Whistleblowing, internal reporting, and compliance culture in Turkey are becoming more important for employers, boards of directors, compliance officers, foreign investors, listed companies, financial institutions, healthcare providers, and public-facing businesses. Yet the Turkish framework does not operate through a single, all-purpose whistleblower statute. Instead, the official sources point to a sectoral model in which reporting duties, complaint-handling mechanisms, confidentiality expectations, and compliance-culture requirements appear across public ethics rules, criminal law, AML compliance legislation, capital-markets governance, internal-control standards, and personal data protection law. For that reason, any company trying to understand whistleblowing in Turkey should begin with a basic reality: the Turkish approach is fragmented, but it is not empty. It contains real obligations, real reporting channels, and real legal risk for businesses that ignore internal reporting altogether.
This matters because internal reporting in Turkey is not only about ethics hotlines or anonymous complaint boxes. In practice, it touches several different legal functions at once. It can involve the duty of public officials to report unlawful conduct to competent authorities, the duty of healthcare professionals to report indications of crime, the duty of obliged entities to escalate suspicious transactions internally to a compliance officer, the role of audit committees in handling complaints about accounting and internal control in listed companies, and the obligation of organizations to build a culture of transparency, accountability, and documentation. A Turkish company that treats whistleblowing as a foreign concept imported from other jurisdictions will miss how deeply internal reporting is already embedded in Turkish legal and regulatory practice.
Understanding the Turkish Model
A practical way to describe the Turkish model is to say that it is reporting-centered rather than statute-centered. There is no single official source in the materials reviewed that functions as a private-sector equivalent of a broad omnibus whistleblower law. Instead, the official framework distributes reporting duties and complaint mechanisms across different legal fields. Public ethics rules require reporting of unlawful or unethical conduct; criminal law imposes reporting duties in certain crime-related situations; MASAK rules organize internal suspicious-transaction reporting through compliance officers and internal audit; capital-markets governance expects complaint-handling structures around accounting and internal control; and data-protection law governs how whistleblowing systems process personal data. That is why the most accurate legal description of whistleblowing in Turkey is not a single right or a single procedure, but a network of sectoral reporting obligations and governance expectations. This is an inference drawn from the official sources reviewed, rather than from a single codified provision.
For companies, that fragmentation creates both opportunity and risk. The opportunity is that Turkish law already offers several building blocks for a strong internal reporting system. The risk is that companies sometimes assume that because there is no single “Whistleblower Act,” they can postpone channel design, policy drafting, case management, and anti-retaliation controls. That is usually a mistake. Once a report arises, it may immediately trigger criminal-law concerns, AML obligations, labor issues, board-reporting questions, or personal-data processing duties. In that sense, the absence of a single code does not reduce the need for a system. It increases the need for one.
Public-Sector Reporting Duties and Identity Protection
The clearest express reporting rule appears in the public ethics framework. The Regulation on Ethical Principles of Conduct for Public Officials states in Article 12 that public officials must notify the competent authorities if they are asked to engage in acts incompatible with the ethical principles laid down in the regulation or unlawful acts, or if they become aware of or witness such acts while performing their duties. Just as importantly, the same provision states that heads of institutions and organizations must keep the identity of the reporting public official confidential and must take the necessary measures to prevent any harm from coming to that person. This is one of the strongest official Turkish texts directly addressing internal reporting and reporter protection.
That provision is especially important because it does two things at once. First, it turns reporting into a duty, not merely a voluntary moral choice. Second, it links that duty to confidentiality and protection from harm. In the Turkish public-sector context, this is a direct legal statement that internal reporting is part of ethical administration and that retaliation risk must be addressed through protective measures. Any discussion of whistleblowing in Turkey that ignores Article 12 of the ethics regulation would therefore miss one of the most concrete legal anchors in the system.
A related public-law safeguard appears in the civil-service regime. The official text of Article 25 of the Civil Servants Law states that where complaints or denunciations against civil servants are made out of malice or mere insult through a fabricated accusation, and that situation is established by the investigation or judgment, the public prosecutor shall prosecute those responsible. This is not a general whistleblower-protection clause in the private-sector sense, but it is still important because it shows that Turkish law also recognizes the danger of abusive or bad-faith accusations in the public sphere. In other words, the public-law framework seeks to protect both the good-faith reporter and the wrongly accused official.
Public-law external reporting channels also exist outside the employing institution. The Ombudsman Institution states that, after application to the administration and depending on the response or lack of response, there is generally a six-month period to complain to the Ombudsman. That does not make the Ombudsman a universal whistleblowing body, but it does show that in public-administration disputes Turkey maintains a formal complaint route outside the employing institution. For public employees and persons interacting with public administration, this external path can be part of the broader reporting ecosystem.
Criminal-Law Reporting Duties Shape Whistleblowing in Practice
Turkish criminal law adds another important dimension. Article 278 of the Turkish Penal Code states that a person who fails to report an ongoing crime to the competent authorities, or fails to report a completed crime whose consequences can still be limited, may face imprisonment of up to one year. The same article increases the penalty where the victim is a child under fifteen, a person unable to defend himself or herself due to physical or mental disability, or a pregnant person unable to defend herself because of pregnancy. The article also provides that those entitled to refrain from testimony are not punished, while preserving any separate duty to prevent the crime.
Articles 279 and 280 make the reporting duty even more specific. Article 279 states that a public official who learns, in connection with his or her duty, that an offense requiring public investigation and prosecution has been committed, and fails to report it to the competent authorities or delays in reporting, is punishable by imprisonment from six months to two years. Article 280 states that a member of the health professions who, in the course of duty, encounters an indication that a crime has been committed and fails to report it or delays reporting is punishable by imprisonment of up to one year. The same article defines health professionals broadly to include physicians, dentists, pharmacists, midwives, nurses, and other persons providing health services.
These criminal-law provisions are not “whistleblowing law” in a corporate-governance sense, but they significantly affect how internal reporting must be designed in Turkey. If an internal report alleges assault, fraud, abuse, or another potentially criminal act, the company cannot assume that the matter is purely an HR or ethics issue. Depending on the facts, the report may intersect with statutory duties to notify authorities. This is especially true for public institutions and healthcare environments, where the Penal Code explicitly connects professional status to reporting obligations. A compliant internal-reporting policy in Turkey should therefore explain when a case may have to move from internal handling to external notification.
AML Rules Create a Strong Internal Reporting Model
The AML framework contains one of the most developed internal-reporting structures in Turkish law. MASAK’s official materials on compliance programs show that the AML compliance system includes institutional policies and procedures, risk management, monitoring and control, training, and internal audit. The search-result text for the compliance-program regulation also states that internal notifications made to the compliance officer within the scope of suspicious transactions are included in the recordkeeping framework, and that internal-audit results must also be reported. MASAK’s official “Yükümlülükler” page separately indicates that documents and records relating to suspicious-transaction reports made to MASAK or to internal notifications made to the compliance officer are part of the relevant compliance record set.
This is highly relevant for anyone trying to build a whistleblowing system in Turkey, because MASAK already offers a legally recognized model of internal escalation. Under that model, the institution does not rely on rumor or informal managerial awareness. It relies on structured internal reporting to a designated compliance function, documented handling of that report, recordkeeping, and integration with internal audit. MASAK’s search-result materials also show that suspicious transactions must be reported regardless of amount and that, in entities required to establish a compliance program, the suspicious-transaction reporting obligation is fulfilled through the compliance officer. That is a clear example of internal reporting being turned into a regulated compliance process.
The AML framework also matters for confidentiality. MASAK states that suspicious transactions are reported to the Presidency regardless of amount, and the Turkish AML regime separately prohibits disclosure that a suspicious-transaction report has been made, except in the limited circumstances permitted by law. That is not identical to a whistleblower-anonymity rule, but it shows how Turkish law treats certain internal and external reports as highly sensitive information that must be tightly controlled. Companies in financial services and adjacent sectors should learn from that logic when designing ethics hotlines and case files: broad internal circulation of reports is itself a compliance risk.
Listed Companies and Capital-Markets Governance
In listed companies, internal reporting and whistleblowing are tied closely to governance. The Capital Markets Board’s Corporate Governance Principles state that the audit committee should evaluate and resolve issues pertaining to complaints and suggestions about accounting practices, the internal control system, and the independent audit. This is a very important official text because it places complaint-handling squarely inside the formal governance architecture of listed companies. Complaints are not treated as incidental personnel matters. They are part of audit-committee oversight when they relate to accounting, internal control, or independent audit.
The Capital Markets Board’s Corporate Governance Monitoring Report adds another important point. Its official search-result text refers specifically to Principle 3.1.4 regarding the existence of a whistleblowing programme for reporting legal and ethical issues. That reference matters because it shows that, in the listed-company environment, whistleblowing is not only an imported multinational practice. It is also part of the Turkish corporate-governance conversation and reporting framework. Even where the exact design of the programme may vary from company to company, the existence of a whistleblowing programme for legal and ethical issues is treated as a governance-relevant subject.
Read together, these SPK materials show that internal reporting in Turkish listed companies should not be improvised. A listed issuer should have a channel for complaints and suggestions about accounting and controls, a governance body capable of receiving and evaluating those complaints, and a broader compliance culture in which legal and ethical issues can be reported through a structured programme. For boards of listed companies, a failure to build this architecture is not merely a soft-culture problem. It can become a governance weakness visible in disclosure and oversight practice.
Compliance Culture Is Part of Internal Control
Whistleblowing works only if the surrounding culture supports it. Official Turkish public internal-control standards make this point clearly. The Public Internal Control Standards document states that ethical rules must be known and followed in all activities, that honesty, transparency, and accountability must be ensured in activities, and that all information and documents relating to the administration’s activities must be correct, complete, and reliable. These are public-sector standards, but they provide a strong official expression of the broader Turkish view that reporting, documentation, and ethical awareness are part of a functioning control environment.
The Internal Control Guide published by the public-finance administration strengthens the same theme. Its official search-result text states that once an ethical infrastructure is established, clear standards concerning unethical behavior should be set and that managers should set an example for employees while helping create an ethics-based institutional culture. That is a useful compliance lesson well beyond the public sector. Reporting systems fail most often not because the email address or hotline number is missing, but because managers are perceived as unsafe, selective, or uninterested. In Turkey, as elsewhere, compliance culture depends heavily on managerial conduct.
The public internal-control materials also connect internal-control evaluation with complaints and requests. One official internal-control action-plan document states that, in evaluating internal control, the views of managers, requests and complaints of persons and administrations, and internal and external audit reports should be taken into account. This is another useful indicator of how Turkish administrative thinking treats complaints: they are not merely operational noise. They are relevant inputs into control evaluation and improvement. A private company building a modern Turkish compliance system would be wise to adopt the same logic.
Data Protection Rules Apply to Whistleblowing Systems
Any whistleblowing mechanism in Turkey must also be designed as a personal-data processing system. The Personal Data Protection Law states in Article 12 that the data controller must take all necessary technical and organizational measures to ensure an appropriate level of security, including preventing unlawful processing, preventing unlawful access, and ensuring protection of personal data. The same article also states that the controller must carry out the necessary audits, or have them carried out, to ensure implementation of the law within its organization, and that where processing is carried out by another natural or legal person on behalf of the controller, the controller and that processor are jointly responsible for the required measures. That has immediate consequences for ethics hotlines, case-management software, and external whistleblowing vendors.
Transparency duties matter as well. The Authority’s English-language data-protection publication explains that, under Article 10, data subjects must be informed about the identity of the controller, the purpose of processing, the recipients and purposes of any transfers, the methods and legal basis of collection, and the rights available under Article 11. For a whistleblowing system, that does not mean every investigation detail must be disclosed to every person at every stage. It does mean that the company needs a defensible transparency structure for reporters, implicated persons, and relevant case participants, consistent with Turkish data-protection rules.
Retention is another major point. The By-Law on Erasure, Destruction or Anonymization of Personal Data explains that processing inventories should specify purposes, legal grounds, recipient groups, storage periods, foreign-transfer plans, and data-security measures, and it states that erasure, destruction, or anonymization operations must be recorded, with those records stored for at least three years, excluding other legal obligations. For whistleblowing files, that means “keep everything forever” is not a safe default. Turkish companies need a retention rule for hotline files, triage notes, interview summaries, and substantiated or unsubstantiated allegations.
What Companies Should Do in Practice
Because the Turkish framework is sectoral, the safest corporate approach is to build a reporting system that is broader than the minimum legal requirement but narrower than a false promise. A company should have at least one internal channel through which employees and, where appropriate, third parties can report legal, ethical, accounting, AML, data-protection, harassment, fraud, corruption, or safety concerns. The channel should route issues according to subject matter: AML concerns to the compliance officer, accounting and control matters to audit or the audit committee, personal-data incidents to the privacy response team, and crime-related allegations to legal for assessment of any external-reporting duty. This is not taken from one specific statute; it is the practical synthesis of the Turkish sectoral framework described above.
Companies should also be careful about how they describe confidentiality and anonymity. In Turkey, some official sources explicitly require confidentiality of the reporter’s identity, as in the public ethics regulation, and some regimes impose strict secrecy around reports, as in AML. But that does not mean every employer can truthfully promise absolute anonymity in every case. A better and safer approach is to promise confidentiality to the fullest extent permitted by law, limited access on a need-to-know basis, and a prohibition on retaliation. That wording is more defensible under a fragmented legal framework than an unrealistic promise that the reporter’s identity will never have to be disclosed under any circumstances.
A Turkish internal-reporting policy should also distinguish between good-faith reporting and knowingly false accusations. The public-service rule protecting civil servants against malicious or fabricated accusations is an official reminder that reporting systems need integrity on both sides. Companies should therefore encourage good-faith reporting, prohibit retaliation, and also prohibit knowingly false or bad-faith allegations. That balance helps the system remain credible to both employees and management.
Board and senior-management oversight are also essential. The KGK’s principles on the risk-early-detection committee under Article 378 of the Turkish Commercial Code emphasize that the board is responsible for establishing, operating, and developing the system aimed at identifying and managing threats to the company’s existence, development, and continuity. Internal reporting belongs naturally inside that broader risk-governance logic. If the company is serious about compliance culture, it should not leave whistleblowing cases buried in HR or legal without periodic board-level visibility over themes, trends, remediation status, and control weaknesses.
Conclusion
Whistleblowing, internal reporting, and compliance culture in Turkey operate through a distributed legal architecture rather than a single dedicated statute. Public ethics rules impose reporting duties and require confidentiality of the reporting public official’s identity. The Penal Code imposes reporting duties in certain crime-related situations, including for public officials and health professionals. MASAK compliance rules provide a strong internal-reporting model through compliance officers, internal notifications, and internal-audit escalation. Capital-markets governance expects audit committees to address complaints concerning accounting and internal control, and SPK’s own reporting framework refers to whistleblowing programmes for legal and ethical issues. Data-protection law governs the security, transparency, and retention design of any hotline or case-management process.
For companies, the practical lesson is straightforward. In Turkey, whistleblowing is not something to wait for until a scandal happens. It should be designed as part of governance, internal control, and risk management from the start. The companies that manage internal reporting well are usually not the ones with the longest code of conduct. They are the ones that build trusted channels, route reports to the right function, protect confidentiality realistically, document decisions carefully, and treat reports as information that can improve controls rather than as threats to be suppressed. In the Turkish legal environment, that is what a real compliance culture looks like.
Yanıt yok