Introduction
Robo-advisory services are becoming an important part of the global wealth management and fintech industry. A robo-advisor generally uses algorithms, digital questionnaires, automated portfolio models, risk scoring, and data-driven tools to provide investment recommendations, asset allocation suggestions, portfolio monitoring, or automated portfolio management. In simple terms, robo-advisory allows investors to receive digital investment guidance with limited or no direct human interaction.
In Turkey, robo-advisory services create significant legal questions because investment advice, portfolio management, order transmission, execution, custody, and investment research are regulated under Turkish capital markets law. A fintech company cannot avoid capital markets regulation merely by saying that its advice is generated by an algorithm. If the digital system recommends capital market instruments, builds personalized portfolios, rebalances assets, or guides users toward specific investment decisions, the activity may fall within the jurisdiction of the Capital Markets Board of Türkiye, known as the CMB or SPK.
The Turkish Investment and Finance Office’s fintech glossary defines robo-advisory as methods and applications that provide financial planning services to financial users by offering investment advice based on algorithms. This definition reflects the core regulatory issue: when algorithm-based output becomes investment advice, the provider must consider licensing and investor protection rules.
Turkey does not currently have a separate standalone robo-advisory statute. However, robo-advisory services may fall under existing capital markets legislation, especially Capital Markets Law No. 6362, Communiqué No. III-37.1 on Principles Regarding Investment Services, Activities and Ancillary Services, Communiqué No. III-39.1 on Investment Firms, Communiqué No. III-55.1 on Portfolio Management Companies, personal data protection law, consumer protection principles, cybersecurity rules, and contract law. The Capital Markets Law states that its purpose is to regulate and supervise capital markets in a secure, transparent, efficient, stable, fair, and competitive environment and to protect investor rights and interests.
This article explains the legal framework for robo-advisory services in Turkey, including licensing, investment advice, portfolio management, suitability tests, appropriateness tests, algorithmic recommendations, investor classification, KVKK compliance, AI governance, cybersecurity, platform liability, and legal risks for fintech companies.
1. What Is a Robo-Advisor?
A robo-advisor is a digital system that uses algorithms to provide financial or investment-related guidance. In a simple model, the user completes a questionnaire about investment objectives, risk tolerance, age, income, investment horizon, loss capacity, financial knowledge, and preferences. The system then recommends a portfolio or investment strategy.
More advanced robo-advisory models may:
Recommend mutual funds, equities, bonds, ETFs, crypto assets, or other instruments
Create model portfolios
Automatically rebalance portfolios
Monitor market conditions
Adjust portfolio allocation according to risk profile
Provide automated alerts
Offer tax-related portfolio optimization
Provide retirement planning tools
Use AI to analyze investor behavior
Combine human advisory with algorithmic portfolio construction
Execute transactions after receiving user authorization
Not every digital financial tool is a robo-advisor. A simple educational calculator, market news platform, or general financial information website may not constitute investment advice. However, if the tool gives personalized recommendations about specific capital market instruments or portfolio allocation, the legal risk increases significantly.
The legal classification depends on the substance of the service, not the technology used.
2. Why Robo-Advisory Is Legally Sensitive
Robo-advisory is legally sensitive because it can influence investment decisions. A user may rely on an algorithm’s recommendation to buy a fund, sell shares, invest in a risky asset, enter a derivative position, or allocate savings into a portfolio that may lose value. This creates investor protection concerns.
The main legal risks include:
Unauthorized investment advice
Unlicensed portfolio management
Unsuitable investment recommendations
Insufficient risk profiling
Misleading performance projections
Algorithmic bias
Lack of explainability
Inaccurate data input
Improper use of personal data
Conflicts of interest
Hidden commissions
Failure to update investor profiles
Cybersecurity failures
Automated decisions without adequate control
Unclear contractual disclaimers
Investor claims after losses
The fact that a recommendation is generated by software does not reduce the provider’s legal responsibility. On the contrary, automation may increase risk because the same flawed algorithm can affect thousands of users at the same time.
3. Turkish Capital Markets Framework
Robo-advisory services must be analyzed under Turkish capital markets law. Article 37 of the Capital Markets Law lists investment services and activities, including reception and transmission of orders, execution of orders, dealing on own account, portfolio management, investment advice, underwriting, placing, operation of trading systems, custody, and other services determined by the CMB.
This matters because robo-advisory may fall into more than one regulated activity. For example:
A system that only gives personalized investment recommendations may involve investment advice.
A system that automatically manages a user’s portfolio may involve portfolio management.
A system that transmits user orders to an intermediary institution may involve order transmission.
A system that executes orders may require additional authorization.
A platform that holds customer assets may trigger custody rules.
A fintech company that provides investment advice as a regular commercial activity must examine whether it needs authorization from the CMB or whether it must operate through an authorized investment institution. Under Turkish capital markets legislation, investment advisory services are generally provided by authorized institutions such as brokerage firms, investment and development banks, and portfolio management companies, provided they have the relevant CMB license.
4. Investment Advice vs. General Investment Information
One of the most important distinctions in robo-advisory law is the difference between general investment information and personalized investment advice.
General information may include:
Market news
Educational articles
Macroeconomic analysis
General portfolio theory explanations
Risk warnings
General asset class descriptions
Publicly available price data
Non-personalized research reports
Investment glossary content
Generic calculators
Personalized investment advice may include:
Recommendation to buy, sell, or hold a specific instrument
Portfolio allocation based on the user’s financial profile
Fund selection based on risk score
Asset allocation based on investment objective
Recommendation generated after a user questionnaire
Risk-based product matching
Personalized rebalancing advice
Algorithmic ranking of instruments for a particular user
A robo-advisor may start as a general educational tool but become regulated advice when it moves from “this is how diversification works” to “based on your answers, you should invest 40% in this fund and 60% in that instrument.”
Disclaimers alone are not enough. A platform cannot avoid investment advisory rules simply by stating that its output is “not investment advice” if the actual service provides personalized investment recommendations.
5. Investment Advice vs. Portfolio Management
Robo-advisory may also overlap with portfolio management. Investment advice usually involves recommendations, while portfolio management involves managing a portfolio on behalf of the client. If the user makes the final decision after receiving a recommendation, the service may be closer to investment advice. If the platform automatically executes or rebalances the portfolio according to a mandate, it may be closer to portfolio management.
The distinction is critical because portfolio management is a regulated capital markets activity. The CMB’s Communiqué on Portfolio Management Companies states that a portfolio management company may engage in portfolio management and investment advisory services subject to receiving a license from the CMB.
A robo-advisory platform may involve portfolio management if it:
Automatically selects assets for the user
Automatically rebalances the portfolio
Executes changes without separate user approval
Manages discretionary mandates
Controls allocation according to algorithmic strategy
Provides ongoing management for a fee
Monitors and adjusts portfolio risk continuously
A fintech company should not describe an automated portfolio management product as a simple recommendation tool if it actually controls investment decisions.
6. Licensing Requirements
Licensing is the central issue for robo-advisory platforms in Turkey. If the service falls within investment advice, portfolio management, order transmission, execution, or custody, the provider must consider CMB authorization.
Under the Capital Markets Law and related communiqués, investment services and activities are not freely offered by ordinary companies. They are subject to CMB authorization. Legal commentary on Turkish investment services explains that investment services are regulated by the Capital Markets Law, Communiqué III-37.1, and Communiqué III-39.1, and that authorization is mandatory for investment services performed as a regular occupation or as a commercial or professional activity.
A robo-advisory business may need legal review if it:
Provides personalized advice about capital market instruments
Suggests specific securities or funds
Creates risk-based portfolios
Uses algorithms to recommend buy/sell decisions
Provides automated portfolio management
Rebalances portfolios
Transmits orders to brokers
Receives fees from product providers
Uses customer data to rank investment products
Targets Turkish residents with investment recommendations
Offers crypto asset investment advice
Offers cross-border robo-advisory services to users in Turkey
The safest approach is to classify the service before launch and determine whether it must be provided by a licensed investment institution, portfolio management company, or another authorized entity.
7. Suitability Test in Robo-Advisory
The suitability test is one of the most important investor protection tools in robo-advisory. A suitability test evaluates whether a product, portfolio, or investment service is suitable for the client’s objectives, financial situation, knowledge, experience, risk tolerance, and investment horizon.
In digital robo-advisory, suitability is usually assessed through an online questionnaire. However, a digital questionnaire must be legally meaningful. It should not be designed only for speed or conversion. It must collect enough information to support the recommendation.
A proper robo-advisory suitability process should assess:
Investment objective
Risk and return preference
Investment horizon
Income level
Asset level
Loss-bearing capacity
Financial knowledge
Investment experience
Liquidity needs
Age and personal circumstances
Existing portfolio composition
Preference for conservative, balanced, or aggressive strategies
Tolerance for volatility
Need for regular income
Restrictions or special preferences
Under Communiqué III-37.1, suitability testing is connected to individual portfolio management and investment advice services. The Turkish Capital Markets Association’s ethics materials also emphasize that capital markets employees must consider the suitability of the client’s investment preferences, portfolio status, personal needs, financial position, and general economic information when providing capital markets services.
In robo-advisory, the algorithm must be able to translate this information into a suitable recommendation. If the questionnaire is superficial, the output may be legally weak.
8. Appropriateness Test and Execution-Only Services
The appropriateness test is different from the suitability test. It generally evaluates whether the client has sufficient knowledge and experience to understand the risks of a product or service. It is especially relevant where the firm does not provide full investment advice or portfolio management but offers access to capital markets products.
In practice, Turkish investment firms often distinguish between appropriateness and suitability tests in their customer documentation. For example, market documentation based on the CMB framework states that an appropriateness test is applied before certain investment services, while a suitability test is applied where the customer requests portfolio management or investment advisory services.
For robo-advisory platforms, this distinction matters because not all digital investment journeys are the same.
A platform may provide:
Execution-only access
General product information
Appropriateness-based product access
Personalized investment advice
Automated portfolio management
Each category has different legal consequences. A platform that claims to be execution-only should avoid personalized recommendations. A platform that recommends products should conduct a suitability analysis. A platform that manages portfolios should comply with portfolio management rules.
9. Algorithmic Recommendations and Legal Responsibility
A robo-advisor’s algorithm is the heart of the service. It may classify users, match products, calculate risk scores, select portfolio weights, recommend asset allocation, and trigger rebalancing. This creates legal responsibility.
The provider should be able to explain:
What data the algorithm uses
How risk scores are calculated
How products are matched to profiles
How conflicts of interest are managed
How the algorithm is tested
How recommendations are reviewed
How errors are corrected
How model updates are approved
How unsuitable recommendations are prevented
How exceptional cases are escalated to human review
A robo-advisory provider should not treat the algorithm as a black box. If an investor claims that the recommendation was unsuitable, the provider must be able to reconstruct the decision. It should show the user’s questionnaire answers, risk profile, product risk rating, recommendation logic, warnings displayed, and user approvals.
A legally strong robo-advisor must have algorithm governance.
10. Human Oversight
Robo-advisory does not always mean fully automated advice. Some models are hybrid. The algorithm prepares a recommendation, and a human advisor reviews it. In other models, automation is used only for risk classification, while licensed professionals provide the final recommendation.
Human oversight can reduce legal risk, especially where:
The investor has complex financial circumstances
The questionnaire produces inconsistent answers
The user wants high-risk products despite low risk tolerance
The user is elderly or financially vulnerable
The model recommends complex instruments
The portfolio involves derivatives or leveraged products
Market conditions change sharply
The user files a complaint
The algorithm produces an unusual result
Human oversight should be real. A licensed person should have authority to review, correct, or reject algorithmic output where necessary. A symbolic approval process without actual review may not reduce liability.
11. Investor Classification
Turkish capital markets law distinguishes between different investor categories, including general and professional clients. Robo-advisory platforms must carefully classify users because professional clients may be subject to different disclosure and protection rules.
Investor classification affects:
Suitability information requirements
Appropriateness testing
Risk disclosures
Product access
Warning obligations
Documentation
Complaint handling
Investor protection level
A digital platform should not assume that a user is sophisticated merely because they use an app. Retail investors may misunderstand algorithmic advice, risk scores, model portfolios, or projected returns. Therefore, robo-advisory user interfaces should be designed for clarity and investor protection.
If a user is treated as a professional client, the platform must preserve evidence supporting that classification.
12. Risk Disclosures
Robo-advisory platforms must provide clear risk disclosures. These disclosures should not be hidden in long terms of use. Users should understand the risks before acting on recommendations.
Risk disclosures should cover:
Market risk
Loss of principal
Volatility
Liquidity risk
Currency risk
Interest rate risk
Issuer risk
Fund risk
Concentration risk
Algorithm risk
Model error risk
Past performance limitations
Rebalancing risk
Tax uncertainty
Technology failure
Cybersecurity risk
Execution risk
Platform conflict of interest
The platform should avoid statements such as “safe return,” “guaranteed portfolio,” “risk-free automated investment,” or “AI will protect your capital.” Investment always involves risk, and algorithmic tools cannot eliminate market losses.
13. Conflicts of Interest
Conflicts of interest are a major concern in robo-advisory. An algorithm may appear neutral, but it can be designed to recommend products that generate higher commissions, benefit affiliated companies, increase platform revenue, or promote sponsored funds.
Potential conflicts include:
Recommending affiliated funds
Receiving commissions from product providers
Ranking products based on commercial arrangements
Using platform-owned model portfolios
Recommending high-fee instruments
Promoting products with better revenue sharing
Using customer data for cross-selling
Displaying sponsored instruments as “best fit”
Failing to disclose economic incentives
A robo-advisory provider should maintain a conflict of interest policy and disclose material conflicts to users. Product selection methodology should be documented. If the algorithm considers revenue factors, that fact may need to be disclosed and controlled.
Investor trust depends on impartiality. A robo-advisor that claims to provide objective advice while secretly prioritizing higher-fee products creates serious liability risk.
14. Performance Projections and Backtesting
Robo-advisory platforms often use charts, projections, simulations, backtesting, and hypothetical returns. These tools can help users understand potential outcomes, but they may also mislead investors if presented improperly.
A platform should clearly explain:
Past performance does not guarantee future results
Backtested results are hypothetical
Projected returns are uncertain
Market conditions may change
Fees and taxes may reduce returns
Risk scores do not prevent losses
Portfolio models may underperform
Rebalancing may not protect against severe market losses
Performance visuals should be balanced. Showing only optimistic scenarios may be misleading. A proper interface should include downside scenarios, maximum drawdown explanations, volatility indicators, and risk warnings.
15. KVKK and Personal Data Protection
Robo-advisory services process significant personal data. This may include identity data, income, assets, investment objectives, financial knowledge, risk preferences, investment history, transaction records, device data, behavioral data, and possibly sensitive personal indicators.
The Turkish Personal Data Protection Law No. 6698 aims to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing. Robo-advisory providers must therefore process personal data lawfully, transparently, securely, and proportionately.
KVKK compliance for robo-advisory should include:
Privacy notices
Data processing inventory
Lawful basis analysis
Explicit consent mechanisms where required
Data minimization
Retention and deletion policies
Cross-border transfer review
Data processing agreements with vendors
Customer rights procedures
Security controls
Data breach response plans
Robo-advisory data is highly sensitive because it reveals the investor’s financial capacity, risk appetite, investment strategy, and economic vulnerability. A data breach involving robo-advisory profiles could cause serious harm.
16. Automated Decisions and AI Governance
Robo-advisory services often use automated decision-making. A system may classify a user as conservative, balanced, or aggressive. It may recommend a model portfolio. It may reject access to certain instruments. It may rebalance automatically.
Automated decision-making creates legal risk if the decision negatively affects users and there is no transparency or review mechanism. Under KVKK, data subjects have rights related to processing and may object to results against them arising from analysis exclusively through automated systems.
A robo-advisory provider should implement AI governance measures such as:
Algorithm inventory
Model validation
Bias testing
Explainability assessment
Human oversight
Change management
Audit logs
Vendor review
Risk committee approval
Periodic performance review
Complaint escalation
Model error correction
Cybersecurity testing
AI governance should not be optional. If a platform provides investment advice through algorithms, the algorithm must be controlled like a regulated compliance process.
17. Cybersecurity and Operational Resilience
Robo-advisory platforms must be secure. Cybersecurity failures can expose personal financial data, manipulate recommendations, alter portfolios, disrupt trading, or create unauthorized transactions.
Cybersecurity measures should include:
Strong authentication
Encryption
Access controls
Secure software development
Penetration testing
API security
Logging and monitoring
Incident response
Business continuity
Vendor security review
Data backup
Change management
Segregation of environments
Protection of algorithm parameters
Protection against model manipulation
For banks and regulated financial institutions, the BRSA information systems regulation sets minimum principles for bank information systems, electronic banking services, risk management, and information systems controls. Although a robo-advisory fintech may not always be a bank, similar security expectations may arise through contracts, licensing, outsourcing rules, and investor protection principles.
18. Outsourcing and Technology Providers
Many robo-advisory businesses rely on external vendors. These may include cloud providers, algorithm developers, risk profiling tools, data providers, AI model vendors, order routing systems, portfolio analytics providers, cybersecurity companies, and customer support platforms.
Outsourcing does not eliminate responsibility. If a regulated investment institution uses a vendor to develop or operate a robo-advisory system, the regulated institution remains responsible for compliance.
Vendor contracts should address:
Scope of services
Data protection roles
Confidentiality
Security obligations
Audit rights
Model documentation
Change control
Incident notification
Cross-border data transfers
Service levels
Business continuity
Regulatory cooperation
Liability and indemnity
Termination assistance
Data deletion
A platform should not deploy a vendor algorithm without understanding how it works, what data it uses, how it was tested, and how it can be audited.
19. Crypto Robo-Advisory
Some platforms may offer robo-advisory services for crypto assets. This creates additional legal complexity. Crypto asset service providers in Turkey are now subject to CMB regulation under the 2025 communiqués. The CMB framework includes crypto asset services such as trading, custody, transfer, initial sale or distribution, and investment consultancy in respect of crypto assets.
A crypto robo-advisor may recommend:
Crypto portfolios
Stablecoin allocation
Token baskets
DeFi strategies
Staking products
Exchange-traded crypto exposure
Risk-based crypto asset allocation
Rebalancing between crypto assets
This may trigger crypto asset service provider rules, investment advisory analysis, AML obligations, custody concerns, and investor protection duties. Crypto robo-advisory is especially risky because crypto assets are volatile, regulatory treatment is evolving, and retail users may misunderstand risk.
A platform should not present crypto robo-advice as safe, guaranteed, or equivalent to traditional portfolio diversification.
20. Cross-Border Robo-Advisory
Foreign robo-advisory platforms may be accessible to Turkish users. However, cross-border access can create Turkish regulatory risk if the platform actively targets Turkish residents.
Indicators of targeting may include:
Turkish-language website or app
Turkish advertising
Turkish social media campaigns
Turkish customer support
TRY-based pricing
Acceptance of Turkish identity documents
Recommendations on Turkish capital market instruments
Partnerships with Turkish financial institutions
Local influencers
Turkish investor webinars
Marketing to Turkish residents
Foreign investment institutions may provide certain services to residents in Turkey under specific conditions, but Turkish capital markets rules remain relevant, especially where activities are directed toward Turkish investors. Legal commentary on foreign investment institutions in Turkey explains that local legislation distinguishes how foreign investment institutions may interact with Turkish investors and that investment advisory services are provided by duly licensed Turkish entities.
A foreign robo-advisor should not assume that foreign authorization is enough to target Turkish users.
21. User Agreements and Disclaimers
Robo-advisory platforms need carefully drafted user agreements. These agreements should match the actual service. A platform that provides personalized investment recommendations should not draft terms as if it only provides educational content.
User agreements should cover:
Provider identity
Regulatory status
Scope of service
Whether investment advice is provided
Whether portfolio management is provided
User responsibilities
Suitability questionnaire accuracy
Risk disclosures
Fees and commissions
Conflicts of interest
Algorithmic limitations
No guarantee of return
Data processing
Cybersecurity obligations
Complaint procedures
Termination
Governing law and dispute resolution
Recordkeeping and electronic communications
Disclaimers should be clear but not abusive. A provider cannot exclude all responsibility for unsuitable recommendations if it is legally responsible for investment advice. The contract must be realistic and legally enforceable.
22. Recordkeeping and Evidence
Robo-advisory disputes are evidence-heavy. If an investor alleges unsuitable advice, the provider must produce digital records.
Important records include:
Questionnaire answers
Risk score calculation
Investor classification
Product risk rating
Recommendation output
Algorithm version
Portfolio model used
Risk warnings shown
User approvals
Rebalancing logs
Fee disclosures
Conflict disclosures
Customer complaints
Human review notes
Data processing notices
Order transmission records
Transaction confirmations
The provider should be able to reconstruct the advisory journey. Without records, it may be difficult to prove that the recommendation was suitable and properly disclosed.
23. Liability for Unsuitable Recommendations
A robo-advisory provider may face liability if it gives unsuitable recommendations, fails to collect sufficient investor information, ignores risk profile, uses flawed models, fails to disclose risks, or recommends products due to conflicts of interest.
Liability may arise from:
Breach of capital markets duties
Contractual breach
Tort liability
Consumer protection principles
Data protection violations
Misleading advertising
Unfair terms
Failure to maintain records
Negligent algorithm design
Failure to supervise vendors
Failure to update suitability data
Investor loss alone does not automatically prove liability. Investments can lose value even when advice is suitable. However, if the product was incompatible with the user’s profile, the recommendation logic was defective, or the platform misled the investor, liability risk increases.
24. Practical Compliance Checklist for Robo-Advisory Platforms in Turkey
A robo-advisory platform should consider the following checklist:
Classify the service legally before launch.
Determine whether the service is general information, investment advice, portfolio management, order transmission, or execution.
Assess CMB licensing requirements.
Operate through an authorized investment institution where required.
Design a legally meaningful suitability questionnaire.
Distinguish between suitability test and appropriateness test obligations.
Classify investors correctly.
Document product risk ratings.
Validate the algorithm.
Implement human oversight for high-risk cases.
Disclose risks clearly.
Avoid guaranteed return language.
Prepare a conflict of interest policy.
Disclose fees and commissions.
Maintain audit logs.
Prepare KVKK privacy notices.
Review cross-border data transfers.
Secure the platform.
Review vendor contracts.
Prepare complaint handling procedures.
Keep records of every recommendation.
Monitor regulatory changes.
This checklist should be adapted to the model. A basic education app, fund comparison tool, hybrid advisory platform, automated portfolio manager, bank-based robo-advisor, and crypto robo-advisor will not have the same legal requirements.
Why Legal Support Is Important
Robo-advisory law in Turkey requires knowledge of capital markets regulation, investment advice, portfolio management, financial technology, AI governance, data protection, cybersecurity, consumer protection, and contract law.
A fintech and capital markets lawyer can assist with:
Robo-advisory regulatory classification
CMB licensing analysis
Investment advice compliance
Portfolio management structuring
Suitability test design
Appropriateness test review
User agreement drafting
Risk disclosure preparation
Conflict of interest policy
Algorithm governance review
KVKK compliance
Vendor contract drafting
Cross-border service analysis
Crypto robo-advisory review
Investor dispute strategy
Regulatory correspondence
Legal support should begin before the product is launched. Once the algorithm has already given recommendations to many users, correcting a non-compliant model may become difficult.
Conclusion
Robo-advisory services in Turkey create important opportunities for fintech companies, banks, portfolio management companies, brokerage firms, and investors. They can make investment guidance more accessible, reduce costs, automate risk profiling, and improve portfolio monitoring. However, robo-advisory is not an unregulated software service when it provides personalized investment recommendations or manages portfolios.
The key legal question is whether the digital tool provides general information, investment advice, portfolio management, order transmission, or another regulated investment service. If the algorithm recommends specific capital market instruments or portfolio allocation based on user information, CMB licensing, suitability testing, investor protection, risk disclosure, and recordkeeping obligations must be carefully reviewed.
A legally sound robo-advisory platform must combine technology with compliance. It should use a meaningful suitability test, classify investors correctly, validate algorithms, disclose risks, manage conflicts, protect personal data, maintain cybersecurity, preserve evidence, and provide complaint channels. Automation does not remove responsibility. If anything, it increases the need for governance because one algorithm can affect many investors.
Turkey’s capital markets framework is built around investor protection, transparency, fairness, and authorized investment services. Robo-advisory can fit within this framework if structured properly. Companies that build legal compliance into their robo-advisory products from the beginning will be better positioned to gain investor trust, satisfy regulators, avoid disputes, and grow sustainably in Turkey’s wealth-tech market.