Introduction
Payment services law in Turkey has become one of the most important areas of financial technology regulation. As digital wallets, online payment gateways, electronic money institutions, mobile applications, marketplace payment solutions, open banking tools, and cross-border money transfer models continue to grow, companies operating in the payment ecosystem must understand the legal framework before launching their products.
Turkey has a specific legal regime for payment services and electronic money. The main statute is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. The official English text of Law No. 6493 states that its objective is to regulate the procedures and principles regarding payment and securities settlement systems, payment services, payment institutions, and electronic money institutions.
The competent authority for the regulation and supervision of payment services in Turkey is the Central Bank of the Republic of Türkiye, commonly referred to as the CBRT or TCMB. The CBRT confirms that payment services regulation and supervision in Türkiye are governed by Law No. 6493 and related secondary legislation, including the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers.
For fintech startups, foreign payment platforms, digital wallet providers, e-commerce marketplaces, money transfer businesses, SaaS companies, banks, investors, and technology service providers, payment services law is not merely a technical regulatory matter. It directly affects licensing, corporate structure, customer fund protection, AML compliance, data protection, contractual liability, consumer disputes, banking relationships, and market entry strategy.
This article explains the legal framework for payment services in Turkey, licensing requirements, compliance obligations, electronic money rules, digital wallet risks, crypto-related restrictions, AML duties, data protection issues, and practical legal risks for businesses operating in the Turkish fintech market.
1. Legal Framework of Payment Services in Turkey
The Turkish payment services regime is primarily based on Law No. 6493 and secondary regulations issued by the CBRT. Law No. 6493 applies to payment and securities settlement systems, payment services, payment institutions, and electronic money institutions.
The most important secondary legislation includes the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, which entered into force after being published in the Official Gazette dated 1 December 2021 and numbered 31676. This regulation replaced the previous 2014 regulation and introduced a more detailed framework for authorization, activities, compliance, payment service providers, and electronic money issuance.
In practice, the Turkish payment services framework is built around several key questions:
Is the business providing a regulated payment service?
Does the company hold or transfer customer funds?
Does the business issue electronic money?
Is the company merely a technical service provider?
Does the platform operate a digital wallet?
Are payment accounts created for users?
Is there any cross-border payment element?
Does the business model involve crypto assets?
Is the company subject to AML and KYC obligations?
Are customers properly informed about fees, refunds, transaction limits, and liability?
The legal answer depends on the actual operation of the product, not only on how the company describes itself. A company may call itself a “technology platform,” but if it receives customer funds, executes payment transactions, maintains payment accounts, issues stored value, or provides payment initiation services, it may fall within the payment services regime.
2. What Is a Payment Service?
Payment services generally refer to regulated activities involving the execution, initiation, facilitation, or management of payment transactions. These may include money remittance, operation of payment accounts, issuance or acceptance of payment instruments, payment initiation services, account information services, merchant payment collection, and certain forms of digital wallet activity.
Under Turkish law, the exact classification of a business model is critical. For example, a marketplace platform that collects funds from buyers and later transfers them to sellers may need to examine whether it is performing a regulated payment service. Similarly, a mobile application that allows users to load money, store value, and pay merchants may trigger electronic money and payment services regulation.
A company does not necessarily need a license merely because it develops payment-related software. However, if the company enters the regulated payment flow, controls funds, initiates transfers, or provides regulated payment services to customers, licensing requirements may arise.
This distinction is especially important for:
E-commerce platforms
Online marketplaces
Digital wallet providers
Payment gateways
Money transfer companies
Merchant acquiring models
Subscription billing platforms
Prepaid card programs
Open banking service providers
Embedded finance projects
Cross-border remittance platforms
Fintech SaaS companies integrated with banks or payment institutions
The safest approach is to conduct a legal classification analysis before launch. This analysis should map the customer journey, fund flow, data flow, contractual roles, banking relationships, and revenue model.
3. Who Can Provide Payment Services in Turkey?
Payment services in Turkey may only be provided by authorized payment service providers. In general, payment service providers may include banks, payment institutions, electronic money institutions, and other authorized entities under the applicable legislation.
The CBRT publishes information regarding payment institutions and electronic money institutions authorized under Law No. 6493. For electronic money institutions, the CBRT explains that all electronic money institutions are authorized to issue electronic money under Article 18 of Law No. 6493, and their payment service authorization scopes are listed by reference to Article 12 of the law.
This means that payment and electronic money activities are not ordinary commercial services. They are regulated financial services. A company wishing to operate as a payment institution or electronic money institution must obtain the relevant operating license from the CBRT and comply with regulatory conditions.
Operating without proper authorization may expose the company and its managers to regulatory sanctions, business interruption, contract disputes, banking relationship termination, and potential criminal or administrative consequences depending on the nature of the activity.
4. Licensing of Payment Institutions
A payment institution license allows a company to provide payment services within the scope of its authorization. The licensing process is not merely a formality. The CBRT evaluates the applicant’s corporate structure, shareholders, governance, capital adequacy, internal control systems, risk management, information systems, business plan, fund protection mechanisms, and operational capacity.
Payment institutions and electronic money institutions are required to obtain an operating license granted by the CBRT. The Turkish Payment and Electronic Money Institutions Association also states that on-site supervision and remote surveillance of payment and electronic money institutions, their branches, and representatives may be conducted by the CBRT.
A licensing file generally requires a comprehensive legal, financial, technical, and compliance preparation process. The applicant must be able to show that it has a sound business model, transparent ownership structure, sufficient financial resources, qualified management, secure information systems, and effective compliance policies.
The licensing strategy should be determined before incorporation or investment structuring whenever possible. This is because shareholder structure, articles of association, capital planning, board composition, service agreements, and operational design may all affect the regulatory evaluation.
5. Electronic Money Institutions and Digital Wallets
Electronic money is one of the most important concepts in fintech law. In simple terms, electronic money usually involves monetary value issued against funds, stored electronically, and used for payment transactions. Digital wallets, prepaid balances, app-based stored value, and certain card programs may raise electronic money issues.
Not every wallet is automatically electronic money. A wallet that only displays payment information or connects to a bank account may be different from a wallet that stores customer funds as value. The legal classification depends on whether funds are received, whether value is issued, whether users can make payments to third parties, and how settlement works.
Electronic money institutions in Turkey are authorized to issue electronic money under Law No. 6493. The CBRT’s official list of electronic money institutions and authorization scopes is an important reference point for market participants.
Digital wallet models must be carefully designed. Key legal issues include:
Whether the wallet balance qualifies as electronic money
How customer funds are protected
Whether the user has a payment account
Whether the wallet may be used for third-party payments
Whether merchant payments are allowed
Whether transfers between users are permitted
How refunds and chargebacks are handled
Whether transaction limits apply
How inactive balances are treated
Whether interest or benefits may be offered
How AML monitoring is conducted
How user identity is verified
How personal data is processed
The legal documentation must match the technical structure. If the product description, user agreement, fund flow, and banking arrangements are inconsistent, the company may face regulatory and civil liability risks.
6. Protection of Customer Funds
Protection of customer funds is a central principle in payment services law. Customers must be protected against misuse, commingling, insolvency risk, operational failure, and unauthorized transactions. Payment and electronic money institutions must comply with fund safeguarding rules and maintain appropriate arrangements for the protection of funds.
The Turkish Payment and Electronic Money Institutions Association states that payment institutions and electronic money institutions are subject to requirements regarding the protection of funds and are supervised by the CBRT. It also notes that these institutions are subject to independent financial audit and information systems audit obligations.
Fund protection is not only a regulatory issue. It is also a matter of customer trust and dispute prevention. If users load funds into a wallet or initiate payment transactions through a platform, they must be confident that their funds are held safely and used only for authorized purposes.
Companies should avoid unclear contractual language such as “platform balance,” “credit,” “points,” or “stored value” unless the legal meaning is properly analyzed. In some cases, these terms may create confusion about whether the customer holds electronic money, a contractual claim, a loyalty benefit, or another type of value.
7. AML and KYC Compliance
Payment institutions and electronic money institutions are exposed to financial crime risks. Digital onboarding, high-volume transactions, rapid transfers, multiple accounts, merchant settlements, cross-border flows, and wallet-based structures may be abused for money laundering, fraud, illegal betting, sanctions evasion, or terrorist financing.
Turkey’s AML framework is based mainly on Law No. 5549 on Prevention of Laundering Proceeds of Crime and related MASAK regulations. The official English text of Law No. 5549 defines “obliged parties” to include those operating in banking, insurance, individual pension, capital markets, money lending, and other financial services.
For payment institutions and electronic money institutions, AML compliance usually includes:
Customer identification
Know-your-customer procedures
Beneficial ownership checks
Risk-based customer classification
Suspicious transaction monitoring
Sanctions and politically exposed person screening
Record retention
Internal control mechanisms
Compliance officer functions where applicable
Employee training
Periodic reporting where required
Suspicious transaction reporting to MASAK
Enhanced due diligence for high-risk customers and transactions
MASAK-related rules are particularly important because payment services operate at the intersection of speed, volume, and financial access. A weak AML program may result in administrative fines, regulatory scrutiny, banking relationship problems, license risk, and reputational damage.
Recent developments also show that payment service providers remain under close AML and regulatory attention in Turkey. Reuters reported in 2025 that Turkish authorities increased scrutiny after the country’s FATF grey-list exit and that payment firms were among the entities affected by investigations, suspensions, or revocations.
8. Data Protection and Customer Privacy
Payment service providers process large volumes of personal data. This may include identity information, contact details, transaction history, device data, IP addresses, bank account details, card information, geolocation data, behavioral data, and fraud monitoring records.
In Turkey, personal data processing is primarily regulated under Law No. 6698 on the Protection of Personal Data, known as the KVKK. Fintech companies must ensure that personal data is processed lawfully, for specific and legitimate purposes, and in accordance with data minimization and retention principles.
Payment companies should prepare clear privacy notices, data processing agreements, retention policies, breach response procedures, cookie notices, and cross-border data transfer assessments. Special attention should be paid to mobile app permissions, third-party analytics tools, cloud services, fraud detection vendors, KYC providers, and banking integrations.
A common mistake is treating data protection as a standard website compliance issue. In payment services, data protection is operational. It affects onboarding, transaction monitoring, customer support, fraud review, dispute resolution, marketing, and regulatory reporting.
9. Information Systems, Cybersecurity, and Operational Resilience
Payment services depend on secure technology infrastructure. System outages, cyberattacks, unauthorized access, API failures, data breaches, incorrect settlement, or compromised credentials can create significant legal liability.
The CBRT lists the Communiqué on the Management and Supervision of the IT Systems of Payment and Electronic Money Institutions and the Data Sharing Services of Payment Service Providers among the secondary legislation relevant to payment services.
Payment service providers should establish strong information security governance, including:
Secure software development processes
Access control
Encryption
Network security
Penetration testing
Incident response plans
Business continuity plans
Disaster recovery systems
Audit logging
Fraud monitoring
Vendor security review
API security
Customer authentication
Regular information systems audits
Operational resilience is especially important because payment services are time-sensitive. A failure in payment execution may cause merchant losses, consumer complaints, regulatory notifications, and contractual liability.
10. Crypto Assets and Payment Services
Crypto assets create specific legal risk in payment services. Turkey has separate rules restricting the use of crypto assets in payments. The CBRT includes the Regulation on the Disuse of Crypto Assets in Payments among the payment services secondary legislation.
Legal commentary on the regulation notes that payment service providers are prohibited from developing business models that directly or indirectly use crypto assets in providing payment services or issuing electronic money, and from providing services to such business models.
This is particularly important for fintech companies developing:
Crypto-linked cards
Wallets converting crypto into merchant payments
Merchant settlement in crypto assets
Crypto reward programs connected to payments
Hybrid e-money and crypto balance models
Payment gateways serving crypto business models
Cross-border crypto payment flows
A crypto-related product may fall not only under payment services law but also under capital markets, AML, consumer protection, tax, and data protection rules. Before launching any crypto-payment-related service in Turkey, a detailed regulatory analysis is essential.
11. Cross-Border Payment Services
Foreign fintech companies often ask whether they can provide payment services to Turkish customers from abroad. The answer depends on the structure of the service, customer targeting, fund flow, local partnerships, marketing activity, and whether the regulated activity is considered to be carried out in Turkey.
The 2021 Regulation introduced rules concerning cooperation with foreign legal entities. Legal commentary explains that payment and electronic money institutions residing in Turkey have been allowed to cooperate with legal entities residing abroad, subject to CBRT permission and provided that at least one party to the payment transaction is abroad.
Cross-border payment models must examine:
Whether Turkish customers are targeted
Whether Turkish-language services are offered
Whether Turkish residents can open accounts
Whether funds are collected in Turkey
Whether Turkish banks or payment institutions are involved
Whether local licensing is required
Whether data is transferred abroad
Whether MASAK obligations apply
Whether consumer contracts are enforceable
Whether currency control rules are relevant
Whether foreign entities need CBRT permission or local cooperation
A foreign payment company should not assume that operating from abroad eliminates Turkish regulatory risk. If the service is effectively offered to Turkish users or integrated with Turkish payment infrastructure, Turkish law may apply.
12. Open Banking and Payment Initiation Services
Open banking and data-sharing services have become increasingly important in Turkey. Payment initiation services and account information services may create major business opportunities, but they also require strict compliance with payment services rules, data security standards, customer consent mechanisms, and technical requirements.
The CBRT’s payment services framework includes rules on data sharing services of payment service providers. Recent legal updates in 2025 also focused on developments in open banking and digital wallets, including amendments published in the Official Gazette on 28 March 2025.
Open banking models raise questions such as:
How is customer consent obtained?
How is consent recorded and revoked?
What data is accessed?
Which party is responsible for data security?
Is the service payment initiation, account information, or technical support?
What happens if an initiated payment fails?
How are APIs secured?
How are customer complaints handled?
How are liability and indemnity allocated among parties?
A fintech company providing open banking services should not rely only on technical API documentation. It must also prepare regulatory documentation, customer disclosures, data protection documentation, and contracts with banks or payment service providers.
13. Consumer Protection and User Agreements
Payment service providers must pay close attention to consumer protection. Customers must understand fees, transaction limits, cancellation rights, refund rules, complaint channels, unauthorized transaction liability, account closure procedures, and dispute resolution mechanisms.
User agreements should be clear, specific, and consistent with the product. A generic software terms-of-service document is usually insufficient for payment services. The agreement should describe:
The identity of the service provider
The scope of payment services
User eligibility
Account opening and verification
Transaction execution rules
Fees and commissions
Refund and cancellation procedures
Unauthorized transaction reporting
Security obligations of the user
Suspension and termination rights
Complaint procedures
Data processing rules
Liability limitations
Governing law and jurisdiction
Misleading marketing is also a major risk. If a platform describes itself as a bank, investment service, guaranteed payment product, or risk-free wallet without proper legal basis, this may create regulatory and consumer law exposure.
14. Liability Risks for Payment Service Providers
Payment service providers may face liability from customers, merchants, banks, regulators, vendors, and business partners. Common disputes include:
Unauthorized payment transactions
Failed or delayed transfers
Incorrect merchant settlement
Account freezing
Chargeback disputes
Fraudulent account opening
Identity theft
Data breaches
System outages
Unclear fee deductions
Refund refusal
Termination of merchant accounts
AML-related account restrictions
Cross-border transfer delays
Regulatory non-compliance
In payment disputes, digital evidence is crucial. Transaction logs, authentication records, IP addresses, device information, customer notifications, KYC files, API responses, fraud alerts, and settlement reports may determine liability.
For this reason, payment companies must maintain accurate and auditable records. A company that cannot reconstruct a transaction may struggle to defend itself in consumer complaints, litigation, arbitration, regulatory audits, or banking disputes.
15. Common Legal Mistakes in Payment Services
Many fintech companies face legal problems because they launch products before completing regulatory analysis. Common mistakes include:
Assuming that a payment model is “only software”
Holding customer funds without proper legal classification
Launching a wallet without analyzing electronic money rules
Using foreign payment infrastructure without local legal review
Failing to prepare AML and KYC procedures
Copying user agreements from unrelated platforms
Not separating customer funds from company funds
Using unclear marketing language
Ignoring data protection and cross-border transfer rules
Not documenting customer consent
Failing to monitor suspicious transactions
Entering weak outsourcing contracts
Providing services to crypto-linked payment models without legal analysis
Not preparing for CBRT audits
Not maintaining transaction evidence
Underestimating MASAK obligations
These mistakes may be costly. In regulated fintech, correcting a legal structure after launch is often harder than designing it correctly from the beginning.
16. Compliance Checklist for Payment Service Providers in Turkey
A payment services compliance checklist should include:
Legal classification of the business model
Assessment of whether a CBRT license is required
Review of fund flow and customer fund protection
Corporate structure and shareholder review
Preparation of internal policies and procedures
AML and KYC compliance framework
MASAK suspicious transaction reporting procedures
Data protection and KVKK compliance
Information systems and cybersecurity measures
Vendor and outsourcing contracts
Consumer-facing user agreements
Merchant agreements
Fee disclosures and refund procedures
Complaint management process
Transaction recordkeeping
Internal control and risk management
Independent audit planning
Cross-border service analysis
Crypto asset restriction review
Regulatory update monitoring
This checklist should be adapted to the specific business model. A digital wallet, payment gateway, open banking provider, money remittance company, marketplace payment solution, and e-money institution will not have identical obligations.
17. Why Legal Support Is Important
Payment services law in Turkey is technical, fast-moving, and enforcement-sensitive. A fintech company may have a strong product and commercial demand, but without legal compliance, it may face licensing barriers, regulatory intervention, banking restrictions, customer claims, AML investigations, or investor concerns.
A fintech lawyer can assist with:
Regulatory classification
CBRT license strategy
Preparation of licensing documents
Payment services and e-money structuring
Digital wallet legal analysis
AML and KYC policies
MASAK compliance
Data protection documentation
User and merchant agreements
Bank partnership contracts
Open banking arrangements
Outsourcing and vendor contracts
Consumer law compliance
Cross-border market entry
Regulatory investigations
Administrative sanction defense
Fintech litigation and dispute resolution
Legal support should begin before launch, not after a regulatory problem appears. In payment services, the legal structure is part of the product architecture.
Conclusion
Payment services law in Turkey is a core part of the fintech regulatory landscape. Law No. 6493, CBRT secondary legislation, AML rules, data protection law, consumer protection principles, cybersecurity obligations, and crypto-related restrictions all affect how payment businesses may operate.
The most important step is to classify the payment model correctly. If a company receives funds, executes transfers, issues electronic money, operates a wallet, initiates payments, provides account information services, or facilitates merchant settlement, it must carefully examine whether a CBRT license or regulatory permission is required.
Turkey offers significant opportunities for payment institutions, electronic money institutions, digital wallet providers, embedded finance platforms, open banking businesses, and cross-border fintech companies. However, these opportunities come with serious compliance responsibilities. Companies that build strong legal, technical, and compliance foundations from the beginning are more likely to gain regulatory trust, secure banking partnerships, attract investment, and scale safely.
Yanıt yok