Turkish Fintech Law in 2026: A Practical Legal Guide for Payment, E-Money, Open Banking, Digital Banking, and Crypto Projects
Turkey’s fintech ecosystem has matured into a regulated, license-driven market where “moving fast” must be balanced with operational resilience, consumer trust, and strict compliance. Whether you are launching a payment app, an e-money wallet, an open-banking product, a Banking-as-a-Service partnership, or a crypto-asset platform, Turkish fintech law is no longer a patchwork of informal practices—it is a structured regime built on licensing, prudential requirements, cybersecurity, data protection, and anti-money laundering controls.
This guide explains the legal map in plain English—what you can do under each licence, which regulator supervises which activity, how to plan a compliant launch, and where founders and investors most commonly get stuck.
Important note: This article is for general information and does not constitute legal advice. Every fintech model has licensing and compliance nuances depending on product design, customer flow, and data architecture.
1) The Turkish Fintech Regulatory Map: Who Regulates What?
Fintech in Turkey is supervised through several core authorities, each with a distinct mandate:
- Central Bank of the Republic of Türkiye (CBRT / TCMB): The main regulator and supervisor for payment services and e-money activities under the framework anchored in Law No. 6493 and related secondary legislation.
- Banking Regulation and Supervision Agency (BDDK / BRSA): Supervises banks (including digital banks), banking outsourcing/service-model banking, and banks’ information systems requirements.
- Capital Markets Board of Turkey (CMB / SPK): Regulates capital markets activities, crowdfunding, investment services, and—since 2024—crypto-asset service providers through amendments to the Capital Markets Law and secondary legislation.
- Financial Crimes Investigation Board (MASAK): Turkey’s AML/CFT authority responsible for obligations under Law No. 5549 and related measures for obliged entities (often including fintechs depending on the activity).
- Personal Data Protection Authority (KVKK): Enforces the Personal Data Protection Law (Law No. 6698) for all businesses processing personal data—highly relevant for fintechs because finance is “high-risk” data in practice.
Why this matters: in Turkey, your “product label” (fintech, wallet, platform) is less important than your regulated activity (payment services, e-money issuance, open banking access, banking services, investment services, crypto platform operations). Your licensing path must be mapped to your actual transaction and data flow.
2) The Backbone: Payment Services & E-Money Under Law No. 6493
2.1 What is Law No. 6493 and why is it central?
Turkey’s payment and e-money market is built on Law No. 6493 (Payment Systems Law), which sets the foundation for payment services, payment institutions, and electronic money institutions, complemented by CBRT secondary regulations and communiqués.
CBRT’s official overview explicitly states that the regulation and supervision of payment services in Turkey is governed by this framework and related secondary legislation.
2.2 What activities typically fall under CBRT licensing?
In practical terms, many mainstream fintech offerings will fall into one of these buckets:
- Payment institution model: payment initiation, money remittance, bill payments, merchant acquiring-like services (depending on structure), and other regulated payment services.
- Electronic money institution (e-money) model: issuing “electronic money” usable for payments, often paired with wallet functionality.
If your app receives funds from users and later pays merchants or transfers funds, you must be extremely careful: the difference between a “technical service” and a regulated payment service is often the difference between no licence and a full licensing programme.
2.3 Open banking within payment services: “Data Sharing Services”
Turkey recognizes open banking services in the payment-services context through “Data Sharing Services in the Field of Payment Services.” CBRT has publicly framed these services within the payment services regulatory perimeter.
This becomes crucial for:
- Account Information Services (consolidating account data), and
- Payment Initiation Services (initiating payments from a user’s bank account),
because these features usually trigger compliance requirements around consent, security, and infrastructure.
3) Secondary Legislation: Information Systems, Cybersecurity, and Data-Sharing Rules
For fintechs, the licence is only the beginning. Turkey’s approach is clear: operational resilience and information security are not optional.
CBRT introduced a major package of secondary legislation (Regulation + Communiqué) published in the Official Gazette on 1 December 2021, and it has been evolving through later amendments.
Key practical consequences for fintechs:
- robust information systems governance (policies, controls, audit readiness),
- strict outsourcing and vendor-risk expectations,
- incident response maturity,
- and careful handling of data sharing in open-banking style products.
Even if your core innovation is UX, your regulatory “make-or-break” is often how your system architecture and controls look on paper and in audit evidence.
4) A Recent “2026 Reality Check”: CBRT Amendments Effective 31 December 2025
Regulation in fintech moves—sometimes quietly—through amendments. One notable update: a CBRT amending regulation published in the Official Gazette dated 31 December 2025 (No. 33124) introduced specific exemptions for “Affiliated Institutions” (system operators with CBRT shareholding), and discussed how this relates to the Interbank Card Center.
Why this is practically relevant for startups:
- It shows CBRT’s willingness to tailor obligations for critical payment infrastructure players, which can affect market structure, partnership models, and compliance expectations.
- It also confirms that you must monitor Official Gazette amendments continuously because your compliance obligations can change faster than your product roadmap.
5) Fast Payments and QR: Infrastructure that Shapes Product Design
Fintech products are also shaped by national payment infrastructure. CBRT operates and oversees key payment systems, including the Instant and Continuous Transfer of Funds (FAST) system.
CBRT has also published communications on using FAST as a payment method in purchase/sale transactions and integrating “TR QR Code” mechanisms into the system.
For product teams, this matters because:
- instant payments change fraud patterns and refund expectations,
- QR-based payments raise new consent and authentication design questions,
- 24/7 payments require stronger operational monitoring and incident readiness.
6) Digital Banking & Banking-as-a-Service: Where Fintech Meets Banking Law
Fintech founders often want to offer “bank-like” products without becoming a bank. In Turkey, that ambition meets a regulated reality.
BDDK published the Regulation on the Operating Principles of Digital Banks and Service Model Banking in the Official Gazette (29 December 2021), establishing procedures and principles for branchless/digital banks and service-model banking structures.
Practical takeaway:
- If you want to provide deposit-like features, IBAN accounts, or core banking services, you usually need a licensed bank in the chain—either your own (high barrier) or a partner bank.
- “Banking-as-a-service” is not a purely commercial outsourcing deal; it is connected to supervisory expectations, information systems standards, and contractual allocation of responsibilities.
Many successful fintechs in Turkey scale through a hybrid strategy:
- start under a payment/e-money licence where possible,
- partner with banks for bank-only services,
- expand gradually while maintaining a clean compliance record.
7) Crypto Assets in Turkey: A Capital Markets Regulatory Framework
Crypto has moved from “grey zone” to structured regulation.
7.1 Legal basis and timing
A comprehensive legal basis for crypto assets was introduced through amendments associated with Law No. 7518, published in the Official Gazette on 2 July 2024 (No. 32590), embedding crypto-asset concepts into Turkey’s capital markets framework and empowering the Capital Markets Board for secondary rules.
7.2 Secondary legislation and capital adequacy
Secondary legislation has continued to develop. Reports indicate that major secondary rules entered into force via Official Gazette publications in March 2025, including detailed operating principles and capital adequacy requirements for crypto-asset service providers (CASPs).
7.3 AML pressure: “travel rule” expectations and transfer controls
Turkey has also been tightening AML controls over crypto. Public reporting in mid-2025 referenced measures such as delays or limits for transactions not meeting “travel rule” style transparency expectations.
Business implication: If you are building a crypto platform, your roadmap must treat compliance as a core product feature: onboarding, transaction monitoring, sanctions screening, travel-rule messaging, and audit trails are integral—not add-ons.
8) AML/CFT Compliance: MASAK as a Core Pillar for Fintech Trust
Turkey’s AML framework is anchored in Law No. 5549 administered by MASAK.
For fintechs, AML/CFT affects:
- customer onboarding (KYC/KYB),
- beneficial ownership checks,
- transaction monitoring,
- suspicious transaction reporting (STR) readiness,
- recordkeeping and auditability,
- and governance (compliance officer, internal controls, policies).
Even when a fintech is not directly an “obliged party” for all activities, bank and payment partners will impose MASAK-aligned obligations contractually. Treat this as inevitable: sophisticated partners will require AML clauses, audit rights, and termination triggers.
9) Personal Data Protection (KVKK): The Hidden “Fintech Tax”
Fintechs are data-intensive by design. Turkey’s Personal Data Protection Law (Law No. 6698) applies broadly, and the KVKK authority’s official English materials emphasize protecting fundamental rights and regulating processing principles.
In a fintech context, the KVKK “hot spots” include:
- lawful basis for processing (consent vs. contractual necessity vs. legal obligation),
- transparency and privacy notices,
- data minimization (collect only what you need),
- retention schedules aligned with finance/AML obligations,
- cross-border transfers (often complex in practice),
- processor/vendor management (cloud, analytics, CRM),
- breach response planning.
Practical rule: If your compliance plan treats KVKK as a template exercise, you will suffer later—usually during due diligence, licensing scrutiny, or a security incident.
10) Crowdfunding and Investment-Tech: When You Enter Capital Markets Territory
Fintech is not only payments. If your product touches investment, fundraising, or securities-like instruments, you may enter the Capital Markets Board perimeter.
The Capital Markets Board’s legal framework includes communiqués on equity-based crowdfunding and other instruments.
Practitioners also note that Turkish crowdfunding rules have broadened to cover share-based and borrowing/debt-based models under the relevant communiqué regime.
Founders should treat “investment-like” features as high-risk from a regulatory standpoint:
- marketing language (promises, expected returns),
- platform operator status,
- investor classification and limits,
- information form requirements,
- custody and cash-flow design,
- and conflict management.
11) A Step-by-Step Compliance Roadmap for Launching a Fintech in Turkey
Below is a practical sequence founders and investors can use.
Step 1: Map your “regulated activity” (not your app features)
Document the end-to-end flow:
- who receives money, who holds it, who transfers it,
- where funds sit (bank accounts, pooled accounts, escrow-like structures),
- who can access balances and initiate payments,
- how refunds, chargebacks, or reversals work,
- whether you issue stored value (possible e-money),
- whether you access bank accounts via APIs (open banking),
- whether any token/crypto functionality exists (CASP territory).
Step 2: Choose the correct licensing track (or partnership architecture)
- Payment institution vs. electronic money institution under CBRT.
- Bank partnership under service-model banking for bank-only features (with BDDK constraints).
- Capital markets permissions for crowdfunding/investment features.
- CASP path for crypto platforms under CMB rules.
Step 3: Build “audit-ready” governance early
Regulators and partners care about:
- board and senior management fitness,
- compliance function independence,
- internal control and risk management,
- documented policies, training, and evidence trails.
Step 4: Engineer compliance into your product
- Strong customer authentication and consent flows (especially for open banking).
- Logging, monitoring, fraud controls, and incident handling aligned with information systems expectations.
- Data protection by design under KVKK.
- AML/KYC and transaction monitoring aligned with MASAK expectations.
Step 5: Prepare for licensing and ongoing supervision
Licensing is not a one-time project. You should plan for:
- periodic reporting,
- independent audit readiness,
- vendor audits and contractual controls,
- continuous regulatory monitoring (Official Gazette changes),
- complaint handling and consumer protection discipline.
12) Common Legal Pitfalls (and how to avoid them)
- Misclassifying the activity (e.g., “we are just a software company” while handling funds).
- Underestimating AML (KYC shortcuts that later block bank partnerships).
- Ignoring KVKK cross-border issues (especially with global cloud stacks).
- Launching open banking features without mature consent and security design.
- Treating crypto compliance as optional, despite rapid rule development and heightened AML scrutiny.
13) FAQs
Is a licence always required to launch a fintech in Turkey?
Not always. But if you provide regulated payment services, issue e-money, operate as a CASP, or conduct capital markets activities, a licence/permission (or a licensed partner architecture) is usually essential.
Who regulates payment institutions and e-money institutions?
CBRT is the responsible authority for payment services/e-money supervision within the Law No. 6493 ecosystem and associated secondary legislation.
Is open banking recognized in Turkey?
Yes—CBRT has publicly described data-sharing services in payment services as open banking services in this field.
What is the key AML law for fintechs?
Law No. 5549 is central to Turkey’s AML/CFT regime.
Is crypto regulated in Turkey now?
Yes. Since 2 July 2024 (Official Gazette No. 32590), Turkey has a capital-markets-based framework for crypto assets, with further secondary rules published in 2025.
14) Conclusion: Compliance Is the Fastest Path to Scale
Turkish fintech law rewards companies that treat legal compliance as part of product quality. A clean licensing strategy, solid governance, KVKK-by-design, and MASAK-grade AML controls do more than “avoid penalties”—they unlock bank partnerships, investor confidence, and sustainable growth.