Payment and E-Money License in Turkey: 2025 Roadmap

Payment institution and e-money licensing roadmap in Turkey: TCMB authorization, MASAK compliance and safeguarding architecture

Payment and e-money licensing in Turkey is a structured authorization process administered primarily by the Türkiye Cumhuriyet Merkez Bankası (TCMB), with parallel obligations under MASAK (Mali Suçları Araştırma Kurulu) for anti-money laundering controls and under the Kişisel Verilerin Korunması Kanunu for data protection. The framework that founders and investors must work within is shaped by the Ödeme ve Menkul Kıymet Mutabakat Sistemleri, Ödeme Hizmetleri ve Elektronik Para Kuruluşları Hakkında Kanun (No. 6493) and its implementing regulation, together with the financial-crime baseline set by the Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun (No. 5549) and the periodically refreshed MASAK General Communiqués. This guide describes how the authorization actually proceeds in our filings, where the supervisor commonly probes, and what foreign-owned applicants should prepare before they sit down with TCMB and the partner banks they will need to operate. Practice may vary by authority and year, and the discussion below is procedural rather than promotional.

An English speaking lawyer in Turkey who handles payment-services files day to day will tell you that the licensing dossier is read as evidence of an operating company, not as a description of an idea. TCMB and MASAK both look for artifacts: organograms with named persons and deputies, written policies that match working processes, system diagrams that engineering can defend under questioning, and contracts with sponsor banks and vendors that match what the policies promise. The body of this article walks through each of those layers in the order in which a competent application is built. We use the statutory names of the relevant authorities and registries throughout, because foreign founders deserve to leave this material with a working vocabulary they can use in their own boardrooms, audit committees and investor calls. The supervisor that reviews a payment-services file is reading for evidence that responsibilities have been assigned to identifiable people who hold accountable positions, that operating routines have been exercised before the file was submitted rather than scheduled to begin once authorization is granted, and that the documentation produced for TCMB and MASAK is the same documentation that the company is using internally rather than a separate marketing artifact. In our practice, the files that move most predictably are those whose drafting is led by an in-house team that has already been through one or more dry runs of an operations rhythm — daily reconciliations, suspicious-transaction triage, incident response and KVKK request handling — under the supervision of an experienced practitioner who can translate observed friction into policy refinements before the dossier is filed. Foreign-owned applicants in particular benefit from this discipline, because the bilingual nature of board governance, supervisor correspondence and partner negotiation places premium value on coherence across documents and across languages, and the cost of repairing inconsistency once a file has been submitted is usually higher than the cost of building consistency before submission.

1) License Types and Core Differences Under Law No. 6493

A lawyer in Turkey who maps the licensing landscape will begin with the statutory taxonomy of Law No. 6493, because the choice between a payment institution (ödeme kuruluşu) license and an electronic money institution (elektronik para kuruluşu) license drives the rest of the application. A payment institution provides payment services in the sense of the statute — money remittance, acquiring, payment initiation, account information, and similar services — without issuing a redeemable claim against itself. An e-money institution issues electronic money: a stored monetary value with a redemption right at par, accepted by parties other than the issuer. The line between these two models is not cosmetic. It governs safeguarding obligations, the treatment of customer funds, redemption obligations, and the way TCMB will read your treasury and ledger architecture. Practice may vary by authority and year, and TCMB has historically treated category drift in product copy as a signal that the applicant has not yet decided what it is building.

An Istanbul Law Firm that has guided foreign founders through this decision will typically prepare a category memorandum at the kick-off stage, mapping each user-facing flow to a statutory service line and identifying the moment at which a balance becomes electronic money. If the consumer can hold value on the platform and direct it to third parties at par, the model is almost certainly an e-money model regardless of how the marketing reads. If the platform is purely a transmission rail — funds in, funds out, no redeemable balance — the payment institution category may be sufficient. We document this analysis in the file itself because TCMB asks how you arrived at your category, and a written rationale signed by the board is much easier to defend than a verbal one extracted under questioning. Reviewing the analytical posture against our broader notes on crypto exchange licensing in Turkey can help applicants whose models touch digital-asset rails calibrate their category claims early. The category memorandum we attach to the file usually opens with a side-by-side comparison of statutory service definitions and the actual product flows, identifies the precise moments at which custody of value crosses the line into electronic money, and reconciles those moments with what the user interface, the terms of service and the partner contracts each describe. We then walk the engineering team through the same comparison, because the answer to the category question lives in code as much as in contract: a holding ledger that a user can reload, retain and direct toward third-party merchants will be read as electronic money even where the front-end labels the service as transmission, and a true transmission rail must show that the user cannot accumulate redeemable balances on the platform. The standard approach is to lock the category analysis before product copy is finalized, lock product copy before partner contracts are signed, and lock partner contracts before the file is submitted, so that supervisors do not encounter conflicting category claims across annexes. Where a foreign parent operates similar products in other jurisdictions, the Turkish analysis should be conducted independently rather than imported, because Law No. 6493 describes the categories in its own terms and authorizations granted abroad are not portable to the Turkish supervisory perimeter even when the underlying technology is identical. Practice may vary by authority and year, and TCMB has been particularly attentive to "wallet" language in recent application cycles.

A Turkish Law Firm that has run authorizations across both categories will also tell you that capital and control intensity scale with category and product breadth. Issuers carrying customer balances must show that safeguarding accounts at custodian banks are real, segregated and reconcilable on a daily cycle, and that redemption can happen within a reasonable operational window without improvisation. Pure payment institutions face lighter float duties but still need ring-fencing of client funds, monitoring rules calibrated to their product and channels, and contractual discipline with sponsor banks. The standard approach we follow is to design the operating model first, run the model against the statute and the regulation, and only then write the marketing — because TCMB will read the marketing as if it were a contract, and any gap between the two becomes a question on the file. Practice may vary by authority and year, and the late-2024 cycle has tightened the supervisor's appetite for consistency between category claims and observed flows.

2) Minimum Capital, Shareholding and Organizational Setup

An English speaking lawyer in Turkey building a licensing dossier will treat paid-in capital as the starting point of a longer story. The implementing regulation under Law No. 6493 sets minimum paid-in capital floors that differ between payment institutions and e-money institutions, and these floors are reviewed periodically; what TCMB cares about, beyond the floor itself, is whether the capital is unencumbered, whether its source can be traced, and whether the projected burn until breakeven leaves the company with adequate own funds at every milestone. Applicants should anticipate questions about funding rounds, intragroup loans, foreign-currency exposure on the capital base, and the treatment of capital under Türk Ticaret Kanunu rules on share capital. We prepare a bilingual capital memorandum that ties the equity story to the business plan and the projected control costs, so the supervisor sees a financed company rather than a recapitalized shell. Practice may vary by authority and year, and TCMB has been increasingly sensitive to capital structures that mask undisclosed beneficial owners.

A lawyer in Turkey who has handled foreign-owned applicants will pay equally close attention to shareholding architecture. The procedure ordinarily requires a transparent ladder up to the ultimate beneficial owners, with fit-and-proper declarations from qualifying shareholders and from board members, and the standard document set includes notarized passport copies, address certificates, criminal-record extracts with apostille, source-of-funds declarations, and resolutions from each upstream entity authorizing participation in the Turkish licensee. The Ticaret Sicil Müdürlüğü will examine the corporate documents at the registration step, and the MERSİS records must mirror the share register and the application file without inconsistency. We pair this exercise with the UBO-notification logic discussed in our UBO notification roadmap, because the beneficial-owner narrative shown to TCMB has to match the file delivered to the Vergi Dairesi within the same calendar window. The standard document set for the corporate stack ordinarily includes the Türk Ticaret Kanunu compliant ana sözleşme reflecting the regulated activity, board and general-assembly resolutions authorizing the licensing application, share register entries reconciled with MERSİS records, signed fit-and-proper questionnaires from each qualifying shareholder and board member, criminal-record extracts with apostille translations dated within the validity window the supervisor expects, source-of-funds declarations supported by bank statements or audited financial statements, and notarized signature circulars (imza sirküleri) reflecting current authority. In our filings before TCMB, the common requirement is to align these documents with the Ticaret Sicili registration and with the tax-office files in advance, because supervisors will check whether the share ladder shown in the licensing application matches the corporate stack on the registry and the beneficial-owner declaration on file with the Vergi Dairesi, and any inconsistency produces remediation cycles that delay the calendar by weeks. For passport-driven identity proofs of foreign individuals, we also prepare bilingual notary minutes, apostille certificates from the country of origin, and translations sworn before a noter, because file completeness is judged against documents that hold up under both administrative review and any subsequent judicial scrutiny. Practice may vary by authority and year, and the recent cycle has shown a noticeable increase in supervisor follow-up questions on the source-of-funds layer.

An Istanbul Law Firm that takes governance seriously will then write the organizational design as if it already exists, because supervisors expect to see committees with calendars, control functions with named heads and deputies, internal audit with a real charter, and a board that will be in a position to challenge management from day one. In our filings before TCMB, the common requirement is to attach committee charters, job descriptions matching actual duties, training schedules, and an organogram that does not collapse under cross-questioning about who covers whom in case of absence. Foreign-owned groups should anchor accountability in Turkey through a managing body whose members can sign in Turkish and address supervisors in Turkish, with an English speaking lawyer in Turkey running the bilingual minute-book so corporate steps remain valid in both jurisdictions. Practice may vary by authority and year, and the supervisor's tolerance for "we will hire after authorization" has shrunk markedly across the recent cycle.

3) AML/KYC and Suspicious Transaction Handling After the 25.12.2024 MASAK Update

A Turkish Law Firm advising on AML compliance will explain that the 25.12.2024 MASAK refresh did not invent new categories of duty so much as it tightened expectations around the depth of customer due diligence, the documentation of beneficial-owner verification, the timing of suspicious transaction reports, and the operational discipline of monitoring scenarios. Under Law No. 5549 and the relevant MASAK General Communiqués, payment institutions and e-money institutions are obliged entities and must maintain a written compliance program, designate a compliance officer reporting to the board, and run training and internal-audit cycles that produce evidence rather than merely paper. The standard approach we follow is to write the program in two layers: a high-level policy that names the compliance officer, the escalation paths and the board-reporting cadence, and a detailed operations manual that reduces each control to a workflow with owners, time stamps and exception handling. Practice may vary by authority and year, and the post-25.12.2024 baseline has nudged supervisors toward expecting case files that read like investigations.

Turkish lawyers who run AML programs in payments practice will tell foreign founders that suspicious transaction handling is the single area where a young company is most likely to be tested. The procedure ordinarily requires the obliged entity to identify, evaluate and, where the threshold is met, file a suspicious transaction report (Şüpheli İşlem Bildirimi) with MASAK without tipping off the customer, and to retain the underlying records for the statutory period. In our practice, the safest method is to capture every alert with the anomaly description, the data points reviewed, the checks performed, the outcome and the time-stamped author, and to treat closure-without-filing decisions with the same documentary rigor as filings. If a regulator returns to the case a year later, the file should be self-explanatory. We attach sanitized case logs to the application dossier so TCMB and MASAK reviewers can see how judgment travels across the organization rather than asking us to describe it. Monitoring scenario architecture deserves its own annex, because a scenario without a typology rationale, without parameter logic and without a tested override path is read by supervisors as cosmetic rather than operational. In our practice, we describe each scenario in three layers: the typology (what financial-crime pattern the rule is designed to surface), the parameter set (thresholds, time windows, weighting), and the operational handling (who reviews the alert, within what service-level window, with what escalation matrix). Tipping-off avoidance is built into the workflow at the system level, with case management screens that suppress customer-facing copy while the case is active and with audit trails that record every staff member who viewed the case. The MASAK reporting cadence is tied to internal calendars: the compliance officer reports to the board on a documented frequency, internal audit tests the program against the policy on its own cycle, and the training plan covers all customer-facing and operations staff with refresh modules that follow material regulatory changes. Where the platform onboards customers digitally without face-to-face contact, the standard approach is to apply enhanced identity verification methods that satisfy MASAK expectations on biometric matching, liveness detection and document authentication, and to document those mechanics in the program. Practice may vary by authority and year, and supervisors have shown growing interest in the documented rationale behind threshold choices rather than only in the thresholds themselves.

An English speaking lawyer in Turkey will also coordinate the AML program with sponsor-bank expectations, because divergences between licensee policy and bank standard cause practical breakage even when both sides are technically compliant. Banks will read your enhanced due diligence for politically exposed persons and sanctions screening with their own files in hand, and they will resist models that effectively export compliance risk back to them. We draft a short bilingual compliance brief explaining what "enhanced" means in your stack, how velocity rules and merchant-category mapping work, where manual review is triggered, and how human judgment reconciles with system decisions; the brief travels in partner onboarding and in the licensing file. For applicants whose architecture touches cross-border transfers, aligning early with the discipline outlined in our KVKK cross-border transfers guide avoids re-engineering at filing stage. Practice may vary by authority and year, and the post-25.12.2024 review of monitoring typologies has been notably more granular than earlier cycles.

4) Safeguarding, Settlement and Float Management for Issuers and Acquirers

An Istanbul Law Firm that has built float architectures in licensing files will tell founders that safeguarding is the area where TCMB reads code and contracts in equal measure. For e-money institutions, the legal framework requires that customer funds be held in a manner segregated from the institution's own balance sheet, ordinarily through dedicated accounts with one or more banks operating in Turkey, with daily reconciliations between the platform ledger and the safeguarding accounts, and with treasury rules that prevent commingling on the operational current account. Applicants should anticipate questions about diversification across custodian banks, the contractual treatment of safeguarding accounts in insolvency, and the redemption mechanics that allow customers to convert e-money back into bank money on demand. We write these obligations into a safeguarding policy that the board adopts before filing, and we attach sample reconciliation reports and minutes that show directors actually reading the data. Practice may vary by authority and year, and TCMB has shown growing interest in the operational mechanics rather than only the policy text.

A lawyer in Turkey who handles acquiring mandates will draw the same logic for payment institutions running merchant settlement. The Land Registry analogy does not apply here, but the discipline is similar: client funds should be ring-fenced, settlement should follow predictable D+1 or D+2 cycles, chargeback reserves should be sized to actual risk profiles, and the contractual chain through processors and schemes should reflect who bears each loss. In filings we handle before TCMB, the common requirement is to provide a full reconciliation map — from cardholder authorization through processor capture, scheme settlement, sponsor-bank credit, internal ledger and merchant pay-out — together with sample reports demonstrating that exceptions are detected and resolved within a documented service-level window. We have found that rough edges in this area are read as governance gaps rather than as engineering quirks, and we accordingly invest in the contracts and SOPs before the supervisor reads them. The reconciliation flow itself ordinarily requires three independent vantage points to be reconciled at end of day: the platform ledger generated from authorization and capture events, the processor settlement statement received from the acquiring partner, and the bank-account credit and debit lines as reflected in the safeguarding or merchant-funds account at the custodian bank. The standard approach is to operate a daily T+1 reconciliation cycle with a documented break-handling procedure that escalates unmatched items above a defined threshold to the head of operations within a fixed service-level window, and a weekly board pack summarizing the open break inventory, the aging profile and the resolution status. Dispute and chargeback handling is part of the same architecture: each card scheme prescribes its own time windows for representment, pre-arbitration and arbitration, and the licensee must hold reserves sized to actual chargeback experience rather than to industry averages. Merchant agreements should expressly empower the licensee to hold or release funds when chargeback ratios exceed defined limits and to require additional collateral when the underwriting profile of the merchant changes materially. We document the entire flow in a settlement and reconciliation policy that cross-references the merchant agreements, the processor agreements, the sponsor-bank agreements and the internal SOPs, and we attach a sanitized end-to-end transaction trace to the licensing file so supervisors can read the architecture without independent reconstruction. Practice may vary by authority and year, and the supervisor's questions on reserve sizing have grown in granularity over the recent cycle.

A Turkish Law Firm working with the board will translate safeguarding and settlement realities into capital and reserve commitments. The standard document set includes a treasury policy with thresholds for diversification, counterparty selection rules, intraday liquidity expectations and a triggered capital top-up logic when indicators move adversely. Boards that minute these triggers in advance project seriousness; supervisors read them as evidence that the company is run by people who have lived through volatility. Investors, in turn, see priced risk rather than narrative comfort. We anchor these mechanics against the statutory framework of Law No. 6493 and the implementing regulation without quoting article numbers we cannot verify, because honest framing under a "Practice may vary by authority and year" caveat is more durable than ornamental specificity. Properly documented, safeguarding becomes a competitive advantage with banks, schemes and merchants — not merely a regulatory cost.

5) Information Systems, Cybersecurity and KVKK Alignment

An English speaking lawyer in Turkey coordinating a licensing file will integrate information-systems controls and personal-data protection from the first sprint, because TCMB and the Kişisel Verileri Koruma Kurumu (KVKK Kurulu) read the two as a single operating posture rather than as separate exercises. The Bilgi Sistemleri Yönetimine İlişkin Tebliğ and the related guidance set expectations on system-management governance, role-based access, change control, key management, business continuity and the testing of those controls; the KVKK framework adds processing inventories, layered notices, data-subject request handling, breach notification within the statutory window and, increasingly, written compliance with cross-border transfer mechanics. Applicants should anticipate that supervisors will ask for screenshots, sample logs and excerpts from runbooks rather than abstract policy text, and the file is more credible when it shows a system in motion than when it shows a binder at rest.

Turkish lawyers who run audit-readiness exercises before filing will rehearse the information-systems audit (Bilgi Sistemleri Denetimi) so that the first hard questions arrive in a controlled setting. The standard approach is to scope a year-end style audit covering access management, change management, incident handling, backup and restoration, segregation of duties between development and production, and the integrity of audit trails. If the platform processes card data, the PCI DSS scope must be defined explicitly, with storage, processing and transmission boundaries enforced and tested. We document these realities in the licensing file with annexes that mirror what an external auditor would expect to receive, and we cross-reference them to the KVKK inventory so that personal-data flows match information-system flows. The discipline outlined in our Turkish cybersecurity compliance note is helpful as an internal checklist for engineering and compliance heads working in parallel. The scope of an information systems audit prepared in advance of a TCMB filing ordinarily covers governance and policy ownership, identity and access management with least-privilege principles, segregation of duties between development and production environments, secure software development life cycle controls covering peer review and security testing, change-management workflows from ticket through deployment with approval matrices and rollback paths, incident-response playbooks that have been exercised within the past audit window, capacity and performance monitoring with thresholds tied to alerting, backup and restoration with documented restore tests, encryption at rest and in transit with documented key-management procedures, log integrity with tamper-evident storage and time-synchronized clocks, vulnerability management on a documented cadence, and outsourcing and vendor controls covering pre-engagement due diligence, contractual controls and ongoing monitoring. For card environments, the PCI DSS scoping exercise should produce a network diagram clearly identifying the cardholder data environment boundaries, the connected systems and the segmentation controls, with quarterly internal vulnerability scanning, annual external penetration testing where applicable, and remediation tracking for findings. We pair the technical audit with a privacy review that maps each system to the personal data it processes, the lawful basis for processing, the retention period, the access controls protecting it and the cross-border transfer mechanism applied where data leaves Turkey, so that the information-systems audit and the KVKK file describe the same machine from two angles rather than two parallel narratives. Practice may vary by authority and year.

A Turkish Law Firm coordinating with the data protection function will treat KVKK as an integral part of the licensing dossier rather than a parallel narrative. Controllers must keep a Veri Sorumluları Sicili (VERBİS) registration where applicable, publish notices that pass the readability test that the KVKK Kurulu now expects, honor access, correction and deletion rights with documented service-level windows, and complete cross-border transfer paperwork — standard contracts, undertakings or other lawful mechanisms — for cloud providers and intra-group flows. We attach sample privacy notices, data-subject request workflow diagrams and incident response memoranda, and we pair them with the breach-notification cadence in our KVKK compliance overview. Practice may vary by authority and year, and the cross-border standard-contract regime has materially changed how foreign cloud architectures are documented in TCMB files.

6) Open Banking, Merchant Onboarding and Risk-Based Pricing

A lawyer in Turkey advising on open banking will explain that the Ödeme Hizmetleri Yönetmeliği framework allows account information services and payment initiation services as distinct payment services within the statutory taxonomy, and that the BKM (Bankalararası Kart Merkezi) infrastructure is the practical channel through which licensed institutions interact with bank APIs. The procedure ordinarily requires an applicant offering open-banking services to align consent capture, scope definition, token rotation, partner contracting and audit-trail retention with both Law No. 6493 and the KVKK framework, since open-banking flows touch both regulated payment activity and personal financial data. We draft the application annexes so that the API documentation, the consent texts and the partner contracts use the same nouns and verbs, and we resist the temptation to over-promise on uptime or coverage. Practice may vary by authority and year, and Turkish bank counterparties have become noticeably more selective about open-banking partners over the recent cycle.

An Istanbul Law Firm working on merchant onboarding will tie acquiring policy to risk pricing in writing rather than in marketing decks. In our filings before TCMB, the common requirement is to show that the institution understands which merchant categories it will accept, which it will route to enhanced underwriting, and which it will decline, and that its operational team can apply the rules without exception drift. Merchant Category Code mapping, geofencing rules, velocity limits, reserve schedules and chargeback handling should appear in SOPs that name owners and decision rights, with price books that reflect risk and contracts that reserve the right to hold or release funds when indicators move. We document a decision trail per merchant — what the underwriter saw, asked, decided and signed — because TCMB and the sponsor banks reading the file will treat that documentary habit as evidence that the company can keep promises as volumes rise. The merchant onboarding workflow itself ordinarily proceeds through a defined sequence: corporate identification of the merchant entity through Ticaret Sicil records and MERSİS, beneficial-owner verification of qualifying shareholders, sanctions and adverse-media screening, MCC-based risk classification with documented mappings to acquired-product capability, financial review where reserve or settlement-cycle adjustments may be warranted, KVKK alignment for shared customer-facing communications, and contract execution with countersigned schedules covering pricing, settlement timing and chargeback responsibilities. For higher-risk verticals — travel, gaming where permitted, certain digital goods, cross-border services — the standard approach is to run a more granular underwriting review that includes the merchant's own AML and consumer-protection posture, business-continuity arrangements and historical chargeback data where obtainable. Reserve schedules are documented in the merchant agreement with reference to the merchant's MCC, settlement velocity and historical performance, and adjustments are pushed through a change-control workflow with notice provisions that the merchant has accepted in writing. Where the licensee provides services to other regulated entities under a tenancy or white-label model, the underwriting and ongoing monitoring obligations extend to the sub-merchants of that tenant in proportion to the contractual structure, and the licensee retains residual oversight that the supervisor will read as part of the file. Practice may vary by authority and year, and the supervisor's preference for documented underwriting trails over unwritten experience has continued to deepen.

An English speaking lawyer in Turkey will also help foreign founders translate onboarding policy into consumer- and merchant-facing communication that does not over-state the platform's position. Friction is more readily accepted by users when its purpose is explained, and merchants tolerate underwriting scrutiny when decisions arrive in writing within reasonable windows. We encourage clients to build plain-language pages explaining onboarding, monitoring and dispute-handling without exposing rule logic that could be gamed, and to train support agents to speak in the language of policy rather than apology. Where merchant relationships span jurisdictions, the contracts should be supported by professional legal translation services in Turkey so that bilingual versions move in lockstep without the drift that has sunk otherwise sound deals. Practice may vary by authority and year, and the supervisor's appetite for clean merchant files has grown alongside the size of the acquiring market.

7) Contracts, Partnerships and Vendor Governance

Turkish lawyers who negotiate the contractual layer of a payments business will treat sponsor-bank, processor, scheme and vendor agreements as the operating spine of the licensee. Bank agreements should tie obligations to controls, define audit cooperation, allocate liability in line with who can prevent harm and reserve cooperation rights in incident response. Processor and scheme contracts should make scope and service levels explicit, bind confidentiality and data use under the KVKK framework, and preserve the licensee's right to step in when vendors fail. Vendor master service agreements should carry audit rights, data-location clarity, termination mechanics and exit assistance. We negotiate these terms so that they travel from the licensing file to production without rewrites, and we keep the language plain enough for counterparties to onboard within a reasonable window without inflating the calendar.

A Turkish Law Firm preparing the contractual annexes for a TCMB file will pay particular attention to the alignment between the marketing claim, the contractual promise and the operational reality. If the website calls something "instant", the contract should not call it "best efforts" while the SOP describes a multi-hour reconciliation. We standardize a glossary across documents and keep counsel close to product and marketing so words do not drift, because supervisors and counterparties read inconsistencies as governance gaps. For early pilots and sandboxed integrations, confidentiality agreements and invention-assignment provisions keep the IP portable; the templates discussed in our NDA in Turkey note and our e-signature and smart contract overview can be adapted to payments use cases without losing the discipline that lets evidence be produced to supervisors without breaching third-party obligations. The contract bench that supports a payment-services licensee ordinarily covers, at minimum, the sponsor-bank framework agreement with safeguarding-account schedules and operational annexes, the acquiring-bank or processor agreement with scheme-rule pass-throughs and settlement schedules, the master service agreements with each technology vendor with information-security and KVKK clauses tailored to the function performed, the master merchant services agreement with countersigned merchant schedules, the partner agreements with open-banking counterparties where applicable, the data-processing agreements with each cloud and SaaS provider that processes personal data on the licensee's behalf, the cross-border transfer instruments accompanying intra-group flows, and the customer-facing terms of service together with the layered KVKK notices. Each contract carries its own renewal calendar, insurance-evidence requirements and audit-cooperation clauses, and intake of any production-impacting service is gated by a written risk assessment and an approval from the head of compliance and the head of information security. We update the contract bench whenever the regulatory baseline moves materially, including the post-25.12.2024 MASAK refresh, the KVKK cross-border guidance and any sectoral cybersecurity or operational-resilience amendments. Practice may vary by authority and year, and supervisors increasingly read contractual hygiene as a leading indicator of operational discipline rather than as a separate documentation exercise. Practice may vary by authority and year, and bank counterparties now routinely require updated contractual templates that mirror the post-25.12.2024 AML expectations.

A lawyer in Turkey running the vendor-governance work-stream will impose intake discipline so that no production-impacting service is engaged without a recorded due-diligence file, a signed agreement that covers the regulatory points, and a renewal calendar that prevents quiet drift. The standard document set includes vendor-risk classification, sub-processor approval logs, breach-notification clauses with statutory and contractual windows, audit reports where available, and exit plans that name the receiving system or successor vendor. Foreign-owned groups using intra-group services should memorialize them on arm's-length terms with transfer-pricing support, because the Vergi Dairesi reads intra-group payments alongside the corporate-tax file and the supervisor will check that the picture coheres. We treat the resulting contract bench as a transferable asset rather than as paperwork, and we update it when products change rather than when audits arrive.

8) Sandbox Operations, Application Dossier and Supervisory Interactions

An Istanbul Law Firm preparing a TCMB filing will treat the months before submission as evidence-gathering months. A controlled sandbox with production-like integrations, run with constrained partners and disciplined logging, produces precisely the artifacts a serious application dossier needs: screenshots of onboarding flows, traces of fraud rules firing and clearing, reconciliation reports tied to bank statements, incident drills with time stamps and named roles, and post-mortems that change code and process. In our filings before TCMB, the common requirement is to attach these artifacts as annexes that map to the policy claims in the body of the file, so that the reviewer can move from a sentence in the executive narrative to a screenshot or a log without rereading the dossier. We have found that this evidence-led structure shortens supervisory queries by replacing aspirations with documents.

A Turkish Law Firm coordinating the supervisory engagement will staff the meetings with the people who do the work — the head of compliance who closes alerts, the engineer who runs change control, the operations lead who owns reconciliation, the director who can speak to safeguarding and risk appetite. Executives should frame and not dominate. If a question lands outside the room's expertise, the right answer is "we will check," followed by a documented response within a defined window. This habit projects competence and humility in equal measure and replaces performance anxiety with professional conversation. We brief directors before each meeting with a one-page summary of dashboards, open items and pending decisions, and we minute every interaction so that the chronology of the file remains uninterrupted from kick-off through authorization. The application dossier itself is structured to allow a reviewer to navigate from a sentence in the executive narrative directly to the supporting evidence: the executive narrative is followed by the corporate stack and shareholder file, the governance and policy register, the AML compliance program with monitoring scenario annex and sample case logs, the information-systems architecture and audit-readiness annex, the KVKK file with processing inventories and cross-border instruments, the safeguarding and reconciliation policy with sample reports, the merchant and customer onboarding policy with decision matrices, the contract bench with sponsor-bank, processor, scheme and vendor agreements, and the sandbox evidence pack. Each annex carries a version date, a document owner and a cross-reference back to the executive narrative section it supports. Supervisory queries are tracked in a dedicated log that captures the date received, the supervisor's wording, the responsible internal owner, the deadline for response, the response text and the documents attached, with redacted samples retained for the licensee's own historical record. We have found that this level of organization shortens the back-and-forth meaningfully because the supervisor reading a query response receives an answer that is already cross-linked to the original dossier rather than as an independent letter that requires reconciliation. Practice may vary by authority and year, and the recent supervisory cycle has rewarded applicants whose query responses arrive with embedded evidence rather than only with prose.

An English speaking lawyer in Turkey will also keep the dossier coherent as a single chronology rather than as a stack of unrelated documents. Every policy, contract, system diagram, minute and training record should fit into one time line that explains what changed, why it changed and who approved it. When documents contradict one another, supervisors lose confidence; when the story fits, decisions move faster. We maintain this chronology for clients as a living index that survives staff turnover and management changes, and we update it whenever queries or audits arrive so that nothing is lost in the churn of a growing fintech. The same index becomes a transferable asset during fundraising and M&A, because it proves to investors and acquirers that the business is governed and not improvised. Boards that have lived through this process appreciate that the cost of building the chronology in real time is materially lower than the cost of reconstructing it under diligence pressure during a financing round, an acquisition or a regulatory inspection, and they treat the index as a permanent operational asset rather than as a licensing artifact that can be retired once authorization is in hand. Common failure modes that the discipline prevents include over-promising in marketing copy, under-building in monitoring scenarios and under-documenting in governance minutes — each curable before filing if the applicant operates in "licensee mode" for a full quarter before submission rather than treating authorization as a finish line, and each materially harder to repair after the supervisor's first round of substantive queries arrives. Practice may vary by authority and year, and dossiers that read as living chronologies have consistently outperformed those built only on point-in-time submissions.

9) Frequently Asked Questions for Foreign Founders and Investors

  1. How long does TCMB authorization typically take after filing? Timelines depend on the completeness of the dossier, the complexity of the model, and the responsiveness of the applicant to supervisory queries; in our practice, well-built files supported by a real sandbox and bilingual board minutes tend to move on a more predictable arc than thin files that defer evidence to later cycles. Practice may vary by authority and year, and we do not commit to specific calendar windows.
  2. What is the minimum paid-in capital for a payment institution or an e-money institution? Minimum capital floors are set under Law No. 6493 and its implementing regulation and are reviewed periodically; rather than quote a figure that may have moved, we calculate the realistic capital plan against burn-to-breakeven and build a buffer for supervisor-driven contingencies. Applicants should anticipate questions about the source and traceability of the capital.
  3. Do shareholders and directors need to be Turkish nationals? No. Foreign nationals and foreign legal entities may hold qualifying participations and serve on the board, subject to fit-and-proper review by TCMB, transparency of the ultimate beneficial owners and corporate accountability located in Turkey through resident management or a properly empowered general manager.
  4. Can a foreign-owned applicant rely on group-level AML and information-security policies? Group policies can serve as a baseline but must be adapted to the Turkish statutory and supervisory framework, including the Law No. 5549 obligations and the post-25.12.2024 MASAK expectations on customer due diligence, monitoring, suspicious-transaction reporting and record retention.
  5. What did the 25.12.2024 MASAK update change in practice? The refresh sharpened expectations around the depth of customer due diligence, the documentation of beneficial-owner verification, the timing of suspicious-transaction reporting and the operational rigor of monitoring scenarios; in our filings, it has translated into more granular case files and tighter alignment between licensee and sponsor-bank standards.
  6. How is electronic money distinguished from a stored-value wallet that is not e-money? The distinction turns on whether the value held is redeemable at par against the issuer and accepted by parties other than the issuer; closed-loop instruments accepted only by the issuer for its own goods or services may fall outside the e-money perimeter, but the analysis is fact-specific and we document it in the file.
  7. Can the licensee use foreign cloud infrastructure? Yes, subject to compliance with the Bilgi Sistemleri Yönetimine İlişkin Tebliğ and the KVKK cross-border transfer regime, with documented standard contracts where applicable, mapped data flows and contractual audit cooperation; foreign cloud architectures must be reconcilable with the supervisor's expectations on access and continuity.
  8. Are sponsor-bank arrangements mandatory for safeguarding and settlement? Yes, in practice the licensee will operate through one or more banks in Turkey for safeguarding accounts, settlement and treasury operations; the contracts must allocate responsibility honestly, support daily reconciliations and contemplate redemption pathways that survive partner-side disruption.
  9. How are suspicious-transaction reports filed and retained? Suspicious-transaction reports (Şüpheli İşlem Bildirimi) are filed with MASAK without tipping off the customer, with the underlying records retained for the statutory period; the licensee should be able to reconstruct each case from the alert, the checks performed, the data points reviewed, the decision and the time-stamped author.
  10. Is open banking activity a separate license category? Account information services and payment initiation services are payment services within the statutory taxonomy of Law No. 6493 and are accommodated within the payment institution license, subject to API governance, consent management and partner contracting that match both supervisory and KVKK expectations.
  11. What KVKK obligations apply to a payment institution before launch? The licensee must maintain processing inventories, publish layered notices, operate a working data-subject-request workflow, observe breach-notification timing and complete cross-border transfer mechanisms where applicable; sample artifacts should appear in the licensing file rather than being deferred to post-authorization.
  12. Can the licensee outsource compliance and information-security functions? Tasks may be outsourced; accountability cannot be. Outsourcing arrangements must include audit rights, service-level metrics, data-location clarity, breach-notification clauses and exit assistance, and the compliance officer remains the obliged person under MASAK irrespective of outsourcing arrangements.
  13. How is the application dossier organized? A coherent dossier reads as a working system explained by the people who run it: an executive narrative, policies that match SOPs, system diagrams that engineers can defend, contracts with banks and vendors, evidence annexes from the sandbox, and a chronology that ties policies, contracts and minutes to a single time line.
  14. Are there additional notification duties under foreign-investment rules? Foreign-owned licensees should be reconciled with the Doğrudan Yabancı Yatırımlar Kanunu reporting framework, the UBO notification regime and the Vergi Dairesi corporate filings, so that the picture across registries coheres rather than fragmenting under audit.
  15. Does ER&GUN&ER Law Firm advise on payment institution and e-money licensing in Turkey? Yes. ER&GUN&ER Law Firm is an Istanbul-based law firm advising foreign founders, multinational groups and institutional investors on the complete Turkish payment-services licensing track, including category analysis under Law No. 6493, capital and shareholding architecture, AML and KVKK alignment with the post-25.12.2024 baseline, safeguarding and settlement design, information-systems audit readiness, sponsor-bank and vendor contracting, sandbox and dossier preparation, supervisory engagement before TCMB and MASAK, and ongoing compliance management after authorization — with English-language client communication and bilingual documentation throughout each engagement. Files in this area are typically led personally by the managing partner rather than delegated.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises foreign founders, multinational groups, financial sponsors and institutional investors on the Turkish legal architecture surrounding payment institutions, e-money institutions and adjacent regulated entities — including the categorization decisions under Law No. 6493, the AML and reporting cycle under MASAK, information-systems and KVKK alignment, and the contractual layer with sponsor banks, processors, schemes and vendors. The firm operates in English and Turkish across bilingual board minutes, supervisory correspondence and partner-bank documentation.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022). LinkedIn: Profile. Istanbul Bar Association: Official website.