Crypto Custody Services in Turkey: Legal Responsibility, Investor Protection, and Compliance


Introduction

Crypto custody services have become one of the most important legal issues in Turkey’s digital asset market. As crypto asset trading platforms, wallet providers, investors, institutional clients, family offices, fintech companies, and foreign exchanges enter the Turkish market, the question of who safely holds crypto assets and private keys has become legally critical.

In traditional finance, custody usually means safekeeping securities, cash, or financial instruments through regulated institutions. In crypto markets, custody is more complex. A crypto custodian may control private keys, manage wallet infrastructure, execute transfer orders, segregate client assets, reconcile blockchain balances, protect cold wallets, operate hot wallets, and respond to cyber incidents. If custody fails, crypto assets may be irreversibly lost, stolen, transferred, frozen, or misappropriated.

Turkey has moved from a relatively limited crypto regulatory environment to a more structured framework. Law No. 7518 amended the Capital Markets Law and brought crypto asset service providers under the supervision of the Capital Markets Board of Türkiye, known as the CMB or SPK. The CMB later published Communiqué No. III-35/B.1 on the establishment and operation of crypto asset service providers and Communiqué No. III-35/B.2 on operating procedures, activities, and capital adequacy. The CMB’s official materials identify these communiqués as part of the legal framework for crypto asset service providers.

This article explains crypto custody services in Turkey, including licensing, legal responsibility, investor protection, private key management, custody agreements, client asset segregation, cybersecurity, AML/KYC obligations, data protection, operational risk, and dispute liability.


1. What Is Crypto Custody?

Crypto custody refers to the safekeeping, storage, administration, or control of crypto assets or the private keys that allow those assets to be transferred. In a non-custodial model, the user controls their own private keys. In a custodial model, a platform, wallet provider, exchange, bank, or custody institution holds or controls the keys or technical infrastructure necessary to move the assets.

Crypto custody may include:

Cold wallet storage
Hot wallet operations
Private key generation
Private key storage
Multi-signature approval systems
Transfer order execution
Wallet address management
Client asset reconciliation
Blockchain transaction monitoring
Custody recordkeeping
Institutional custody reporting
Recovery and business continuity procedures
Segregation of client and platform assets

The legal importance of custody comes from control. A platform that merely provides software may not have custody. However, if it controls private keys, approves withdrawals, stores client assets, signs transactions, or manages wallets on behalf of customers, it may be providing regulated custody services.


2. Why Crypto Custody Is Legally Sensitive

Crypto custody is legally sensitive because crypto assets can be transferred quickly, globally, and often irreversibly. If a custodian’s private keys are compromised, assets may disappear within minutes. If internal controls are weak, employees may approve unauthorized withdrawals. If client assets are mixed with platform assets, insolvency or enforcement disputes may arise. If records are inaccurate, investors may not be able to prove ownership.

Custody risk may arise from:

Private key theft
Hot wallet compromise
Insider fraud
Poor wallet segregation
Misleading ownership records
Cybersecurity failure
Incorrect transfer execution
Failure to process withdrawal requests
Loss of seed phrases or key shards
Inadequate disaster recovery
Lack of independent reconciliation
Unclear custody terms
Insolvency of the platform
AML-related account freezes
Regulatory suspension

Because of these risks, crypto custody should not be treated as a simple technology service. In Turkey, it is now part of the regulated crypto asset services framework.


3. Main Legal Framework for Crypto Custody in Turkey

The Turkish crypto custody framework is mainly based on the Capital Markets Law as amended by Law No. 7518, CMB secondary legislation, MASAK anti-money laundering rules, KVKK personal data protection rules, and cybersecurity requirements.

The Capital Markets Law now contains provisions on crypto asset service providers, transfer of crypto assets, and custody of crypto assets. The CMB’s official English version of the Capital Markets Law includes Article 35/C on principles regarding activities of crypto asset service providers and transfer and custody of crypto assets.

The CMB’s Communiqué No. III-35/B.1 regulates the establishment and operation of crypto asset service providers, while Communiqué No. III-35/B.2 regulates activities, services, custody principles, settlement, and capital adequacy. These communiqués are central for platforms and crypto asset custody institutions operating in Turkey.

Crypto custody is also affected by the CBRT’s Regulation on the Disuse of Crypto Assets in Payments. This regulation prohibits the direct or indirect use of crypto assets in payments and also restricts payment service providers from developing business models using crypto assets in payment services or electronic money issuance.


4. Who Can Provide Crypto Custody Services in Turkey?

Crypto custody services in Turkey are not ordinary commercial services. They require regulatory analysis and, where applicable, authorization from the CMB. Current guidance on Turkey’s crypto framework states that crypto asset service providers offering custody services must obtain a license from the CMB.

The CMB framework recognizes crypto asset trading platforms and crypto asset custody institutions. According to the English translation of the CMB’s official Communiqué No. III-35/B.1, institutions intending to offer crypto asset custody services must include the phrase “crypto asset depository institution” in their trade name.

In practice, custody may be provided by authorized crypto asset custody institutions and, in certain structures, banks that meet the regulatory requirements. Legal summaries of the 2025 rules state that only authorized custody institutions and banks may provide custody services, and that safeguarding client crypto assets is a central regulatory priority.

This means a crypto trading platform cannot automatically provide custody merely because it operates an exchange. Its custody model, authorization scope, infrastructure, internal controls, and agreements must comply with CMB rules.


5. Licensing and Authorization Requirements

Crypto custody providers must carefully determine whether they need establishment permission, operating permission, authorization certificates, or other CMB approvals. The CMB’s 2025 communiqués introduced a structured licensing regime for crypto asset service providers.

A custody provider should assess:

Whether it stores or controls customer crypto assets
Whether it manages private keys
Whether it executes transfer orders
Whether it provides wallet infrastructure
Whether it acts for retail or institutional clients
Whether it provides custody for a trading platform
Whether it is a bank offering custody-related services
Whether it uses outsourced technology
Whether customer assets are held on-chain, off-chain, or through omnibus wallets

Operating custody services without proper authorization may create administrative, civil, contractual, and potentially criminal exposure. It may also prevent the provider from maintaining banking relationships, attracting institutional clients, or passing investor due diligence.


6. Capital and Financial Strength Requirements

Crypto custody institutions must have sufficient financial strength. Legal summaries of the CMB’s 2025 framework state that crypto asset trading platforms must have minimum share capital of TRY 150 million, while crypto asset custody institutions must have minimum share capital of TRY 500 million. Custody institutions holding more than TRY 1 billion in client assets may also face additional equity requirements calculated by reference to client assets above that threshold.

These capital requirements reflect the high-risk nature of custody. A custodian may hold assets with substantial value and may be exposed to operational, cybersecurity, legal, and market risks. Capital does not replace technical security, but it shows that crypto custody is expected to be performed by financially serious institutions, not lightly capitalized technology startups.

For investors and institutional clients, the financial capacity of the custodian should be reviewed together with insurance coverage, governance, audit reports, custody architecture, and regulatory standing.


7. Custody of Private Keys

The most important technical issue in crypto custody is private key control. A private key is the cryptographic credential that allows a crypto asset to be moved. Whoever controls the private key may effectively control the asset. Therefore, custody law must be understood together with cryptographic control.

A legally sound custody system should address:

How private keys are generated
Whether keys are stored in cold or hot wallets
Whether hardware security modules are used
Whether multi-signature approval is required
Whether key shards are geographically separated
Who can approve transfers
How emergency access works
How lost keys are handled
How compromised keys are rotated
How internal access is logged
How withdrawal approvals are documented

A custody agreement should not simply state that the custodian “keeps assets safe.” It should explain the custody model in commercially understandable language while protecting security-sensitive details.


8. Cold Wallets, Hot Wallets, and Operational Risk

Crypto custodians usually use a combination of cold wallets and hot wallets. Cold wallets are kept offline or highly restricted, while hot wallets are connected to operational systems for faster withdrawals and transfers. Each model has advantages and risks.

Cold wallets reduce hacking exposure but may slow withdrawals. Hot wallets improve liquidity and customer experience but increase cyber risk. A professional custodian must balance speed, liquidity, operational continuity, and security.

A custody policy should define:

Maximum hot wallet limits
Cold wallet replenishment rules
Approval levels for withdrawals
Emergency suspension procedures
Daily reconciliation
Internal transfer approvals
Incident escalation
Withdrawal delay rules
Client notification principles
Business continuity measures

The custodian’s legal responsibility may depend on whether these procedures existed, whether they were followed, and whether they were proportionate to the risk.


9. Segregation of Client Assets

Investor protection requires clear segregation between client assets and the custodian’s own assets. If customer assets are mixed with platform assets, legal disputes may arise in insolvency, enforcement, fraud, regulatory intervention, or internal accounting failure.

Segregation should exist at both legal and operational levels. The custodian’s records should clearly identify which assets belong to which client. Wallet architecture should support separation or reliable client-level accounting. Reconciliation should compare on-chain balances, internal ledgers, platform records, and custody reports.

Client asset segregation should be addressed in:

Custody agreements
Internal accounting policies
Wallet architecture
Daily reconciliation reports
Audit procedures
Insolvency planning
Client reporting
Regulatory reporting
Access controls
Transfer approval systems

A custodian that cannot prove client asset ownership records may face serious liability.


10. Integration, Reporting, and Recordkeeping

Crypto custody institutions must maintain accurate and auditable records. Legal summaries of the 2025 framework state that platforms and custody institutions must integrate their records with the Central Securities Depository system and submit requested reports.

Recordkeeping is essential because crypto disputes are evidence-heavy. The custodian should be able to prove:

Who opened the account
Which KYC documents were obtained
Which wallet addresses were assigned
Which assets were deposited
Which transfer orders were received
Which approvals were given
Which blockchain transaction IDs correspond to withdrawals
Which internal controls were applied
Which alerts were generated
Which customer notices were sent
Which assets remain under custody

A custody provider should maintain records in a way that can be used in regulatory audits, customer disputes, criminal investigations, insolvency proceedings, and civil litigation.


11. Custody Agreements

A crypto custody agreement is one of the most important documents in the legal structure. It should define the rights and obligations of the custodian and the client with precision.

A proper custody agreement should address:

Identity and regulatory status of the custodian
Scope of custody services
Supported crypto assets
Wallet model
Private key control
Deposit and withdrawal procedures
Transfer approval rules
Fees and commissions
Client asset segregation
Reconciliation and reporting
Cybersecurity obligations
AML/KYC obligations
Account freezing or restriction
Forks, airdrops, staking, and protocol changes
Loss events and liability
Insurance, if any
Force majeure and cyber incidents
Termination and asset return
Complaint procedures
Governing law and dispute resolution

Institutional custody agreements may require additional clauses on service levels, audit rights, insurance, liability caps, reporting frequency, operational due diligence, and regulatory cooperation.


12. Investor Protection

Investor protection is the core policy reason behind crypto custody regulation. Investors may not understand whether their assets are held in an omnibus wallet, segregated wallet, exchange-controlled wallet, third-party custodian wallet, or self-custody address. They may also not understand who bears the risk of cyber theft, wrong transfer, insolvency, or protocol failure.

A custody provider should clearly disclose:

Who holds the private keys
Whether assets are segregated
Whether assets are held on-chain
Whether assets are lent, pledged, or reused
Whether staking is offered
Whether assets are insured
What happens in insolvency
What withdrawal restrictions may apply
What risks exist for each supported asset
How complaints are handled

Investor protection also requires avoiding misleading marketing. A custodian should not state that crypto assets are “guaranteed,” “risk-free,” “bank-deposit equivalent,” or “state-protected” unless there is a clear legal basis.


13. Cybersecurity and Custodian Liability

Cybersecurity is central to crypto custody liability. A custodian may face claims if assets are lost because of poor security, weak access controls, insider abuse, phishing, unpatched vulnerabilities, compromised admin accounts, or inadequate incident response.

A crypto custodian should implement:

Multi-factor authentication
Privileged access management
Multi-signature transfer controls
Cold wallet procedures
Hot wallet limits
Penetration testing
Security monitoring
Insider risk controls
Separation of duties
Secure software development
Incident response plans
Disaster recovery plans
Independent security audits
Vendor security review
Employee training
Tamper-resistant logs

Legal updates on CMB information technology rules for crypto asset service providers state that information systems requirements include resilience, domestic primary and secondary systems, and internal audits by persons holding information systems independent audit licenses within transition periods.

In a dispute, the question will often be whether the custodian applied reasonable and sector-appropriate security measures before the incident occurred.


14. AML, KYC, and Travel Rule Compliance

Crypto custody services are exposed to money laundering, terrorist financing, sanctions evasion, fraud proceeds, ransomware, illegal betting proceeds, and high-risk cross-border transfers. Custodians must therefore maintain strong AML and KYC procedures.

MASAK’s Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism requires suspicious transactions to be reported to MASAK within ten working days from the date suspicion occurred.

For crypto custody, AML/KYC controls should include:

Customer identification
Beneficial ownership checks
Sanctions screening
Politically exposed person screening
Wallet address screening
Blockchain analytics
Travel Rule data collection
Source of funds review
Source of wealth review for high-risk clients
Suspicious transaction escalation
Record retention
Withdrawal monitoring
Stablecoin risk controls

Turkey has also increased scrutiny over crypto transfers. Reuters reported in June 2025 that Turkish authorities were preparing measures including waiting periods for crypto withdrawals where Travel Rule information is not applied and stablecoin transfer caps of USD 3,000 daily and USD 50,000 monthly.


15. Data Protection and KVKK

Crypto custody providers process significant personal data. This may include identity documents, address information, biometric onboarding data, device information, IP logs, wallet addresses, transaction histories, risk scores, sanctions screening results, and suspicious activity records.

Under Law No. 6698 on the Protection of Personal Data, personal data must be processed lawfully, securely, transparently, and proportionately. The law’s official text states that it aims to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing.

A custody provider should prepare:

Privacy notices
Data processing inventory
Lawful basis analysis
Explicit consent mechanisms where required
Cross-border transfer assessment
Data processing agreements
Retention and deletion policies
Access control rules
Breach response procedures
Customer rights procedures
Vendor due diligence

Crypto custody data is especially sensitive because wallet data and identity data together may expose customers to phishing, extortion, account takeover, and targeted theft.


16. Outsourcing and Technology Providers

Crypto custody often depends on technology vendors. A custodian may use cloud providers, wallet infrastructure vendors, blockchain analytics tools, KYC providers, cybersecurity vendors, call centers, software developers, and data storage services.

However, outsourcing does not remove legal responsibility. A custody institution remains responsible for ensuring that outsourced services comply with regulatory, contractual, cybersecurity, and data protection standards.

Vendor contracts should include:

Scope of services
Security obligations
Confidentiality
Audit rights
Subcontracting restrictions
Incident notification
Data protection clauses
Regulatory cooperation
Business continuity
Data return and deletion
Service levels
Liability and indemnity
Termination assistance

A custodian should not outsource core regulatory judgment, internal control, or risk management functions in a way that undermines supervision or investor protection.


17. Staking, Lending, Airdrops, and Forks

Crypto custody becomes more complex when assets generate rewards or are affected by protocol events. Investors may ask whether custodians support staking, airdrops, forks, governance voting, token migrations, or protocol upgrades.

These issues should be addressed clearly in the custody agreement. The agreement should state:

Whether staking is supported
Who receives staking rewards
Whether the custodian may delegate assets
Whether assets may be lent or pledged
How forks are handled
Whether airdrops are supported
How token migrations are processed
Who bears protocol risk
Whether additional fees apply

If the agreement is silent, disputes may arise when a token fork occurs or when an airdrop is not credited to the client. Custodians should avoid discretionary and unclear practices.


18. Account Freezing and Withdrawal Restrictions

Custodians may need to freeze accounts or delay withdrawals for AML, sanctions, court orders, regulatory instructions, cybersecurity incidents, technical failures, or suspicious activity. These restrictions may lead to investor disputes.

The custodian should maintain internal procedures for:

Triggering account restrictions
Documenting the legal basis
Escalating to compliance or legal teams
Avoiding disclosure of suspicious transaction reports
Communicating with customers lawfully
Reviewing restrictions periodically
Preserving evidence
Executing court or regulatory orders
Releasing assets when restrictions end

Investors should understand that crypto custody does not always guarantee instant withdrawal. Withdrawal timing may depend on AML review, blockchain congestion, wallet liquidity, security controls, and regulatory restrictions.


19. Liability in Crypto Custody Disputes

Crypto custody disputes may involve several legal theories, including breach of contract, negligence, consumer protection, capital markets regulation, data protection, unjust enrichment, tort liability, and criminal complaints in serious cases.

Common disputes include:

Unauthorized withdrawals
Wrong wallet address transfers
Loss of private keys
Failure to process withdrawal requests
Cyber theft
Insider fraud
Misleading custody disclosures
Failure to segregate client assets
Inaccurate account balances
Failure to credit forks or airdrops
AML-related freezes
Data breaches
Custodian insolvency
Platform-custodian responsibility conflicts

Liability often depends on evidence. Custodians should preserve logs, transfer approvals, blockchain transaction IDs, wallet records, customer instructions, compliance decisions, security alerts, and incident reports.

For investors, the most important evidence includes account statements, screenshots, correspondence, wallet addresses, transaction hashes, support tickets, and contractual documents.


20. Compliance Checklist for Crypto Custody Providers in Turkey

A crypto custody provider in Turkey should consider the following checklist:

Determine whether CMB authorization is required.
Confirm whether the institution may legally provide custody services.
Review capital and equity requirements.
Establish internal audit, internal control, and risk management units.
Prepare custody policies and procedures.
Design private key management controls.
Separate hot wallet and cold wallet operations.
Implement multi-signature approval systems.
Segregate client assets from platform assets.
Maintain accurate client-level records.
Prepare custody agreements.
Define withdrawal and transfer rules.
Establish AML/KYC and Travel Rule procedures.
Implement blockchain analytics and wallet screening.
Prepare KVKK privacy documentation.
Review cross-border data transfers.
Conduct cybersecurity audits.
Prepare incident response procedures.
Review vendor contracts.
Clarify rules on staking, airdrops, forks, and protocol events.
Create account freeze and complaint procedures.
Monitor CMB, MASAK, KVKK, CBRT, and tax developments.

This checklist should be adapted to the exact model. A bank custody model, exchange custody model, institutional cold storage provider, hosted wallet provider, and third-party custody institution will not have identical obligations.


Why Legal Support Is Important

Crypto custody law combines capital markets regulation, technology law, cybersecurity, AML, data protection, contract law, investor protection, and dispute resolution. A custody provider must build a legally defensible structure before holding customer assets.

A crypto lawyer can assist with:

CMB licensing analysis
Custody service classification
Custody agreement drafting
Private key risk allocation
Investor disclosure documents
AML/KYC policy design
MASAK compliance
KVKK compliance
Cybersecurity legal review
Vendor contract drafting
Institutional client agreements
Account freeze procedures
Regulatory correspondence
Administrative sanction defense
Crypto custody litigation

Legal support is especially important before launch. Once a custodian already holds client assets, restructuring the custody model may create operational, regulatory, and customer communication challenges.


Conclusion

Crypto custody services in Turkey are now part of a regulated and rapidly developing legal framework. Custody is not merely a technical wallet function. It involves control of client assets, private key management, investor protection, cybersecurity, AML compliance, data protection, and contractual liability.

The most important legal issue is control. If a company controls private keys, stores crypto assets, executes transfer orders, or manages wallets on behalf of customers, it may be providing regulated custody services. In Turkey, such activity must be assessed under the CMB’s crypto asset service provider framework.

Investor protection requires strong custody agreements, clear disclosures, asset segregation, accurate records, reliable reconciliation, cybersecurity controls, AML monitoring, and lawful account restriction procedures. Custodians must also comply with KVKK rules, MASAK obligations, and restrictions on the use of crypto assets in payments.

Turkey’s crypto custody market offers significant opportunities for exchanges, banks, fintech companies, institutional custodians, and infrastructure providers. However, the sector is high-risk and highly regulated. Companies that build custody services with strong legal, technical, and compliance foundations will be better positioned to gain investor trust, satisfy regulators, protect assets, and grow sustainably.
