Third-Party Due Diligence in Turkey: TCK 252 & Law 5549 Framework

Third-party due diligence (üçüncü taraf inceleme) for businesses operating in Türkiye operates through an integrated framework spanning anti-bribery, anti-money-laundering, sanctions, data protection, civil liability, and procedural rules. The principal Turkish legal sources are: the Penal Code (Law No. 5237, the "TCK") Articles 252 (bribery), 253 (entity-level security measures), 254 (effective regret), and 255 (improper benefit through office); the Misdemeanours Law (Law No. 5326) Article 43/A providing administrative fine framework against legal entities for representative misconduct; the Law on Prevention of Laundering Proceeds of Crime (Law No. 5549, the "AML Kanunu") of 11 October 2006 establishing AML framework with MASAK supervision; the Personal Data Protection Law (Law No. 6698, the "KVKK") with Article 5/2(ç) legal obligation processing basis enabling sanctions and AML screening; the Constitution Article 90 establishing supremacy of ratified international agreements over conflicting domestic law; the Competition Law (Law No. 4054) governing competition concerns; the Commercial Code (Law No. 6102, the "TTK") Articles 553-557 governing director liability; the Capital Markets Law (Law No. 6362) Article 106 establishing corporate criminal liability for capital markets offences; the Electronic Signature Law (Law No. 5070) Articles 4-5 establishing qualified electronic signature equivalence to handwritten signature; and HMK Article 199 governing electronic evidence admissibility.

Foreign legal frameworks frequently extend to Turkish operations creating compounded compliance obligations. The US Foreign Corrupt Practices Act (FCPA) anti-bribery and accounting provisions reach Turkish transactions involving US-listed parents, US-correspondent-bank payment routing, or US-issuer subsidiaries. The UK Bribery Act 2010 Section 7 strict liability for failure to prevent bribery extends to UK-incorporated parents' Turkish operations. The German Supply Chain Due Diligence Act (LkSG) imposes human rights and environmental due diligence on Turkish suppliers of qualifying German entities. EU Council Regulations on restrictive measures (sanctions) apply directly to EU-incorporated entities and their Turkish operations, with US Office of Foreign Assets Control (OFAC) sanctions creating de facto compliance obligations through banking channels. Turkish banks routinely block payments involving listed parties under EU and OFAC frameworks despite no formal Turkish incorporation. The integrated multi-jurisdiction framework requires comprehensive third-party due diligence aligning Turkish substantive obligations with foreign extraterritorial requirements. ER&GUN&ER Law Firm advises Turkish and multinational organisations on integrated third-party due diligence design, documentation, and execution. Practice may vary by authority and year — check current guidance.

Anti-Bribery Framework Under TCK 252-255

Turkish anti-bribery framework operates under Penal Code Articles 252-255 establishing comprehensive criminalisation. TCK Article 252 governs bribery (rüşvet) as the principal anti-bribery offence — both the bribe-giver and bribe-recipient face criminal penalties of 4-12 years imprisonment, with Article 252/3 specifically extending criminal liability to private sector bribery in defined circumstances. The article also addresses promised, offered, or solicited bribery beyond completed transactions, capturing inchoate misconduct. Foreign public official bribery falls under TCK Article 252 framework with extraterritorial application supporting Türkiye's OECD Anti-Bribery Convention obligations.

TCK Article 253 establishes entity-level (legal person) security measures (tüzel kişiler hakkında güvenlik tedbiri) for bribery and similar offences. The framework permits courts to impose: confiscation of benefits derived from the offence; cancellation of operating permits; and other entity-level consequences. The substantive entity liability operates alongside individual criminal liability for the actual perpetrators (executives, employees, agents) — not as alternative but as supplemental. TCK Article 254 (etkin pişmanlık) provides significant penalty reductions for effective regret and cooperation with prosecution before discovery — establishing important incentive structure for self-reporting and cooperation in bribery investigations. TCK Article 255 (yetkili olmadığı bir iş için yarar sağlama) addresses obtaining benefit through office where the official lacks authority for the underlying matter — closing potential gaps in classical bribery prosecution. Practice may vary by authority and year — check current guidance.

Misdemeanours Law (Law No. 5326) Article 43/A provides administrative fine framework for legal entities benefiting from criminal offences committed by representatives. The article enables substantial monetary fines independent of criminal prosecution against individuals — supporting comprehensive entity-level enforcement against organisations whose internal controls fail to prevent representative misconduct. The framework operates through judicial application following criminal proceeding outcomes, with specific procedures for entity defence and proportionality analysis. The combination of TCK entity-level security measures, Misdemeanours Law administrative fines, and individual criminal prosecution creates layered enforcement framework requiring comprehensive prevention and response infrastructure. Capital Markets Law (Law No. 6362) Article 106 establishes additional corporate criminal liability framework for capital markets offences with specific application to listed companies and capital markets professionals. The integrated Turkish anti-bribery framework supports robust third-party due diligence requirements addressing both direct organisational misconduct and indirect liability through agents, distributors, and intermediaries. Foreign anti-bribery frameworks (FCPA, UK Bribery Act, OECD Convention) operating in parallel create comprehensive compliance obligations for multinationals operating in or through Türkiye.

AML Framework Under Law 5549 and MASAK Supervision

Anti-money-laundering framework operates under the Law on Prevention of Laundering Proceeds of Crime (Law No. 5549) of 11 October 2006 (Resmi Gazete 18.10.2006/26323). Law 5549 Article 2 designates obligated parties (yükümlüler) including banks, capital markets institutions, insurance companies, real estate intermediaries, accountants, lawyers (with specific limitations), notaries, dealers in precious metals, and crypto asset service providers (added through MASAK Tebliğ No. 18 of 1 May 2021). The obligated parties framework extends substantially through implementing regulations and MASAK communiqués with periodic expansion to address emerging sectors and risks.

Law 5549 Article 3 establishes customer identification (kimlik tespiti) obligations including: identification at establishment of continuous customer relationships; identification for occasional transactions exceeding TRY 75,000 (single transaction or linked transactions); enhanced due diligence for high-risk customer categories; beneficial ownership identification for legal entity customers; ongoing monitoring of customer activity against expected behaviour patterns; and integrated record-keeping. Identification documentation requirements include government-issued identity documents, address verification, beneficial ownership documentation through ownership chain analysis, and similar comprehensive verification. Law 5549 Article 4 establishes suspicious transaction reporting (şüpheli işlem bildirimi) obligation — obligated parties must report suspicious transactions to MASAK within 10 business days of identifying the suspicious nature (frequently misstated as 3 days in incorrect sources). The reporting framework operates through MASAK's online portal with specific report categories. Practice may vary by authority and year — check current guidance.

Law 5549 Article 5 establishes record-keeping obligations including 8-year minimum retention for customer identification, transaction records, and similar AML documentation. Article 7 establishes administrative fine framework for non-compliance with substantial financial penalties indexed annually. Article 13 establishes additional sanctions for serious violations including potential criminal exposure. Internal AML programme requirements under implementing regulations include: written AML policies and procedures; designated compliance officer with appropriate authority and independence; ongoing employee training; independent audit function; and integrated systems supporting customer monitoring and reporting. The integration between AML compliance and broader due diligence creates strong synergies — AML customer identification, ongoing monitoring, and suspicious transaction reporting frameworks substantially overlap with anti-bribery and sanctions due diligence requirements. Strategic compliance design typically integrates AML, anti-bribery, sanctions, and broader counterparty due diligence into unified third-party risk management framework with shared infrastructure, common documentation, and integrated escalation pathways. Cross-border AML coordination under bilateral agreements and Egmont Group framework supports international cooperation in transnational money laundering investigations affecting Turkish counterparties.

Sanctions Framework and Constitutional Article 90

Turkish sanctions framework derives from multiple sources with specific application varying by sanctioning authority. Constitution Article 90 establishes that international agreements ratified by Türkiye on fundamental rights and freedoms that conflict with domestic law prevail over conflicting provisions — providing constitutional foundation for direct application of UN Security Council Resolution sanctions framework where Türkiye is bound. UN Security Council Resolutions imposing sanctions are implemented in Türkiye through Cabinet Decree (formerly) and Presidential Decree (since 2018 constitutional reform) framework, with specific implementation lists and procedures.

EU Council Regulations on restrictive measures (sanctions) do not directly apply to Türkiye as a non-EU member state, but practical compliance obligations arise through several pathways. EU-incorporated parents face direct EU sanctions obligations extending through their Turkish operations. EU-banking-system payment routing creates de facto sanctions exposure for Turkish counterparties whose payments traverse EU banks. Trade relationships with EU counterparties typically include sanctions compliance obligations through contractual provisions. The combined effect creates substantial practical EU sanctions compliance even for purely Turkish operations engaging with European value chains. US OFAC sanctions operate through analogous practical pathways — US-correspondent-bank routing, US-listed parents, US-issuer subsidiaries, and similar US connections trigger OFAC compliance obligations. US Secondary Sanctions framework specifically targets non-US persons engaging with sanctioned entities, creating substantial OFAC exposure for Turkish operations engaging with Iran, Russia, North Korea, and similar comprehensive sanctions targets. Practice may vary by authority and year — check current guidance.

Practical sanctions screening implementation requires several integrated elements. Daily list updates from UN, EU, OFAC, UK OFSI, and other relevant authorities provide current restricted parties information. Beneficial ownership analysis identifies entities owned 50% or more by sanctioned parties under OFAC's "50 Percent Rule" and analogous EU/UK frameworks — meaning even formally non-listed entities may trigger sanctions through ownership analysis. Sanctions screening operates through commercial screening services or in-house systems integrated with customer onboarding, ongoing monitoring, and payment processing. KVKK Article 5/2(ç) legal obligation processing basis supports sanctions screening data processing — the processing is necessary for compliance with legal obligations to which the data controller is subject, providing lawful basis without explicit consent requirement. Cross-border data transfer for global sanctions database access operates under KVKK Article 9 framework as substantially amended by Law No. 7499 of 2 March 2024. Banking system integration creates real-time sanctions interdiction for payment processing — Turkish banks routinely block payments involving listed parties even where the underlying commercial transaction is otherwise lawful. Effective sanctions compliance requires integration between counterparty due diligence (identifying potential sanctions exposure pre-transaction), payment system controls (preventing prohibited payments), and ongoing monitoring (detecting changes in sanctions status post-transaction).

Risk-Based Counterparty Segmentation and Onboarding

Effective third-party due diligence operates through risk-based segmentation matching due diligence intensity to identified risk levels. Risk segmentation factors include: counterparty jurisdiction (using Transparency International Corruption Perceptions Index, FATF jurisdiction classifications, sanctions exposure, and similar country-risk indicators); industry sector (defence, healthcare, energy, customs, real estate, and similar high-risk sectors face enhanced scrutiny); transaction volume (higher-value relationships warrant deeper analysis); government-touch profile (counterparties interacting with public officials, public procurement, or regulated activities face elevated bribery risk); ownership transparency (opaque structures with offshore elements or politically exposed persons require enhanced beneficial ownership analysis); and similar risk indicators.

Tiered due diligence frameworks typically segment counterparties into low, medium, and high-risk categories with corresponding due diligence depth. Low-risk counterparties (routine suppliers in transparent sectors with established commercial relationships) receive streamlined onboarding including basic registry verification, sanctions screening, and standard contractual provisions. Medium-risk counterparties receive enhanced due diligence including comprehensive beneficial ownership analysis, financial verification, references checking, and detailed contractual provisions with audit rights and certification requirements. High-risk counterparties (counterparties in elevated-risk jurisdictions, sectors, or with concerning indicators) receive comprehensive due diligence including site visits, forensic financial analysis, third-party investigative reports, integrated reference checking, and rigorous contractual provisions with detailed audit rights, regular certifications, and termination protections. Practice may vary by authority and year — check current guidance.

Onboarding documentation typically includes: trade registry verification through MERSİS (Merkezi Sicil Sistemi) covering legal entity status, registration details, capital structure, and authorised signatories; tax registration verification through Revenue Administration system (Vergi Levhası); beneficial ownership identification through ownership chain analysis with appropriate documentation; identity verification for individuals through government-issued identification; politically exposed persons (PEP) declarations and screening; sanctions screening with documented results; criminal record clearances where appropriate to risk level and jurisdiction; financial standing verification including audited financials for material relationships; references from existing business partners; and integrated certifications regarding compliance, ethics, anti-bribery, sanctions, and similar undertakings. Foreign documentation requires Hague Apostille 1961 certification (Türkiye party through Law No. 6303 of 8 May 1985 since 1985, with recent expansions including UAE effective 7 May 2022, Canada 2024, and Qatar 2024) for member states or consular legalisation for non-member states, with sworn translation under HMK Article 223 by translators registered with Turkish notaries. Documentation typically operates through secure digital onboarding platforms with role-based access controls, integrated record retention, and audit trails supporting regulatory and litigation requirements. ER&GUN&ER Law Firm advises on counterparty due diligence framework design, onboarding documentation standards, and integrated risk segmentation methodology.

Continuous Monitoring and Escalation

Continuous monitoring extends due diligence beyond onboarding through ongoing relationship oversight. Trade registry monitoring through MERSİS captures changes in legal entity status, ownership, capital, authorised signatories, and similar fundamental information. Tax registration monitoring identifies tax compliance issues that may signal broader operational concerns. Sanctions list monitoring through integrated screening systems with daily list updates from UN, EU, OFAC, UK OFSI, and similar authorities identifies post-onboarding sanctions exposure. Adverse media monitoring through commercial services or in-house systems captures publicly reported concerns including criminal investigations, regulatory enforcement, civil litigation, and similar issues. Politically exposed persons (PEP) status changes including counterparty officials acquiring or losing PEP status trigger reassessment.

Escalation protocols translate monitoring findings into operational responses with risk-proportionate procedures. Low-severity findings (routine documentation refresh, expired certifications, similar administrative issues) typically operate through procurement workflow with specific deadlines for remediation. Medium-severity findings (litigation disclosures through UYAP court system access, unresolved tax matters, capital structure changes, similar concerns) typically operate through compliance team review with substantive assessment, counterparty engagement, and documented disposition. High-severity findings (sanctions designations, criminal indictments, public regulatory enforcement, beneficial ownership changes implicating sanctioned persons, similar serious concerns) typically operate through immediate freeze of new transactions, comprehensive investigation, executive escalation, and formal counterparty engagement including potential termination. Practice may vary by authority and year — check current guidance.

Documentation and audit trail requirements support both regulatory compliance and litigation defence. Each monitoring alert, assessment, decision, and action is documented with: timestamp; analyst identification; supporting evidence; decision rationale; approval authority where applicable; and integrated outcome documentation. Qualified electronic signature under Law No. 5070 Articles 4-5 provides equivalent legal effect to handwritten signature for electronic records — supporting digital workflow with legal validity. TÜBİTAK-KamuSM time-stamping provides additional integrity assurance for evidence preservation. HMK Article 199 establishes electronic records' evidentiary value subject to authenticity and integrity verification — proper electronic signature and time-stamping infrastructure supports admissibility. Record retention under Law 5549 Article 5 (8-year minimum for AML records) and TTK Article 82 (10-year retention for commercial books) provides framework for due diligence record retention. Strategic record retention typically exceeds minimum statutory requirements addressing potential regulatory enforcement, civil litigation, and integrated investigation needs. ER&GUN&ER Law Firm advises on monitoring framework design, escalation protocol implementation, documentation standards, and integrated audit trail architecture.

Contractual Protections and Termination

Contractual frameworks for third-party relationships incorporate due diligence findings and provide ongoing protection through specific provisions. Representations and warranties typically include: anti-bribery compliance with TCK 252-255, FCPA, UK Bribery Act, and similar applicable frameworks; sanctions compliance with UN, EU, OFAC, UK OFSI, and similar applicable frameworks; AML compliance with Law 5549 and similar applicable frameworks; absence of criminal convictions, regulatory sanctions, and similar adverse circumstances; truthful disclosure of beneficial ownership, control, and related information; and ongoing notification obligations regarding material changes. The representations support both pre-contract due diligence reliance and post-contract enforcement through misrepresentation claims and contractual remedies.

Audit rights provisions enable ongoing verification through specific access to counterparty books, records, operations, and personnel. Effective audit clauses specify: scope including financial records, compliance documentation, and operational systems; frequency including periodic and incident-driven audits; cost allocation typically with counterparty bearing costs for material findings; cooperation requirements for personnel access and document production; and integrated remediation requirements for identified deficiencies. Compliance certifications typically require periodic counterparty certifications regarding ongoing compliance with specified frameworks supported by appropriate internal investigation and documentation. Termination rights specifically include: termination for breach of compliance representations; termination upon sanctions designation of counterparty or beneficial owner; termination for material adverse changes in compliance status; and termination upon regulatory enforcement against counterparty. Effective termination clauses specify: triggering events with appropriate clarity; notice requirements supporting orderly transition; payment provisions for services rendered through termination; and post-termination obligations including data return, confidentiality, and cooperation. Practice may vary by authority and year — check current guidance.

Dispute resolution provisions typically include: governing law selection (Turkish law for Turkish operations, alternative selections for international transactions); forum selection through Turkish courts, Istanbul Arbitration Centre (ISTAC), International Chamber of Commerce (ICC) arbitration, or similar appropriate forums; integrated injunction and provisional measure pathways supporting interim protection during disputes; cost provisions including legal fees and arbitration costs; and integrated enforcement provisions supporting cross-border enforcement under New York Convention 1958 (Türkiye party since 1992) for international arbitration awards. Indemnification provisions allocate risk for compliance failures with counterparty bearing indemnification obligations for losses arising from counterparty's compliance breaches. Liability limitations balance counterparty risk acceptance with appropriate carve-outs for serious misconduct including bribery, sanctions violations, and intentional misconduct. Strategic contractual design integrates due diligence findings with risk-appropriate contractual protections, with counterparties' due diligence risk profile influencing contractual provision intensity. Foreign-counterparty contracts typically require additional provisions addressing extraterritorial framework compliance, currency and payment terms, dispute resolution venue selection, and integrated cross-border enforcement.

Documentation, Evidence, and Audit Defence

Comprehensive documentation supports regulatory compliance, audit defence, and litigation preparation. Documentation framework typically includes: written policies and procedures establishing programme structure, roles, responsibilities, and operational requirements; risk assessment documentation supporting risk-based approach with explicit risk identification, evaluation, and mitigation; counterparty files containing onboarding documentation, monitoring records, decision logs, and integrated relationship history; transaction documentation supporting individual relationship activity with appropriate audit trails; compliance certifications evidencing ongoing programme execution; training documentation supporting staff competence; audit and review documentation evidencing programme effectiveness assessment; and remediation documentation supporting continuous improvement.

Electronic documentation infrastructure typically operates through secure digital platforms with role-based access controls, integrated workflow management, audit trail capture, and document retention enforcement. Qualified electronic signature under Law No. 5070 provides evidentiary equivalence to handwritten signature for electronic documents. Law 5070 Article 5 specifically establishes that secure electronic signature has the same legal effect as handwritten signature for legal acts requiring written form. TÜBİTAK-KamuSM time-stamping provides integrity protection through trusted third-party timestamping. HMK Article 199 establishes electronic records' admissibility subject to authenticity and integrity demonstration — properly signed and time-stamped records support legal admissibility. Format selection for long-term preservation typically employs PDF/A or analogous archival formats supporting future operability. Practice may vary by authority and year — check current guidance.

Audit defence preparation operates through sustained programme execution rather than reactive document assembly. Standard documentation packages include: programme overview with policies, procedures, and organisational structure; risk assessment documentation; counterparty inventory with risk tier classifications; monitoring activity documentation; escalation case files; training records; audit and review reports; and integrated remediation documentation. Regulatory examination response typically requires rapid documentation production within examination timeframes — programmes with sustained documentation discipline meet timing requirements while reactive programmes face substantial pressure. KVKK considerations for examination response include: data subject access rights coordination for personal data within examination scope; cross-border transfer analysis under Article 9 framework where examination involves international authorities; and integrated privacy compliance throughout examination process. Litigation defence preparation parallels regulatory examination preparation with additional emphasis on specific evidence preservation, expert witness coordination, and integrated case theory development. Strategic programme design typically integrates regulatory examination preparation, litigation defence preparation, and routine programme operation through unified documentation framework — minimising duplication while supporting multiple use scenarios. ER&GUN&ER Law Firm advises on documentation framework design, electronic infrastructure architecture, and integrated audit and litigation preparation.

Sector-Specific Requirements

Sector-specific requirements layer additional obligations onto general third-party due diligence framework. Banking sector under Banking Law (Law No. 5411) and BDDK regulations imposes comprehensive customer due diligence, ongoing monitoring, and integrated risk management requirements through Banking Regulation and Supervision Agency framework. Financial sector entities including banks, insurance companies, capital markets institutions, and similar regulated entities face enhanced AML obligations under MASAK supervision plus sector-specific regulator requirements.

Telecommunications sector under Electronic Communications Law (Law No. 5809) and ICTA regulations imposes data localisation, subscriber identification, and integrated regulatory compliance requirements. Defence sector under regulations administered by Presidency of Defence Industries imposes export control, security clearance, and integrated national security requirements substantially exceeding general due diligence frameworks. Energy sector under Energy Market Regulatory Authority framework imposes sector-specific licensing, reporting, and counterparty verification requirements. Healthcare sector under Ministry of Health framework imposes specific licensing, ethics, and integrated regulatory compliance requirements. Practice may vary by authority and year — check current guidance.

Cross-cutting frameworks affecting multiple sectors include: Personal Data Protection Law (Law No. 6698, "KVKK") applying to data processing across sectors with Article 9 cross-border transfer framework substantially amended by Law No. 7499 of 2 March 2024; Electronic Commerce Law (Law No. 6563) as amended by Law No. 7416 of 1 July 2022 imposing marketplace and e-commerce specific obligations; International Labour Force Law (Law No. 6735) governing foreign worker compliance for cross-border supplier workforce; Foreigners and International Protection Law (Law No. 6458) governing foreign personnel residence; and integrated tax compliance frameworks under Income Tax Law (Law No. 193), Corporate Tax Law (Law No. 5520), VAT Law (Law No. 3065), and similar tax frameworks. Sector tailoring within third-party due diligence frameworks addresses sector-specific regulatory requirements while maintaining unified core programme infrastructure. Strategic sector tailoring typically operates through risk-tier modifications, sector-specific questionnaire modules, sector-specific monitoring sources, and integrated sector regulator engagement protocols. ER&GUN&ER Law Firm advises on sector-specific tailoring within unified third-party due diligence framework with integrated multi-regulator engagement.

Frequently Asked Questions

1. What Turkish laws drive third-party due diligence? TCK Articles 252-255 (anti-bribery); Law 5326 Article 43/A (entity administrative liability); Law 5549 (AML) with MASAK supervisory framework; KVKK (Law 6698) Article 5/2(ç) legal obligation processing basis enabling screening; Constitution Article 90 international agreement supremacy; Law 4054 (Competition); TTK (Law 6102) Articles 553-557 director liability; SPK (Law 6362) Article 106 corporate criminal liability; Law 5070 qualified electronic signature; HMK Article 199 electronic evidence.
2. How does TCK 252 bribery framework apply? Article 252 establishes 4-12 years imprisonment for both bribe-giver and bribe-recipient with Article 252/3 extending to private sector bribery. Article 253 entity-level security measures. Article 254 effective regret penalty reduction for cooperation. Article 255 improper benefit through office.
3. What about foreign frameworks? US FCPA reaches Turkish transactions through US-listed parents, US-bank routing, US-issuer subsidiaries. UK Bribery Act Section 7 extends to UK-incorporated parents' Turkish operations. German LkSG imposes supply chain due diligence on Turkish suppliers of qualifying German entities. EU and US sanctions create de facto compliance through banking channels.
4. What is the Law 5549 STR deadline? Suspicious transaction reporting under Article 4 requires submission to MASAK within 10 business days of identifying the suspicious nature — frequently misstated as 3 days in incorrect sources.
5. What identification thresholds apply? Under Law 5549 Article 3 and implementing regulations: continuous customer relationships regardless of value; occasional transactions exceeding TRY 75,000 (single or linked); enhanced due diligence for high-risk categories; beneficial ownership identification for legal entities.
6. How long must records be kept? Law 5549 Article 5: 8-year minimum for AML records. TTK Article 82: 10 years for commercial books. VUK Article 253: 5 years for tax records. Strategic retention typically exceeds minimums for litigation and regulatory examination support.
7. Can KVKK block sanctions screening? No. KVKK Article 5/2(ç) provides "legal obligation" processing basis enabling sanctions and AML processing without explicit consent. Cross-border data transfer under Article 9 (substantially amended by Law No. 7499 of 2.3.2024) requires appropriate transfer mechanism but does not prevent screening operations.
8. How are UN sanctions implemented in Türkiye? Through Constitutional Article 90 international agreement supremacy and Presidential Decree implementation framework (since 2018 reform; previously Cabinet Decree). Specific implementation lists and procedures vary by sanctions framework.
9. What about EU and OFAC sanctions? No direct application in Türkiye but practical compliance obligations through banking channels (Turkish banks block payments involving listed parties), parent entity obligations, and contractual provisions in cross-border relationships. US Secondary Sanctions specifically target non-US persons engaging with sanctioned entities.
10. How does electronic signature support due diligence? Law 5070 Article 5 establishes secure electronic signature equivalence to handwritten signature for legal acts requiring written form. TÜBİTAK-KamuSM time-stamping provides integrity protection. HMK Article 199 establishes electronic records' evidentiary value subject to authenticity verification.
11. What is the 50% rule for sanctions? OFAC's framework treats entities owned 50% or more by sanctioned parties as themselves sanctioned, even where formally not listed. EU/UK frameworks apply analogous principles. Beneficial ownership analysis is essential for accurate sanctions screening.
12. What ISO standards apply? ISO 37001 (Anti-Bribery Management Systems) and ISO 37301 (Compliance Management Systems) provide internationally recognised frameworks. Not legally mandatory in Türkiye but increasingly expected in major commercial relationships, public tenders, and integrated regulatory compliance.
13. How does counterparty risk segmentation work? Risk-based approach matching due diligence intensity to identified risk levels. Factors include jurisdiction (TI CPI, FATF status, sanctions), industry sector, transaction volume, government-touch profile, ownership transparency. Tiered framework typically segments low/medium/high risk with corresponding due diligence depth.
14. What about cross-border foreign documentation? Hague Apostille 1961 (Türkiye party through Law No. 6303 since 1985) for member states with recent expansions UAE 2022, Canada 2024, Qatar 2024. Sworn translation under HMK Article 223 by translators registered with Turkish notaries. Consular legalisation for non-member states.
15. Where does ER&GUN&ER Law Firm support TPDD matters? Programme design under TCK 252-255, Law 5549, KVKK, Law 4054, and integrated framework; risk segmentation methodology; onboarding documentation under MERSİS, tax registration, beneficial ownership, sanctions screening, and integrated verification; ongoing monitoring framework with multi-regulator coordination; escalation protocols with KVKK Article 5/2(ç) compliance; contractual frameworks with anti-bribery, sanctions, AML representations and audit rights; documentation infrastructure with Law 5070 QES and HMK Article 199 electronic evidence; sector-specific tailoring for banking, telecom, defence, energy, healthcare; cross-border due diligence with Hague Apostille 1961 and HMK 223 translation; FCPA, UK Bribery Act, and German LkSG coordination; ISO 37001/37301 certification preparation; regulatory examination defence; criminal complaint and defence under TCK 252-255; and integrated multi-jurisdiction representation with foreign counsel coordination.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises Turkish and multinational organisations across Anti-Bribery Programme Design under TCK Articles 252-255 and Misdemeanours Law (Law No. 5326) Article 43/A, AML Compliance under Law No. 5549 of 11.10.2006 with MASAK Supervisory Framework, Sanctions Screening under Constitution Article 90 with UN/EU/OFAC Implementation, KVKK Compliance under Law No. 6698 with Article 5/2(ç) Legal Obligation Processing Basis and Article 9 Cross-border Transfer Framework (amended Law No. 7499 of 2.3.2024), Risk-Based Counterparty Segmentation, Onboarding Documentation through MERSİS and Beneficial Ownership Analysis, Continuous Monitoring with Sanctions Lists Integration, Escalation Protocols, Contractual Frameworks with Anti-Bribery and Sanctions Representations, Documentation Infrastructure under Law No. 5070 Qualified Electronic Signature with HMK Article 199 Electronic Evidence, Sector-Specific Tailoring across Banking under Law No. 5411 BDDK Framework, Telecom under Law No. 5809 ICTA Framework, Defence under Presidency of Defence Industries Framework, Energy under EMRA Framework, Cross-border Documentation with Hague Apostille Convention 1961 (Türkiye party through Law No. 6303 since 1985) and HMK Article 223 Sworn Translation, FCPA US Foreign Corrupt Practices Act Coordination, UK Bribery Act Coordination, German LkSG Supply Chain Coordination, ISO 37001 and 37301 Certification Preparation, Regulatory Examination Defence, Criminal Liability Defence under TCK Articles 252-255, Civil Liability under TBK (Law No. 6098), Capital Markets Corporate Criminal Liability under Law No. 6362 Article 106, TTK Director Liability under Articles 553-557, Competition Law Compliance under Law No. 4054, and Integrated Multi-Jurisdiction Programme Design.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022). LinkedIn: Profile. Istanbul Bar Association: Official website.