Cryptocurrency Asset Service Providers: Capital Markets Board (SPK), Financial Crimes Investigation Board (MASAK), and the New Compliance Framework

Introduction

Turkey substantially resolved long-standing cryptocurrency regulation uncertainty in 2024. Law No. 7518, published in the Official Gazette on 2 July 2024, brought cryptocurrency asset service providers (KVHS) under the regulation and supervisory authority of the Capital Markets Board (SPK) through amendments to Capital Markets Law No. 6362. By year-end, MASAK amendments to the Measures and Compliance Regulation placed KVHS within the definition of financial institutions; Travel Rule implementation and comprehensive compliance program obligations came into effect.

This article addresses the new regime's SPK component, the MASAK framework, restrictions on foreign platforms' activities targeting Turkey, and compliance steps that should be prioritized for KVHS.

Legal Architecture

Law No. 7518 and SPK Authority

Law No. 7518 amended Law No. 6362 through three fundamental concepts:

• Definition of the cryptocurrency concept,
• Definition of cryptocurrency asset service provider (KVHS) and activities within scope (trading, custody, transfer, exchange, private key management),
• SPK authority for operational licensing, internal system requirements, segregation of customer assets, and sanctions.

The law explicitly prohibits foreign platforms from conducting direct or indirect marketing toward or providing services through a Turkish website to persons resident in Turkey (Art. 99/A); unlicensed activity carries criminal sanctions.

SPK Notices (Tebliğler)

In 2025, SPK published notices regulating KVHS operational licensing, internal control and risk management systems, protection of customer assets, transaction rules, and information technology infrastructure. The stages of operational licensing (preliminary investigation, final approval), minimum capital requirements, and professional qualification standards for managers were specified through these notices.

MASAK Regulatory Amendments

MASAK amendments to the Measures Regulation and Compliance Regulation published in the Official Gazette on 25 December 2024 introduced two significant innovations:

1. Inclusion of KVHS within the definition of financial institution. This means that AML/CFT obligations applicable to banks, payment and electronic money institutions, insurance companies, and capital market entities — customer due diligence, suspicious transaction reporting, compliance officer appointment, compliance program establishment — shall also apply to KVHS.
2. Travel Rule implementation. For transfers above a certain threshold (15,000 TL), information of both the sender and recipient must accompany the transfer. This rule implements FATF Recommendation No. 16 in Turkey.

Turkish Data Protection Law (KVKK) and Data Protection Layer

KVHS process sensitive and broad-scope personal data during customer due diligence (KYC) processes, including biometric data, identity document images, and address information. KVKK Article 6 (special category personal data) and Article 9 (international transfer) remain foundational to KVHS operations; particularly where international cloud infrastructure or foreign KYC providers are used, standard contractual clauses or binding corporate rule architecture become mandatory.

Prioritized Compliance Steps for KVHS

1. SPK Operational Licensing Application

Operational licensing is the first condition for KVHS to provide services in Turkey. The application process typically takes 6–12 months; required documents include company articles of association, ownership structure, capital sources, manager declarations, internal systems, IT infrastructure, and business plan.

2. Segregation of Customer Assets

Segregation of customer cryptocurrency from KVHS' own assets on a legal and accounting basis — is critical for customer protection in insolvency, attachment, or breach scenarios. The custody infrastructure (wallet architecture, multi-signature, offline storage) must technically ensure such segregation.

3. MASAK Compliance Program

KVHS are expected to have a MASAK compliance program no later than upon receiving SPK operational licensing. Core components of the program include:

• Compliance officer appointment — the compliance officer serves as KVHS' point of contact with MASAK.
• Risk management policy — risk classification by customer, product, channel, and geography.
• Customer due diligence (KYC) procedures — identity verification, beneficial ownership identification, politically exposed persons (PEP) screening, sanctions list screening.
• Suspicious transaction reporting (STR) procedures — reporting thresholds, internal escalation, and reporting mechanism to MASAK.
• Record-keeping — maintenance of customer, transaction, and correspondence records for the minimum retention period.
• Training program — AML/CFT awareness for all personnel.
• Independent audit — verification of compliance program effectiveness through internal or external audit.

4. Travel Rule Infrastructure

For transfers above the 15,000 TL threshold, operational infrastructure is required to ensure sender and recipient information accompanies the transfer. In practice, KVHS must:

• Establish interfaces with other KVHS for Travel Rule information sharing (standards such as IVMS 101),
• Implement mechanisms to share Travel Rule information with the counterparty for assets transferred on blockchain,
• Define procedures to reject or hold transactions when information is incomplete or appears suspicious.

5. Foreign Platform Restrictions

Foreign platforms serving customers resident in Turkey are subject to requirements to establish a local company and obtain SPK operational licensing. Foreign platforms must limit marketing toward Turkey and review operations conducted through local partnerships.

6. Contract Architecture

Contracts used by KVHS in customer relationships — account opening agreements, terms of use, custody agreements — must comply with SPK notices. Terms heavily favoring the provider, disproportionate liability limitations, and difficult dispute resolution mechanisms will emerge as issues in SPK supervision.

7. Data Protection Framework

KVHS must conduct data protection impact assessments (DPIA) for KYC and transaction data; where biometric KYC is used, implement adequate safeguards under Board Decision No. 2018/10; sign and notify standard contractual clauses when using foreign cloud providers.

8. Cybersecurity and Operational Resilience

KVHS are expected to establish incident response plans, obtain insurance, and deploy redundant infrastructure against cyber attacks, breaches, and wallet compromise. Law No. 7545 on Cybersecurity, effective in 2025, may create additional obligations for KVHS under secondary regulations.

Turkey Strategy for Foreign KVHS

Article 99/A of the law attaches criminal sanctions to unlicensed activity targeting persons resident in Turkey. The "targeting" criterion manifests practically through:

• Turkish-language website or user interface in Turkish,
• Registered office, address, or customer support channel in Turkey,
• Active marketing, advertising, or sponsorship activities in Turkey,
• Transaction in TL or integration with banks issuing cards in Turkey.

Passive compliance by foreign platforms is not deemed sufficient; when service provision to Turkish customers is detected, active contract termination and platform access blocking are expected. Establishing a local office, obtaining local company incorporation and SPK operational licensing, is the sole path to full compliance.

Conclusion

Turkey's cryptocurrency regime, after years of uncertainty, has settled into a dual SPK + MASAK structure. This, while representing a compliance cost for KVHS, paradoxically reinforces market confidence. Providers operating in regulatory compliance will gain a distinct advantage in attracting institutional customers and banking-payment partnerships; non-compliant operators will face both criminal sanctions and exclusion from the banking system.

KVHS compliance is not merely a matter of SPK or MASAK notices; it requires alignment with the Turkish Data Protection Law (KVKK), Law No. 7545 on Cybersecurity, consumer legislation, and — where international operations are involved — FATF and EU MiCA frameworks. This is a multi-layered discipline. If these areas are not monitored together in the coming period, a single deficiency may jeopardize the entire operational licensing.