AML and financial crime compliance rules in Turkey have become a central legal issue for banks, payment institutions, insurers, investment firms, crypto asset service providers, real estate businesses, precious-metals traders, and many other companies that either qualify as “obliged parties” or face enhanced counterparty and banking scrutiny because of the way they conduct business. In Turkey, this area is not governed by a single stand-alone compliance code. It is built from Law No. 5549 on the Prevention of Laundering Proceeds of Crime, the Turkish Penal Code’s laundering offence in Article 282, Law No. 6415 on the Prevention of the Financing of Terrorism, MASAK’s Measures Regulation, the Compliance Program Regulation, and MASAK communiqués and guidance. That framework means AML compliance in Turkey is both a legal requirement and an operating model.
For companies operating in Turkey, the practical point is simple: AML compliance is not limited to filing a suspicious transaction report after something goes wrong. Turkish law expects obliged entities to identify customers, understand the purpose of the business relationship, monitor activity, report suspicious transactions regardless of amount, preserve records, provide information and documents to MASAK, and in some cases build a formal compliance program with a compliance officer, internal policies, risk management, training, monitoring, and internal audit. Turkish AML law therefore functions as an integrated preventive system rather than a purely reactive reporting regime.
The Main Legal Structure of AML Compliance in Turkey
The statutory backbone is Law No. 5549. MASAK’s official law page states that the purpose of Law No. 5549 is to determine the procedures and principles for preventing the laundering of crime proceeds. The same law defines “crime proceeds” as assets derived from crime and defines the “laundering offence” by reference to Article 282 of the Turkish Penal Code. MASAK’s official pages also show that the law regulates core preventive obligations such as suspicious transaction reporting, continuing information reporting, and information and document production. This makes Law No. 5549 the central framework statute for Turkish AML compliance.
The criminal side sits in Article 282 of the Turkish Penal Code. MASAK’s official materials state that the laundering offence in Article 282 covers assets derived from offences punishable by a minimum term of six months’ imprisonment or more. MASAK’s “General Information” and “National Fight” pages also reflect that structure. In other words, Turkish AML compliance is not detached from criminal law; it is designed to prevent the concealment, transfer, disguise, or integration of criminal proceeds into the lawful economy before that conduct matures into a prosecutable laundering case.
Turkey’s financial crime compliance framework also includes terrorist-financing controls. Law No. 6415, as published on MASAK’s site, regulates the prevention of terrorist financing and includes an asset-freezing regime. MASAK’s related implementing-regulation materials also show that once an asset-freezing decision exists, the legal consequences apply to subsequent transactions involving the frozen assets, and the law includes a system for foreign-state requests and domestic implementation. For businesses, this means Turkish financial crime compliance is not only about laundering risk; it also requires sanctions-style screening, freeze-list awareness, and controls over dealings with designated persons, organizations, or transactions.
Who Falls Within the Turkish AML Regime
Law No. 5549 and MASAK’s “Yükümlüler” pages show that the Turkish AML regime applies to a broad group of obliged parties. MASAK’s official materials list categories that include banking, insurance, private pension, capital markets, lending and other financial services, as well as various non-financial actors. The official “Yükümlüler” page also lists, among others, banks, card issuers outside banks, authorized foreign-exchange institutions, financing and factoring companies, insurance and pension actors, capital markets institutions, postal service providers in relevant transactions, and a range of other obliged parties. This breadth is important because many businesses underestimate how far Turkish AML obligations extend beyond the traditional banking sector.
MASAK’s official materials also show that the list of obliged parties reaches non-financial businesses in certain sectors. Search-result text from MASAK’s Measures Regulation and “Yükümlüler” pages refers to precious-metals intermediary institutions, persons engaged in commercial real-estate purchase and sale or intermediation, and sector-specific businesses such as crypto asset service providers. MASAK’s sectoral suspicious transaction guides page further confirms that the authority publishes dedicated guidance for sectors such as crypto asset service providers, e-commerce intermediary service providers, precious-metals businesses, and betting-related operators. The compliance consequence is clear: Turkish AML law is sector-sensitive, and a company should not assume it is outside scope merely because it is not a bank.
Core Obligations: Customer Due Diligence and Knowing the Business Relationship
The first operational pillar is customer identification and customer due diligence. MASAK’s Measures Regulation states that where obliged entities cannot complete identification or cannot obtain sufficient information about the purpose of the business relationship, they must not establish the business relationship and must not carry out the transaction requested. MASAK General Communiqué No. 5 also reflects the ongoing-monitoring duty by stating that the customer’s status must be monitored within the scope of the continuous business relationship and that customer information, documents, and records must be kept up to date. In practical terms, Turkish AML compliance requires not only onboarding checks but also an ongoing understanding of who the customer is and why the relationship exists.
This is one of the reasons AML compliance in Turkey is so operationally important. The law does not treat KYC as a one-time formality. It expects obliged entities to understand the business purpose, maintain current records, and keep reviewing the customer over the life of the relationship. That means gaps in beneficial-ownership understanding, unexplained transaction behavior, sudden account changes, inconsistent source-of-funds patterns, or customer behavior that no longer matches the original profile should all be treated as compliance issues. That inference follows directly from MASAK’s insistence on purpose-based onboarding and ongoing monitoring.
Suspicious Transaction Reporting in Turkey
Suspicious transaction reporting is the defining obligation in the Turkish AML system. Law No. 5549 and MASAK’s Measures Regulation both make clear that suspicious transactions must be reported regardless of amount. MASAK General Communiqué No. 2 repeats the same rule, stating that obliged parties report suspicious transactions with no monetary threshold through the Suspicious Transaction Reporting Form. MASAK General Communiqué No. 13 further states that suspicious transactions must be reported no later than ten business days after suspicion arises and, in urgent cases where delay may be harmful, without delay. This is one of the most important points in Turkish AML practice: suspicion, not transaction size, triggers the reporting duty.
MASAK’s guidance structure also shows that suspicious transaction reporting is expected to be tailored to sectoral risk. The authority’s sectoral suspicious transaction guides cover multiple industries, and MASAK has separately published crypto-specific suspicious transaction reporting guidance and system updates. The existence of sectoral reporting guides is significant because it shows Turkish regulators do not expect a generic, one-size-fits-all approach. A bank, insurer, crypto platform, e-commerce intermediary, or precious-metals business is expected to recognize different red flags, transaction patterns, and abuse typologies.
Continuing Information, Recordkeeping, and Information Production
Turkish AML compliance also includes continuing information reporting. Law No. 5549 states that obliged parties must report to MASAK the transactions to which they are party or through which they act as intermediary when those transactions exceed the amount determined by the Ministry. MASAK’s sanctions page and FAQs also show that continuing information is treated as a distinct legal obligation, separate from suspicious transaction reporting. Companies subject to this duty should therefore be careful not to confuse ordinary threshold-based reporting with suspicion-based reporting; both may apply, and they serve different legal functions.
Recordkeeping and production duties are equally important. MASAK’s “Yükümlülükler” page states that, under Article 8 of Law No. 5549 and Article 46 of the Measures Regulation, obliged parties must preserve the records and documents falling within the scope of the law and secondary legislation and produce them when required. MASAK’s sanctions page also confirms that violations of the recordkeeping and production duty are sanctionable under Article 13 of Law No. 5549. In practice, this means that an institution with weak document management, fragmented onboarding files, or incomplete transaction records may fail compliance even before any suspicious activity is proven.
The same logic applies to MASAK’s power to request information and documents. MASAK’s Compliance Program Regulation and General Communiqué No. 13 make clear that when information and documents are requested, the obliged entity must provide them and internal units must also furnish the requested materials and facilitate the compliance function. That is why Turkish AML compliance is not only about frontline KYC teams; it requires organization-wide responsiveness from operations, finance, legal, IT, and business units whenever MASAK or the internal compliance function needs data.
Compliance Programs Under Turkish Law
Turkey does not require the same formal compliance-program architecture for every obliged party, but for the entities within scope the requirements are quite explicit. MASAK’s Compliance Program Regulation states that the regulation was issued under Article 5 of Law No. 5549 and governs the procedures and principles for creating compliance programs. MASAK materials describe the program as including institutional policy and procedures, risk management, monitoring and control, training, and internal audit. This is important because it shows Turkish AML compliance is not merely transactional; for many institutions it must be built into governance and internal-control design.
MASAK’s current materials also show that certain categories must establish formal compliance programs, and that crypto asset service providers were brought within Article 4 of the Compliance Program Regulation. The regulation’s search snippet expressly states that crypto asset service providers must establish compliance programs, while financial groups must establish group-level compliance programs. MASAK’s FAQs further state that all obliged entities that must establish a compliance program under Article 4 must also appoint a compliance officer under Article 15. So, for institutions in scope, a Turkish AML program is not complete without a formally designated compliance function.
MASAK’s materials also show that the compliance function is becoming more formalized. In 2025, MASAK announced that the first compliance officer authorization exam would be held on 18 October 2025, later announced that the exams would be conducted electronically by SPL from 10 December 2025 onward, and opened the compliance-officer licensing application system in November 2025. Those developments matter because they show Turkish AML compliance is moving toward a more credentialed and structured professional model for compliance officers, especially for obliged entities subject to the full program regime.
Recent Developments: Crypto, Remote Identification, and Risk-Based Tightening
One of the most important recent trends in Turkey is the expansion and refinement of AML rules for crypto-related activity. MASAK’s 2023 amendment notice stated that crypto asset service providers were taken into the scope of Article 4 of the Compliance Program Regulation so that they would be required to establish compliance programs. In July 2024, MASAK also announced an updated suspicious transaction reporting guide and MASAK Online system changes for crypto asset service providers. In September 2025, MASAK announced that the crypto guide had been updated again and specifically highlighted customer recognition and identification processes, remote identification, suspicious transaction reporting, information and document duties, and compliance-program obligations.
The regulatory trend continued in late 2024 and 2025. MASAK’s Measures Regulation page notes that the 25 December 2024 amendments inserted “risk-based enhanced measures,” and the same regulation’s snippet also states that a new Article 24/A requires identity information for crypto-asset transfer transactions intermediated by crypto asset service providers at TL 15,000 and above. MASAK General Communiqué No. 19 further shows that, after a 12 June 2025 amendment, crypto asset service providers may carry out remote identification for the establishment of continuous business relationships in accordance with the communiqué’s framework. These developments show that Turkey is not merely adding crypto businesses to the AML perimeter; it is refining how customer identification and transaction controls should work in that sector.
MASAK also introduced a specific control for financial institutions dealing with crypto businesses. The Compliance Program Regulation’s search snippet states that the establishment of a business relationship by financial institutions with crypto asset service providers is subject to the approval of a high-level official. That requirement is significant because it shows the Turkish regime is increasingly using enhanced internal-approval measures where the counterparty itself may represent elevated AML/CFT risk. From a compliance-design perspective, that is a strong signal in favor of risk-based escalation for high-risk sectors and counterparties.
Sanctions and Enforcement Exposure
Non-compliance with Turkish AML rules carries real enforcement consequences. MASAK’s sanctions page states that Article 13 of Law No. 5549 applies to violations of customer identification, suspicious transaction reporting, continuing information, and recordkeeping/production obligations, and it specifically notes that certain violations may be calculated separately for each customer. MASAK’s sanctions page also points to the seriousness of these breaches within the administrative enforcement system. For companies, the main lesson is that AML failures in Turkey are not treated as technical defects without consequence; repeated operational failures can produce cumulative exposure.
The criminal-law side is also real. MASAK’s “General Information” and “National Fight” pages connect the preventive regime directly to the laundering offence under Article 282 of the Turkish Penal Code, while the High Council of Judges and Prosecutors announced in 2021 that specific criminal courts would handle cases involving the laundering offence under Article 282. That does not mean every compliance failure becomes a laundering prosecution. It does mean, however, that the preventive regime exists in the shadow of a fully operative criminal framework, and serious failures can trigger attention well beyond administrative supervision.
How Companies Should Build a Defensible AML Program in Turkey
For businesses, the best approach is to start with a written, Turkey-specific risk assessment. The legal framework itself points in that direction: MASAK’s compliance-program materials are expressly risk-based, MASAK issues sectoral suspicious transaction guidance, and recent amendments have added more risk-sensitive measures for crypto and other sectors. A defensible Turkish AML program should therefore map the company’s customer base, delivery channels, geographic exposure, product set, transaction types, beneficial-ownership complexity, and high-risk counterparty categories before drafting policies. A global template may help, but it is not enough on its own.
Once the risk map is clear, the operating framework should follow. For an obliged entity, that typically means clear onboarding rules, escalation thresholds, suspicious-transaction workflows, internal reporting lines, screening against freeze-related restrictions, document-retention controls, training, and periodic testing. For institutions subject to the formal compliance-program regime, it also means a compliance officer, institutional policy and procedures, risk management, monitoring and control, training, and internal audit. Turkish AML compliance works best when the legal requirements are translated into routine operating behavior rather than left in a policy binder that nobody uses.
Conclusion
AML and financial crime compliance rules in Turkey are now too broad, too technical, and too operational to be treated as a narrow banking issue. The Turkish regime combines preventive law, criminal law, terrorist-financing controls, asset-freezing mechanisms, sector-specific guidance, and increasingly formal compliance-program expectations. MASAK’s framework makes customer identification, business-relationship understanding, suspicious transaction reporting, continuing information, recordkeeping, and internal governance central to lawful operation. Recent amendments affecting crypto asset service providers, risk-based measures, remote identification, and compliance-officer professionalization show that the system is still evolving. For companies active in Turkey, the right question is no longer whether AML compliance matters, but whether their current controls actually match the Turkish legal framework as it exists today.
Yanıt yok