Introduction
Payment services law in Turkey has become one of the most important areas of financial regulation due to the rapid growth of fintech companies, e-commerce platforms, digital wallets, payment gateways, marketplace payment systems, mobile applications and embedded finance solutions. Businesses that process payments, transfer funds, provide digital payment tools or support merchant collections may fall within the regulated payment services framework under Turkish law.
The core legislation governing payment services in Turkey is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. The Central Bank of the Republic of Türkiye, commonly referred to as the CBRT or TCMB, states that regulation and supervision in the payment services area are governed by Law No. 6493 and related secondary legislation. This framework includes rules on payment services, payment institutions, electronic money issuance, payment service providers, QR code payments, crypto assets in payments and information systems obligations.
Payment services law is especially important for fintech companies that want to operate in Turkey. A company may describe itself as a software provider, marketplace operator, merchant services provider or digital platform; however, if its actual activity involves executing payment transactions, transferring funds, operating payment accounts, issuing payment instruments, providing payment initiation services or providing account information services, licensing and compliance obligations may arise.
This article provides a comprehensive legal guide to payment services law in Turkey, focusing on licensing requirements, compliance obligations, payment institution activities, customer fund protection, anti-money laundering rules, data protection, information systems and practical legal risks.
1. Legal Framework of Payment Services in Turkey
The legal framework for payment services in Turkey is mainly based on Law No. 6493 and the secondary regulations issued by the CBRT. The official English version of Law No. 6493 states that its objective is to regulate the procedures and principles regarding payment and securities settlement systems, payment services, payment institutions and electronic money institutions. It also states that the law applies to payment and securities settlement systems, payment services, payment institutions and electronic money institutions.
This legal framework is significant because it brought non-bank payment service providers under a regulated licensing regime. Before modern payment legislation, many alternative payment models could operate with limited sector-specific supervision. Today, payment institutions and electronic money institutions are financial service providers subject to authorization, supervision, operational requirements and compliance duties.
The CBRT’s payment services framework lists several important secondary instruments, including the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, the Regulation on the Generation and Use of TR QR Code in Payment Services, the Regulation on the Disuse of Crypto Assets in Payments, and the Communiqué on the Management and Supervision of IT Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers.
Therefore, payment services law in Turkey should not be analyzed only through the main law. A complete compliance review must also consider CBRT regulations, information systems rules, AML legislation, data protection law, consumer law and contractual obligations.
2. What Is a Payment Institution in Turkey?
A payment institution is a legal entity authorized to provide payment services under Turkish law. Payment institutions are not banks, but they are regulated financial service providers. They operate in areas such as fund transfers, payment account services, merchant collections, payment gateways, payment instruments, money remittance, payment initiation services and account information services.
Payment institutions are particularly relevant for e-commerce platforms, marketplaces, mobile applications, utility payment services, cross-border payment companies, merchant acquiring businesses, QR payment providers and digital wallet ecosystems. In commercial practice, many businesses do not initially realize that their payment flow may trigger licensing obligations.
The key legal issue is the actual function performed by the company. If the business merely provides technical infrastructure without holding funds, controlling payment flows, initiating payment orders or operating payment accounts, it may be outside the licensing perimeter. However, if the business receives funds on behalf of users, transfers money between parties, operates a payment account, routes merchant settlements or executes payment instructions, it may need authorization as a payment institution.
For this reason, the first step for any fintech company entering the Turkish market should be a regulatory classification analysis. The company must identify whether its services fall under payment services, electronic money, banking, lending, crypto assets, marketplace intermediation or pure technology services.
3. Activities That May Qualify as Payment Services
Payment services may appear in different commercial models. A platform that allows users to send money to one another may be providing a regulated money remittance service. A marketplace that collects payments from buyers and later distributes funds to sellers may be involved in payment execution or merchant acquiring. A digital application that initiates payments from a user’s bank account may fall within payment initiation services. A dashboard that collects and displays bank account information may fall within account information services.
In practice, payment service classification depends on the transaction flow. A legal review should identify who receives the money, whose account is used, who gives the payment order, who executes the transaction, who holds customer funds, when the merchant is paid, who bears refund risk, who is responsible for chargebacks and whether the customer has a payment account with the provider.
This flow-based analysis is essential because Turkish regulators assess the substance of the activity rather than the label used in commercial documents. A company cannot avoid regulation simply by calling itself a “technology platform” if it is actually providing payment services.
4. Licensing Requirement for Payment Institutions
Payment institutions must obtain authorization before providing regulated payment services in Turkey. The CBRT is the main authority responsible for the regulation and supervision of payment services and payment service providers under Law No. 6493 and related secondary legislation.
A payment institution license is not a simple registration. The applicant must demonstrate that it has sufficient capital, transparent ownership, qualified management, appropriate internal control mechanisms, strong information systems, risk management procedures, customer fund protection arrangements and compliance infrastructure.
A license application should be prepared carefully. It typically requires a clear explanation of the business model, payment flow, target customers, merchant structure, technology infrastructure, outsourcing relationships, data processing activities, AML program, internal governance, complaint mechanisms and financial projections.
Foreign fintech companies should be particularly cautious. A license obtained in another jurisdiction does not automatically authorize payment services in Turkey. Unless a specific legal exemption applies, payment services offered in Turkey generally require local legal and regulatory analysis.
5. Difference Between Payment Institutions and Electronic Money Institutions
Payment institutions and electronic money institutions are closely related but legally different. A payment institution provides payment services. An electronic money institution is authorized to issue electronic money.
Electronic money generally refers to monetary value issued against funds received, stored electronically, used to perform payment transactions and accepted by persons other than the issuer. Digital wallets, prepaid balances, stored-value products and certain platform-based payment models may fall within electronic money regulation.
The distinction matters because a company that only executes payments may need a payment institution license, while a company that stores customer balances for future use may require an electronic money institution license. Some business models may involve both payment services and electronic money issuance.
For example, a payment gateway that immediately transfers funds from a customer to a merchant may be analyzed differently from a wallet provider that holds customer balances and allows future payments to multiple merchants. The legal classification affects capital requirements, safeguarding obligations, customer contracts, accounting treatment and compliance duties.
6. Capital, Ownership and Governance Requirements
Payment institutions are expected to have a proper corporate structure. Regulators focus on capital adequacy, ownership transparency, management competence and operational readiness. The ownership structure should be clear and capable of regulatory supervision.
In practice, shareholders, ultimate beneficial owners and controlling persons may be reviewed from a fit-and-proper perspective. Complex or opaque shareholding structures may create regulatory concerns. If foreign shareholders are involved, corporate documents, registry extracts, board resolutions, authority documents and financial statements may need to be submitted with proper legalization and Turkish translation.
Governance is also critical. Payment institutions should have qualified managers, clear decision-making structures, defined reporting lines, internal policies, risk controls and compliance functions. Since payment institutions handle customer funds and sensitive financial data, weak governance may create serious regulatory, financial and reputational risks.
7. Protection and Safeguarding of Customer Funds
One of the most important compliance obligations for payment institutions is the protection of customer funds. Payment institutions often receive money from users or merchants for the purpose of executing payment transactions. These funds should not be treated like the institution’s own commercial assets.
Safeguarding obligations are designed to protect users if the payment institution experiences financial difficulty. In practice, this may require segregated accounts, reconciliation processes, accounting controls, restrictions on the use of customer funds and proper internal reporting.
Customer fund protection should be considered at the product design stage. A fintech company should map every payment movement and determine when customer funds are received, where they are held, how they are reconciled, when they are transferred and how refunds or disputes are handled.
If customer funds are mixed with operational funds or used outside the permitted purpose, the institution may face regulatory sanctions, civil claims and loss of trust. For this reason, safeguarding is not merely an accounting issue; it is a core legal obligation.
8. Information Systems and Cybersecurity Obligations
Payment services are technology-driven financial services. Therefore, information systems and cybersecurity are central to Turkish payment services compliance. The CBRT’s payment services framework includes a communiqué on the management and supervision of IT systems of payment and electronic money institutions and data sharing services of payment service providers.
Payment institutions should maintain secure, reliable and auditable systems. This includes access controls, encryption, authentication mechanisms, log management, transaction monitoring, business continuity, disaster recovery, incident response, vulnerability management, penetration testing and outsourcing controls.
Cybersecurity failures may lead to unauthorized transactions, customer losses, fraud, data breaches and regulatory intervention. Payment institutions should therefore treat cybersecurity as a legal and compliance obligation, not merely as a technical concern.
Contracts with software providers, cloud service providers, payment processors, data centers and outsourcing companies should include detailed provisions on information security, confidentiality, audit rights, service levels, incident notification, data location, subcontracting and termination.
9. Open Banking, Payment Initiation and Account Information Services
Open banking and data sharing services have become increasingly important in Turkish payment services law. Payment initiation services allow a provider to initiate a payment from a customer’s account held with another payment service provider. Account information services allow a provider to access and present account information from one or more payment accounts.
These services create significant opportunities for fintech companies. They can support personal finance management tools, business accounting integrations, alternative credit scoring, direct account-to-account payments, merchant payment solutions and embedded finance products.
However, open banking also creates legal risks. Payment institutions must ensure that customer consent is valid, data access is secure, authentication is strong, API connections are reliable and liability allocation is clear. Unauthorized access to financial data may create regulatory, civil and data protection consequences.
A fintech company developing open banking services in Turkey should review CBRT rules, technical standards, customer consent processes, information systems obligations and data protection requirements before launch.
10. QR Code Payments in Turkey
QR code payments are widely used in modern payment ecosystems. They allow customers to make payments by scanning a code through mobile banking applications, digital wallets or payment apps. QR payments are common in retail stores, restaurants, transportation services, e-commerce, marketplaces and bill payment channels.
The CBRT’s legal framework includes the Regulation on the Generation and Use of TR QR Code in Payment Services. This shows that QR code payments are not merely a technical feature; they are part of the regulated payment services environment.
Payment institutions offering QR code payment services should review technical standards, merchant agreements, customer authentication, transaction security, fraud controls, refund processes and interoperability requirements.
Merchant contracts should clearly regulate settlement timing, prohibited products, fraud liability, chargebacks, customer complaints, data processing, confidentiality, termination rights and compliance cooperation.
11. Crypto Assets and Payment Restrictions
Crypto assets are a sensitive issue in Turkish payment services law. The CBRT’s payment services framework includes the Regulation on the Disuse of Crypto Assets in Payments. This means crypto assets cannot be treated like ordinary payment instruments within the regulated payment services framework.
Payment institutions should be careful when designing products involving crypto assets, blockchain-based value transfers, crypto-linked wallets or merchant settlement models. Even if a company does not directly hold crypto assets, an indirect payment model using crypto assets may raise regulatory concerns.
This does not mean that every blockchain-related business is prohibited. However, using crypto assets as a direct or indirect payment tool requires careful legal analysis. Payment institutions and fintech companies should obtain legal advice before integrating crypto-related payment functions in Turkey.
12. Anti-Money Laundering Compliance for Payment Institutions
Payment institutions are exposed to money laundering and terrorist financing risks because they process funds, onboard customers, work with merchants and support digital transactions. For this reason, AML compliance is a central obligation.
The main Turkish AML statute is Law No. 5549 on Prevention of Laundering Proceeds of Crime. The official MASAK page states that the objective of this law is to determine principles and procedures for preventing the laundering of proceeds of crime.
A payment institution should implement a risk-based AML program. This program should include customer due diligence, identity verification, beneficial ownership checks, merchant risk assessment, transaction monitoring, sanctions screening, politically exposed person controls, suspicious transaction reporting, recordkeeping, staff training and internal audit.
AML compliance is especially important for digital onboarding and high-volume transaction platforms. Weak onboarding may allow mule accounts, stolen identities, fraud networks and suspicious merchants to enter the system. Weak transaction monitoring may allow suspicious activity to continue undetected.
13. Data Protection and Privacy Obligations
Payment institutions process large amounts of personal data, including identity information, contact details, account information, transaction history, device data, IP addresses, merchant information and fraud monitoring data. Therefore, Turkish data protection law is directly relevant.
The main data protection statute is Law No. 6698 on the Protection of Personal Data. The official English translation states that the purpose of the law is to protect fundamental rights and freedoms, particularly the right to privacy, with respect to personal data processing and to set out obligations, principles and procedures binding on natural or legal persons processing personal data.
Payment institutions must comply with general principles such as lawfulness, fairness, accuracy, purpose limitation, data minimization, storage limitation and security. They must provide privacy notices, identify legal grounds for processing, manage data subject requests, implement security measures and review cross-border data transfers.
The law also requires data controllers to take necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access and ensure protection of personal data. Where processing is carried out by another person on behalf of the controller, the data controller remains jointly responsible for these measures.
For payment institutions, data protection compliance should be built into product design. Applications should not collect unnecessary data, customer permissions should be clear, retention periods should be defined and sensitive financial data should be protected with strong security measures.
14. Consumer Protection and Transparency
Payment institutions often serve consumers through mobile apps, online forms, digital contracts and instant payment interfaces. This makes transparency essential. Users should clearly understand who provides the service, whether the provider is licensed, what fees apply, how payments are executed, when funds are transferred, how refunds work, how complaints are handled and what happens in case of unauthorized transactions.
Digital terms and conditions should be written clearly and should not rely on vague or unfair clauses. Key provisions such as fees, account suspension, transaction limits, refund procedures, fraud investigation, user responsibilities, termination rights and liability limitations should be transparent.
For marketplace payment models, transparency is also important between buyers, sellers and the payment institution. The platform should clarify whether it is a seller, intermediary, payment service provider, marketplace operator or technical service provider.
15. Merchant Agreements and Platform Payment Models
Merchant agreements are one of the most important contracts for payment institutions. These agreements define the commercial and legal relationship between the payment institution and merchants using the payment service.
A strong merchant agreement should regulate onboarding, merchant verification, settlement timing, transaction fees, refunds, chargebacks, fraud, prohibited goods and services, data protection, AML cooperation, tax responsibilities, intellectual property, technical integration, service interruptions, termination and post-termination obligations.
Marketplace models require special attention. If a platform collects payments from customers and distributes funds to sellers, the legal structure must be carefully designed. The platform may need a payment institution license, a partnership with a licensed payment institution or a structure that avoids regulated payment activity.
16. Outsourcing and Third-Party Service Providers
Payment institutions often rely on third-party service providers, including software vendors, cloud providers, data centers, card processors, fraud monitoring tools, customer verification providers and call centers. Outsourcing can improve efficiency but also creates regulatory risk.
The payment institution remains responsible for its regulated services. It cannot shift legal responsibility entirely to a vendor. Therefore, outsourcing contracts should include audit rights, compliance obligations, information security standards, business continuity requirements, confidentiality, subcontracting restrictions, data processing clauses, incident notification and termination rights.
Before outsourcing critical functions, payment institutions should conduct due diligence on the service provider. They should assess technical capacity, financial reliability, data security, regulatory experience, business continuity capability and legal compliance.
17. Foreign Payment Companies Entering the Turkish Market
Foreign payment companies frequently view Turkey as an attractive market due to its strong digital economy, e-commerce growth and advanced banking infrastructure. However, foreign companies should not assume that they can provide payment services into Turkey without local regulatory analysis.
A foreign payment company should first determine whether its services are offered to Turkish users or merchants. If the service involves payment execution, merchant acquiring, money remittance, payment initiation, account information services or customer fund handling in Turkey, licensing issues may arise.
Second, the company should consider whether it needs a Turkish subsidiary or whether it can work through a licensed local partner. Third, it should review data localization, cross-border transfer, AML, consumer protection, tax and contractual requirements.
A foreign license may support credibility but does not replace Turkish authorization where local law requires a license.
18. Common Legal Risks for Payment Institutions
Payment institutions in Turkey commonly face several legal risks.
The first risk is unauthorized activity. A company may unintentionally provide regulated payment services before obtaining authorization.
The second risk is weak safeguarding. If customer funds are not properly segregated or reconciled, both regulatory and civil liability may arise.
The third risk is AML failure. Weak customer checks, insufficient merchant screening or poor transaction monitoring can expose the institution to money laundering risks.
The fourth risk is data protection violation. Payment institutions handle sensitive financial data and may face liability for unlawful processing, excessive data collection, weak security or unlawful transfers.
The fifth risk is cybersecurity failure. Unauthorized transactions, account takeover, API weaknesses and system outages can cause financial loss and regulatory scrutiny.
The sixth risk is contractual weakness. Poorly drafted user agreements, merchant contracts or vendor agreements may create disputes, unclear liability and compliance gaps.
19. Practical Compliance Checklist for Payment Institutions
A payment institution operating in Turkey should maintain a structured compliance checklist.
First, the business model should be legally classified. Second, licensing requirements should be assessed before launch. Third, payment flows should be mapped in detail. Fourth, customer fund safeguarding mechanisms should be established. Fifth, AML policies and transaction monitoring systems should be implemented. Sixth, information systems and cybersecurity controls should be tested. Seventh, user agreements and merchant agreements should be drafted in line with Turkish law. Eighth, privacy notices and data protection documentation should be prepared. Ninth, outsourcing agreements should include regulatory safeguards. Tenth, complaint handling and incident response procedures should be established.
This checklist should not be treated as a one-time exercise. Payment institutions should continuously monitor regulatory developments, product changes, new payment flows, merchant risk and customer complaints.
20. Why Legal Support Is Important
Payment services law in Turkey is highly technical. It combines financial regulation, fintech law, contract law, AML, data protection, consumer protection, cybersecurity and administrative law. A business model may look simple commercially but may trigger complex licensing and compliance obligations.
A Turkish payment services lawyer can assist with regulatory classification, CBRT license applications, payment institution structuring, merchant agreements, user terms, AML documentation, data protection compliance, outsourcing contracts, open banking analysis, QR payment models, crypto payment restrictions and regulatory correspondence.
Early legal support is especially important. Launching first and analyzing regulation later may lead to serious consequences, including administrative sanctions, service interruption, banking relationship problems, customer claims and reputational damage.
Conclusion
Payment services law in Turkey is a central part of the country’s fintech regulatory framework. Law No. 6493 and CBRT secondary legislation regulate payment institutions, electronic money institutions, payment service providers, payment systems, QR payments, crypto payment restrictions and information systems obligations.
For payment institutions, compliance is not limited to obtaining a license. It also includes customer fund protection, AML controls, data protection, cybersecurity, transparent customer contracts, merchant due diligence, outsourcing governance and continuous regulatory monitoring.
Turkey offers significant opportunities for fintech companies, payment platforms, e-commerce businesses and foreign payment providers. However, these opportunities must be approached with a clear legal strategy. Any company planning to provide payment services in Turkey should first determine whether its business model requires authorization, how customer funds will be protected, how data will be processed, how AML risks will be managed and how contracts will allocate liability.