Regulatory Compliance for Fintech Companies in Turkey

Fintech regulatory compliance in Turkey: licensing under 6493 sayılı Kanun framework with TCMB authority transfer effective 20 November 2019, crypto-asset service provider regime introduced through Law No. 7518 (2 July 2024) adding m.35/B vd. to Sermaye Piyasası Kanunu, MASAK AML compliance under Law No. 5549 with Communiqué No. 5 crypto extension, KVKK personal data compliance under Law No. 6698 with VERBIS registration, TCMB 16 April 2021 Yönetmelik prohibiting crypto-asset use in payments, corporate governance under TTK Law No. 6102, and regulatory defense architecture through İYUK Law No. 2577 and AYM bireysel başvuru under Law No. 6216

Fintech regulatory compliance in Turkey operates within a complex multi-regulatory framework that has evolved substantially over the past five years through several legislative reforms producing the current operational landscape. The framework that governs the relevant questions is set primarily by the 6493 sayılı Ödeme ve Menkul Kıymet Mutabakat Sistemleri, Ödeme Hizmetleri ve Elektronik Para Kuruluşları Hakkında Kanun (Law No. 6493) governing payment services and electronic money institutions with the critical 20 November 2019 amendment transferring regulatory and supervisory authority from BDDK (Bankacılık Düzenleme ve Denetleme Kurumu) to TCMB (Türkiye Cumhuriyet Merkez Bankası / Central Bank of the Republic of Turkey); the 7518 sayılı Kanun (effective 2 July 2024) adding m.35/B vd. to the 6362 sayılı Sermaye Piyasası Kanunu and establishing the first consolidated regulatory framework for kripto varlık hizmet sağlayıcıları (crypto-asset service providers) under SPK (Sermaye Piyasası Kurulu) supervision; the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun governing AML compliance through MASAK (Mali Suçları Araştırma Kurulu) under Hazine ve Maliye Bakanlığı, with the framework extended to crypto-asset service providers through MASAK General Communiqué No. 5 (effective 1 May 2021); the 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK) administered through the KVKK Kurulu (Personal Data Protection Board) with VERBIS (Veri Sorumluları Sicili) registration framework; the TCMB Yönetmelik dated 16 April 2021 (Ödemelerde Kripto Varlıkların Kullanılmamasına Dair Yönetmelik) prohibiting the use of crypto-assets as payment instruments; the TCMB Yönetmelik dated 1 December 2021 (Ödeme Hizmetleri ve Elektronik Para İhracı ile Ödeme Hizmeti Sağlayıcıları Hakkında Yönetmelik) establishing the operational framework for licensed payment service providers; the 6102 sayılı Türk Ticaret Kanunu (TTK) governing the corporate-vehicle requirements; the 2577 sayılı İdari Yargılama Usulü Kanunu (İYUK) governing administrative litigation against regulatory decisions; the 6216 sayılı Anayasa Mahkemesinin Kuruluşu ve Yargılama Usulleri Hakkında Kanun governing AYM (Anayasa Mahkemesi) bireysel başvuru framework; and various supplementary statutes governing specific fintech sub-sectors. Practice may vary by authority and year.

An English speaking lawyer in Turkey advising on Turkish fintech regulatory compliance will explain that the multi-regulator landscape produces substantial coordination challenges where structured compliance architecture must address TCMB (for payment services and electronic money), SPK (for crypto-asset service providers under post-7518 framework, capital markets and crowdfunding), MASAK (for AML across the regulatory perimeter), the KVKK Kurulu (for personal data), and various supplementary regulators with sub-sector authority — with the resulting compliance discipline requiring structured operational coordination across multiple regulatory interfaces simultaneously. The body of this guide walks through the licensing architecture under Law No. 6493 with the TCMB authority transfer; the AML compliance framework under Law No. 5549 with MASAK supervision; the KVKK personal data compliance with VERBIS registration; the regulatory reporting and TCMB supervision; the crypto-asset regulation under Law No. 7518 (2024) and TCMB 16 April 2021 Yönetmelik; the corporate governance and internal controls under TTK; the M&A compliance due diligence; and the regulatory defense architecture through İYUK and AYM frameworks. For procedural orientation on adjacent topics, our notes on Turkish banking and finance law, KVKK personal data protection in Turkey and AML compliance under Turkish law can be read alongside this material.

1) Licensing Architecture: 6493 sayılı Kanun, TCMB Authority Transfer (2019) and Crypto-Asset Service Provider Framework under Law No. 7518 (2024)

A lawyer in Turkey advising on fintech licensing architecture will explain that Turkish fintech licensing operates through several distinct regulatory channels depending on the specific service category, with the post-2019 TCMB authority transfer and the post-2024 crypto-asset framework establishing the current regulatory landscape. The procedure ordinarily considers payment service provider (Ödeme Hizmeti Sağlayıcısı / ÖHS) licensing under the 6493 sayılı Kanun framework as amended through the 20 November 2019 amendment transferring authority from BDDK to TCMB, with the resulting TCMB-administered licensing covering minimum capital requirements, governance standards, IT infrastructure assessment, and operational compliance demonstration; electronic money institution (Elektronik Para Kuruluşu / EPK) licensing under the same framework with specific additional requirements applicable to electronic money issuance; crypto-asset service provider (kripto varlık hizmet sağlayıcısı) licensing under the post-Law No. 7518 framework with SPK administration covering the substantive licensing criteria including minimum capital, custody standards, operational infrastructure and governance; and various sub-category licensing structures including financial leasing through BDDK-licensed leasing companies under Law No. 6361, crowdfunding through SPK-licensed platforms under the III-35/A.2 framework, and other specialized financial services under their respective regulatory frameworks.

An Istanbul Law Firm advising on the TCMB licensing process will note that the 6493 sayılı Kanun framework operates through structured licensing applications with substantial documentary and operational requirements that the practical compliance discipline must address from initial design rather than as post-application adaptation. The procedure ordinarily considers the corporate-vehicle establishment as anonim şirket under TTK Law No. 6102 with appropriate capital structure meeting the TCMB-specified minimum capital thresholds (with different thresholds for payment service providers versus electronic money institutions); the governance framework establishment including board composition meeting fit-and-proper requirements, executive management qualifications, and committee structures supporting the licensed-entity operational framework; the IT infrastructure framework including operational systems, security infrastructure, business continuity arrangements, and disaster recovery capabilities; the operational policies and procedures including AML procedures coordinated with MASAK requirements, KVKK compliance procedures, customer-relationship procedures, and incident-response procedures; and the structured documentary chain supporting the licensing application's substantive review by TCMB.

A Turkish Law Firm advising on the crypto-asset service provider framework will note that Law No. 7518 (effective 2 July 2024) added m.35/B vd. to the Sermaye Piyasası Kanunu (Law No. 6362) establishing the first consolidated framework for kripto varlık hizmet sağlayıcıları with SPK supervisory authority, producing substantial operational requirements that crypto-asset service providers must address through structured compliance architecture. The procedure ordinarily considers the SPK licensing requirement covering minimum capital, governance standards, custody arrangements (including segregation of customer assets from the service provider's own assets), operational infrastructure, and ongoing supervisory compliance; the implementation framework where existing crypto-asset service providers face structured transition periods to achieve full compliance with the new framework; the AML extension where Law No. 7518 explicitly extended the 5549 sayılı Kanun framework to crypto-asset service providers (building on the prior MASAK Communiqué No. 5 framework); and the broader integration with existing regulatory frameworks including TCMB's 16 April 2021 Yönetmelik prohibiting crypto-asset use in payments. The discipline outlined in our note on Turkish banking and finance law covers the broader financial-regulation context relevant to fintech licensing. Practice may vary by authority and year.

Turkish lawyers who advise on the broader licensing-strategy choice will note that fintech founders and investors must navigate the categorization analysis carefully because different licensing pathways produce materially different operational frameworks, capital requirements, ongoing compliance burdens, and broader strategic implications. The procedure ordinarily considers the substantive service-categorization analysis distinguishing payment services (under Law No. 6493 / TCMB), electronic money issuance (under Law No. 6493 / TCMB), crypto-asset services (under post-7518 framework / SPK), financial leasing or financing services (under Law No. 6361 / BDDK), crowdfunding services (under SPK Communiqué III-35/A.2), and other specialized service categories with distinct regulatory frameworks; the multi-license scenario where complex business models may require multiple coordinated licenses with structured operational separation; the strategic-positioning analysis weighing the operational flexibility of different licensing pathways against the regulatory burden, capital requirements, and broader strategic implications of each pathway; and the timing-strategy analysis where licensing pathway choice substantially affects market-entry timing through different review-period expectations across the regulatory authorities.

2) AML Compliance under 5549 sayılı Kanun, MASAK Framework and Crypto-Asset Service Provider Extension via Communiqué No. 5

An English speaking lawyer in Turkey advising on AML compliance will explain that AML obligations under the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun framework administered through MASAK (Mali Suçları Araştırma Kurulu) within the Hazine ve Maliye Bakanlığı apply to all yükümlü (obligated) entities including fintech companies across the regulatory perimeter, with crypto-asset service providers explicitly added to the obligated-entity scope through MASAK General Communiqué No. 5 effective 1 May 2021. The procedure ordinarily considers customer due diligence (Müşteri Tanıma İlkesi / CDD) covering identity verification, beneficial ownership analysis, customer risk profile assessment, and structured ongoing relationship management; enhanced due diligence (Sıkılaştırılmış Müşteri Tanıma) for higher-risk customer categories including politically exposed persons (siyasi nüfuz sahibi kişiler / PEP), high-risk jurisdiction customers, and customers exhibiting transaction patterns warranting enhanced scrutiny; ongoing transaction monitoring with structured alert handling and suspicious transaction reporting (Şüpheli İşlem Bildirimi / STR) submission to MASAK where appropriate; and the broader operational discipline supporting consistent AML positioning across the multi-year compliance horizon.

A lawyer in Turkey advising on the MASAK record-keeping and compliance officer framework will note that the 5549 sayılı Kanun and supplementary MASAK Yönetmelik framework establish specific operational requirements that the practical compliance discipline must address through structured infrastructure rather than ad-hoc compliance attention. The procedure ordinarily considers the eight-year record retention requirement under m.8 of the 5549 sayılı Kanun and the supporting Yönetmelik framework covering customer due diligence records, transaction records, suspicious transaction reports, internal compliance documentation, and broader supporting documentation; the compliance officer (Uyum Görevlisi) appointment requirement covering qualifications, authority, organizational positioning, and ongoing professional development obligations; the internal training framework supporting structured AML awareness across the fintech entity's employee base with specific role-tailored training; the internal audit framework supporting structured ongoing review of AML compliance effectiveness; and the broader documentary discipline supporting both ongoing compliance demonstration and any subsequent MASAK examination response.

A Turkish Law Firm advising on the MASAK Communiqué No. 5 crypto-asset extension will note that the 1 May 2021 effective date of MASAK Communiqué No. 5 added kripto varlık hizmet sağlayıcıları to the obligated-entity scope under the 5549 sayılı Kanun framework, producing the substantive AML obligations now applicable to crypto-asset platforms operating in or interacting with Turkish residents. The procedure ordinarily considers the customer due diligence obligations specifically tailored to crypto-asset platform operations including the technical mechanisms for identity verification in digital-onboarding contexts; the transaction monitoring framework adapted to blockchain-context transaction patterns including specific monitoring approaches for cross-blockchain transfers, mixing-service interactions, and other crypto-specific risk patterns; the suspicious transaction reporting framework covering crypto-specific transaction categories that warrant MASAK reporting; the structured integration with the post-Law No. 7518 SPK regulatory framework where AML compliance and broader regulatory compliance operate through coordinated frameworks; and the ongoing evolution of the MASAK guidance affecting crypto-asset service provider operations across the framework's continuing implementation period. The discipline outlined in our note on AML compliance under Turkish law covers the broader 5549 sayılı Kanun framework relevant to all fintech sub-sectors. Practice may vary by authority and year.

3) KVKK Personal Data Compliance under 6698 sayılı Kanun with VERBIS Registration and Cross-Border Framework

An Istanbul Law Firm advising on KVKK personal data compliance will note that fintech operations involve substantial personal data processing producing extensive obligations under the 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK / Personal Data Protection Law) administered through the KVKK Kurulu, with structured compliance architecture supporting both regulatory positioning and practical operational discipline. The procedure ordinarily considers the data inventory mapping identifying all personal data categories processed across the fintech operation including customer onboarding data, transaction data, behavioral data, communication records, and supporting documentation; the lawful basis analysis under KVKK m.5 (general personal data) and m.6 (special-category personal data such as biometric and health data) establishing the legal basis for each processing category; the data subject rights framework supporting access, correction, deletion, processing-restriction, and other KVKK-recognized rights through structured operational mechanisms; the VERBIS (Veri Sorumluları Sicili / Data Controllers Registry) registration where threshold-applicable fintech operations must register with detailed processing inventory documentation; and the broader operational discipline supporting consistent KVKK positioning.

A lawyer in Turkey advising on the cross-border data transfer framework will note that fintech operations frequently involve cross-border data flows that face structured KVKK transfer-mechanism requirements, with the 2023-2024 KVKK reforms (Law No. 7499 amending the cross-border transfer framework) substantially modifying the previous restrictive transfer regime. The procedure ordinarily considers the cross-border transfer mechanisms under the amended KVKK m.9 framework including adequacy decisions by the KVKK Kurulu (where the receiving country provides adequate protection), standard contractual clauses (taahhütname) approved by the KVKK Kurulu, binding corporate rules (bağlayıcı şirket kuralları) for intra-group transfers, and explicit consent mechanisms with limited residual application; the documentary discipline supporting the chosen transfer mechanism through structured documentation; the operational implementation including vendor contract amendment, data flow architecture adjustment, and ongoing compliance monitoring; the breach notification framework requiring KVKK Kurulu notification within specified timeframes for personal data breaches affecting Turkish data subjects; and the broader integration with international compliance frameworks where applicable (including any EU GDPR positioning for fintech operations serving EU residents, though Turkey is not an EU member state and GDPR does not directly apply to Turkish operations).

A Turkish Law Firm advising on the irtibat kişisi framework will note that KVKK uses the irtibat kişisi (contact person) framework rather than the GDPR's Data Protection Officer (DPO) concept, with the substantive role and authority differing materially between the two frameworks. The procedure ordinarily considers the irtibat kişisi appointment requirement for VERBIS-registered data controllers covering the qualifications, authority and reporting structure required under KVKK Yönetmelik framework; the irtibat kişisi versus DPO distinction where the KVKK irtibat kişisi serves primarily as a communication interface with the KVKK Kurulu rather than as an independent compliance officer with the broader independence and authority that GDPR establishes for DPOs; the practical operational implications where fintech operations serving both Turkish and EU markets must coordinate the irtibat kişisi role with any GDPR DPO role through structured allocation supporting both frameworks' requirements; the data protection impact assessment (Veri Koruma Etki Değerlendirmesi) framework where high-risk processing categories warrant structured impact assessment; and the broader integration of KVKK compliance with the fintech operation's overall compliance architecture. The discipline outlined in our note on KVKK personal data protection in Turkey covers the broader Law No. 6698 framework relevant to all fintech operations. Practice may vary by authority and year.

The data subject rights handling architecture deserves separate operational attention because fintech operations face high data subject rights exercise volumes including access requests, correction requests, deletion requests, and other category requests requiring structured operational mechanisms supporting compliant response within the KVKK-specified timeframes. The procedure ordinarily considers the data subject rights request channel covering structured intake mechanisms supporting verification of requestor identity, request scope clarification, and structured request processing; the response timeline framework requiring substantive response within thirty days of request receipt under KVKK m.13 with potential extension under specific circumstances; the technical implementation supporting data subject access through structured data extraction mechanisms providing comprehensive response without inadvertent disclosure of other parties' personal data; the deletion handling framework addressing both the substantive deletion mechanics and the documentary discipline supporting deletion-claim records for subsequent KVKK Kurulu review; and the broader operational integration where data subject rights handling integrates with the broader compliance architecture without producing operational friction undermining fintech service quality.

4) Regulatory Reporting and TCMB Supervision under 6493 sayılı Kanun Framework

An English speaking lawyer in Turkey advising on TCMB supervisory compliance will explain that licensed payment service providers and electronic money institutions face structured ongoing supervisory obligations under the 6493 sayılı Kanun framework as administered through TCMB after the 20 November 2019 authority transfer, with the supervisory architecture requiring continuous compliance discipline rather than episodic compliance attention. The procedure ordinarily considers the periodic financial reporting framework covering monthly, quarterly and annual reporting categories with specific data requirements supporting TCMB's prudential supervision; the operational reporting framework covering transaction volumes, customer numbers, geographic distribution, and other operational metrics supporting both prudential supervision and broader market analysis; the incident reporting framework requiring rapid notification of operational incidents, security incidents, customer complaints exceeding thresholds, and other supervisory-relevant events; the change-of-control and material-change reporting where corporate-level developments affecting the licensed entity warrant structured TCMB notification; and the broader supervisory examination framework where TCMB conducts both desk-based and on-site examinations supporting comprehensive supervisory coverage.

A lawyer in Turkey advising on the prudential framework will note that licensed payment service providers and electronic money institutions face structured prudential requirements supporting both safety-and-soundness supervision and broader market integrity considerations. The procedure ordinarily considers the capital adequacy framework requiring ongoing maintenance of minimum capital levels with structured reporting against the regulatory thresholds; the customer fund protection framework requiring segregation of customer funds from the licensed entity's own funds with specific operational mechanisms supporting the segregation; the IT and operational risk framework requiring structured infrastructure supporting business continuity, incident response, and operational integrity; the AML and broader financial-crime framework integrating with the MASAK supervisory architecture; and the broader compliance framework covering KVKK, consumer protection, and other supplementary regulatory frameworks with TCMB-specific implementation requirements.

An Istanbul Law Firm advising on the supervisory examination framework will note that TCMB examinations operate through structured procedural mechanics that the licensed entity's compliance discipline must support through both ongoing operational integrity and specific examination preparation. The procedure ordinarily considers the examination scope analysis where TCMB examinations may cover specific subject areas (operational, financial, AML, IT, etc.) or comprehensive cross-area review depending on the supervisory cycle and any specific concerns; the documentary preparation discipline supporting structured presentation of compliance materials to examiners with appropriate organization, completeness, and supporting context; the personnel preparation supporting effective interaction with examiners covering the key compliance personnel including the senior management, compliance officer, and operational subject matter experts; the examination response handling including formal responses to examination findings, remediation planning where deficiencies are identified, and broader integration with the licensed entity's compliance architecture; and the post-examination implementation where examination outcomes drive structured remediation, governance updates, and compliance enhancement across the multi-year supervisory horizon. Practice may vary by authority and year.

5) Crypto-Asset Regulation: Law No. 7518 (2024), TCMB 16 April 2021 Payment Prohibition Yönetmelik and MASAK Communiqué No. 5

A Turkish Law Firm advising on the comprehensive crypto-asset regulatory framework will note that Turkish crypto-asset regulation has evolved through several distinct legislative and regulatory developments producing the current multi-layered framework, with structured analysis of all relevant frameworks supporting compliant crypto-asset operations. The procedure ordinarily considers the Law No. 7518 framework (effective 2 July 2024) adding m.35/B vd. to the Sermaye Piyasası Kanunu and establishing the first consolidated regulatory framework for kripto varlık hizmet sağlayıcıları with SPK supervisory authority, minimum capital, custody standards and operational compliance requirements; the TCMB Yönetmelik dated 16 April 2021 (Ödemelerde Kripto Varlıkların Kullanılmamasına Dair Yönetmelik) prohibiting the use of crypto-assets as payment instruments — meaning crypto-assets cannot be used directly or indirectly to pay for goods or services in Turkey, though crypto-asset trading and holding remain permitted; the MASAK General Communiqué No. 5 effective 1 May 2021 adding crypto-asset service providers to the obligated-entity scope under Law No. 5549 framework; and the broader regulatory landscape including ongoing SPK secondary regulation development establishing the substantive operational standards through the post-7518 framework's continuing implementation period.

An English speaking lawyer in Turkey advising on the TCMB payment prohibition implications will explain that the 16 April 2021 TCMB Yönetmelik produces specific operational implications for both crypto-asset service providers and merchants accepting payment for goods and services, with structured compliance discipline supporting the operational positioning. The procedure ordinarily considers the prohibition scope covering both direct crypto-asset payment use and indirect payment facilitation through technical mechanisms designed to circumvent the direct-use prohibition; the merchant-side compliance where businesses accepting payment for goods and services cannot accept crypto-asset payments regardless of merchant or customer preferences; the platform-side compliance where payment service providers cannot facilitate crypto-asset payment flows that effectively circumvent the prohibition; the trading-and-holding distinction where the prohibition applies specifically to payment use rather than to crypto-asset trading or investment activity (which remains permissible subject to the Law No. 7518 framework and broader compliance requirements); and the broader integration with international payment frameworks where Turkish entities may face complications when interacting with international payment infrastructure that incorporates crypto-asset functionality.

A lawyer in Turkey advising on the post-7518 transition and ongoing compliance will note that the implementation period for Law No. 7518's substantive requirements involves structured transitions for both existing market participants and new market entrants, with the resulting compliance landscape requiring careful navigation through the framework's continuing development. The procedure ordinarily considers the transition framework where existing crypto-asset service providers face structured timelines to achieve full compliance with the new licensing and operational standards; the licensing application strategy where the timing, scope and substantive content of SPK licensing applications substantially affect the resulting regulatory positioning; the ongoing SPK secondary regulation monitoring where additional regulations, guidance and supervisory positions continue to develop the substantive operational framework; the cross-jurisdictional considerations where international crypto-asset platforms operating in or interacting with Turkish residents face specific compliance considerations; and the broader integration with global crypto-asset regulatory developments affecting Turkish operations through cross-border transaction flows. Practice may vary by authority and year.

The substantive operational standards continuing development through SPK secondary regulation will substantially affect the practical operating environment for licensed crypto-asset service providers across the framework's continuing implementation period, with structured monitoring supporting timely operational adaptation. The procedure ordinarily considers the custody-standard development affecting customer asset segregation, hot-wallet versus cold-wallet allocation, security infrastructure standards, and broader custody compliance; the operational-standard development affecting transaction processing, customer onboarding, market-integrity controls, and ongoing operational discipline; the reporting-standard development affecting periodic reporting to SPK, incident reporting, and supervisory examination preparation; and the broader market-conduct framework affecting crypto-asset service providers' interactions with customers, counterparties, and the broader market ecosystem.

6) Corporate Governance, Internal Controls and TTK Law No. 6102 Coordination

An Istanbul Law Firm advising on corporate governance frameworks for fintech companies will note that fintech operations require structured governance architecture coordinating the underlying TTK (Türk Ticaret Kanunu, Law No. 6102) corporate framework with the various regulatory-specific governance requirements producing the integrated governance discipline. The procedure ordinarily considers the corporate-vehicle establishment as anonim şirket under TTK with appropriate articles of association (esas sözleşme) supporting both the broader corporate framework and the regulatory-specific requirements; the board composition under TTK m.359 vd. supporting both the general corporate governance framework and regulatory fit-and-proper requirements applicable to licensed fintech entities; the executive management framework supporting both day-to-day operational responsibility and regulatory accountability; the committee structure including audit committee under TTK m.378 (where threshold-applicable), risk committee where licensed-entity status warrants such structure, and other specialized committees supporting structured governance; and the broader shareholder rights framework supporting both ordinary corporate governance and any specialized regulatory positioning.

A lawyer in Turkey advising on the internal controls framework will note that internal controls operate through coordinated frameworks addressing financial integrity, operational integrity, compliance integrity and governance integrity — with structured architecture supporting consistent positioning across the multi-year operational horizon. The procedure ordinarily considers the financial controls framework covering authorization protocols, segregation of duties, reconciliation procedures, and audit trail mechanics supporting financial integrity; the operational controls framework covering process documentation, exception handling, change management, and incident response supporting operational integrity; the compliance controls framework covering AML procedures, KVKK procedures, regulatory reporting procedures, and ongoing compliance monitoring supporting compliance integrity; the IT controls framework covering access management, data security, business continuity, and disaster recovery supporting technological integrity; and the broader integration where the various control frameworks operate through coordinated architecture rather than as independent silos.

A Turkish Law Firm advising on the governance evolution framework will note that fintech governance must evolve with the underlying business including funding rounds, product launches, scale events, M&A activity, and other corporate developments — with structured governance evolution supporting both regulatory positioning and broader corporate maturation. The procedure ordinarily considers the governance scaling framework where governance complexity should scale with business complexity rather than remaining static across the entity's growth trajectory; the funding-round governance evolution where Series A, B, C and subsequent funding events typically produce specific governance modifications including investor representation, special-class share rights, and supplementary governance mechanisms; the M&A-event governance handling where acquisitions, dispositions, mergers, and restructuring events produce specific governance implications; the regulatory-event governance handling where supervisory examinations, enforcement actions, license modifications, and other regulatory events produce specific governance implications; and the broader strategic governance framework supporting consistent governance positioning across the entity's strategic evolution. Practice may vary by authority and year.

7) Fintech M&A Compliance Due Diligence and Post-Closing Integration

Turkish lawyers who advise on fintech M&A transactions will note that fintech transactions face specialized due diligence considerations beyond standard corporate due diligence, with structured compliance review supporting both transaction execution and post-closing integration. The procedure ordinarily considers the licensing status review covering current license validity, any pending renewal or modification procedures, license-conditions compliance, and any historical license-related issues; the regulatory communication review covering historical regulator interactions, examination outcomes, enforcement matters, and any pending regulatory proceedings; the AML compliance review covering MASAK compliance positioning, suspicious transaction reporting history, customer due diligence procedures, and any AML-related supervisory or enforcement matters; the KVKK compliance review covering personal data processing positioning, VERBIS registration status, cross-border transfer mechanisms, and any KVKK-related matters; and the broader compliance review covering tax compliance, employment compliance, intellectual property positioning, and other compliance dimensions affecting the target's overall risk profile.

An English-speaking lawyer in Turkey advising on the M&A representation and warranty framework will note that fintech M&A transactions typically involve specialized representation and warranty packages addressing the fintech-specific compliance dimensions, with structured negotiation supporting appropriate risk allocation between buyer and seller. The procedure ordinarily considers the licensing-related representations covering current license status, license-conditions compliance, and the absence of any pending license-related matters; the AML-related representations covering MASAK compliance positioning, suspicious transaction reporting history, and customer due diligence procedures; the KVKK-related representations covering personal data compliance positioning, VERBIS registration status, and cross-border transfer mechanisms; the regulatory-investigation representations covering both pending investigations and any historical investigations affecting the target's risk profile; and the indemnification framework supporting structured allocation of compliance-related risks between the parties through appropriate caps, baskets, and procedural mechanics.

A lawyer in Turkey advising on post-closing integration will note that post-closing fintech integration involves both operational integration and compliance integration with the resulting integration discipline supporting both the transaction's commercial objectives and the ongoing regulatory positioning. The procedure ordinarily considers the regulatory notification framework where the change-of-control event triggers specific TCMB, SPK, MASAK or KVKK Kurulu notification obligations depending on the target's regulatory status; the licensing modification framework where the change-of-control may require license modification, fit-and-proper review of new ultimate beneficial owners, or other licensing-related procedures; the operational integration framework where compliance procedures, IT systems, governance structures, and operational practices undergo structured integration with the acquirer's broader infrastructure; the personnel integration framework where compliance officers, key management, and other specialized personnel face specific integration considerations; and the broader strategic integration framework supporting consistent post-closing positioning across the integrated entity's broader strategic objectives. Practice may vary by authority and year.

The fit-and-proper assessment for new ultimate beneficial owners following change-of-control transactions deserves separate operational attention because regulatory authorities apply structured assessment criteria that may produce surprises for acquirers without prior fit-and-proper experience in the Turkish regulatory environment. The procedure ordinarily considers the personal-history review covering criminal records, regulatory enforcement history, and broader integrity assessment for individual ultimate beneficial owners; the financial-capacity review confirming the new ownership's financial substance supporting the entity's ongoing operations; the source-of-funds review establishing the legitimate origin of acquisition funding; and the broader strategic-and-operational fit assessment evaluating the new ownership's compatibility with the entity's regulated-activity profile.

8) Regulatory Defense: Administrative Litigation under İYUK Law No. 2577 and AYM Bireysel Başvuru under Law No. 6216

An Istanbul Law Firm advising on regulatory defense architecture will note that fintech entities facing regulatory enforcement actions can pursue structured legal defense through the administrative litigation framework under the 2577 sayılı İdari Yargılama Usulü Kanunu (İYUK), supplemented by the AYM (Anayasa Mahkemesi / Constitutional Court) bireysel başvuru framework under the 6216 sayılı Kanun where applicable. The procedure ordinarily considers the administrative remedy phase where preliminary objection (itiraz) to the regulator's decision must be pursued before judicial review where the framework requires; the administrative court (İdare Mahkemesi) review under İYUK where the administrative decision is challenged on substantive and procedural grounds within the 60-day filing period under İYUK m.7; the appellate review through Bölge İdare Mahkemesi (regional administrative court) under the istinaf framework; the high-court review through Danıştay (Council of State) under the temyiz framework; and the AYM bireysel başvuru framework under Law No. 6216 m.45-49 where ordinary remedies are exhausted and the matter involves alleged violation of fundamental rights protected by the Anayasa or the European Convention on Human Rights.

A lawyer in Turkey advising on the substantive defense framework will note that regulatory defense in fintech matters typically involves multiple substantive defense theories that the structured defense should evaluate and pursue based on the specific case facts. The procedure ordinarily considers the procedural-defect defense where the regulatory decision was made without appropriate procedural compliance including notice, hearing rights, evidence consideration, and reasoned decision-making; the substantive-error defense where the regulatory decision involves substantive misapplication of the underlying regulatory framework, factual error, or analytical error affecting the decision's validity; the proportionality defense where the regulatory measure (typically penalty severity, license action scope, or other consequential decision) is disproportionate to the underlying conduct; the constitutional-law defense where the regulatory framework's application produces alleged violation of fundamental rights including due process, property rights, freedom of enterprise, and other Anayasa-protected rights; and the European Convention defense where the regulatory framework's application produces alleged violation of ECHR rights potentially supporting both AYM bireysel başvuru and ECtHR proceedings under the four-month framework following AYM exhaustion.

A Turkish Law Firm advising on the strategic defense framework will note that effective regulatory defense in fintech matters requires structured coordination of legal, operational, communication, and broader strategic dimensions producing comprehensive defense rather than narrow procedural challenge. The procedure ordinarily considers the defense timeline coordination ensuring procedural deadlines are met across all applicable frameworks (administrative remedy, İYUK litigation, AYM bireysel başvuru) without procedural defaults; the documentary discipline supporting structured presentation of defense materials across multiple decision-making interfaces; the operational coordination ensuring that ongoing operations support the defense narrative through demonstrated compliance commitment, remediation initiatives, and broader good-faith positioning; the communication coordination addressing internal communications, regulator communications, investor communications, and broader stakeholder communications supporting the defense without creating supplementary risks; and the broader strategic coordination supporting consistent defense positioning across the multi-year resolution horizon. Practice may vary by authority and year.

The cross-border enforcement coordination warrants separate operational attention because international fintech operations frequently face simultaneous proceedings across multiple jurisdictions producing coordination complexity affecting both immediate defense and broader strategic positioning. The procedure ordinarily considers the multi-jurisdictional proceeding mapping identifying all relevant proceedings across the various jurisdictions where the entity operates; the substantive consistency framework ensuring that positions taken in one jurisdiction do not inadvertently undermine positions in other jurisdictions through inconsistent factual or legal characterizations; the procedural coordination supporting timing, sequencing and structural alignment of defense activities across the various jurisdictions; the strategic-resource allocation distributing defense resources across the various proceedings based on materiality, procedural urgency, and broader strategic considerations; and the broader integration with cross-border enforcement cooperation mechanisms increasingly characterizing financial regulatory enforcement across major jurisdictions.

9) Frequently Asked Questions for Fintech Founders, Investors and Compliance Officers

  1. Which authority licenses payment service providers and electronic money institutions in Turkey? Following the 20 November 2019 amendment to Law No. 6493, regulatory and supervisory authority over payment service providers (Ödeme Hizmeti Sağlayıcıları) and electronic money institutions (Elektronik Para Kuruluşları) was transferred from BDDK to TCMB (Türkiye Cumhuriyet Merkez Bankası). Licensing applications are now submitted to and administered by TCMB under the 6493 sayılı Kanun framework with supplementary TCMB Yönetmelik framework.
  2. What is the regulatory framework for crypto-asset service providers? Law No. 7518 (effective 2 July 2024) added m.35/B vd. to the Sermaye Piyasası Kanunu (Law No. 6362) establishing the first consolidated regulatory framework for kripto varlık hizmet sağlayıcıları under SPK supervisory authority, with licensing requirements, minimum capital, custody standards, operational infrastructure standards, and ongoing supervisory framework. AML extension applies through the broader 5549 sayılı Kanun framework as initially extended through MASAK Communiqué No. 5 (effective 1 May 2021).
  3. Can crypto-assets be used for payments in Turkey? No. The TCMB Yönetmelik dated 16 April 2021 (Ödemelerde Kripto Varlıkların Kullanılmamasına Dair Yönetmelik) prohibits the direct or indirect use of crypto-assets as payment instruments for goods and services. Crypto-asset trading and holding remain permitted subject to the post-Law No. 7518 framework and broader compliance requirements.
  4. What are the AML obligations for fintech companies? Under the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun framework administered through MASAK (Mali Suçları Araştırma Kurulu), fintech entities (as yükümlü / obligated entities) must implement customer due diligence (Müşteri Tanıma İlkesi), enhanced due diligence for higher-risk customers, ongoing transaction monitoring, suspicious transaction reporting (Şüpheli İşlem Bildirimi), structured eight-year record retention under m.8, compliance officer (Uyum Görevlisi) appointment, internal training, and internal audit frameworks.
  5. How long must AML records be retained? Under Law No. 5549 m.8 and the supporting MASAK Yönetmelik framework, AML-related records (customer due diligence, transactions, suspicious activity reports, internal compliance documentation) must be retained for at least eight years.
  6. What KVKK obligations apply to fintech companies? Under the 6698 sayılı Kişisel Verilerin Korunması Kanunu administered through the KVKK Kurulu, fintech entities (typically as data controllers / veri sorumlusu) must conduct data inventory mapping, lawful basis analysis under m.5 and m.6, data subject rights handling, VERBIS (Veri Sorumluları Sicili) registration where threshold-applicable, cross-border transfer compliance under the amended m.9 framework (post-Law No. 7499 reforms), breach notification, and structured ongoing compliance.
  7. Does GDPR apply to Turkish fintech companies? Turkey is not an EU member state and GDPR does not directly apply to Turkish operations. However, Turkish fintech entities serving EU residents may face GDPR obligations through the GDPR's territorial scope provisions. Turkish KVKK and EU GDPR are distinct frameworks requiring separate compliance analysis even where both apply.
  8. What is VERBIS? VERBIS (Veri Sorumluları Sicili / Data Controllers Registry) is the KVKK Kurulu-administered registry where threshold-applicable data controllers must register with detailed processing inventory documentation. Registration thresholds and procedural requirements are established through KVKK Yönetmelik framework.
  9. Is a DPO required under KVKK? No. KVKK uses the irtibat kişisi (contact person) framework rather than the GDPR's Data Protection Officer (DPO) concept. The irtibat kişisi serves primarily as a communication interface with the KVKK Kurulu rather than as an independent compliance officer with the broader independence and authority that GDPR establishes for DPOs. Fintech operations serving both Turkish and EU markets must coordinate the irtibat kişisi role with any GDPR DPO role through structured allocation.
  10. How long does fintech licensing take? Licensing timelines vary substantially based on application completeness, business model complexity, and regulator workload. Practitioners typically anticipate multi-month review periods for TCMB licensing under Law No. 6493 framework, with longer periods for complex business models or where the application requires substantial supplementary information. Pre-application preparation discipline materially affects practical timeline outcomes.
  11. Can foreign investors hold Turkish fintech entities? Yes, subject to fit-and-proper review for ultimate beneficial owners under the applicable regulatory framework, change-of-control notification and approval procedures where applicable, KVKK cross-border data transfer compliance, and broader regulatory positioning. The Turkish corporate-vehicle requirement (typically anonim şirket under TTK) and operational presence requirements apply regardless of ultimate ownership.
  12. What is BNPL regulatory positioning in Turkey? Buy-Now-Pay-Later (BNPL) services in Turkey face the 6502 sayılı Tüketicinin Korunması Hakkında Kanun (Consumer Protection Law) framework with the Tüketici Kredisi Sözleşmeleri Yönetmeliği (Consumer Credit Agreements Regulation) governing consumer credit aspects. Specific BNPL structures may also engage the 6361 sayılı Kanun (financial leasing/financing companies) framework where the structure meets the financial-services-provider criteria. Specific regulatory positioning depends on the substantive structure rather than the marketing labels.
  13. What is peer-to-peer lending regulatory positioning? Peer-to-peer lending and crowdfunding in Turkey operate under the SPK Kitle Fonlaması Tebliği (III-35/A.2) framework supporting paya dayalı (equity-based) and borçlanmaya dayalı (debt-based) crowdfunding through SPK-licensed crowdfunding platforms with specific limits, operational requirements and investor-protection frameworks.
  14. How can fintech entities defend regulatory enforcement actions? Through structured legal defense including administrative remedy (itiraz) where applicable, administrative court (İdare Mahkemesi) review under the 2577 sayılı İYUK framework within the 60-day İYUK m.7 filing period, appellate review through Bölge İdare Mahkemesi (istinaf), high-court review through Danıştay (temyiz), and AYM bireysel başvuru under Law No. 6216 m.45-49 where ordinary remedies are exhausted and fundamental rights are alleged to be violated.
  15. Does ER&GUN&ER Law Firm advise on fintech regulatory compliance? Yes. ER&GUN&ER Law Firm is an Istanbul-based law firm advising fintech founders, investors, electronic money institutions, payment service providers, crypto-asset platforms, peer-to-peer lending platforms, neobanks and corporate participants on Turkish fintech regulatory compliance, including TCMB licensing under the 6493 sayılı Ödeme ve Menkul Kıymet Mutabakat Sistemleri, Ödeme Hizmetleri ve Elektronik Para Kuruluşları Hakkında Kanun (post-2019 authority transfer); SPK licensing for crypto-asset service providers under the post-Law No. 7518 (2024) framework adding m.35/B vd. to the Sermaye Piyasası Kanunu; AML compliance under the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun framework with MASAK supervision and Communiqué No. 5 crypto-asset extension; KVKK personal data compliance under the 6698 sayılı Kişisel Verilerin Korunması Kanunu including VERBIS registration, m.9 cross-border transfer framework (post-Law No. 7499 reforms), and irtibat kişisi appointment; TCMB Yönetmelik dated 16 April 2021 crypto payment prohibition compliance; corporate governance under TTK Law No. 6102 with anonim şirket structure, board composition, committee structure and shareholder framework; M&A compliance due diligence and post-closing integration including change-of-control notification across all relevant regulatory authorities; regulatory defense through 2577 sayılı İYUK administrative litigation framework and 6216 sayılı AYM bireysel başvuru where applicable; and ECHR/ECtHR coordination where appropriate — with English-language client communication and bilingual documentation throughout each engagement. Files in this area are typically led personally by the managing partner rather than delegated.

Turkish lawyers who advise on the strategic dimension of multi-regulator coordination will note that fintech operations face structured complexity where the various regulators (TCMB, SPK, MASAK, KVKK Kurulu) operate through distinct frameworks with different procedural mechanics, different timing expectations, different documentary standards, and different supervisory cultures producing the integrated coordination discipline that experienced practitioners support across the multi-year compliance horizon. Practice may vary by authority and year.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises fintech founders, investors, electronic money institutions, payment service providers, crypto-asset platforms, peer-to-peer lending platforms, neobanks, family offices, foreign financial institutions and multinational groups on Turkish fintech regulatory compliance under the 6493 sayılı Ödeme ve Menkul Kıymet Mutabakat Sistemleri, Ödeme Hizmetleri ve Elektronik Para Kuruluşları Hakkında Kanun (Law No. 6493) including the 20 November 2019 amendment transferring authority from BDDK to TCMB, the 7518 sayılı Kanun (effective 2 July 2024) adding m.35/B vd. to the Sermaye Piyasası Kanunu (Law No. 6362) and establishing the consolidated framework for kripto varlık hizmet sağlayıcıları under SPK supervisory authority, the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun governing AML compliance through MASAK (Mali Suçları Araştırma Kurulu) under Hazine ve Maliye Bakanlığı including the eight-year record retention under m.8 and MASAK General Communiqué No. 5 effective 1 May 2021 adding crypto-asset service providers to the obligated-entity scope, the 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK / Law No. 6698) administered through the KVKK Kurulu including VERBIS (Veri Sorumluları Sicili) registration framework and the post-Law No. 7499 amended m.9 cross-border transfer framework, the TCMB Yönetmelik dated 16 April 2021 (Ödemelerde Kripto Varlıkların Kullanılmamasına Dair Yönetmelik) prohibiting crypto-asset use in payments, the TCMB Yönetmelik dated 1 December 2021 establishing the operational framework for licensed payment service providers, the 6102 sayılı Türk Ticaret Kanunu (TTK) governing the corporate-vehicle requirements including anonim şirket establishment under m.329 vd. and board composition under m.359 vd., the 6361 sayılı Finansal Kiralama, Faktoring, Finansman ve Tasarruf Finansman Şirketleri Kanunu where BNPL or similar structures engage the financial-services-provider framework, the 6502 sayılı Tüketicinin Korunması Hakkında Kanun for consumer credit dimensions, the SPK Kitle Fonlaması Tebliği (III-35/A.2) for peer-to-peer lending and crowdfunding, the 2577 sayılı İdari Yargılama Usulü Kanunu (İYUK) including the 60-day filing period under m.7 governing administrative court review, the 6216 sayılı Anayasa Mahkemesinin Kuruluşu ve Yargılama Usulleri Hakkında Kanun governing AYM bireysel başvuru under m.45-49, and the European Convention on Human Rights and ECtHR procedural framework where cross-jurisdictional fundamental-rights coordination applies.

His advisory work covers fintech licensing applications including TCMB applications for payment service providers and electronic money institutions, SPK applications for crypto-asset service providers under the post-7518 framework, and broader regulatory positioning analysis; AML compliance architecture including customer due diligence procedures, enhanced due diligence procedures, ongoing transaction monitoring, suspicious transaction reporting, eight-year record retention discipline, compliance officer appointment, training framework, and internal audit framework; KVKK compliance architecture including data inventory mapping, lawful basis analysis, data subject rights handling, VERBIS registration coordination, cross-border transfer mechanisms (adequacy decisions, taahhütname, binding corporate rules, explicit consent), breach notification procedures, and irtibat kişisi appointment; TCMB regulatory reporting and supervisory examination support; SPK regulatory reporting and supervisory examination support for post-7518 framework participants; corporate governance architecture under TTK with anonim şirket establishment, esas sözleşme drafting, board composition, committee structure, and shareholder agreement support; M&A compliance due diligence including licensing review, regulatory communication review, AML compliance review, KVKK compliance review, and broader compliance review with structured representation and warranty negotiation; post-closing integration including change-of-control notification across TCMB, SPK, MASAK and KVKK Kurulu interfaces; regulatory defense through İYUK administrative litigation including itiraz, İdare Mahkemesi review, Bölge İdare Mahkemesi istinaf, and Danıştay temyiz; and AYM bireysel başvuru coordination under Law No. 6216 with potential ECtHR coordination under ECHR Protocol 15 four-month framework following AYM exhaustion.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022).