Introduction
Digital wallets have become one of the most important products in the fintech market. Consumers use mobile applications to store payment instruments, hold balances, pay merchants, transfer funds, receive refunds, manage loyalty benefits, access prepaid products, and sometimes connect bank accounts or cards through a single interface. For businesses, digital wallets create opportunities in e-commerce, marketplaces, subscription services, gaming, transportation, retail, embedded finance, and cross-border fintech models.
However, a digital wallet is not merely a mobile application. In Turkey, a wallet may fall within the scope of payment services law, electronic money regulation, anti-money laundering rules, personal data protection law, cybersecurity obligations, consumer protection legislation, and even crypto asset restrictions depending on its structure. The legal risk depends on how the wallet actually functions: whether it stores payment credentials only, whether it creates a payment account, whether it holds customer funds, whether it issues electronic money, whether it enables peer-to-peer transfers, whether merchants accept the balance, and whether the provider controls fund flows.
The main statute governing payment services and electronic money in Turkey is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. The official English version states that the objective of the law is to regulate payment and securities settlement systems, payment services, payment institutions, and electronic money institutions. The Central Bank of the Republic of Türkiye, known as the CBRT, is the key authority for payment services and electronic money regulation and supervision.
This article explains the legal risks of digital wallets in Turkey, focusing on payment accounts, electronic money, user funds, licensing, safeguarding duties, AML/KYC, KVKK, cybersecurity, consumer disputes, and liability management.
1. What Is a Digital Wallet?
A digital wallet is generally an electronic device, online service, or mobile application that allows users to store payment-related information or value and use it for payment transactions. Some wallets only store card details or payment credentials. Others allow users to load funds, hold balances, make payments, transfer value to other users, or pay merchants.
This distinction is legally critical. A simple wallet that only stores payment instrument information may create different legal consequences from a wallet that receives customer money and converts it into a usable balance. Recent Turkish payment regulations expressly introduced digital wallet services into the payment legislation framework and recognized digital wallets as payment instruments that may be provided by payment service providers.
In practice, digital wallets may include several different models:
A card-storage wallet that allows users to save card details.
A payment instrument wallet that enables payment transactions through stored credentials.
A prepaid wallet that allows users to load funds before spending.
An electronic money wallet where the balance represents e-money issued against received funds.
A marketplace wallet that holds buyer or seller balances.
A closed-loop wallet accepted only by one merchant or a limited network.
An open-loop wallet accepted by multiple merchants.
A wallet connected to bank accounts through open banking.
A crypto-linked wallet, which may raise separate regulatory issues.
Because these models differ legally, every digital wallet project should begin with a regulatory classification analysis.
2. Why Legal Classification Matters
The most common mistake in digital wallet projects is assuming that “wallet” is a single legal category. It is not. The word “wallet” may describe many different business models. Turkish law focuses on the actual function of the product, not the marketing name.
The core questions are:
Does the provider receive customer funds?
Does the wallet create a balance?
Is the balance monetary value?
Can the balance be used for payment transactions?
Can the balance be transferred to another user?
Can merchants accept the balance?
Does the provider operate payment accounts?
Does the provider issue electronic money?
Does the provider merely store card or payment instrument information?
Does a licensed bank, payment institution, or electronic money institution provide the underlying regulated service?
If the wallet allows users to load money, hold value, and spend it with third parties, the model may involve electronic money issuance. If the wallet allows payment initiation, fund transfer, merchant payment, or operation of payment accounts, payment services law may apply. If the wallet is merely a technical interface, licensing risk may be lower, but only if the provider does not control funds or perform regulated payment functions.
Legal classification affects licensing, contracts, AML, customer disclosures, fund protection, data processing, cybersecurity, accounting, tax, and liability.
3. Digital Wallets and Payment Services Law in Turkey
Law No. 6493 regulates payment services, payment institutions, and electronic money institutions. A digital wallet provider may need authorization if the wallet performs regulated payment services. Payment services may include execution of payment transactions, money remittance, operation of payment accounts, issuance or acceptance of payment instruments, payment initiation services, and account information services.
A wallet may trigger payment services regulation if it:
Enables users to make payments to merchants.
Allows transfers between users.
Receives funds from users for payment purposes.
Stores payment instruments and initiates payment transactions.
Operates payment accounts.
Provides payment initiation services.
Connects to customer bank accounts for account information services.
Supports marketplace settlement between buyers and sellers.
Provides merchant payment collection.
Allows wallet-to-bank or bank-to-wallet transfers.
The CBRT’s payment services framework is activity-based. A provider cannot avoid regulation simply by calling itself a technology platform. If the provider enters the payment flow, controls payment execution, or holds customer funds, licensing obligations may arise. The Turkish payment services regime is therefore central to digital wallet compliance.
4. Digital Wallets as Payment Instruments
Recent amendments introduced digital wallet services into Turkish payment legislation more explicitly. Legal updates explain that digital wallets were recognized as payment instruments and that digital wallet services may be provided by payment service providers subject to specific requirements.
This has an important practical consequence: a company that offers a digital wallet may need to be a licensed payment service provider or electronic money institution depending on the structure of the wallet. If the wallet provider only stores information related to a payment account or payment instrument, one type of authorization analysis may be required. If the wallet directly enables payments or holds monetary value, broader authorization may be needed.
For example, a wallet that stores debit card credentials and redirects the user to the card issuer may have a different risk profile from a wallet that allows users to load Turkish lira, hold a balance, pay merchants, and transfer money to other users. The second model is much more likely to involve payment services and electronic money issues.
A fintech startup should therefore not launch a wallet product before answering this question: Is the wallet only an interface, or is it itself a regulated payment instrument or e-money product?
5. Electronic Money Risk
Electronic money is one of the biggest legal risks for digital wallets. Under Law No. 6493, electronic money generally involves monetary value issued against funds, stored electronically, used for payment transactions, and accepted by persons other than the issuer. The official law also regulates electronic money institutions as part of the Turkish payment services framework.
A wallet may involve electronic money where:
The user loads funds into the wallet.
The provider credits the user with a digital balance.
The balance represents monetary value.
The user can use that balance for payments.
The balance is accepted by third-party merchants.
The balance can be transferred to other users.
The user can redeem or withdraw the balance.
The provider holds funds received from users.
If these elements exist, the wallet provider may need authorization as an electronic money institution or may need to cooperate with a licensed institution. Electronic money regulation is not optional; it is designed to protect users whose money is converted into electronically stored value.
A wallet provider must also be careful with terminology. Words such as “balance,” “credit,” “points,” “stored value,” “wallet money,” and “in-app cash” may have legal significance. If the product functions like money and is used for payments, calling it “points” will not necessarily remove it from regulation.
6. Payment Accounts and Wallet Accounts
A digital wallet may also involve payment accounts. A payment account is generally an account used for payment transactions. If a wallet allows users to receive funds, store funds for payment purposes, send money, or make recurring transactions, it may create payment account issues.
The legal risk depends on the nature of the account. A purely technical user profile is not necessarily a payment account. However, if the user profile is linked to funds, payment instructions, transaction history, settlement, and balance management, payment account regulation should be reviewed.
Important questions include:
Can the user receive funds into the wallet?
Can the user send funds from the wallet?
Can the wallet account be used to pay merchants?
Is the wallet account linked to an IBAN or bank account?
Can the wallet hold funds for more than a short settlement period?
Can the user maintain a balance?
Can the account be suspended, frozen, or closed by the provider?
What happens to user funds if the provider becomes insolvent?
Payment accounts create contractual and regulatory obligations. The provider must define the user relationship clearly and maintain accurate records of transactions, balances, fees, refunds, and restrictions.
7. Safeguarding User Funds
User funds are the most sensitive part of digital wallet regulation. If a wallet provider receives customer money, the law expects those funds to be protected against misuse, commingling, operational failure, insolvency risk, and unauthorized transactions.
TÖDEB, the Turkish Payment and Electronic Money Institutions Association, explains that payment institutions and electronic money institutions require an operating license from the CBRT and are subject to CBRT supervision, MASAK liability audits, independent financial audits, and information systems audits. It also emphasizes principles and procedures for protection of funds, showing that fund safeguarding is a central regulatory concern.
For wallet providers, fund protection should include:
Segregation of user funds from company operating funds.
Use of safeguarding accounts where required.
Daily reconciliation of wallet balances and bank balances.
Clear accounting treatment of user funds.
Restricted internal access to fund movement systems.
Audit trails for loading, spending, refunding, and withdrawing balances.
Controls against unauthorized transfers.
Business continuity arrangements.
Clear rules in user agreements about fund use and redemption.
The provider must not treat user funds as ordinary company revenue. Fees belong to the company; user balances do not. Mixing these concepts creates serious regulatory and civil liability risk.
8. User Funds Are Not Automatically Bank Deposits
A common consumer misunderstanding is that wallet balances are the same as bank deposits. This is not always correct. A digital wallet balance may be electronic money, a prepaid value, a payment account balance, or another contractual claim depending on the structure. Unless a licensed bank deposit relationship exists, the user should not be misled into believing that the wallet is a bank account.
This distinction is important for advertising and contracts. A wallet provider should not use phrases such as “deposit,” “savings,” “interest,” “bank account,” or “guaranteed balance” unless the legal structure supports those statements. Misleading users about the legal nature of funds may create consumer protection and regulatory risk.
User agreements should explain:
Who holds the funds.
Whether the balance is electronic money.
Whether the provider is licensed.
Whether a bank is involved.
Whether the funds earn interest.
How funds are safeguarded.
How the user can withdraw or redeem funds.
What happens if the account is frozen or terminated.
What fees apply.
The clearer the legal explanation, the lower the risk of disputes.
9. Licensing Risks for Digital Wallet Providers
Licensing is one of the most serious risks for digital wallet companies. If a wallet performs regulated activities without authorization, the provider may face administrative sanctions, business interruption, contract problems, investor due diligence issues, banking partner termination, customer claims, and reputational harm.
Legal updates on Turkey’s digital wallet regime note that providers offering wallet services without an operating license were required to apply to the CBRT for the necessary permissions under transition rules, and later amendments extended certain deadlines. As of 2026, digital wallet operators should not rely on past transition periods; they should verify current authorization status before operating.
A wallet provider should obtain legal review if:
Users can load funds.
Users can hold balances.
The wallet can be used with merchants.
Funds can be transferred between users.
The wallet works as a payment instrument.
The wallet connects to bank accounts.
The provider receives merchant settlement funds.
The provider operates a marketplace payment flow.
The provider uses crypto assets in any payment-related function.
The provider targets Turkish customers from abroad.
The safest approach is to classify the model before launch and obtain the appropriate license or structure the service through a licensed institution.
10. Wallets, Marketplaces, and Merchant Funds
Digital wallets are frequently used in marketplaces. A platform may collect money from buyers, hold it temporarily, and later release it to sellers. This structure may look like ordinary marketplace settlement, but it can create payment services and user fund risks.
Key questions include:
Does the marketplace receive buyer funds?
Does it hold funds before releasing them to sellers?
Can sellers maintain balances?
Can sellers use balances inside the platform?
Can buyers receive refunds into a wallet?
Can users transfer balances outside the platform?
Does the platform deduct commissions before settlement?
Are funds held in the platform’s own account?
Marketplace operators often assume that they are merely facilitating sales. However, if the platform controls fund flows between buyers and sellers, payment services law must be reviewed. A marketplace wallet may require a licensed payment institution, electronic money institution, or bank partnership.
Contracts should clearly distinguish between purchase price, commission, user funds, seller receivables, refund amounts, and wallet balances.
11. AML and KYC Obligations
Digital wallets can be misused for money laundering, fraud, illegal betting proceeds, mule account activity, sanctions evasion, and terrorist financing. Wallets are attractive to criminals because they may enable fast onboarding, small-value but high-frequency transfers, multiple accounts, prepaid balances, and peer-to-peer movement.
Turkey’s main AML statute is Law No. 5549 on Prevention of Laundering Proceeds of Crime, whose official English version states that its objective is to determine principles and procedures for preventing laundering proceeds of crime. MASAK obligations may include customer identification, suspicious transaction reporting, information and document provision, record retention, training, internal control, risk management, and compliance programs.
A wallet provider should build AML/KYC controls into the product. These controls may include:
Identity verification before activating certain wallet functions.
Risk-based customer classification.
Beneficial ownership checks for merchant accounts.
Sanctions and politically exposed person screening.
Transaction monitoring.
Velocity limits.
Wallet-to-wallet transfer monitoring.
Suspicious refund and chargeback detection.
Monitoring of linked accounts and shared devices.
Suspicious transaction escalation.
Record retention.
A wallet business should not treat AML as a back-office formality. If AML controls are not embedded in onboarding, limits, monitoring, and transaction review, the wallet may become vulnerable to abuse.
12. Account Freezing and User Complaints
Wallet providers may need to freeze accounts, restrict transactions, request documents, or delay withdrawals for AML, fraud, chargeback, cybersecurity, or regulatory reasons. These actions often create consumer disputes.
The provider must balance two duties: preventing misuse of the platform and avoiding arbitrary restriction of legitimate users. A user may complain that their money is being unlawfully withheld. The provider may respond that the restriction is required by AML, fraud, or security obligations.
To reduce disputes, wallet providers should maintain:
Clear account suspension clauses.
Internal rules for freezing and unfreezing accounts.
Documentation of the reason for restriction.
Escalation procedures.
Time limits for review where possible.
Secure evidence preservation.
Customer communication templates.
Procedures that avoid disclosing confidential suspicious transaction information.
The provider should not give misleading explanations, but it must also avoid revealing suspicious transaction reporting details. This is a delicate area requiring legal and compliance coordination.
13. KVKK and Wallet Data
Digital wallets process extensive personal data. This may include identity information, phone numbers, e-mail addresses, bank account details, transaction histories, merchant preferences, location indicators, device data, IP addresses, customer support records, AML risk scores, and fraud alerts.
The Turkish Personal Data Protection Law No. 6698 aims to protect fundamental rights and freedoms, particularly privacy, and sets obligations for persons processing personal data. Wallet providers must therefore process data lawfully, transparently, securely, and proportionately.
A wallet provider should prepare:
Privacy notices.
Data processing inventory.
Lawful basis analysis.
Explicit consent mechanisms where required.
Data retention and deletion policies.
Data processing agreements with vendors.
Cross-border transfer assessment.
Security measures.
Data breach response procedures.
Customer rights procedures.
Wallet data should not be freely reused for unrelated marketing or profiling. A user’s payment history can reveal private life, financial habits, health-related purchases, travel patterns, family transfers, or business relationships. Using such data for unrelated analytics or advertising without proper legal basis may create serious KVKK risk.
14. Cybersecurity and Unauthorized Wallet Transactions
Cybersecurity is one of the most important legal risks for digital wallets. A wallet may be targeted through phishing, credential stuffing, malware, SIM swap attacks, fake customer support scams, API vulnerabilities, weak authentication, insider abuse, or cloud misconfiguration.
Unauthorized wallet transactions commonly lead to disputes over liability. The user may argue that the wallet provider failed to protect the account. The provider may argue that the user shared credentials or approved the transaction. The result often depends on evidence.
A wallet provider should maintain:
Strong customer authentication.
Device binding.
Risk-based transaction monitoring.
Push notification and SMS alert controls.
Transaction limits.
Suspicious login detection.
Account takeover detection.
Secure API infrastructure.
Encrypted sensitive data.
Tamper-resistant logs.
Incident response procedures.
Fast account-freeze channels.
In litigation or regulatory review, logs may determine the outcome. The provider should be able to show when the account was accessed, from which device, what authentication method was used, what transaction was approved, and whether any suspicious alerts existed.
15. Consumer Protection and Wallet Agreements
Digital wallets are usually provided through standard-form contracts. Consumers do not negotiate these terms. Therefore, wallet agreements must be clear, balanced, and legally defensible.
A strong wallet agreement should explain:
The identity of the provider.
License or regulatory status.
The nature of the wallet.
Whether the wallet includes electronic money.
How users load funds.
How payments are made.
How refunds are processed.
How users can withdraw or redeem balances.
Fees and commissions.
Transaction limits.
Security obligations of users.
Unauthorized transaction reporting.
Account suspension and termination.
Data processing.
Complaint channels.
Dispute resolution.
Unfair, vague, or overly broad clauses may create consumer law risk. For example, a clause allowing the provider to freeze funds indefinitely without explanation or review may be challenged. A clause excluding all provider liability for technical failures may also be problematic.
Wallet contracts must reflect the actual product. A contract that says the provider does not hold funds while the technical flow shows that the provider controls user balances creates legal risk.
16. Refunds, Chargebacks, and Merchant Disputes
Wallets often sit between consumers and merchants. This creates complex disputes involving failed purchases, refunds, chargebacks, fraudulent merchants, delivery problems, and balance reversals.
A wallet provider should define whether it is:
Only a payment service provider.
A marketplace operator.
A merchant of record.
An electronic money issuer.
A technical service provider.
A refund processor.
A settlement intermediary.
This classification affects liability. If the wallet only executes payment transactions, it may not be liable for every merchant dispute. However, if the wallet provider controls marketplace sales, advertises merchant goods, holds funds in escrow-like structures, or promises buyer protection, its liability may increase.
The user agreement and merchant agreement should align. Refund rules should be clear. Users should know whether refunds return to the original payment instrument, wallet balance, bank account, or e-money balance.
17. Crypto-Linked Wallet Risks
Crypto-linked wallets require special caution in Turkey. Turkey restricts the use of crypto assets in payments. The CBRT includes the Regulation on the Disuse of Crypto Assets in Payments within the payment services regulatory framework.
A wallet provider should be careful with:
Crypto-funded merchant payments.
Stablecoin payment features.
Crypto-to-fiat instant checkout.
Crypto debit cards.
Crypto-linked prepaid products.
Wallet balances backed by crypto assets.
Merchant settlement in crypto.
Even if crypto asset trading is regulated separately under capital markets rules, using crypto assets directly or indirectly for payments may create CBRT-related risk. A wallet provider must distinguish between crypto custody or trading and payment functionality.
18. Cross-Border Wallets Serving Turkish Users
Foreign wallet providers may also face Turkish regulatory risk. A foreign company may believe it is outside Turkish law because it is incorporated abroad. However, if it targets Turkish customers, supports Turkish lira, uses Turkish-language marketing, accepts Turkish identity documents, connects with Turkish banks, or enables payments involving Turkish users, Turkish regulation may apply.
Cross-border wallet providers should review:
Whether Turkish customers are targeted.
Whether the wallet stores Turkish user funds.
Whether Turkish merchants accept the wallet.
Whether Turkish bank transfers are supported.
Whether Turkish personal data is transferred abroad.
Whether CBRT authorization is required.
Whether MASAK obligations arise.
Whether consumer protection rules apply.
Whether crypto payment restrictions are triggered.
A foreign license does not automatically authorize wallet services in Turkey. Local regulatory analysis is essential.
19. Evidence and Dispute Management
Digital wallet disputes are evidence-heavy. The key evidence may be technical rather than narrative.
Providers should preserve:
User onboarding records.
KYC documents.
Wallet loading records.
Payment instructions.
Authentication records.
Device and IP logs.
Transaction timestamps.
Merchant settlement records.
Refund records.
Customer complaint tickets.
AML review notes.
Account restriction decisions.
System incident logs.
User notifications.
Users should also preserve screenshots, receipts, app notifications, correspondence, bank statements, and complaint records.
A wallet provider with strong evidence management is better positioned in consumer complaints, court proceedings, regulatory audits, MASAK inquiries, and bank partner reviews.
20. Practical Compliance Checklist for Digital Wallet Providers in Turkey
A digital wallet provider should consider the following checklist:
Classify the wallet model before launch.
Determine whether the wallet is a payment instrument.
Determine whether payment services are provided.
Determine whether electronic money is issued.
Assess whether CBRT authorization is required.
Review whether a licensed partner is needed.
Map all fund flows.
Map all data flows.
Separate user funds from company funds.
Prepare safeguarding and reconciliation procedures.
Draft clear user agreements.
Draft merchant agreements where relevant.
Prepare AML/KYC policies.
Implement transaction monitoring.
Prepare KVKK privacy notices.
Assess cross-border data transfers.
Implement strong cybersecurity controls.
Create account freeze and complaint procedures.
Review refund and chargeback rules.
Avoid misleading marketing language.
Review crypto-related features carefully.
Maintain audit-ready records.
Monitor CBRT, MASAK, KVKK, CMB, and consumer law updates.
This checklist should be adapted to the exact product. A card-storage wallet, prepaid wallet, e-money wallet, marketplace wallet, open banking wallet, and crypto-linked wallet do not have identical obligations.
Why Legal Support Is Important
Digital wallet law in Turkey combines payment services regulation, electronic money law, AML compliance, data protection, consumer protection, cybersecurity, contract law, and sometimes crypto asset regulation. A wallet may appear simple to users, but legally it can be one of the most complex fintech products.
A fintech lawyer can assist with:
Wallet regulatory classification.
CBRT licensing analysis.
Electronic money assessment.
Payment account analysis.
User fund safeguarding structure.
AML/KYC policy design.
KVKK compliance.
User agreement drafting.
Merchant agreement drafting.
Crypto payment risk review.
Cross-border wallet analysis.
Consumer dispute strategy.
Regulatory correspondence.
Administrative sanction defense.
Legal review should begin before launch. Once users have loaded funds and transactions have started, restructuring the wallet can become costly and risky.
Conclusion
Digital wallets create major opportunities in Turkey’s fintech market, but they also create serious legal risks. The key issue is classification. A wallet may be a simple payment credential interface, a regulated payment instrument, a payment account structure, an electronic money product, a marketplace settlement tool, or a crypto-linked product. Each structure has different legal consequences.
The most important legal questions are whether the provider holds user funds, whether electronic money is issued, whether payment services are performed, whether merchants accept the wallet, and whether users can transfer or redeem balances. If the wallet enters the regulated payment flow, CBRT authorization and compliance obligations may arise.
User funds must be protected. Wallet providers must avoid commingling customer funds with company funds, must maintain accurate records, must prepare clear contractual terms, and must build AML, data protection, cybersecurity, and complaint systems into the product.
A successful digital wallet business in Turkey is not only a good app. It is a legally structured financial service. Companies that design their wallet model with proper licensing, fund protection, consumer transparency, cybersecurity, and compliance controls will be better positioned to gain user trust, satisfy regulators, secure banking partnerships, and grow sustainably.
Yanıt yok