Introduction
Fintech law in Turkey has become one of the most dynamic areas of Turkish financial regulation. As digital wallets, online payment platforms, mobile banking applications, embedded finance solutions, payment gateways, electronic money products, open banking services and digital marketplaces continue to grow, Turkish law has developed a structured regulatory framework for fintech companies.
Turkey is a significant market for fintech businesses because of its young population, high mobile banking usage, strong e-commerce sector, advanced banking infrastructure and increasing demand for fast digital payment solutions. However, fintech is not an unregulated technology business. In Turkey, many fintech activities are subject to licensing, supervision, capital requirements, information systems obligations, anti-money laundering rules, data protection obligations and consumer-facing transparency standards.
The main statute governing payment institutions and electronic money institutions in Turkey is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. The Central Bank of the Republic of Türkiye, commonly known as the CBRT or TCMB, states that regulation and supervision in the payment services area are governed by Law No. 6493 and related secondary legislation.
For fintech entrepreneurs, foreign investors, payment service providers, digital platforms and financial institutions, understanding Turkish fintech law is essential before launching any regulated product. A business model that appears to be a simple software solution may require a payment institution license, electronic money institution license, partnership with a licensed bank, compliance with open banking rules or additional regulatory analysis.
This article explains the legal framework of fintech law in Turkey, focusing on payment services, electronic money institutions and regulatory compliance.
1. Legal Framework of Fintech Law in Turkey
The Turkish fintech sector is regulated through a combination of banking law, payment services law, electronic money law, anti-money laundering legislation, data protection law, consumer protection rules, information systems regulations and capital markets legislation.
The most important legal source for payment and e-money fintech companies is Law No. 6493. This law regulates payment and securities settlement systems, payment services, payment institutions and electronic money institutions. It establishes the legal basis for licensing, supervision, operational requirements and regulatory oversight of non-bank payment and e-money businesses in Turkey.
The CBRT is the principal authority responsible for payment services and electronic money institutions. Its official payment services page identifies the main secondary legislation, including the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers, the Regulation on the Generation and Use of TR QR Code in Payment Services, the Regulation on the Disuse of Crypto Assets in Payments and the Communiqué on information systems and data sharing services in the payment services area.
This regulatory structure shows that fintech law in Turkey is no longer limited to general contract law or technology law. A fintech company must be legally classified according to the actual services it provides. The key question is not how the company markets itself, but whether it transfers funds, issues electronic money, initiates payments, provides account information, stores customer balances, processes merchant payments or performs another regulated financial service.
2. What Is a Payment Institution in Turkey?
A payment institution is a legal entity authorized to provide payment services under Turkish law. Payment institutions are not banks, but they are regulated financial service providers. They may provide services such as money remittance, payment execution, payment account services, merchant acquiring, payment initiation services, account information services and other payment-related activities permitted under the legal framework.
Payment institutions are particularly important in e-commerce, mobile applications, marketplace payments, subscription platforms, bill payment systems, money transfer solutions and merchant collection services. Many businesses that receive, process or route customer payments may fall within the payment services framework if they are not merely acting as technical service providers.
The distinction between a regulated payment service and a technical service is one of the most important questions in Turkish fintech law. A software company that only provides infrastructure without holding funds, initiating payments or controlling payment flows may not require a payment license. However, if the company handles payment orders, transfers funds, operates payment accounts or provides payment initiation or account information services, licensing obligations may arise.
Therefore, fintech businesses should conduct regulatory classification before launching in Turkey. Misclassification may result in unauthorized financial activity, administrative sanctions, contractual invalidity risks and reputational harm.
3. What Is an Electronic Money Institution in Turkey?
An electronic money institution is a legal entity authorized to issue electronic money. Electronic money generally refers to monetary value issued against funds received, stored electronically, used for payment transactions and accepted by persons other than the issuer.
E-money institutions are central to digital wallet systems, prepaid balances, stored-value products, mobile payment accounts and platform-based payment ecosystems. They are commonly used in marketplace models, gaming platforms, mobility services, online subscription services, loyalty programs and closed or semi-open payment environments.
However, not every digital balance is automatically electronic money. The legal analysis depends on whether the value is issued against funds, whether it represents a monetary claim, whether it is accepted by third parties and whether it is used for payment transactions. A closed-loop balance usable only within a limited network may be treated differently from a broadly accepted wallet balance.
Because e-money issuance is regulated, a company wishing to operate a digital wallet in Turkey should determine whether it must obtain an electronic money institution license from the CBRT or structure its model through a licensed partner.
4. CBRT Licensing and Authorization
Payment institutions and electronic money institutions must obtain authorization from the CBRT before conducting regulated activities in Turkey. The CBRT’s official framework makes clear that payment services and electronic money activities are subject to Law No. 6493 and related secondary legislation.
The licensing process is not limited to submitting a simple application form. The applicant must demonstrate that it has adequate capital, transparent ownership, qualified management, internal controls, risk management systems, information systems, compliance policies, customer fund protection mechanisms and operational capacity.
In practice, a licensing application should address the following issues:
The company’s business model, payment flow, customer journey, merchant structure, technology infrastructure, ownership chart, source of funds, management qualifications, internal governance, anti-money laundering program, outsourcing arrangements, information security framework, data processing structure, complaint handling procedure and financial projections.
Foreign fintech companies planning to enter the Turkish market should also consider whether they will establish a Turkish subsidiary, partner with a licensed Turkish payment institution, cooperate with a bank or operate under a different regulatory structure. Cross-border provision of payment services into Turkey without local authorization may create regulatory risk.
5. Payment Services Covered by Turkish Fintech Regulation
Payment services in Turkey may include several different activities. These may involve services enabling cash placement or withdrawal from a payment account, execution of payment transactions, money remittance, issuing or acquiring payment instruments, payment initiation services and account information services.
In commercial practice, payment services may appear in many different forms. An online marketplace that collects payments from buyers and distributes funds to sellers may require payment service analysis. A mobile app that allows users to send money to each other may require payment institution authorization. A platform that connects to bank accounts and initiates payments may fall under payment initiation rules. A dashboard that aggregates bank account data may fall under account information service regulation.
This is why fintech legal analysis must be based on transaction flow. Lawyers and compliance teams should map each payment step: who receives the funds, where the funds are held, who instructs the payment, who controls the payment account, who has contractual liability, who pays the merchant and who bears operational risk.
6. Open Banking and Data Sharing Services
Open banking is an important part of fintech law in Turkey. It allows customers to access financial services through authorized third parties, including account information and payment initiation models. Open banking creates opportunities for account aggregation, personal finance management, alternative lending, merchant payment solutions and embedded financial products.
The CBRT’s payment services framework refers to data sharing services of payment service providers and information systems rules applicable to payment and electronic money institutions.
Open banking creates special legal risks because it involves access to financial data, customer authentication, API security, consent management and liability allocation between service providers. A fintech company offering account information or payment initiation services must ensure that it has the proper authorization, secure technical infrastructure and legally valid customer consent.
For banks and payment institutions, open banking also requires strong API governance, monitoring, fraud controls and incident response procedures. A technical failure or unauthorized access event may create both regulatory and civil liability.
7. Information Systems and Cybersecurity Compliance
Fintech companies are technology-driven financial institutions. Therefore, information systems compliance is one of the most important parts of Turkish fintech regulation.
The CBRT’s official payment services framework lists the Communiqué on the Management and Supervision of IT Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Payment Services Area.
This means payment and e-money institutions must implement secure, reliable and auditable IT systems. They should maintain access controls, authentication mechanisms, encryption, log management, transaction monitoring, business continuity plans, disaster recovery systems, penetration testing, vulnerability management, incident reporting procedures and outsourcing controls.
Cybersecurity is especially important for digital wallets and payment platforms because they handle customer funds and sensitive financial data. A system weakness may result in unauthorized transactions, fraud, loss of customer confidence, regulatory sanctions and compensation claims.
Fintech companies should treat information security as a legal obligation, not only a technical preference. Contracts with technology vendors, cloud providers, payment processors and outsourcing partners should include security standards, audit rights, confidentiality obligations, incident notification duties and termination rights.
8. Safeguarding of Customer Funds
Payment institutions and electronic money institutions must protect customer funds. This is one of the main differences between ordinary technology companies and regulated financial service providers.
A fintech company may receive funds from customers or merchants for the purpose of executing payment transactions or issuing electronic money. These funds must be handled according to regulatory requirements. The purpose is to prevent customer funds from being mixed with the institution’s own operational funds and to protect users if the institution faces financial difficulty.
In practice, safeguarding obligations may require segregated accounts, restrictions on use of customer funds, reconciliation processes, accounting controls and internal reporting. Fintech companies should design their payment flows with safeguarding rules from the beginning. If customer funds are routed incorrectly, the company may face serious compliance and operational risks.
9. Anti-Money Laundering Compliance for Fintech Companies
Anti-money laundering compliance is a central requirement for fintech companies in Turkey. Digital onboarding, fast payments, money transfers, wallets and online merchant transactions may be attractive for legitimate users, but they may also create financial crime risks.
Turkey’s main AML statute is Law No. 5549 on Prevention of Laundering Proceeds of Crime. The objective of this law is to determine principles and procedures for preventing the laundering of proceeds of crime.
Fintech companies may be required to comply with customer due diligence, identity verification, beneficial ownership checks, suspicious transaction reporting, recordkeeping, risk-based monitoring and compliance program obligations. MASAK’s Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism is also a key part of the AML framework.
A payment or e-money institution should establish a risk-based AML program before launching operations. This program should cover onboarding, customer risk scoring, transaction monitoring, sanctions screening, politically exposed persons checks, suspicious transaction escalation, employee training and internal audit.
Failure to comply with AML obligations may result in administrative fines, criminal exposure, license risk, banking relationship problems and reputational damage.
10. Know Your Customer and Remote Onboarding
Know Your Customer procedures are essential for fintech companies. Payment and e-money institutions must understand who their customers are, what services they use, what transaction patterns are expected and whether transactions create suspicious activity concerns.
Remote onboarding is common in fintech. Customers may open accounts, create wallets, verify identity and start using services entirely through digital channels. This creates convenience, but also requires strong identity verification and fraud prevention.
Fintech companies should design onboarding workflows that comply with Turkish AML, data protection and sector-specific requirements. Identity documents, biometric checks, liveness detection, address information, phone verification, device information and risk flags should be managed carefully.
If onboarding is too weak, the platform may be used for fraud, mule accounts, stolen identity transactions or money laundering. If onboarding is too complex, the business may lose customers. The legal challenge is to create a user-friendly but compliant onboarding process.
11. Data Protection and Fintech
Fintech companies process large amounts of personal data, including identity information, contact details, bank account information, transaction history, device data, IP addresses, location information, financial behavior and sometimes biometric data.
The main Turkish data protection statute is Law No. 6698 on the Protection of Personal Data. The Turkish Personal Data Protection Authority states that the purpose of the law is to protect fundamental rights and freedoms, particularly privacy, in relation to the processing of personal data and to set out obligations, principles and procedures for persons processing personal data.
Fintech companies must comply with general principles such as lawfulness, fairness, accuracy, purpose limitation, data minimization, storage limitation and security. They must also provide privacy notices, establish legal grounds for processing, manage data subject rights, implement technical and administrative safeguards and evaluate cross-border transfer rules.
In 2024, Article 9 of the Turkish Personal Data Protection Law concerning transfers of personal data abroad was amended by Law No. 7499. This is particularly important for fintech companies using foreign cloud services, international group systems or overseas technology vendors.
Data protection compliance should be integrated into product design. A fintech application should not collect unnecessary data merely because it is technically possible. Every data category should have a legal purpose, retention period and security measure.
12. Crypto Assets and Payment Restrictions
Crypto assets have a special position in Turkish fintech law. Turkey does not treat crypto assets as a lawful payment instrument for goods and services under the CBRT’s payment rules.
The CBRT’s payment services framework includes the Regulation on the Disuse of Crypto Assets in Payments.
This is a critical issue for fintech businesses. A payment institution or e-money institution should not design a payment product that uses crypto assets directly or indirectly in a way prohibited by Turkish law. A digital wallet, merchant payment gateway or checkout solution involving crypto assets must be reviewed very carefully.
The fact that a product is based on blockchain technology does not automatically make it illegal. However, where crypto assets are used as a payment tool, settlement method or indirect payment mechanism, Turkish regulatory restrictions may apply. Fintech companies should obtain legal advice before offering any crypto-related payment service in Turkey.
13. QR Code Payments and Merchant Solutions
QR code payments are increasingly common in Turkey. They are used in retail, restaurants, transportation, e-commerce, marketplace payments and mobile banking.
The CBRT’s legal framework includes the Regulation on the Generation and Use of TR QR Code in Payment Services. The official English translation of this regulation states that it is based on Law No. 6493 and concerns QR code payment services.
Fintech companies providing QR code payment solutions must ensure that their systems comply with applicable technical and regulatory standards. Merchant-presented QR models, consumer-presented QR models, payment initiation processes, transaction security and interoperability issues should be legally and technically reviewed.
Merchant acquiring businesses should also ensure that their merchant agreements include settlement rules, chargeback mechanisms, fraud responsibilities, prohibited goods and services, data protection clauses, AML cooperation duties and termination rights.
14. Consumer Protection in Fintech Services
Fintech services are often offered to consumers through mobile applications, online platforms and digital contracts. This creates consumer protection obligations.
Customers should clearly understand what service they are using, which legal entity provides the service, whether the provider is licensed, what fees apply, how complaints can be submitted, how refunds work, how personal data is processed and what happens in case of unauthorized transactions.
Transparency is especially important where fintech platforms work with banks, payment institutions, e-money institutions or merchants. Customers should not be misled into believing that a non-licensed technology company is itself a bank or payment institution.
Digital terms and conditions should be written clearly. Important clauses concerning fees, account suspension, fraud investigation, termination, liability limits, chargebacks and data use should be presented in a transparent and legally enforceable way.
15. Fintech Partnerships with Banks
Many fintech companies in Turkey operate through partnerships with banks. These partnerships may involve payment infrastructure, account services, virtual POS, card issuing, open banking APIs, Banking-as-a-Service, embedded finance, lending, merchant acquiring or data analytics.
Bank-fintech partnerships can be commercially powerful, but they require careful legal structuring. The contract should define the role of each party, regulatory responsibilities, customer ownership, data sharing, service levels, audit rights, confidentiality, liability, outsourcing compliance, complaint handling, AML cooperation and termination consequences.
The bank will usually require strong compliance undertakings because it remains subject to strict banking regulation. The fintech company, on the other hand, needs operational flexibility and clear commercial terms. A balanced contract should protect both regulatory compliance and business scalability.
16. Foreign Fintech Companies Entering Turkey
Foreign fintech companies often seek to enter the Turkish market because of its growing digital economy. However, Turkey’s regulatory framework requires careful local analysis.
A foreign fintech company should first determine whether its service is regulated in Turkey. If the service involves payment execution, e-money issuance, wallet balances, money transfers, account information, payment initiation or merchant acquiring, licensing or partnership requirements may arise.
Second, the company should decide whether to establish a Turkish subsidiary. Many regulated activities require a local legal entity and local authorization. Third, it should review Turkish AML, data protection, consumer protection, tax and foreign exchange rules.
Foreign fintech companies should also avoid assuming that a license in another jurisdiction automatically allows operations in Turkey. Turkish financial regulation generally requires local compliance unless a specific exemption applies.
17. Common Legal Risks for Fintech Companies in Turkey
Fintech companies in Turkey commonly face several legal risks.
The first risk is unauthorized regulated activity. A company may unintentionally perform payment services or e-money issuance without a license.
The second risk is weak AML compliance. Digital platforms may be exposed to suspicious transactions, mule accounts, fraud networks or high-risk merchants.
The third risk is data protection failure. Excessive data collection, unclear privacy notices, unlawful cross-border transfers or insufficient security measures may create legal liability.
The fourth risk is poor customer fund segregation. If customer funds are mixed with company funds or reconciliations are weak, regulatory and civil risks increase.
The fifth risk is misleading marketing. Companies must avoid implying that they are banks, payment institutions or e-money institutions unless properly licensed.
The sixth risk is inadequate contracts. Merchant agreements, user terms, bank partnership agreements and outsourcing contracts must reflect regulatory obligations.
18. Practical Compliance Checklist for Fintech Companies
A fintech company planning to operate in Turkey should follow a structured compliance checklist.
First, classify the business model legally. Determine whether the service is payment, e-money, banking, lending, crypto, investment, marketplace, software or outsourcing.
Second, assess licensing requirements. Identify whether CBRT, BRSA, CMB or another authority’s approval is required.
Third, design compliant payment flows. Map customer funds, merchant settlements, refunds, chargebacks and reconciliation.
Fourth, prepare AML compliance. Establish customer due diligence, transaction monitoring, suspicious transaction reporting and sanctions screening.
Fifth, prepare data protection documentation. Draft privacy notices, data processing inventories, consent mechanisms where necessary and cross-border transfer analysis.
Sixth, review IT systems. Ensure cybersecurity, access control, logging, incident response, business continuity and outsourcing controls.
Seventh, draft strong contracts. User agreements, merchant agreements, vendor contracts and bank partnership agreements should all reflect regulatory obligations.
Eighth, establish complaint and dispute procedures. Customers must have accessible channels for support, complaints and unauthorized transaction claims.
19. Why Legal Support Is Important in Turkish Fintech Law
Turkish fintech law is highly technical because it combines financial regulation, technology law, data protection, AML, consumer protection and commercial contracts. A business model may look simple from a technology perspective but may create serious regulatory consequences.
A Turkish fintech lawyer may assist with regulatory classification, CBRT licensing, payment institution applications, e-money institution applications, bank partnership agreements, digital wallet structures, marketplace payment models, open banking services, AML policies, privacy documents, merchant agreements, outsourcing contracts, consumer terms and regulatory correspondence.
Early legal review is especially important. If a fintech business launches first and analyzes regulation later, it may face license problems, payment interruptions, blocked banking relationships, customer claims or administrative sanctions. In fintech, compliance should be designed before market entry.
Conclusion
Fintech law in Turkey is a rapidly developing and highly regulated field. Payment institutions, electronic money institutions, digital wallets, payment gateways, open banking providers, merchant acquiring platforms and embedded finance businesses must operate within a clear legal framework.
Law No. 6493 and CBRT secondary legislation form the core of Turkish payment services and e-money regulation. In addition, fintech companies must comply with AML rules under MASAK legislation, personal data protection rules under Law No. 6698, information systems obligations, consumer protection principles and, where relevant, crypto payment restrictions.
Turkey offers significant opportunities for fintech companies, but regulatory compliance is essential. A successful fintech project in Turkey must combine strong technology with legal precision, secure payment flows, transparent customer communication, robust AML controls, careful data governance and well-drafted commercial contracts.
For investors, entrepreneurs and foreign fintech companies, the safest approach is to conduct legal classification and compliance planning before launching services in Turkey. With the correct legal strategy, fintech businesses can operate confidently, build trust with customers and scale within the Turkish financial regulatory framework.
Yanıt yok