Introduction
Crypto asset regulation in Turkey has entered a new and much more formal legal phase. For many years, crypto assets were widely traded in Turkey, but the market operated under a fragmented legal framework. Investors used crypto exchanges, wallet providers and digital asset platforms, while regulators addressed specific risks through payment restrictions, anti-money laundering rules and general criminal law. This changed significantly with the adoption of Law No. 7518 Amending the Capital Markets Law, which introduced crypto assets and crypto asset service providers into the Turkish capital markets regulatory framework.
Turkey is one of the most active crypto markets in the region. High retail participation, currency volatility, a developed fintech ecosystem and strong digital adoption have made crypto assets a significant part of financial behavior. However, this popularity also creates serious legal risks: platform failure, unauthorized service providers, custody losses, misleading listings, market manipulation, money laundering exposure, tax uncertainty, cybersecurity incidents, investor disputes and cross-border enforcement problems.
The key regulator for crypto asset service providers in Turkey is now the Capital Markets Board of Turkey, commonly referred to as the CMB or SPK. The CMB’s amended Capital Markets Law includes crypto asset-related provisions following Law No. 7518, and the CMB has issued secondary regulations on the establishment, operation, working principles and capital adequacy of crypto asset service providers.
This article provides a comprehensive legal guide to crypto asset regulation in Turkey, focusing on legal risks for crypto exchanges, investors, custody providers, foreign platforms, fintech companies and crypto asset service providers.
1. The Legal Development of Crypto Regulation in Turkey
Before the 2024 amendments, Turkey did not have a comprehensive statute specifically regulating crypto asset exchanges as capital markets actors. Crypto platforms operated in a developing legal environment, while certain aspects were governed by general laws such as contract law, criminal law, anti-money laundering legislation, consumer protection principles, data protection rules and payment services regulation.
The first major sector-specific restriction came from the Central Bank of the Republic of Türkiye, which introduced the Regulation on the Disuse of Crypto Assets in Payments. The CBRT regulation entered into force on 30 April 2021 and restricted the direct or indirect use of crypto assets in payments. The CBRT’s annual report explains that payment service providers cannot develop business models that directly or indirectly use crypto assets in payment services or electronic money issuance, and payment and electronic money institutions cannot intermediate fund transfers to or from platforms providing crypto trading, custody, transfer or issuance services.
The second major development was the inclusion of crypto asset service providers in anti-money laundering obligations. MASAK compliance became increasingly relevant for exchanges and platforms, particularly for customer identification, suspicious transaction reporting, recordkeeping and transaction monitoring.
The third and most important development was the 2024 amendment to the Capital Markets Law. Law No. 7518 introduced definitions and obligations concerning crypto assets, crypto asset service providers, platforms, custody and regulatory authorization. This created a formal licensing and supervision framework under the CMB.
2. What Is a Crypto Asset Under Turkish Law?
Turkish law now defines crypto assets within the capital markets framework. In general terms, crypto assets are intangible assets that may be created and stored electronically using distributed ledger technology or similar technology, distributed over digital networks, and capable of expressing value or rights.
This definition is broad. It does not cover only well-known cryptocurrencies such as Bitcoin or Ether. It may also include tokens, digital assets, platform-based crypto units and other digital value representations depending on their technical and economic characteristics.
However, not every digital value is automatically treated in the same legal way. A crypto asset may raise different legal questions depending on whether it functions as a payment tool, investment product, utility token, security-like instrument, stablecoin, governance token, non-fungible token, custody asset or trading instrument.
For this reason, legal classification is essential. A token issuer, exchange, wallet provider or fintech company should not assume that a digital asset is outside regulation merely because it is called a “utility token” or “digital collectible.” The legal analysis must focus on the substance of the asset, the rights it provides, the way it is marketed, whether it is traded, and whether investors expect financial gain.
3. Capital Markets Board Supervision
The Capital Markets Board of Turkey is the principal authority for crypto asset service providers under the amended Capital Markets Law. The CMB is authorized to regulate crypto asset service providers, determine operating principles, set licensing requirements, supervise platforms, regulate custody arrangements and impose sanctions where necessary.
In March 2025, two major communiqués were published: Communiqué III-35/B.1 on the Establishment and Operation Principles of Crypto Asset Service Providers and Communiqué III-35/B.2 on the Working Principles and Capital Adequacy of Crypto Asset Service Providers. The first communiqué covers establishment, founders, managers, shareholders, personnel, organization, share transfers, technological infrastructure, outsourcing, records, internal audit, internal control, risk management and suspension of activities. The second communiqué regulates services and activities, crypto asset listing principles, settlement systems and capital adequacy.
This new framework means that crypto service providers in Turkey are no longer merely private technology companies. They are regulated financial market actors. Their legal obligations are closer to those of licensed financial institutions than ordinary software platforms.
4. Crypto Asset Service Providers in Turkey
Crypto asset service providers may include platforms that allow crypto trading, custody service providers, wallet-related service providers and other entities offering crypto asset services as defined under the Capital Markets Law and CMB regulations.
The most visible category is the crypto exchange or crypto asset platform. These platforms allow users to buy, sell, exchange, transfer or hold crypto assets. However, under Turkish law, the platform’s legal responsibilities are not limited to matching orders. Platforms may have obligations regarding licensing, custody, customer onboarding, AML compliance, cybersecurity, listing standards, client asset segregation, order execution, conflict of interest management, complaints and recordkeeping.
Custody providers are also critical. In crypto markets, loss of private keys, unauthorized wallet access, hacking, internal fraud and inadequate segregation may result in irreversible losses. Therefore, custody is one of the central legal risk areas under the Turkish framework.
Service providers must evaluate whether their activities fall within the CMB’s authorization regime. Operating without permission may lead to serious administrative, civil and criminal consequences.
5. Licensing and Authorization Risks
The most important legal risk for crypto exchanges and service providers is operating without proper authorization. Under the new regulatory framework, crypto asset service providers must comply with CMB requirements and obtain the necessary permissions to continue or commence activities.
The CMB announced processes concerning service providers and created lists relating to entities continuing activities and those declaring liquidation during the transition period. The CMB also published application process materials for crypto asset service providers, referring to Communiqué III-35/B.1 and Communiqué III-35/B.2.
A crypto platform should not treat licensing as a simple administrative formality. The regulator will examine legal structure, capital, founders, shareholders, directors, internal systems, information systems, custody arrangements, outsourcing, conflicts of interest, customer complaints, recordkeeping, audit systems and risk management.
For foreign platforms, licensing risk is especially sensitive. A foreign exchange that targets Turkish residents, markets services in Turkish, offers Turkish lira access, uses local advertising or maintains Turkey-focused customer operations may face regulatory scrutiny even if it has no formal company in Turkey.
6. Foreign Crypto Exchanges Targeting Turkish Users
One of the most important questions in crypto regulation is whether a foreign platform may serve Turkish residents without local authorization. The 2024 amendment created transition obligations for crypto asset service providers resident outside Turkey, and legal analyses of the amendment noted that foreign-resident providers were required to terminate activities targeting Turkish residents within the statutory transition period.
This creates major legal risk for global exchanges. A platform incorporated abroad may still be considered to be offering services in Turkey if it actively targets Turkish users. The analysis may consider language, marketing, Turkish lira payment channels, local influencer campaigns, Turkish customer support, local domain usage, app-store targeting and the practical availability of services to Turkish residents.
Foreign exchanges should therefore review whether they are passively accessible from Turkey or actively providing services to Turkish residents. The second scenario carries significantly higher legal risk.
7. Capital Adequacy and Financial Strength
Crypto asset service providers are now expected to demonstrate financial strength. The CMB’s 2025 secondary regulations introduced rules concerning capital adequacy and operating standards. Legal and professional summaries of the 2025 framework indicate that minimum capital requirements are a central part of the new regime and that the regulatory framework distinguishes between different types of crypto asset service providers, including platforms and custody providers.
Capital requirements are not merely technical numbers. They serve an investor protection function. Crypto platforms may face operational losses, cyber incidents, liquidity problems, customer claims, regulatory penalties, market volatility and technology failures. A platform with insufficient financial resources may not be able to compensate users or maintain operations during market stress.
For investors, capital strength is a key risk indicator. Users should not evaluate a crypto exchange only by transaction fees, token listings or mobile application design. They should also consider whether the platform is authorized, financially strong, transparent and subject to regulatory oversight.
8. Custody and Wallet Risks
Custody is one of the most important legal and technical risks in crypto markets. Traditional finance relies on banks, central securities depositories, custodians and regulated settlement systems. Crypto assets, by contrast, may be controlled through private keys, smart contracts, wallet infrastructure and blockchain transactions.
If a crypto exchange holds customer assets, the legal question is whether those assets are properly segregated from the platform’s own assets, whether private keys are securely managed, whether cold wallet and hot wallet processes are controlled, whether internal access is limited, whether insurance or reserve mechanisms exist, and whether customers have clear contractual rights.
Custody failures may arise from hacking, employee misconduct, loss of keys, weak internal controls, smart contract vulnerabilities, commingling of assets or unauthorized transfers. Because blockchain transfers may be irreversible, prevention is more important than later litigation.
Under the CMB framework, custody service providers and platforms must treat custody and settlement as core compliance functions. Investors should also understand that holding assets on an exchange is legally and practically different from self-custody.
9. Listing and Delisting of Crypto Assets
Crypto asset platforms must adopt clear rules for listing and delisting crypto assets. Listing risk is significant because investors often assume that a token listed on a platform has been approved, verified or endorsed. In reality, listing does not necessarily mean that the token is risk-free or that the regulator guarantees its value.
The CMB’s 2025 framework includes rules on services and activities that crypto asset service providers may provide and principles relating to crypto asset listings and settlement systems.
Platforms should conduct legal, technical and financial review before listing a crypto asset. Relevant issues may include token issuer identity, project documentation, smart contract audit, circulating supply, insider allocations, lock-up terms, governance rights, liquidity, market manipulation risk, regulatory classification, sanctions risk and investor disclosure.
Delisting is also legally sensitive. If a platform suddenly delists a token, investors may suffer losses or be unable to withdraw assets. Terms of service should clearly explain delisting procedures, notification periods, transfer options and user rights.
10. Market Abuse, Manipulation and Misleading Information
Crypto markets are vulnerable to manipulation. Pump-and-dump schemes, wash trading, spoofing, insider trading, fake volume, misleading social media campaigns, paid influencer promotions and coordinated token hype may cause serious investor losses.
Although crypto assets are not always treated exactly like traditional securities, platforms operating under the CMB framework should expect increasing scrutiny of market integrity. A platform that allows manipulative conduct, fails to monitor suspicious trading or promotes misleading token information may face legal consequences.
Investors should be cautious about social media investment advice, anonymous Telegram groups, influencer marketing, unrealistic return promises and projects that rely on aggressive promotion rather than transparent fundamentals.
For service providers, a strong market surveillance system is essential. Platforms should monitor abnormal trading behavior, related accounts, suspicious volume patterns, insider-related wallets, sudden price spikes and coordinated trading activity.
11. AML and MASAK Compliance
Anti-money laundering compliance is central to crypto regulation in Turkey. Crypto platforms may be misused for laundering proceeds from fraud, illegal betting, cybercrime, tax crimes, sanctions evasion and other unlawful activities.
Turkey’s main AML statute is Law No. 5549 on Prevention of Laundering Proceeds of Crime, whose purpose is to determine principles and procedures for preventing money laundering. MASAK’s regulations require obliged parties to identify customers, report suspicious transactions, retain records, provide information and documents and maintain compliance systems.
In 2025, Turkish authorities also announced further steps to combat money laundering through cryptocurrency transactions, including measures linked to the travel rule, waiting periods for withdrawals where information-sharing obligations are not applied, and stablecoin transfer limits according to reports based on official statements.
Crypto asset service providers should implement strong KYC and AML controls. These should include customer identification, beneficial ownership checks, wallet screening, sanctions screening, politically exposed person checks, suspicious transaction monitoring, blockchain analytics, risk scoring, transaction limits, source-of-funds requests and suspicious transaction reporting.
12. Payment Restrictions and Crypto Assets
One of the clearest rules in Turkish crypto regulation is that crypto assets cannot be used directly or indirectly in payments under the CBRT regulation. The CBRT regulation also restricts payment service providers from developing business models based on crypto assets in payment services or electronic money issuance and restricts payment and electronic money institutions from intermediating transfers to and from crypto platforms.
This rule creates important legal consequences. A business cannot lawfully design a payment system where customers pay for goods or services directly with crypto assets in a way prohibited by the regulation. A payment institution cannot structure a wallet product that indirectly uses crypto assets as a payment tool. A merchant payment gateway cannot treat crypto assets as ordinary payment instruments.
However, the payment restriction does not mean that every crypto asset transaction is banned. Trading, custody and transfer services may exist within the CMB framework, but crypto assets cannot be used as payment instruments in the prohibited manner.
13. Investor Protection Risks
Crypto investors in Turkey face several legal and practical risks.
The first risk is platform risk. If an exchange fails, is hacked or becomes insolvent, investors may struggle to recover assets.
The second risk is custody risk. Investors may lose assets due to private key compromise, phishing, SIM swap fraud, fake wallet applications or platform security breaches.
The third risk is listing risk. A token may be listed on a platform but still be economically weak, technically insecure, manipulated or abandoned by its developers.
The fourth risk is liquidity risk. Investors may not be able to sell large positions without major price impact, especially in smaller tokens.
The fifth risk is legal classification risk. A token may later be treated differently under capital markets, tax, AML or payment rules.
The sixth risk is fraud risk. Fake exchanges, fake investment advisors, Ponzi schemes, guaranteed return promises and impersonation scams are common.
Investors should therefore prefer authorized platforms, use strong security practices, avoid unrealistic return promises, preserve transaction records and understand that crypto assets may be highly volatile and legally complex.
14. Terms of Service and Customer Contracts
Crypto exchanges and service providers must draft strong customer agreements. The terms of service should not be a generic website document copied from another jurisdiction. It should reflect Turkish law, CMB rules, AML obligations, data protection rules, custody structure, listing policies and dispute resolution.
A proper customer agreement should explain account opening, KYC, risk disclosure, order execution, fees, custody, withdrawals, delisting, fork and airdrop treatment, suspension of transactions, account closure, suspicious transaction review, data processing, liability limits, complaint procedures and governing law.
Risk disclosure is especially important. Users should be clearly informed that crypto assets are volatile, may lose value, may not be covered by deposit insurance, may be subject to technical failures and may not have the same protection as traditional financial instruments.
If a platform’s terms are unclear, misleading or unfair, customer disputes may arise. A platform that wants to reduce litigation risk should prioritize transparency.
15. Data Protection and Cybersecurity
Crypto platforms process sensitive personal and financial data, including identity documents, biometric verification data, wallet addresses, transaction history, IP addresses, device information, phone numbers, bank account details and risk scores. This makes data protection a major legal risk.
Under Turkish personal data protection law, platforms must process personal data lawfully, provide privacy notices, implement security measures, manage data subject requests and comply with cross-border transfer rules. For crypto platforms using foreign cloud providers, overseas analytics tools, blockchain intelligence vendors or international group systems, cross-border data transfer analysis is essential.
Cybersecurity is also critical. A crypto exchange may be attacked through phishing, API abuse, insider access, wallet compromise, DDoS attacks, malware, credential stuffing, smart contract exploitation or social engineering. Cybersecurity failures may lead to customer loss, regulatory sanctions and reputational collapse.
A crypto service provider should maintain penetration testing, access controls, multi-signature wallet procedures, cold storage, transaction approval workflows, incident response plans, business continuity plans, logging, monitoring and independent security audits.
16. Tax Risks for Crypto Investors and Platforms
Crypto taxation in Turkey remains an evolving area. In March 2026, a parliamentary proposal introduced discussions on crypto asset transaction taxation and income taxation, including a proposed transaction tax on crypto asset sales and transfers through crypto asset service providers. TBMM materials described a proposed crypto asset transaction tax calculated over the sale amount or market value at transfer time.
However, crypto tax policy has been politically and legislatively fluid. Reports in late March 2026 indicated that controversial crypto tax provisions were removed from the relevant omnibus bill after parliamentary discussions.
For investors and platforms, the practical point is clear: crypto tax treatment should be checked before significant transactions. Investors should keep detailed records of purchase prices, sale prices, transfer dates, wallet addresses, exchange statements, bank transfers and transaction fees. Platforms should prepare for possible future withholding, reporting or transaction tax obligations.
Tax uncertainty is itself a legal risk. A profitable investor may later face questions about income declaration, source of funds, bank transfers or tax residency. A platform may need to adapt quickly if new transaction reporting or withholding rules are introduced.
17. Criminal Law Risks
Crypto assets may be involved in criminal investigations. Common criminal scenarios include fraud, breach of trust, unauthorized access, phishing, illegal betting proceeds, money laundering, market manipulation, ransomware payments and theft of digital assets.
Victims of crypto fraud should act quickly. They should preserve wallet addresses, transaction hashes, exchange records, screenshots, bank transfer receipts, communication logs, IP information, e-mail headers and identity information of the counterparty where available. A criminal complaint may be necessary, but blockchain tracing and exchange cooperation are often crucial.
For platforms, criminal law risk arises when systems are used by criminals or when employees misuse customer assets. Strong internal controls, transaction monitoring and law enforcement cooperation procedures help reduce this risk.
18. Civil Liability and Investor Claims
Investors may bring civil claims against crypto platforms in several situations. Claims may arise from unauthorized withdrawals, incorrect execution, failure to process withdrawals, misleading information, account suspension, delisting losses, cybersecurity breaches, custody failures, wrongful liquidation, unfair terms or negligence.
The legal basis may include breach of contract, tort liability, unjust enrichment, consumer law, data protection law or capital markets-related obligations depending on the relationship and facts.
Platforms can reduce civil liability risk by maintaining accurate records, clear terms, strong technical controls, transparent fee policies, effective complaint handling and proper risk disclosures.
Investors should also preserve evidence before filing claims. Crypto disputes are highly technical, and courts may require expert examination. Transaction hashes, exchange statements, KYC records, system logs and correspondence may determine the outcome.
19. Advertising, Influencers and Public Communications
Crypto advertising is legally sensitive. Misleading statements, guaranteed return promises, celebrity endorsements, undisclosed paid promotions, exaggerated profit claims and failure to disclose risks may expose platforms and promoters to liability.
Service providers should ensure that marketing materials are accurate, balanced and not misleading. Influencer campaigns should be carefully reviewed. If a social media campaign creates the impression that an investment is risk-free or regulator-approved, legal problems may arise.
Public communications should also avoid suggesting that CMB authorization equals a guarantee of profitability. Regulatory authorization means the provider may operate under the applicable framework; it does not mean that listed crypto assets are safe or that investors cannot lose money.
20. Compliance Checklist for Crypto Asset Service Providers
A crypto asset service provider operating in Turkey should maintain a detailed compliance checklist.
First, determine whether the business model falls within the CMB authorization regime.
Second, review whether the company satisfies corporate form, capital, shareholder, management and governance requirements.
Third, prepare licensing or activity permission documentation.
Fourth, establish custody, wallet management and client asset segregation procedures.
Fifth, create listing and delisting policies.
Sixth, implement AML and MASAK compliance systems.
Seventh, establish transaction monitoring and blockchain analytics procedures.
Eighth, adopt cybersecurity, information systems and incident response controls.
Ninth, prepare customer agreements, risk disclosures and complaint procedures.
Tenth, review advertising, influencer marketing and public communications.
Eleventh, prepare data protection documentation and cross-border transfer analysis.
Twelfth, monitor tax, reporting and legislative developments.
A crypto platform that treats compliance as a one-time application process will remain exposed. Compliance must be continuous.
21. Practical Checklist for Crypto Investors in Turkey
Investors should also follow a legal risk checklist.
They should use authorized or compliant platforms, avoid unlicensed foreign services targeting Turkish users, enable strong authentication, avoid sharing private keys or passwords, preserve transaction records, understand listing risk, avoid guaranteed return schemes, check whether crypto transfers are linked to suspicious counterparties, and maintain tax records.
Investors should also be cautious when transferring large funds from crypto platforms to Turkish bank accounts. Banks may ask for source-of-funds documents. Investors should be ready to provide exchange statements, transaction history and lawful source explanations.
In crypto disputes, early evidence preservation is essential. Blockchain transactions may be traceable, but account records and platform logs may become harder to obtain over time.
22. Why Legal Support Is Important
Crypto asset regulation in Turkey is technical and rapidly developing. It combines capital markets law, banking law, payment services law, AML compliance, tax law, data protection, contract law, criminal law and technology regulation.
A Turkish crypto lawyer may assist with CMB licensing, platform structuring, foreign exchange compliance, custody arrangements, terms of service, investor disputes, MASAK compliance, token listing analysis, fraud complaints, data protection, advertising review, regulatory correspondence and tax coordination.
For exchanges and service providers, legal support should begin before launch. For investors, legal support is especially important after fraud, account freezes, large losses, suspicious transaction reviews or disputes with platforms.
Conclusion
Crypto asset regulation in Turkey has moved from a fragmented legal environment into a formal regulatory framework under the Capital Markets Law and CMB supervision. Law No. 7518 and the CMB’s 2025 communiqués introduced important rules on crypto asset service providers, platforms, custody, capital adequacy, internal systems, listing, settlement and operational standards.
At the same time, crypto assets remain subject to other legal regimes. The CBRT prohibits the use of crypto assets in payments. MASAK rules impose anti-money laundering obligations. Data protection law applies to customer data. Criminal law applies to fraud, theft and laundering. Tax rules continue to evolve.
For crypto exchanges and service providers, the main risks are unauthorized activity, insufficient capital, weak custody, poor cybersecurity, inadequate AML controls, misleading advertising, defective customer agreements and regulatory non-compliance. For investors, the main risks are platform failure, custody loss, fraud, market manipulation, legal uncertainty, bank compliance reviews and tax exposure.
Turkey’s crypto market offers significant opportunities, but it now requires serious legal compliance. A successful crypto business in Turkey must combine technology, security, transparency, regulatory licensing, investor protection and continuous monitoring of legal developments. For investors, legal awareness is equally important: crypto assets may be digital, but the risks are real, and the legal consequences can be substantial.
Yanıt yok