Licentium

Licensing Hub

Turkey

Turkey's Capital Markets Board licenses crypto-asset service providers under Law No. 7518 and 2025 communiqués. MASAK handles AML; TCMB enforces the payment-use ban.

Available licences

CMB Crypto-Asset Platform Licence (Communiqué III-35/B.1 & III-35/B.2)

CMB licence to operate a crypto-asset platform: an institution where one or more of crypto-asset buying and selling, initial sale or distribution, exchange, transfer, required custody and other determined activities are carried out. Must be a joint-stock company with minimum capital TRY 150,000,000. Must satisfy corporate-structure, shareholding and governance requirements. Subject to operating procedures, principles, capital adequacy, custody and transfer rules, independent audit and proof-of-reserves obligations. Customer crypto-assets may be kept collectively in one or more wallets subject to CMB rules and limitations. Platforms must not conduct crypto-asset lending, customer credit facilities or leveraged transactions.

CMB Crypto-Asset Custody Institution Licence

CMB licence to operate as a crypto-asset custody institution. Joint-stock company with minimum capital TRY 500,000,000. Must satisfy CMB custody rules, TÜBİTAK technology criteria, wallet governance, private-key controls, incident procedures, audit readiness and proof-of-reserves capability. Custody institutions are a separate licence category from platforms.

TÜBİTAK Information Systems and Infrastructure Criteria

CMB permission for crypto-asset service providers requires compliance with criteria determined by TÜBİTAK on information systems and technological infrastructure. TÜBİTAK BİLGEM publishes the criteria. Providers should assess cyber-security, wallet security, private-key governance, systems resilience, business continuity, access controls, auditability, data integrity and incident response against the latest CMB and TÜBİTAK requirements.

MASAK AML/CFT Compliance

AML and CFT obligations administered by MASAK. Customer identification threshold for crypto-asset service providers and transfers is TRY 15,000. Suspicious transactions must generally be reported within 10 business days and immediately in urgent cases. STRs with supporting evidence trigger a postponement request and refusal to execute pending the competent decision (suspension up to 7 business days). Providers must maintain KYC, beneficial-owner checks, source-of-funds controls, sanctions screening, blockchain analytics, suspicious-wallet controls, transfer-information systems, asset-freeze controls and internal audit.

TCMB Payment Prohibition (Disuse of Crypto-Assets in Payments)

The TCMB Regulation on the Disuse of Crypto Assets in Payments prohibits crypto-assets from being used directly or indirectly in payments and prohibits services involving such use. Payment service providers may not develop business models in which crypto-assets are used directly or indirectly in payment services or e-money issuance. Payment and e-money institutions may not intermediate fund transfers to or from crypto-asset platforms providing trading, custody, transfer or issuance services. Investment and trading in crypto-assets is not itself prohibited; the prohibition targets payment use and payment/e-money intermediation.

Tokenised Capital-Market Instruments (CMB)

Crypto-assets that provide rights specific to capital-market instruments require separate CMB capital-markets analysis. The CMB may determine principles for issuing capital-market instruments as crypto-assets and for recording them electronically. Where capital-market instruments are issued as crypto-assets, electronic records in the environment where the crypto-assets are created and stored can be relevant for rights, transfer and enforceability. CMB may require integration with the Central Securities Depository system.

Detailed overview

Turkey: CMB Crypto-Asset Service Provider Licensing

Regulators

Turkey’s crypto-asset framework is administered principally by the Capital Markets Board of Turkey. The Central Bank of the Republic of Türkiye regulates the payment-use restriction. The Financial Crimes Investigation Board is responsible for AML and CFT obligations. TÜBİTAK is relevant for information technology and infrastructure criteria that crypto-asset service providers must satisfy.

Turkey regulates crypto-asset service providers under the Capital Markets Law, as amended by Law No. 7518, and CMB secondary legislation.

The core secondary regulations are Communiqué III-35/B.1 on the establishment and operation of crypto-asset service providers and Communiqué III-35/B.2 on operating procedures, principles and capital adequacy. The CMB announced that both communiqués were published in the Official Gazette dated 13 March 2025, No. 32840, and entered into force.

Turkey is now a CMB licensing jurisdiction for crypto-asset service providers. The regime is not a simple AML registration regime.

Crypto-assets

A crypto-asset is an intangible asset that can be created and stored electronically using distributed ledger technology or similar technology, distributed over digital networks and capable of expressing value or rights.

A crypto-asset service provider includes platforms, crypto-asset custody service providers and other institutions designated under the law to provide services relating to crypto-assets, including initial sale or distribution.

A platform is an institution where one or more of crypto-asset buying and selling, initial sale or distribution, exchange, transfer, required custody and other determined activities are carried out.

Licensing requirement

Crypto-asset service providers must obtain CMB permission to be established and to begin operating. They may perform only activities determined by the CMB.

A crypto exchange, brokerage platform, fiat on-ramp, off-ramp, transfer service, hosted wallet, private-key control service, custodian, OTC desk, token distribution platform or trading venue is likely to fall within the CMB perimeter where it operates in Turkey or targets persons resident in Turkey.

A pure software provider may require separate analysis if it does not exchange, transfer, custody, manage, intermediate or control crypto-assets for customers.

Operating List

The CMB maintains an Operating List for crypto-asset service providers. Inclusion on this list does not mean that the listed institution has been authorized under the relevant legislation.

A business should not describe an entity as fully licensed or authorized merely because it appears on the CMB Operating List.

The CMB also maintains transition and liquidation-related lists. Providers that did not continue activity under the temporary framework may appear on the relevant liquidation list.

Transition

The transition from operating-list status to full authorization remains relevant.

In March 2026, the CMB announced extensions concerning the deadline for Operating List providers to obtain authority certificates and the deadline for platforms to submit custody agreements. The timing is linked to CMB-authorized custody institutions becoming available.

A provider should verify its current status directly with the CMB before onboarding Turkish users, marketing in Turkey or claiming authorization.

Capital and structure

CMB Communiqué III-35/B.2 requires minimum capital of TRY 150,000,000 for platforms and TRY 500,000,000 for custody institutions.

CMB rules require crypto-asset service providers to be established as joint-stock companies and to satisfy corporate-structure, shareholding and governance requirements.

The CMB may request documents in establishment, operating licence and shareholding-structure applications.

Custody and customer assets

CMB Communiqué III-35/B.2 regulates services and activities of crypto-asset service providers, trading environments, custody and transfer of crypto-assets, operating principles, independent audit and proof-of-reserves matters.

Custody and wallet architecture are central licensing issues. A hosted wallet, exchange wallet, MPC provider, omnibus wallet or private-key custody model should be reviewed against CMB custody rules, TÜBİTAK technology criteria and current transition provisions.

Platforms may keep customer crypto-assets collectively in one or more wallets subject to the rules and limitations in CMB legislation.

A provider should maintain segregation, reconciliation, wallet governance, private-key controls, incident procedures, audit readiness and proof-of-reserves capability.

Payments

Crypto-assets cannot be used directly or indirectly in payments in Turkey.

The TCMB Regulation on the Disuse of Crypto Assets in Payments prohibits crypto-assets from being used directly or indirectly in payments and prohibits services involving their direct or indirect use in payments.

Payment service providers may not develop business models in which crypto-assets are used directly or indirectly in payment services or electronic money issuance. Payment and e-money institutions may not intermediate fund transfers to or from platforms providing crypto-asset trading, custody, transfer or issuance services.

A crypto business should not offer merchant payment, checkout, pay-with-crypto, e-money, payment initiation, payment aggregation or stablecoin payment products in Turkey without addressing the TCMB prohibition.

The payment prohibition does not prohibit all investment or trading in crypto-assets. It targets payment use and payment or e-money institution intermediation.

AML and CFT

Crypto-asset service providers are subject to Turkish AML and CFT obligations administered by MASAK.

MASAK’s current guide requires customer identification and information on the purpose and nature of the permanent business relationship.

For crypto-asset service providers and crypto-asset transfers, the customer identification threshold is TRY 15,000.

Suspicious transactions must generally be reported to MASAK within 10 business days and immediately in urgent cases.

Where a transaction is suspicious and there is supporting evidence, the provider must file a suspicious transaction report with a postponement request and must refrain from executing the transaction until the competent decision is made. The suspension period may last up to seven business days.

A crypto-asset service provider should maintain KYC, beneficial-owner checks, source-of-funds controls, sanctions screening, blockchain analytics or equivalent monitoring, suspicious-wallet controls, transfer-information systems, MASAK reporting workflows, asset-freeze controls, employee training and internal audit.

Foreign platforms and Turkish targeting

Foreign platforms can create Turkish regulatory exposure where they target persons resident in Turkey.

Turkish legislative materials identify Turkey-directed indicators such as opening a workplace in Turkey, creating a Turkish-language website or conducting promotion and marketing related to services through persons or institutions resident in Turkey.

An offshore exchange, broker, custodian or hosted wallet provider should not assume that foreign incorporation avoids Turkish regulation.

P2P activity

P2P or marketplace-style structuring does not automatically avoid CMB regulation.

A CMB board resolution states that acting in one’s own name but on behalf of others on a regular, commercial or professional basis in P2P marketplaces may constitute unauthorized crypto-asset service activity.

A P2P platform should assess whether it is facilitating, intermediating, routing or otherwise conducting crypto-asset services for Turkish residents.

Lending, credit and leverage

CMB materials restrict crypto-asset lending, customer-credit facilities and leveraged transactions.

A CMB board resolution states that platforms must not conduct crypto-asset lending transactions, transactions leading to credit facilities for customers or leveraged transactions.

Margin trading, leveraged products, crypto lending, borrowing, credit-like arrangements and yield products should be reviewed carefully before being offered in Turkey or to Turkish residents.

Tokenised capital-market instruments

Crypto-assets that provide rights specific to capital-market instruments require separate CMB capital-markets analysis.

The CMB may determine principles for issuing capital-market instruments as crypto-assets and for recording them electronically. Where capital-market instruments are issued as crypto-assets, the electronic records in the environment where the crypto-assets are created and stored can be relevant for rights, transfer and enforceability. The CMB may require integration with the Central Securities Depository system.

A tokenised share, bond, fund unit, sukuk, derivative, investment contract, revenue-right token, profit-right token or other security-like token should not be treated as ordinary platform-traded crypto without separate CMB analysis.

Technology and infrastructure

Information systems and technological infrastructure are licensing issues in Turkey.

Turkish legislative materials state that CMB permission for crypto-asset service providers requires compliance with criteria to be determined by TÜBİTAK on information systems and technological infrastructure.

TÜBİTAK BİLGEM publishes information technology and infrastructure criteria for crypto-asset service providers.

A provider should assess cyber-security, wallet security, private-key governance, systems resilience, business continuity, access controls, auditability, data integrity and incident response against the latest CMB and TÜBİTAK requirements.

Regulatory outlook

Turkey now has an active CMB framework for crypto-asset service providers, but transition from operating-list status to full authorization remains important.

New entrants should treat Turkey as a licensing jurisdiction. The key workstreams are CMB authorization, correct classification of the activity, Turkish nexus analysis, capital, joint-stock company structure, custody arrangements, TÜBİTAK technology compliance, MASAK AML/CFT controls, TCMB payment restrictions, P2P and offshore targeting review, and tokenised capital-market-instrument analysis.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started