March 24, 2025
New Regulation Introduced for Crypto Asset Service Providers in Türkiye
Guide on the Enacted Regulations:
The following communiqués, published in the Official Gazette dated March 13, 2025, and numbered 32840, introduced significant new regulations for crypto asset service providers in Türkiye:
- Communiqué 1: Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1)
- Communiqué 2: Communiqué on the Working Procedures, Principles, and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2)
- Communiqué 3: Communiqué Amending the Independent Audit of Information Systems Communiqué (III-62.2.b)
- Communiqué 4: Communiqué on the Procedures and Principles of Information Systems Management (VII-128.10)
The first part of this guide examined the rules introduced by Communiqué 1 and Communiqué 2. This second part covers Communiqué 3 and Communiqué 4 in detail.
Communiqué 3
Communiqué 3 amends the Communiqué on Independent Audit of Information Systems dated January 5, 2018 (the “Audit Communiqué”). First, Crypto Asset Service Providers have been brought within the scope of the Audit Communiqué. From the effective date of Communiqué 3, June 30, 2025, Crypto Asset Service Providers are subject to its procedures and principles on the independent audit of information systems, the authorization of independent audit firms to perform such audits, and the reporting of audit results.
Under the Audit Communiqué, the independent audit report on information systems becomes final when signed by the chief information systems auditor, and it must be delivered to the board of directors of the audited institution by the end of the first business day following finalization. Before the amendment, the report received by the board of directors had to be sent to the Capital Markets Board of Turkey (“CMB”) within 5 business days, and in any case within 30 days following the end of the relevant audit period. With the amendment, the report received by the chairman of the board of directors must be sent to the CMB by the end of the month following the end of the relevant audit period.
The Audit Communiqué also determines which institutions must undergo independent audits and how often. Under Communiqué 3, Crypto Asset Service Providers are added to the institutions that must have their information systems independently audited once a year, as set out in the amended Article 30. Institutions audited every two years were previously defined as portfolio management companies with a minimum capital requirement exceeding TRY 5 million; this has been amended to refer to “portfolio management companies subject to paragraph (ç) of the first paragraph of Article 28 and to the second paragraph of the Communiqué on Portfolio Management Companies and Principles Regarding Their Activities (III-55.1), published in the Official Gazette No. 28695 on July 2, 2013”. Lastly, institutions audited once every three years were previously defined as portfolio management companies with a minimum capital requirement of TRY 5 million or less, together with Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş.; this has been changed to “portfolio management companies subject to paragraphs (a), (b), and (c) of the first paragraph of Article 28 of the Communiqué on Portfolio Management Companies and Principles Regarding Their Activities (III-55.1), published in the Official Gazette No. 28695 on July 2, 2013, and Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş.”
Communiqué 4
Communiqué 4 (the “Information Systems Regulation”) repeals the Communiqué on Information Systems Management published in the Official Gazette No. 30292 on January 5, 2018, and sets out the procedures and principles for managing the information systems of a range of institutions and organizations, now including Crypto Asset Service Providers (collectively, “Institutions, Organizations, and Partnerships”). Information systems are defined as the software, hardware, and communication infrastructure on which information is processed, transmitted, and stored, together with the human resources, activities, and processes that interact with them.
Management of Information Systems
Institutions, Organizations, and Partnerships within the scope of the Information Systems Regulation have specific obligations for the management of their information systems. Information systems strategy must be aligned with business objectives. They must establish controls for managing information systems and document processes and responsibilities in writing. Top management must prepare an information security policy, to be approved by the board of directors and updated at least once a year. The policy aims to ensure the confidentiality, integrity, and availability of information (that it is accessible when needed), and covers matters such as the required roles, job descriptions, objectives, risk management processes, and controls.
Responsibility for the security and management of information systems rests with top management. Top management ensures that the information security policy is implemented and reviews and approves critical projects. It is also responsible for ensuring the confidentiality and availability of information assets, establishing a risk management process, monitoring information security breaches, reviewing policies, training personnel, and assigning their roles. A designated information security officer, reporting to top management, is responsible for controlling and monitoring information systems security.
Control of Information Systems
Top management of Institutions, Organizations, and Partnerships must ensure that the necessary controls are developed. Institutions, Organizations, and Partnerships must maintain an up-to-date inventory of their information assets and adopt a guideline, approved by top management, for assigning security classifications to them. Acceptable-use procedures for information assets must be developed, approved by top management, and communicated to the relevant personnel, who acknowledge them by signature. In addition, the information systems must undergo a penetration test at least once a year, and the penetration test reports must be submitted to the CMB.
To reduce the risk of error, omission, and misuse, Communiqué 4 requires segregation of duties and areas of responsibility. Articles 12 and 13 of Communiqué 4 set out physical and infrastructural measures to be taken to secure information systems.
Additionally, necessary controls must be implemented to ensure the continuous and secure operation of the information systems. In this regard, capacity planning will be conducted, security vulnerabilities will be monitored, and patches will be tested and applied. For transactions carried out through information systems, authentication methods suitable for the security classification of the information asset will be determined and applied. Article 15 lists the minimum functions that authentication methods must fulfill. Institutions, Organizations, and Partnerships will take measures to ensure the confidentiality of transactions occurring within the scope of information systems activities, as well as the data transmitted, processed, and stored during these transactions. The minimum requirements for ensuring confidentiality are outlined in Article 18.
A monitoring mechanism must be established to evaluate and manage the risks associated with the procurement of external information systems services. External service providers must comply with the principles of risk management, information security, customer privacy, and business continuity. The access rights of external service providers should be subject to risk assessment, and additional controls must be implemented when necessary.
Customers benefiting from services provided electronically by Institutions, Organizations, and Partnerships must be clearly informed about the terms, risks, and exceptional circumstances related to the services offered. In this context, the information security principles adopted to mitigate the impact of risks associated with these services and the methods that must be used to protect against these risks will be submitted to the customers’ attention. It is the responsibility of the Institutions, Organizations, and Partnerships to prove that this information has been provided.
Institutions, Organizations, and Partnerships must establish an effective audit trail mechanism for the use of information systems, taking into account the risks associated with the systems, the complexity of the activities, and the scope of the operations.
A continuity plan must be prepared and secondary (backup) systems established to ensure the continuity of information systems. Measures must be taken against disruptions and against events that could degrade transaction performance or affect business continuity, supported by risk assessment, risk mitigation, and risk monitoring activities. Crypto Asset Service Providers have been granted a transition period until December 31, 2025, to comply with Article 27 on information systems continuity.
Article 29 requires Institutions, Organizations, and Partnerships to conduct an internal audit of their information systems at least once a year, and this internal audit cannot be outsourced. A transition period until December 31, 2026, applies to the third paragraph of Article 29, which governs who may perform the internal audit. Institutions, Organizations, and Partnerships other than Crypto Asset Service Providers must comply with the remaining provisions of the regulation by December 31, 2025, and until that date they remain subject to the provisions of the repealed communiqué.