New Regulation Introduced for Crypto Asset Service Providers in Türkiye

Guide on the Enacted Regulations:

The following communiqués, published in the Official Gazette dated March 13, 2025, and numbered 32840, introduced significant new regulations for crypto asset service providers in Türkiye:

• Communiqué 1: Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1)
• Communiqué 2: Communiqué on the Working Procedures, Principles, and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2)
• Communiqué 3: Communiqué Amending the Independent Audit of Information Systems Communiqué (III-62.2.b)
• Communiqué 4: Communiqué on the Procedures and Principles of Information Systems Management (VII-128.10)

In this guide, we will cover the regulations introduced under Communiqué 1 and Communiqué 2. Communiqué 3 and Communiqué 4 will be analyzed in our next publication.

Communiqué 1

Communiqué 1, contains important regulations regarding the establishment, operations, organization, outsourcing, document registration system, and audit processes, and personnel requirements of crypto asset service providers that will operate in Türkiye.

This new regulation aims to increase transparency in the crypto asset market, ensure investor safety and protect the stability of the market. 

Requirements for the Establishment of Crypto Asset Service Providers

According to Communiqué 1, crypto asset service providers must be established as joint-stock companies, with all their shares issued in registered form and fully paid in cash, and the minimum capital must not be lower than the amount determined by the Capital Markets Board (“CMB”), provided that it is not less than the legally required threshold. Additionally, the equity capital must not fall below the amount determined by CMB. Furthermore, it is stipulated that crypto asset service providers must ensure that their articles of association comply with the legislation, their activities are limited exclusively to the areas for which they are authorized, their founders meet the specified financial, legal, and criminal requirements, and their ownership structure remains transparent.

Pursuant to Communiqué 1, crypto asset service providers are expected to include their field of activity in their trade name, obtain approval from the CMB for using a brand or business name, and make changes to their trade name only under specific conditions. Additionally, they are required to obtain the CMB’s approval for any amendments to their articles of association.

Obtaining an Operating License

Crypto asset service providers must obtain a license from the CMB to commence operations. To obtain this approval, the establishment conditions must be maintained, the minimum capital must be fully paid in cash, capital adequacy requirements must be met, internal control and risk management systems must be established, and the information security infrastructure must comply with regulations. Additionally, technical integrations must be completed in accordance with Central Registry Agency (“MKK”) and TÜBİTAK criteria.

Platforms must also sign an agreement with a crypto asset custody service provider, defining the scope of authority and responsibilities, hold customers’ cash funds in bank accounts, establish internal mechanisms to manage complaints and disputes, and implement a price monitoring system. Companies providing crypto asset custody services must set up a dedicated unit for this activity and employ sufficient personnel.

SPK may, when deemed necessary, impose additional requirements for operating licenses, require professional liability insurance, and conduct information systems audits in collaboration with TÜBİTAK and other public institutions.

Pursuant to Communiqué 1, crypto asset service providers are required to act fairly while protecting customer interests and market integrity, establish an organizational structure and a written policy to manage conflicts of interest, regularly update this policy, and take necessary measures.

Crypto asset service providers would lose the right to an operating license within six months unless they make an application within six months of obtaining their establishment permit. To obtain an operating license, general and specific requirements must be met, an authorization certificate must be obtained, and the necessary fees must be paid. Services cannot be provided without an authorization certificate; unauthorized entities may not use misleading statements that create the impression that they are engaged in these activities.

 Customer Relations and Operational Principles

Platforms are required to inform customers about the risks associated with crypto assets, fees and commissions, custody conditions and market makers. A framework agreement must be signed before transactions begin, to cover the services provided by the platform. The execution or amendment of agreements in electronic form is subject to specific security conditions. Framework agreements cannot contain provisions that violate regulations, impair customer rights, or eliminate or limit the service provider’s liability. Each customer must be assigned a unique number, which must be matched with a MKK registration number. Orders cannot be accepted from accounts that lack a MKK registration or have not been properly matched.

In addition, Communiqué 1 requires crypto asset service providers to publish and keep updated information on their authorized services, company details, customer-related risks, transaction policies and data storage conditions on their websites and Public Disclosure Platform announcements.

Share Transfers and Changes in Ownership Structure

Communiqué 1 requires certain changes in the ownership structure of crypto asset service providers to be subject to CMB approval and mandates obtaining permission for share transfers exceeding specific thresholds. Privileged shares granting management rights are also subject to CMB approval, irrespective of any percentage. Additionally, direct or indirect share transfers at certain levels require approval, while transfers below such thresholds are subject to notification requirements. Share transfers conducted without approval from the CMB are deemed invalid and cannot be recorded in the share ledger.

Advertising and Promotion Restrictions

Communiqué 1 mandates that crypto asset service providers must be objective in their advertisements, announcements, publications, promotions, and disclosures. It also prohibits the use of misleading or false information, as well as statements guaranteeing absolute returns or protection against losses.

The use of content which cannot be substantiated with real data, creates false impression, promises additional income to specific groups, or implies government assurance is strictly prohibited. Additionally, advertisements that set specific price targets or exploit religious or social sensitivities are not allowed.

Communiqué 1 bans promotional campaigns which offer high-value rewards, provide benefits in exchange for customer referrals, or which direct investors toward specific crypto assets.

Outsourcing and Obligations

Communiqué 1 permits crypto asset service providers to outsource only certain support services while prohibiting the delegation of management, accounting, internal audit, risk management or activities requiring CMB approval. Outsourcing must be conducted under a written contract, with workflow procedures established and contingency plans prepared for potential risks. Crypto asset service providers remain responsible to their customers for outsourced services and are obligated to ensure the confidentiality of customer information.

Prohibited Activities and Transactions

Communiqué 1 mandates that crypto asset service providers operate only within the scope of activities approved by the CMB and prohibits activities such as deposit-taking, real estate trading, and foreign exchange transactions. Additionally, providers are enjoined from unauthorized use of customer assets, executing transactions on behalf of customers, engaging in misleading or detrimental practices, and manipulating the market. Crypto asset service providers cannot encourage unnecessary transactions, provide funds to compensate customer losses, or make donations exceeding a certain percentage of their equity.

Cessation of Operations and Cancellation

Organizations that do not have an operating license or whose operating license has been revoked cannot provide crypto asset services. In the event of a temporary suspension of activity, the relevant organization must obtain CMB’ approval before resuming operations. It is mandatory to inform customers and ensure the security of assets.

Communiqué 2

Communiqué 2 regulates the services and activities that crypto asset service providers may offer, the principles governing these activities, the listing requirements for crypto assets, the reconciliation system, as well as the principles and requirements related to the capital and capital adequacy of service providers.

Services and Activities Offered by Crypto Asset Service Providers

The services that crypto asset service providers may offer include the receipt and execution of orders, clearing, transfer, custody services, intermediation in initial sales or distributions, investment advisory and other services to be determined by the CMB.

It is mandatory to obtain permission from the CMB for each service and activity regulated by this Communiqué 2.

Services can only be provided by service providers authorized under Articles 35/B and 35/C of the Capital Markets Law (“Law”).

Transactions conducted by crypto asset service providers for their own wallets with parties other than their customers, are not subject to the CMB’s permission.

CMB may establish different principles for Borsa İstanbul A.Ş., İstanbul Takas ve Saklama Bankası A.Ş., MKK, and public institutions.

Other services will be provided by crypto asset service providers within the framework determined by the CMB without requiring an additional authorization certificate.

Services offered by foreign service providers are outside the scope of Communiqué 2, provided that no advertising, promotion, or marketing is conducted towards individuals residing in Türkiye.

Principles Regarding Platform Activities

Platforms may fulfill customer orders directly from their wallets. In this case, investors should be informed as the platform may profit if the customer incurs a loss.

Platforms may only sell up to the amount of the crypto assets held in their wallets.

Platforms must establish a special unit for the management of the price monitoring system and assign at least one risk management personnel. This unit should detect market-distorting transactions and report to the general manager.

The general manager is responsible for taking necessary measures against market-distorting transactions and notifying the CMB.

Platforms cannot offer leveraged transactions, margin trading, or derivative transactions.

Investment advisory can only be provided to customers holding at least TL 50 million worth of crypto assets in the platform.

Platforms are required to employ a sufficient number of investment advisors who have received four years of undergraduate education and have at least three years of experience in financial markets.

Portfolio management activities are prohibited.

Platforms are obliged to examine the smart contracts of the crypto assets for which they will act as intermediaries in initial sales or distributions, to ensure compliance with listing criteria.

Platforms may hold customers’ crypto assets in bulk are required to transfer these assets to customers’ wallets after a maximum of six months if no custody institution is available.

Listing Principles

Platforms must establish a listing committee consisting of at least three members to manage the processes of listing and delisting crypto assets. The majority of the committee members must have at least seven years of experience in finance, law, information technology, and distributed ledger technologies.

Platforms may only list crypto assets that can be held by authorized custody institutions, and these assets must not be suitable for use in illegal transactions, must not grant unilateral extraordinary rights to the project owner, and must be capable of being held in cold wallets.

Platforms must create a written procedure regarding the conditions under which crypto assets will be listed and delisted, specifying criteria such as trading volume, price fluctuations, susceptibility to manipulation, and legal status, and must publish up-to-date information about the listing process on their websites.

Platforms may delist crypto assets that are found to no longer meet the established listing criteria based on an evaluation report they prepare. In the event that a major global platform delists the same asset, they must inform investors in advance or may proceed with immediate delisting in emergencies.

Principles of Custody

Customers are primarily responsible for holding their crypto assets in their own wallets, and custody services may only be provided by platforms or authorized custody institutions if preferred by the customers.

Crypto assets belonging to customers must be segregated from the custody institutions’ own accounts, and the use of hot wallets must not exceed 5% of total customer assets.

The custody and access of private keys must be securely managed in accordance with TÜBİTAK Infrastructure Criteria, and all key parts must be kept in Türkiye.

Wallets where customer assets are stored must be protected by secure hardware modules, measures must be taken against unauthorized access, and security mechanisms capable of deleting data in case of physical interventions must be included.

A written custody agreement between platforms and custody institutions is mandatory, and the agreement must clearly specify the recording of transactions, costs, and obligations in case of termination of the agreement.

Reconciliation System

Platforms and custody institutions must integrate customer crypto asset balances with MKK and report regularly.

Platforms must create a netting report for each crypto asset on a customer basis and transfer to the custody institution at the end of the day or as necessary during the day.

Capital Adequacy

The equity of crypto asset service providers must not be less than their incorporation capital, and at least 25% must constitute of paid or issued capital by the end of the sixth month of each year. The equity of platforms must be at a level to meet liquidity reserve obligations.

The total of all short and long-term debts listed in the balance sheets of crypto asset service providers must not exceed three times the capital adequacy thresholds. The current values of the debts are taken into account when determining such amounts.

At least 95% of the crypto assets that customers prefer not to hold in their own wallets must be kept by authorized custody institutions, and the proportion of assets held in the platforms’ wallets must not exceed 10%. Platforms must maintain liquid reserves equivalent to 3% of customer assets.

In the liquid reserves of platforms, the weight of a single asset must not exceed 20% of the total portfolio, and the weight of crypto assets with a market value below 5 billion dollars must not exceed 10%. Cash and cash-equivalent financial assets are not included in these calculations.

The total risk coverage of crypto asset service providers must consist of position risk and foreign exchange risk coverage. Risk calculations must be made based on price fluctuations in the market and changes in the value of assets.

Position risk must be calculated for the assets in the portfolios of crypto asset service providers, and different risk ratios must be applied for each type of asset. The position risk ratio determined for crypto assets is 30%.

The foreign exchange risk of crypto asset service providers must be calculated by offsetting the Turkish Lira equivalents of assets and liabilities in each currency. Foreign exchange positions exceeding 2% of the capital adequacy threshold must be considered as 8% risk coverage.

Provision of Other Services

Crypto asset service providers may offer additional services such as investment advisory, financial analysis, and market recommendations. To provide these services, notification to the CMB is required, and compliance with the established principles must be ensured.

Crypto asset service providers are obliged to inform investors about risks in a clear and understandable manner within the scope of the services they provide.

Administrative sanctions may be imposed by the CMB on organizations that mislead or inadequately inform investors.

Other Matters

Existing crypto asset service providers are obliged to comply with all obligations within the specified period following the entry into force of the Communiqué 2.

During the compliance process, platforms must fulfill all requirements related to capital adequacy, custody services, protection of customer assets, and reconciliation systems.

The CMB may request additional information and documents from platforms during the transition process and may audit whether obligations are being fulfilled.

Service providers that do not make the necessary arrangements within the specified period may have their activities restricted, suspended, or licenses revoked.