, or US registration, does not automatically authorize the platform to target Turkish residents.
9. Crypto Payments Are Restricted
Foreign fintech companies should distinguish crypto trading from crypto payments. Turkey restricts the use of crypto assets in payments. The CBRT includes the Regulation on the Disuse of Crypto Assets in Payments within its payment services framework.
This matters for foreign platforms offering:
Crypto debit cards
Stablecoin payment products
Merchant crypto checkout
Crypto-to-fiat instant settlement
Crypto-funded wallets
Crypto-linked prepaid products
Payment gateways using crypto assets
E-money balances backed by crypto
Even if a foreign crypto platform is regulated abroad, a product that allows Turkish customers or Turkish merchants to use crypto assets directly or indirectly as a payment method may create Turkish regulatory risk. The platform should review CBRT restrictions before offering crypto-payment functionality in Turkey.
10. Banking, Digital Banking, and BaaS
Foreign fintech platforms may wish to offer banking-like services in Turkey through a digital interface. This can create banking law risk. Under Turkish law, banking activities are heavily regulated. A foreign platform cannot accept deposits, present itself as a bank, or provide banking services to Turkish customers without appropriate authorization or a compliant partnership structure.
The BRSA’s digital banking framework regulates branchless banking and Banking-as-a-Service models. In a BaaS model, a licensed service bank provides banking services through an interface provider. However, the customer relationship, disclosures, data security, authentication, and regulatory responsibility must be carefully structured.
A foreign fintech platform considering BaaS in Turkey should ask:
Is there a licensed Turkish service bank?
Is the foreign platform acting as an interface provider?
Does the BRSA framework permit the structure?
Will the customer contract be established with the bank?
Will the platform process customer banking data?
Will data be transferred abroad?
How will customer authentication work?
Who handles complaints?
Does the platform also provide payment or e-money services?
BaaS can be a useful market-entry model, but it is not an unregulated shortcut into banking.
11. Cross-Border Personal Data Transfers and KVKK
Data protection is one of the biggest issues for foreign fintech platforms. A foreign company serving Turkish customers may process identity documents, payment records, bank account data, transaction history, wallet addresses, device data, IP addresses, biometric verification data, risk scores, sanctions screening results, and customer support records.
Under KVKK, data controllers and processors must comply with lawful processing, transparency, purpose limitation, data minimization, security, retention, and data subject rights obligations. Article 12 of the KVKK requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security and prevent unlawful processing or access to personal data.
Cross-border data transfer requires special attention. The amended Article 9 framework provides a tiered structure: adequacy decisions, appropriate safeguards such as standard contracts or binding corporate rules, and limited incidental transfer grounds where safeguards are unavailable. The KVKK Authority also announced English translations of the by-law and standard contract texts for personal data transfers abroad in August 2024.
Foreign fintech platforms should map:
What Turkish customer data is collected
Where the data is stored
Which group companies access it
Which cloud vendors process it
Whether KYC/AML vendors are abroad
Whether customer support is abroad
Whether blockchain analytics tools receive data
Whether standard contracts or other safeguards are needed
Whether Turkish customers are properly informed
KVKK compliance should be built before launch. Retrofitting data transfer compliance after onboarding customers can be difficult.
12. AML and MASAK Risk for Foreign Platforms
Cross-border fintech services often involve AML risk. Foreign platforms may process money transfers, wallet balances, crypto assets, merchant payments, remittances, or investment transactions involving Turkish customers. Depending on the model, MASAK obligations may apply directly or indirectly.
Even where a foreign fintech company is not directly treated as an obliged party in Turkey, Turkish banks, payment institutions, e-money institutions, or crypto asset service providers working with the foreign company may impose MASAK-related contractual requirements. These may include customer identification, transaction monitoring, sanctions screening, suspicious transaction escalation, recordkeeping, and cooperation with regulatory requests.
Foreign platforms should prepare AML procedures for Turkey-facing activity, especially where the service involves:
Cross-border remittance
Merchant payment collection
Crypto deposits and withdrawals
Stablecoin transfers
Digital wallets
High-volume account activity
Corporate customers
Marketplace payouts
Turkish bank integrations
Use of local payment methods
Turkey has continued to strengthen supervision over payment and crypto sectors in connection with AML risks. Reuters reported increased scrutiny of payment companies after Turkey’s FATF grey-list exit, and it also reported crypto transaction measures targeting laundering through illegal betting and fraud proceeds.
13. Consumer Protection and Dispute Resolution
Foreign fintech platforms serving Turkish consumers should also consider Turkish consumer protection law. If a Turkish resident uses a foreign app for payment, wallet, crypto, lending, or financial services, disputes may arise over unauthorized transactions, hidden fees, failed withdrawals, account freezing, refunds, misleading advertising, or data breaches.
Consumer-facing documents should clearly explain:
The identity and jurisdiction of the provider
Whether the provider is licensed in Turkey
The nature of the service
Fees and commissions
Risks and limitations
Complaint channels
Refund and cancellation rules
Account suspension rules
Data processing practices
Applicable law and dispute resolution
Security obligations of the user
A foreign platform should not rely only on foreign-law terms of service. Turkish consumer protection principles may become relevant where the platform targets Turkish consumers or provides services connected to Turkey.
14. Tax and Foreign Exchange Considerations
Cross-border fintech models may also create Turkish tax and foreign exchange issues. The analysis depends on the business model, revenue structure, customer base, local presence, and transaction flow.
Questions may include:
Does the foreign platform have a permanent establishment in Turkey?
Are service fees earned from Turkish customers taxable in Turkey?
Are withholding taxes relevant?
Is VAT or digital services tax relevant?
Are payment flows treated as merchant settlement, commission, software fees, or financial service income?
Are Turkish lira transactions involved?
Are crypto asset gains or platform fees subject to future tax rules?
Are group company charges transfer-pricing compliant?
For crypto, tax policy remains an evolving area. Reuters reported in March 2026 that a draft law proposed a 10% withholding tax on income and gains from crypto transactions conducted on authorized platforms and a 0.03% transaction levy on crypto asset service providers. Because this was reported as a proposal, platforms should verify whether any such measure has entered into force before relying on it.
15. Local Entity, Representative, Partnership, or Pure Cross-Border Model?
Foreign fintech companies generally consider four market-entry models.
The first model is a local licensed entity. This may be required for payment institutions, e-money institutions, digital banks, and crypto asset service providers depending on the activity. It gives the platform stronger local regulatory standing but requires capital, governance, compliance infrastructure, audits, personnel, and licensing time.
The second model is a partnership with a licensed Turkish institution. This may be used for payment, e-money, remittance, card, open banking, BaaS, or merchant services. It may reduce time to market, but the foreign platform must comply with the licensed partner’s regulatory obligations and contractual controls.
The third model is a technology-only model. A foreign company may provide software, analytics, fraud tools, KYC tools, cybersecurity, or back-end infrastructure to a licensed Turkish institution without directly serving Turkish customers. This may reduce licensing risk but does not eliminate KVKK, cybersecurity, confidentiality, and outsourcing concerns.
The fourth model is a pure cross-border customer-facing model. This is the riskiest where the platform actively targets Turkish residents in a regulated activity. It may be possible in some limited circumstances, but it requires careful legal analysis and should not be assumed to be lawful.
16. Practical Red Flags for Foreign Fintech Platforms
A foreign fintech platform should seek Turkish legal review if any of the following apply:
The app or website is available in Turkish.
The platform advertises to Turkish residents.
Turkish users can open accounts.
Turkish identity documents are accepted.
Turkish lira transactions are supported.
Turkish bank transfers are supported.
Turkish merchants can use the platform.
The platform holds customer funds or balances.
The platform operates a wallet or stored-value product.
The platform initiates payments from Turkish accounts.
The platform accesses Turkish bank account information.
The platform provides crypto trading or custody to Turkish users.
The platform offers Turkish customer support.
The platform uses local representatives or influencers.
The platform processes Turkish customer data abroad.
The platform cooperates with a Turkish bank, payment institution, or e-money institution.
The more red flags exist, the stronger the case for local regulatory analysis.
17. Common Mistakes by Foreign Fintech Platforms
Foreign platforms often make similar mistakes when entering Turkey.
They assume that a foreign license is enough.
They rely on global terms of service without Turkish law review.
They translate the website into Turkish before checking licensing risk.
They market to Turkish residents without regulatory analysis.
They process Turkish domestic payments without CBRT review.
They offer wallets or stored balances without e-money analysis.
They offer crypto services to Turkish users without CMB analysis.
They transfer Turkish customer data abroad without KVKK safeguards.
They ignore MASAK risks in payment or crypto flows.
They use local partners without clear responsibility allocation.
They treat customer support as non-regulatory.
They fail to preserve Turkish transaction and consent records.
They use misleading phrases such as “licensed,” “bank,” or “guaranteed” without legal basis.
The safest strategy is to classify the business before launch and adapt the model to Turkish law.
18. Compliance Checklist for Cross-Border Fintech Services in Turkey
A foreign fintech platform should consider the following steps before serving Turkish customers:
Map the exact business model.
Identify whether Turkish residents are targeted.
Review whether the service is payment, e-money, banking, BaaS, crypto, investment, lending, or open banking.
Assess whether CBRT, BRSA, CMB, MASAK, or KVKK rules apply.
Determine whether a Turkish license, approval, permission, or partnership is required.
Review whether a local entity is needed.
Review Turkish-language marketing and app content.
Analyze fund flow and asset custody.
Analyze data flow and cross-border data transfers.
Prepare KVKK privacy notices and transfer safeguards.
Prepare AML/KYC procedures for Turkey-related risks.
Review consumer-facing contracts.
Review refund, complaint, and account-freezing procedures.
Review cybersecurity and incident response.
Review vendor and outsourcing contracts.
Review tax and foreign exchange implications.
Document the legal classification and compliance decisions.
Monitor regulatory changes continuously.
This checklist should be adapted to the specific service. A foreign crypto exchange, wallet provider, remittance company, open banking app, payment gateway, BaaS interface provider, or investment platform will not have the same legal profile.
19. Why Legal Support Is Important
Cross-border fintech services require a coordinated legal strategy. Turkish law may apply even where the company is foreign, the servers are abroad, and the contracts are governed by foreign law. The decisive issues are activity, targeting, customer location, fund flow, asset flow, data flow, and regulatory classification.
A fintech lawyer in Turkey can assist with:
Regulatory perimeter analysis
CBRT payment and e-money licensing review
Foreign cooperation permission analysis
CMB crypto asset service provider analysis
BRSA banking and BaaS structuring
Open banking compliance
KVKK cross-border transfer documentation
MASAK AML/KYC risk assessment
Customer agreement localization
Marketing and advertising review
Turkish partner contract drafting
Tax and corporate structuring coordination
Regulatory correspondence
Administrative sanction defense
Fintech dispute resolution
Legal support should begin before the platform is launched in Turkey or marketed to Turkish users. Once customers are onboarded, regulatory remediation becomes more difficult.
Conclusion
Foreign fintech platforms can access significant opportunities in Turkey, but they cannot assume that cross-border delivery automatically avoids Turkish regulation. Turkish law may apply where a foreign platform targets Turkish residents, handles funds or assets connected to Turkey, provides payment or e-money services, offers crypto asset services, accesses Turkish payment accounts, processes Turkish customer data, or cooperates with Turkish regulated institutions.
The most important legal question is not where the company is incorporated. The real question is what service is provided, to whom it is provided, how it is marketed, how funds and data move, and whether the activity falls within Turkish financial regulation.
Payment services and electronic money may require CBRT authorization or a compliant partnership. Digital banking and BaaS models may require BRSA analysis. Crypto asset services directed at Turkish residents may trigger CMB regulation. Personal data transfers abroad must comply with the amended KVKK Article 9 framework. AML, consumer protection, cybersecurity, tax, and contract law must also be considered.
A successful cross-border fintech strategy for Turkey should be legally structured before launch. Foreign platforms that build compliance into their market-entry plan will be better positioned to obtain partnerships, protect customers, satisfy regulators, avoid enforcement risk, and grow sustainably in Turkey’s fintech market.
Yanıt yok