Table of Contents hide

1. Fintech market

1.1 Evolution of the fintech market

The main fintech business models currently predominant in the market include:

  • payment and e-money institutions;
  • open banking;
  • digital banking;
  • Banking-as-a-Service (“BaaS”); and
  • crypto-asset service providers.

These business models are open to new market entrants, and new fintech companies continue to be established and licensed in each of these areas. At the same time, legacy players, including banks and other financial institutions, as well as large e-commerce or technology companies, are adapting to these models by expanding their offerings and by establishing subsidiaries or affiliated entities licensed to operate in these fintech verticals.

2.2 Regulatory regime

In Türkiye, financial markets are governed by highly detailed legislative framework based on laws, secondary legislation and regulatory authority decisions, under which different regulatory regimes apply depending on the relevant business model.

Legacy players are generally subject to different regulatory regimes depending on the nature of their activities:

  • Banks are primarily governed by the Banking Law No. 5411 (“Banking Law”) and extensive secondary legislation, and are regulated and supervised through resolutions, and instructions issued by the Banking Regulation and Supervision Agency (BRSA) and the CBRT.
  • Other financial institutions, such as financial leasing, factoring and financing companies, are subject to their respective sector-specific legislation and supervision by the BRSA.
  • Capital markets institutions, including investment firms, fall within the scope of the CML and related secondary legislation.

The regulatory frameworks applicable to the fintech business models can be summarised as follows:

  • Payment and e-money institutions operate under the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions No. 6493 (“Payment Services Law”), alongside applicable secondary legislation.
  • Open banking services are regulated under the Regulation on Banks’ Information Systems and Electronic Banking Services.
  • Digital banking and BaaS models are regulated under the Regulation on the Operating Principles of Digital Banks and Service Model Banking.
  • Crypto-asset service providers are regulated mainly under the CML and the CMB Communiqués, in addition to applicable AML/CFT legislation.

2.3 Compensation models

Industry participants may charge customers interest, fees, expenses, commissions or other monetary benefits only if such charges are contractually agreed and duly disclosed to customers, and only to the extent permitted under the applicable regulatory framework and, where relevant, within the limits or principles set by the competent authority, such as the CBRT, which may determine the types and maximum amounts of such charges for banks and payment service or electronic money institutions.

2.4 Variations between the regulation of fintech and legacy players

The regulation of fintech industry participants differs from that of legacy players primarily in terms of regulatory scope, licensing, incorporation and operation requirements, and ongoing obligations.

While banks are subject to a comprehensive prudential framework covering the full range of banking activities, fintech participants are generally regulated under activity-specific frameworks. Fintech industry participants are authorised on a limited, service-based basis, with regulatory requirements tailored to the specific activities they are permitted to perform and focused mainly on functional compliance and consumer protection.

2.5 Regulatory sandbox

There are no official regulatory sandboxes operated by regulatory authorities such as the BRSA or CMB in Türkiye so that new technologies or players could benefit from regulatory exemptions or exceptions. However, the 2022 “State of the Fintech Ecosystem in Türkiye” report, published by the Presidency of the Republic of Türkiye mentions a sandbox regime to be established by the Istanbul Financial Center. Accordingly, Fintech Zone Istanbul was established by the Istanbul Financial Center. It hosts a “Fintech Sandbox” which allows fintech start-ups to test their products in real-world conditions and help them comply with the regulations. It does not provide any regulatory exemptions or no-action reliefs. The establishment of regulatory sandboxes is also addressed in the “Türkiye 2030 Industry and Technology Strategy” report issued by the Republic of Türkiye Ministry of Industry and Technology, indicating potential future regulatory developments.

2.6 Jurisdiction of regulators

Turkish fintech jurisdiction is delineated among multiple regulatory authorities based on the type of financial activity:

  • BRSA: The BRSA is the competent authority for all banks, including digital banks, open banking structures and BaaS arrangements. Within the scope of the Banking Law, the BRSA regulates the establishment and activities of banks, with a mandate to ensure the effective functioning of the credit system and the protection of depositors’ rights.
  • CBRT: The CBRT is responsible for the conduct of monetary and exchange rate policies and for safeguarding financial stability in Türkiye. In addition, under the Payment Services Law, the CBRT has jurisdiction over payment systems, payment service providers and electronic money institutions, including the power to regulate fees, charges, and capital and safeguarding requirements.
  • CMB: The CMB regulates capital markets activities, including capital market instruments, public offerings, capital market institutions and exchanges. In the fintech context, the CMB is the competent authority for crypto-assets and crypto-asset service providers, setting the principles governing their establishment, operation and activities.
  • Ministry of Treasury and Finance/MASAK: The Ministry of Treasury and Finance exercises cross-sectoral oversight, including in relation to taxation and financial policy. Through the Financial Crimes Investigation Board (MASAK), it regulates and supervises compliance with AML and CFT obligations.

Where regulatory responsibilities overlap, co-ordination between authorities applies in practice. By way of example, banks intending to offer crypto-asset custody services are required to obtain a favourable preliminary opinion from the BRSA, and, where relevant, the licensing of payment and electronic money institutions may similarly involve the BRSA’s input. This approach ensures that fintech participants are overseen by the appropriate authority in line with the nature of their activities, while maintaining co-ordination across intersecting regulatory mandates.

2.7 No-action letters

In Türkiye, regulators do not issue “no-action letters”. Regulatory authorities such as the CMB may issue principle decisions clarifying how existing legislation will be interpreted or applied in practice, as well as transaction-specific clearance letters.

2.8 Outsourcing of regulated functions

In general, industry participants may outsource only non-core and ancillary functions, provided that such outsourcing does not prevent the entity from fulfilling its legal obligations, complying with applicable regulations or being effectively supervised.

For instance, banks may not outsource board-level functions, internal control, credit assessment/decision-making, financial reporting and deposit-taking; payment and e-money institutions may not outsource core payment services or e-money issuance; and crypto-asset service providers may not outsource board-level functions, licensed crypto services and their marketing, accounting, financial reporting, internal audit, internal control or risk management.

Outsourcing does not transfer regulatory responsibility; the regulated entity remains fully liable to its customers. Written agreements are required for outsourced services, and their minimum content is defined by applicable legislation. Moreover, service providers remain subject to the competent authority’s audit and information requests. They must comply with confidentiality and data protection obligations and, where relevant, duly report to the competent regulator in accordance with applicable procedures.

2.9 Gatekeeper liability

Under Turkish law, there is no formally defined or designated “gatekeeper” concept comparable to the approach taken in the EU. That said, financial entities such as banks, non-bank card issuers, financing and factoring companies, payment and electronic money institutions, and crypto-asset service providers are classified as “obligors” under Turkish AML legislation and are subject to a broad set of obligations such as customer due diligence and know-your-customer (KYC) requirements, transaction monitoring, establishment of internal compliance programmes, record-keeping and suspicious transaction reporting.

2.10 Significant enforcement actions

Regulatory authorities in Türkiye have broad and robust enforcement powers across the main fintech verticals, exercised within the limits of their respective legislation. For banks and other institutions subject to the supervision and oversight of the BRSA, the BRSA may impose significant administrative fines, order corrective and restrictive measures, revoke licences and pursue criminal sanctions for serious breaches. Payment service providers and electronic money institutions are subject to similar enforcement by the CBRT, including administrative fines, temporary suspension or revocation of licences, and criminal liability for unauthorised activity or obstruction of supervision. Crypto-asset service providers fall within the CMB’s enforcement jurisdiction, and breaches such as the unauthorised provision of crypto-asset services or the misappropriation of client assets may result in severe criminal sanctions, including imprisonment and judicial fines, as well as mandatory compensation of losses and, in certain cases, personal liability of managers extending to personal bankruptcy.

Across all verticals, entities that are defined as “obligors” under AML legislation may be subject to AML-related enforcement by MASAK, including administrative and criminal sanctions, reflecting that each competent authority may take robust enforcement action within the scope of its statutory powers.

2.11 Implications of additional, non-financial services regulations

For banks, the Regulation on Banks’ Information Systems and Electronic Banking Services governs information systems; for payment and electronic money institutions, the applicable framework is set out in the Communiqué on the Information Systems of Payment and Electronic Money Institutions and the Data Sharing Services of Payment Service Providers; and for capital markets institutions and crypto-asset service providers, the relevant rules are provided under the Communiqué on the Principles Regarding Information Systems Management (VII-128.10). Issues such as information systems governance, cybersecurity and data confidentiality are primarily regulated under these sector-specific regulations. In addition, to the extent relevant, horizontal legislation such as AML legislation, the Law on the Protection of Personal Data No. 6698 (“Personal Data Protection Law”) and the Consumer Protection Law No. 6502 may also apply alongside these rules.

2.12 Review of industry participants by parties other than regulators

The activities of industry participants are reviewed through mandatory independent audits conducted by audit firms authorised by the Public Oversight, Accounting and Auditing Standards Authority (KGK) and, where required, by licensed valuation and credit rating firms. Mandatory membership of industry associations (such as the Turkish Banks Association (TBB)) introduces additional standard-setting and peer oversight, while the Credit Bureau (operating in conjunction with the TBB Risk Center) reviews and aggregates customer risk data shared by market participants. For crypto-asset platforms in particular, compliance with information systems and technological infrastructure criteria set by the Scientific and Technological Research Council of Türkiye (TÜBİTAK) is required, and technical aspects may be subject to its testing and certification. Additionally, where professional liability insurance is required, insurance companies are also involved in the oversight framework.

2.13 Conjunction of unregulated and regulated products and services

Under Turkish law, regulated fintech entities are permitted to carry out only those activities expressly listed in their governing legislation and licence conditions; activities falling outside this scope are not allowed. However, where the applicable legislation expressly allows, a regulated entity may also engage in activities that are not themselves fintech-regulated, such as banks acting as insurance agents alongside their core banking activities.

2.14 Impact of AML and sanctions rules

Fintech companies are classified as “obligors” under Turkish AML legislation, meaning that they must comply with the obligations set out in the AML framework and are subject to the supervision of the competent authority, MASAK. In this capacity, they are required to comply with a broad set of obligations, including customer due diligence and KYC requirements, transaction monitoring, establishment of internal compliance programmes, record-keeping and suspicious transaction reporting.

2.15 Financial action task force (FATF) standards

As a member of the FATF since 1991, Türkiye’s AML and CTF framework is largely aligned with the standards and recommendations of the FATF.

The core legislation, including the Law on the Prevention of Laundering Proceeds of Crime No. 5549 and the related secondary regulations, incorporates the main FATF requirements regarding customer due diligence, beneficial ownership identification, risk-based approach, record-keeping, suspicious transaction reporting and internal compliance programmes. Obligors, including fintech companies, are required to comply with these obligations and implement risk-based AML/CTF measures.

Türkiye is also bound by United Nations Security Council resolutions on targeted financial sanctions and has introduced domestic mechanisms for the implementation of these obligations, in line with FATF Recommendation 6. Although Türkiye does not maintain an autonomous sanctions regime, the legal framework enables the application of UN-based measures and requires obliged entities to screen customers and transactions accordingly.

Overall, the Turkish AML/CTF regime follows FATF standards to a substantial degree, and ongoing legislative and regulatory updates continue to be made to ensure further harmonisation with evolving FATF requirements.

2.16 Reverse solicitation

Under Turkish law, regulated products and services may be offered only by duly licensed or otherwise authorised financial institutions. There is no overarching or general reverse solicitation rule or guidance applicable to fintech companies as a whole, and activities of a foreign entity that constitute the provision of regulated services to persons resident in Türkiye, such as payment services, trigger Turkish licensing requirements, with any related marketing or solicitation being prohibited.

That said, the reverse solicitation scenario is generally recognised for certain fintech business models, most notably for investment services provided by foreign financial institutions and services provided by foreign crypto-asset service providers. While such entities are in principle required to be licensed in Türkiye, Turkish legislation allows, on a reverse basis, Turkish residents to receive investment services from foreign financial institutions and crypto-asset services from foreign crypto-asset service providers, provided that no promotion, advertising or marketing activities are directed at persons resident in Türkiye and that the services are obtained solely at the initiative of the Turkish resident. Conversely, where a foreign entity establishes a place of business in Türkiye, operates a Turkish language website or engages, directly or indirectly through intermediaries, in promotional or marketing activities targeting persons resident in Türkiye, the activities are deemed to be directed at Turkish residents and cannot be characterised as reverse-based.

3. Robo-advisers

3.1 Requirement for different business models

Regulatory framework

Share


Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.


You May Be Interested In

Privacy Preference Center