Introduction
Fintech companies in Turkey operate in a highly regulated environment where business growth, investor exit, insolvency risk, and customer protection are legally connected. A fintech platform may appear to be a technology company from the outside, but under Turkish law its activities may involve payment services, electronic money issuance, crypto asset services, data processing, anti-money laundering obligations, consumer protection duties, outsourced technology infrastructure, and custody-like responsibilities over customer assets.
For this reason, exit planning for a fintech company in Turkey is not limited to selling shares, transferring a customer portfolio, shutting down a mobile application, or announcing the end of operations. A proper exit or wind-down process must protect user funds, preserve customer data lawfully, comply with regulatory notification obligations, manage operational continuity, prevent unauthorized use of client assets, and minimize personal liability risks for directors and shareholders.
This is particularly important for payment institutions and electronic money institutions regulated under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. Law No. 6493 applies to payment systems, payment services, payment institutions, and electronic money institutions in Turkey, making it one of the central legal sources for regulated fintech businesses.
Why Wind-Down Planning Matters for Fintech Companies in Turkey
A fintech company may need a wind-down plan for several reasons: failure to raise investment, loss of a major banking partner, regulatory investigation, cyber incident, negative audit findings, insolvency, merger, acquisition, license surrender, or strategic market exit. In each case, the key legal question is not merely whether the company can stop operating, but how it can stop operating without damaging customers, breaching regulatory duties, or exposing management to claims.
Unlike ordinary software companies, fintech companies frequently hold or process assets and information belonging to users. These may include customer balances, electronic money, payment transaction data, identity documents, IBAN information, card-related data, wallet records, device identifiers, IP logs, AML/KYC files, risk scores, customer complaints, chargeback files, and suspicious transaction review records. Therefore, an uncontrolled shutdown may create serious legal exposure even if the company has no intention to harm customers.
A proper wind-down plan should be prepared before financial distress becomes irreversible. In practice, the most dangerous scenario is not bankruptcy itself, but a late and disorderly reaction: customer withdrawals are delayed, bank accounts are frozen, data access is lost, outsourcing providers terminate services, regulatory reports are missed, and management cannot demonstrate where customer funds are held. A Turkish fintech lawyer should therefore treat wind-down planning as a governance, regulatory, insolvency, and data protection project at the same time.
Main Exit Scenarios for Fintech Companies in Turkey
Fintech exit planning usually falls into five categories.
The first scenario is a share sale or investor exit. In this structure, the company continues operating, but shareholders change. For regulated fintech companies, the buyer will normally conduct enhanced legal due diligence on licensing, customer funds, AML compliance, information systems, customer complaints, outsourcing contracts, data protection, and regulatory correspondence. If the company is a payment or electronic money institution, changes in ownership and control may also trigger regulatory approval or notification requirements depending on the structure.
The second scenario is an asset sale. This may involve the transfer of software, brand, customer contracts, merchant agreements, IP rights, databases, and operational assets. This structure is more sensitive from a data protection perspective because customer data cannot be treated as a freely transferable commercial asset. Any transfer of customer data must have a lawful basis, must be consistent with the original privacy notices, and must be limited to what is necessary for the relevant transaction.
The third scenario is a merger or restructuring. A fintech company may merge with another group company, combine with a licensed entity, or restructure its technology and regulated activities. This requires careful separation between regulated activities and unregulated technology services.
The fourth scenario is voluntary liquidation. The company decides to cease operations, settle liabilities, return user funds, terminate customer relationships, and close its corporate existence. In a regulated fintech business, voluntary liquidation must be aligned with customer protection and regulatory expectations.
The fifth scenario is insolvency or compulsory liquidation. This is the most sensitive scenario because customer claims, regulatory claims, employee claims, tax claims, bank claims, vendor claims, and shareholder expectations may conflict. For fintech companies, the protection of user funds and customer data must remain the central priority.
Protection of User Funds Under Turkish Fintech Law
The protection of user funds is the most critical legal issue in the wind-down of payment institutions and electronic money institutions in Turkey. Law No. 6493 expressly regulates safeguarding of funds and collateral. Article 22 provides that funds received by payment institutions for the execution of payment services and funds collected by electronic money institutions in exchange for issuing electronic money must be safeguarded under procedures and principles determined by regulation.
The same article is especially important in liquidation scenarios. It provides that funds received by payment and electronic money institutions, and the accounts in which those funds are held, shall be used to compensate fund holders and fulfil liabilities arising from Law No. 6493 regardless of priorities under other laws in the event of voluntary or compulsory liquidation or cancellation of the operating permission. This means that customer fund protection has a special statutory function in a wind-down process.
In practical terms, this requires fintech companies to separate customer funds from their own operational money. Customer funds should not be used to pay salaries, vendors, tax debts, shareholder loans, marketing expenses, office rent, or group company debts. Any commingling of customer funds with the company’s own assets may create civil, regulatory, and potentially criminal risk.
Industry guidance published by the Payment and Electronic Money Institutions Association of Turkey explains that funds collected for payment services and electronic money issuance must be protected under regulatory procedures, and that payment and electronic money institutions operate with a CBRT license. It also notes that these institutions are subject to CBRT supervision and MASAK audits.
Safeguarding Accounts, Reconciliation, and Daily Control
A fintech company preparing for exit or wind-down must be able to answer three questions immediately: how much customer money is owed, where that money is held, and whether the records reconcile with bank statements.
For payment institutions, redemption funds must be followed separately from other funds and may only be used for payment transactions. If the payment has not been made by the end of the business day following receipt, the unpaid redemption funds must be deposited into preservation accounts opened before banks within the scope of Banking Law No. 5411. The institution must keep records in a way that allows customer-level tracking and must reconcile its own records with bank statements daily.
For electronic money institutions, funds received in exchange for electronic money must be transferred to electronic money preservation accounts, and the end-of-day balance of the electronic money preservation account is blocked before the Central Bank by the bank holding the account. The electronic money institution must follow these funds separately from all other funds and cannot use them for another purpose.
This daily reconciliation duty becomes even more important during financial distress. If a fintech company delays reconciliation until after insolvency symptoms appear, it may become impossible to prove which funds belong to which users. That failure may damage customers, prevent a clean liquidation, reduce buyer confidence in an M&A transaction, and expose directors to allegations of mismanagement.
Customer Refunds and Redemption During Wind-Down
A wind-down plan should include a detailed refund and redemption process. Customers must be informed about the closure timeline, withdrawal methods, identity verification requirements, complaint channels, unresolved transaction disputes, and any deadline for claiming balances. However, communications must be drafted carefully. A fintech company should not mislead customers by suggesting that funds are available if operational or banking restrictions prevent immediate redemption.
The refund process should include at least the following stages: customer balance calculation, reconciliation with safeguarding accounts, fraud and AML screening, confirmation of customer identity, return to verified accounts, exception management for deceased customers or closed bank accounts, complaint handling, and final reporting.
Where funds are blocked, disputed, subject to suspicious transaction review, or connected to fraud claims, the company should document the legal basis for withholding or delaying payment. The aim is not only to return funds but to create a defensible legal record showing that the company acted fairly, transparently, and in compliance with applicable laws.
Customer Data Protection During Exit and Insolvency
Customer data is the second major legal risk in fintech wind-down planning. Turkish Personal Data Protection Law No. 6698 applies to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or as part of a data filing system. The law defines personal data broadly as any information relating to an identified or identifiable natural person.
Fintech companies typically process large volumes of sensitive operational data. Even where the data is not “special category” personal data, it may still be highly sensitive from a financial privacy perspective. Identity documents, financial transaction history, customer risk scores, device information, fraud flags, sanctions screening results, and complaint records must be handled with strict access controls.
Under Article 4 of Law No. 6698, personal data processing must comply with principles such as lawfulness and fairness, accuracy, specified and legitimate purposes, proportionality, and storage only for the period required by legislation or processing purposes. These principles become directly relevant in exit transactions. A seller cannot simply transfer an entire customer database to a buyer “because it has commercial value.” The transfer must be legally justified, necessary, transparent, and limited.
Information Notices, Customer Rights, and Data Security
A fintech company undergoing exit or wind-down should review its privacy notices before any customer migration, asset transfer, outsourcing change, or data room disclosure. Under Article 10 of Law No. 6698, data controllers must inform data subjects about the identity of the controller, purposes of processing, recipients of transferred data, method and legal basis of collection, and data subject rights.
Customers also have rights under Article 11, including the right to learn whether their personal data is processed, request information, learn the purpose of processing, know third-party recipients, request rectification, request erasure or destruction under applicable conditions, and claim compensation for unlawful processing.
Data security remains mandatory during wind-down. Article 12 requires data controllers to take necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. It also states that where processing is carried out by another person on behalf of the controller, the controller remains jointly responsible for these measures.
This matters because distressed fintech companies often reduce staff, terminate vendors, or lose internal IT capacity. A company may be closing, but its data security obligations continue. Weakening access controls, failing to revoke employee credentials, leaving cloud storage unmanaged, or transferring customer files through unsecured channels may create serious KVKK exposure.
Cross-Border Data Transfers in Fintech Exits
Many Turkish fintech companies use foreign cloud providers, analytics tools, fraud prevention vendors, identity verification providers, group company infrastructure, or overseas investors’ data rooms. Therefore, cross-border data transfer analysis is essential in exit planning.
Article 9 of Law No. 6698 was amended in 2024. Under the amended rule, personal data may be transferred abroad if one of the processing conditions in Articles 5 or 6 is met and there is an adequacy decision for the relevant country, sector, or international organization. In the absence of an adequacy decision, transfer may be possible with appropriate safeguards, including binding corporate rules, standard contracts published by the Board, or written undertakings approved by the Board.
Where standard contracts are used, the contract must be notified to the Personal Data Protection Authority within five business days following signature. This is particularly relevant for M&A due diligence, migration to a foreign buyer’s systems, international cloud storage, and group-level restructuring.
Record Retention and Access to Transaction History
Fintech companies should not confuse data minimization with premature destruction of legally required records. Law No. 6493 requires system operators, payment institutions, and electronic money institutions to keep all documents and records relating to matters within the scope of the law for at least ten years in Turkey, in a secure and accessible manner.
Therefore, a wind-down plan must include a record retention matrix. Certain customer data may need to be erased, destroyed, or anonymized when processing reasons cease to exist, but transaction records, regulatory records, accounting documents, AML files, dispute records, and audit materials may need to be retained for statutory periods. The legal team should separate “data no longer needed” from “data that must be retained due to legal obligation, dispute defense, accounting, AML, or regulatory audit.”
AML and Suspicious Transaction Risks During Wind-Down
Financial distress may increase AML risk. Customers may attempt unusual withdrawals, fraudsters may exploit operational weakness, insiders may try to move funds, or suspicious transactions may be overlooked because compliance staff has been reduced. This is why fintech wind-down planning must include AML continuity.
Payment and electronic money institutions are subject to MASAK-related compliance expectations, and suspicious transaction reporting is a key element of the Turkish AML framework. MASAK guidance states that suspicious transaction reports are conveyed through compliance officers.
During wind-down, the company should preserve its compliance function until the final customer balance is returned and regulatory closure steps are completed. Management should avoid any instruction that could be interpreted as prioritizing speed of exit over AML controls.
Crypto Asset Service Providers and Customer Asset Protection
Crypto-related fintech companies in Turkey face additional issues. Law No. 7518 introduced a legal framework for crypto asset service providers by amending the Capital Markets Law and bringing crypto asset service providers under the authority of the Capital Markets Board. The new framework covers definitions such as crypto assets, platforms, crypto asset custody services, and service providers.
For crypto platforms, exit planning must address custody, private keys, customer wallets, transfer rights, cybersecurity, asset reconciliation, blockchain transaction records, fiat balances, and customer notifications. CMB materials and secondary regulations emphasize custody and separation of customer crypto assets from platform assets, including rules on wallets and custody structures.
A crypto platform’s wind-down plan should be technically executable. It is not enough to state that customers may withdraw assets. The platform must ensure wallet access, network fee planning, private key control, cold wallet governance, multi-signature authority, customer identity verification, fraud review, and support for users who cannot access accounts. If the platform loses technical control over wallets, legal compliance may become practically impossible.
Insolvency Duties of Directors and Management
Directors of fintech companies should be especially careful when insolvency symptoms appear. Warning signs include inability to meet customer withdrawal requests, mismatch between customer balances and safeguarding accounts, unpaid tax or social security debts, loss of key banking partner, negative equity, unpaid vendors providing critical infrastructure, regulatory warnings, and unresolved audit findings.
Once distress appears, management should avoid preferential treatment, insider payments, undocumented transfers to shareholders, use of customer funds for corporate expenses, and misleading public statements. Board minutes should clearly record financial status, customer fund reconciliation, regulatory steps, professional advice received, and reasons for each material decision.
Directors should also ensure that the company does not continue accepting new customers or new funds if it cannot perform its obligations. Continuing operations while knowing that the company cannot safely execute transactions may create significant liability risk.
Practical Wind-Down Checklist for Turkish Fintech Companies
A strong wind-down plan should include the following legal and operational components.
First, the board should adopt a formal wind-down decision and appoint a responsible committee. The decision should identify the reason for exit, the expected timeline, the regulated activities affected, and the protection measures for customers.
Second, the company should prepare a full customer funds reconciliation. This should compare ledger balances, safeguarding accounts, bank statements, electronic money in circulation, pending transactions, disputed amounts, chargebacks, blocked amounts, and fees.
Third, the company should stop risky new activity. Depending on the situation, this may include suspending new customer onboarding, limiting new deposits, disabling certain payment functions, or restricting high-risk transactions.
Fourth, regulators and key stakeholders should be handled carefully. Depending on the license and activity, this may involve the CBRT, CMB, MASAK, TÖDEB, banks, auditors, payment scheme partners, and outsourcing providers.
Fifth, customer communications should be clear and legally reviewed. Messages should explain what is happening, what customers must do, how funds will be returned, how data will be processed, how complaints can be submitted, and where official updates will be published.
Sixth, customer data must be mapped. The company should identify which data will be retained, deleted, anonymized, transferred, archived, or disclosed in due diligence. Access rights should be limited to essential personnel.
Seventh, outsourcing contracts must be reviewed. Critical providers should not be terminated before data export, record retention, security transition, and customer refund operations are completed.
Eighth, disputes and complaints must remain manageable. Closing a fintech company does not eliminate customer claims. Complaint channels should remain active for a reasonable period and records should be preserved.
Ninth, final reports should be prepared. These may include customer funds reconciliation reports, data deletion reports, vendor termination reports, AML closure files, regulatory correspondence files, and board decision files.
M&A Due Diligence: What Buyers Should Check
For investors or buyers acquiring a Turkish fintech company, due diligence should focus on customer protection risks. The buyer should verify whether all customer funds are properly segregated, whether safeguarding accounts reconcile with ledger balances, whether customer complaints reveal systemic issues, whether there are unresolved regulatory notices, and whether the company has used customer funds for operational needs.
Data protection due diligence is equally important. The buyer should examine privacy notices, explicit consent records, data processing inventory, VERBIS status where applicable, cross-border transfer mechanisms, vendor agreements, breach history, data subject requests, and retention policies.
A buyer should also review whether the target’s technology systems can produce reliable customer-level records. In fintech M&A, inaccurate data is not merely a commercial defect; it may become a regulatory and customer liability problem.
Customer Communication Strategy During Shutdown
A fintech shutdown can trigger panic if communication is unclear. Customers may fear losing money or data. Therefore, communication should be transparent, consistent, and legally controlled.
The company should avoid vague phrases such as “temporary maintenance” if the real issue is wind-down. It should also avoid making promises that depend on bank approvals, regulatory permissions, or unresolved reconciliation. A good customer notice should explain the legal entity involved, affected services, refund method, data handling, complaint channel, timeline, and fraud warnings.
The company should also monitor impersonation risk. During fintech closures, fraudsters may contact customers pretending to help recover balances. Customer notices should warn users not to share passwords, SMS codes, private keys, or card information.
Conclusion
Exit, insolvency, and wind-down planning for fintech companies in Turkey requires more than corporate liquidation documents. It requires a coordinated legal strategy covering regulatory permissions, user fund safeguarding, customer refunds, data protection, AML continuity, record retention, outsourcing, customer communications, and director liability.
The central principle is simple: a fintech company may exit the market, but it cannot exit its obligations to users. Customer funds must remain protected, customer data must remain secure, and management must be able to prove that every step of the process was lawful, documented, and proportionate.
For payment institutions, electronic money institutions, crypto asset service providers, and other fintech businesses in Turkey, early wind-down planning is not a sign of failure. It is a core governance tool that protects customers, directors, shareholders, investors, and the integrity of the financial technology ecosystem.
FAQ
Can a fintech company in Turkey simply shut down its platform?
No. A regulated fintech company must consider customer funds, regulatory duties, customer data, transaction records, complaints, AML obligations, and contractual commitments before shutting down operations.
What is the most important issue in fintech insolvency?
The most important issue is the protection and reconciliation of customer funds. Payment and electronic money institutions must ensure that customer funds are separated, safeguarded, traceable, and returned in accordance with applicable law.
Can customer data be transferred to a buyer in a fintech acquisition?
Customer data may be transferred only if there is a lawful basis, proper information notice, compliance with data protection principles, and where necessary, a valid cross-border transfer mechanism. It should not be treated as an ordinary commercial asset.
Should fintech companies prepare a wind-down plan before financial distress?
Yes. A wind-down plan should be prepared while the company is still operational and able to reconcile funds, maintain IT access, communicate with regulators, and protect customer data.
Do data protection obligations continue after liquidation starts?
Yes. Data protection, confidentiality, security, retention, and lawful destruction obligations may continue during and after the operational shutdown, depending on the nature of the data and applicable legal retention periods.
Yanıt yok