MASAK Updates the Guide on Enhanced Due Diligence Measures
October 8, 2025
The Financial Crimes Investigation Board (“MASAK”) of the Ministry of Treasury and Finance of the Republic of Türkiye previously published a guide titled “Enhanced Measures within the Scope of the Know Your Customer Principle” in 2021. The updated Guide on Enhanced Measures within the Scope of the Know Your Customer Principle (“Guide”), published in 2025, incorporates the new regulations introduced in this area. Situations in which enhanced measures are to be applied have been expanded to include relationships between financial institutions and crypto asset service providers (“CASPs”), relationships between CASPs and their customers, CASP asset transfers, and terminal services provided by payment and electronic money institutions. CASPs constitute the most significant part of this update. Some of the key sections added to the Guide through this update are summarized below.
In terms of the relationships between financial institutions and CASPs, the establishment of a business relationship with a CASP is made subject to the approval of a senior executive. Banks are required to obtain information regarding the source of funds belonging to CASPs, to inquire about the purpose of the transaction, and to keep the business relationship under close supervision.
When establishing a business relationship with their customers, CASPs are required, at minimum, to obtain information regarding the source of the assets and funds involved in the transaction, to obtain information about the purpose of the transaction, and to keep the business relationship under close supervision by increasing the number and frequency of the controls applied and by identifying the types of transactions that require additional scrutiny. In addition, CASPs must implement certain supplementary measures in high-risk situations identified within the framework of a risk-based approach, and with respect to groups determined to be high-risk as a result of risk assessment, in accordance with Article 13 of the Regulation on the Compliance Program Regarding Obligations for the Prevention of Laundering Proceeds of Crime and Financing of Terrorism.
CASPs are required to maintain secure, accessible and auditable records of all wallets and bank accounts used for their customers’ transfers of crypto assets and fiat money. Withdrawals to unregistered wallets, or to foreign providers that are not subject to the obligation to share sender/recipient information, may be carried out only after a minimum “waiting period” of 48 hours following the related purchase, exchange, or deposit transaction. For a customer’s first withdrawal, this period is extended to 72 hours. In the case of stablecoin withdrawals, transaction limits shall apply as follows: USD 3,000 per day and USD 50,000 per month. For crypto asset transfer transactions where the travel rule obligation is implemented, these limits may be applied at double these amounts.
Apart from CASPs, business relationships established by payment institutions and electronic money institutions with their member merchants through terminals are also subject to enhanced due diligence measures. These institutions are required to take certain actions such as obtaining additional information about the customer and the transaction, making transactions subject to the approval of senior executives, and increasing the level of controls applied.
Finally, remote identity verification has been added to the Guide through the recent update as a customer due diligence measure. In ongoing business relationships established through remote identity verification, the duty of special diligence applies. When a customer who has established a business relationship remotely later wishes to conduct a face-to-face transaction with the obliged party, identity verification must be performed again and a signature specimen must be obtained. In cases where the identity document cannot be verified using near field communication (NFC) technology, the first financial transaction must be carried out through another financial institution. Service providers that facilitate the purchase, sale, or custody of privacy-based crypto assets are prohibited from performing remote identity verification.