FinTech 2019 Comparisons

Last Updated June 06, 2019

Contributed By Paksoy

Law and Practice


Paksoy is a leading full-service law firm in Istanbul, Turkey, focused on advising clients in a wide range of legal areas, including cross-border investments, international business transactions, M&A, competition, information and emerging technologies, banking and finance, capital markets, telecommunications, media, data protection and cybersecurity, FinTech, intellectual property, insurance and pensions, investigations, compliance and disputes. Clients include leading investment banks, financial institutions, IT service providers, telecoms companies, healthcare-providers, manufacturers, contractors and private equity investors across Europe, the Middle East, the Gulf and CIS countries, Asia and the United States. Paksoy collaborates with leading international law firms in major jurisdictions, and works with them on cross-border transactions. The FinTech team works under the Information Technologies and Internet Law department of the firm, which comprises seven lawyers.

As younger generations are using internet and mobile devices widely in every aspect of their lives, traditional institutions are re-shaping their business models to include recent technological trends. Product and services-providers have started to combine technology with all sectors in order to provide faster and more user-friendly services. This trend is further supported by intensive legislative efforts enabling and regulating the use of technology in the provision of traditional products and services (see Law No 6493 on Payment and Security Settlement Systems, Payment Services and Electronic Money (“Payment Services Law”) in 2013, the Regulation on Payment Services and Electronic Money Issuance and Payment (“Payment Services Regulation”) in 2014, the Communiqué on the Management and Supervision for Information Systems of the Payment E-Money Institutions (the “Payment Services Communiqué”) in 2014 and Europe’s new Payment Services Directive II (“PSD2”)).

The banking sector seems to lead the way in adapting new technologies to the needs of banks and their customers. According to a survey conducted by ING Bank in 2015, Turkey has been quoted as a future hotspot for mobile banking due to high penetration ratios for internet access and mobile-device usage. 60% of Turkish participants admitted to already using mobile banking services. In fact, since the 2010s, digital wallets, e-commerce, contactless cards services, robo-advisers, identity management, trading platform services, etc, have been widely used in Turkey, providing Turkey with a competitive advantage when it comes to new developments regarding new payment systems and digital banking services, with more than 300 FinTech companies currently active in Turkey.

In addition to the above, over the course of the past year, a number of players have initiated blockchain R&D projects such as InsurTech and RegTech projects. Payment and asset management technologies have been developing as well. A leading Turkish Islamic bank has established a FinTech-focused venture capital in Turkey, and another Turkish Islamic bank has launched a payment platform backed by artificial intelligence. Islamic FinTech companies are also gaining visibility by providing interest-free payment systems.

The FinTech market growth rate in the banking and finance sector is considerably high in Turkey – ie, 14% as announced by the Banking Regulation and Supervision Agency (“BRSA”) in April 2017. In 2018, the market size was around USD16 billion. With the establishment of payment service-providers, investment in FinTech has risen by 180% compared to the preceding year. However, the Turkish FinTech market is still developing and its developing nature is in fact an advantage since investors have plenty of opportunities to choose from.

As digital transformation is picking up pace in the insurance sector, InsurTech is becoming more and more crucial to insurance companies. However, in a market with more than 300 FinTech companies, a mere 12 are focused on InsurTech. The most widespread trend in InsurTech is the Robot Process Automation (“RPA”). A leading Turkish insurance company has been using RPA technology since early 2017, whereby a virtual assistant handles the filing process regarding insurance claims by automatically sorting through relevant paperwork submitted to the insurance company. The virtual assistant is expected to be able to handle two million operations per year, which consists of matching the submitted documents with the relevant insurance file. Another technology used by the insurance market is virtual risk-analysis, which allows insurance companies to determine the parameters of a potential damage before it occurs and suggest preventive measures. Lastly, in-car cameras that take automatic pictures of an accident are used in commercial vehicles in Turkey, especially to back up insurance claims. In-car cameras are subject to Turkish data protection regulations.

Istanbul aims to become a regional technology hub within the course of this year. Additionally, with the spread of blockchain projects, improvements on contactless payment systems, prepaid card usage, offline payments and money transfer systems are expected. API (application programming interface) banking is also expected to develop in Turkey, depending on whether the Turkish payment systems regulation will be amended in line with the European Payment Systems Directive II.

On the other hand, Turkish public authorities have been increasingly relying on digitalised technologies in the provision of bureaucratic services (eg, electronic apostille, electronic legal service, tax payments) as well as access to some public services (eg, legal, health, state insurance, education). Other examples of digitalisation in the public sector include the e-tender system, which aims to encourage participation in tenders initiated by the Directorate General of Customs and hence increase funds raised by the selling of goods confiscated by customs. The optional electronic trust stamp granted to electronic commerce platforms that fulfil a series of requirements, verified by the authorised authority, certifies the trustworthiness of a given e-commerce site. Lastly, it is worth mentioning that Turkey is currently implementing a comprehensive “smart cities” project whereby two of the country’s main cities have been chosen as pilot cities: Istanbul and Izmir. While the focus in Izmir is on energy solutions, Istanbul tackles advancements in transportation (eg, payment systems that allow credit card payments in taxis and topping-up of the city transportation card, and the recently introduced driverless metro line with a capacity of 1,620 passengers).


With the enactment of Law No 7061 Amending Certain Tax Laws and Certain Other Laws (the “Omnibus Law”) in 2017, the Capital Markets Law No 6362 (“Capital Markets Law”) has been amended to include crowdfunding in national legislation. According to the statistics portal Statista, global transaction value in the crowdfunding segment amounts to USD15 million in 2019 and is expected to show an annual growth rate of 12%. While reward-based and donation-based crowdfunding platforms existed in Turkey previously, with the new legislation, share-based platforms are now developing. There are currently nine active crowdfunding platforms in Turkey, four of which are share-based. The oldest is Fongogo, a share-based platform established in 2013 in İstanbul, and Arıkovanı (Beehive), a reward-based platform.

Digital Banking

Turkey’s young and digitally active population provides a good customer base for digital banking. According to the EMEA 2018 Report by Deloitte, Turkey was named a digital champion in the EMEA market along with Poland, Russia, Spain and Switzerland.  According to the Turkish Banking Association, in 2017, 46% of the population was a user of internet banking. 80% of all banking in Turkey is already digital, with the main regulatory authority, the BRSA, supporting this change. Instead of new banks forming, established banks in Turkey like Akbank, İş Bankası, Garanti, Yapı Kredi, DenizBank and TEB have embraced digitalisation and developed digital models. While the percentage of mobile banking in Credit and Credit Card Application, Credit Card Transactions and Other Financial Transactions is over 80%, the percentage of mobile banking in Money Transfers and Investment Transactions is over 60%. The fact that there is a 10% difference between March 2017 and March 2018 in Investment Operations particularly shows the speed and effect of development in this area. As numbers of ATMs, POSs, Internet banking, call centres and mobile applications are increasing, the number of bank branches where conventional banking transactions are conducted is decreasing. Banks are investing in Digital Banking to keep their competitive position.

On the other hand, Turkish banking law contains stricter provisions than EU law. The cost of a banking licence for deposit banking is USD300 million, and the conditions for obtaining a banking licence are vigorous. Digital banking providers are required to meet the same requirements, so there are no banks that are focused only on digital services.

Payment Systems

Turkish Payment Systems Legislation is aligned with European law, but not with the new Directive PSD 2. Therefore, API-banking has not been regulated in Turkey, although new draft legislation indicates that this will soon change (see 2.2 Regulatory Regime).

Payment institutions and institutions issuing E-Money are subject to a licence from the BRSA. There are 33 active payment institutions and 14 active E-money institutions listed by the BRSA.

The e-commerce market in Turkey has an expected turnover of USD41 billion in 2019. Credit cards are expected to keep their dominant role as the primary payment method, followed by mobile payments with a market share of 37%. According to Statista, credit cards constitute 74% of payment methods. E-wallets have a market share of 2% and prepaid cards and bank transfers about 1% each. The majority of Turkish customers pay via instalments under the local providers like World, Axess and CardFinans. Loyalty programmes are very popular, where customers are able to pay with loyalty points in co-operation with stores and e-commerce websites.

Blockchain and Virtual Currency

Turkey is becoming increasingly digitalised and keeps pace with digital transformation. However, Turkish authorities have demonstrated an ambiguous stance towards the crypto industry.

The Turkish Central Bank Governor, Murat Cetinkaya, emphasised that bitcoin and crypto-currencies could contribute to global financial stability with the decentralised and peer-to-peer (P2P) financial network. Blockchain research centres have been established at Turkish universities.

According to an ING Bank Report of 2018 on crypto-currency, Turkey was leading among the 15 countries surveyed on interest in crypto-currency, with 53% of Turkish respondents agreeing that bitcoin is the future of online spending. 

Access to crypto-currency has been growing. There are local crypto-currency sites like localbitcoins, and BTCTurk where Turkish Lira can be exchanged for crypto-currency bitcoin and ether. Exchanges to access currency like altcoins do not exist. Several companies such as Ma and stores have accepted bitcoin as payment, but it is not commonly used by the public.

Robo Advice

According to an ING mobile banking Survey of 2017, 40% of the people in Turkey say they would accept Robo Advice, as long as they have final approval on any resulting activity. This percentage is higher than the other countries surveyed – more than half of respondents in Luxembourg, Austria and France said they did not want any automated financial activities at all. The Turkish insurance market stands in terms of investments in Robo Advice technologies in particular, as well as blockchain, artificial intelligence and other robotic systems. In Turkey, Robo Advice was first used by Adendum, through the smart information system called ‘AddVICE’ for the private pension market. 

Robo Advice is not regulated separately, and must comply with the relevant legislation of the sector in which it is applied.

There is no specific regulation regarding FinTech in Turkey, so there are no general FinTech licensing or approval requirements. The applicable general regulation is as follows:

  • Customer Identification Rules (Know Your Customer Rules) established as preventive measures by the Financial Crimes Investigation Board (“MASAK”). Parties obliged to do so under the Law on Prevention of Laundering Proceeds of Crime No 5549 (“Anti-Money Laundering Law”) shall identify persons carrying out transactions and persons on behalf or for the benefit of whom the transactions are conducted. Document types required for customer identification, and the types of transactions necessitating customer identification, monetary limits for them and other related principles and procedures have been determined under chapter three of the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism (“Anti-Money Laundering Regulation”). In electronic transactions, customer identification is necessary when the amount of a single transaction or the total amount of multiple linked transactions is equal to or more than TRY2,000 (approximately USD400). Customer identification in Turkey is applied on a face-to-face basis. Turkey does not apply Compare Video Technology for the implementation of KYC (know your customer) principles. There are, however, signs that these will be regulated and applied in the future, with the new Draft Regulation on Information Systems of Banks and Electronic Banking Services (the “Draft E-Banking Regulation”) by the BRSA pointing in this direction. Two-component authentication on devices that provide access to the mobile banking application has been regulated, and it has been decreed that authentication components of the device (such as cameras) can be used for this.
  • Anti-money laundering laws (the Anti-Money Laundering Law and secondary legislation) containing preventive measures such as Suspicious Transaction Reporting, the assignment of a compliance officer, establishing systems of internal audit, control and risk management and obligation of submitting information and documents as well as periodical reporting for obliged institutions.

Depending on the vertical that the FinTech Company is active in, regulatory regimes can differ, as follows.


The Omnibus Law contained important amendments to the Capital Markets Law concerning crowdfunding, which has been legally accepted due to a Draft Law on Crowdfunding being submitted to the Grand National Assembly in 2016. According to the Omnibus Law, crowdfunding companies have to be granted an authorisation by the Capital Markets Board of Turkey (“CMB”). The transition of existing platforms has not been regulated. Because crowdfunding platforms have been excluded from the definitions of “publicly held companies” and “issuer” in the Capital Markets Law, they are not obliged to comply with the corporate governance principles and public disclosure duties of publicly held companies, nor are they obliged to prepare a prospectus or offering circular. They are not considered as investment services under capital markets legislation and therefore will not be subject to the relevant legislation like stock exchange provisions. Turkish obligation law governs the relationships between the platforms, lenders and collectors of monies. The CMB has the authority to take measures to request a remedy, limit or cancel the activities of the platform. It will notify the Information and Communication Technologies Authority (“ICTA”) to ban access to the website if the platform is unauthorised. Gaps remain in the legislation – for instance, which form of crowdfunding is regulated (donation-based, reward-based or investment-based crowdfunding) has not been addressed.

The CMB issued a draft regulation on investment-based crowdfunding on 4 January 2019 (“Draft Crowd Funding Regulation”), which was open for public comments until 4 February 2019. The Draft Crowd Funding Regulation aims to ensure the effective penetration of the crowdfunding model into the capital markets legislation and create a regulatory framework for crowdfunding activities. It requires crowdfunding platforms to apply to the CMB for listing, and to comply with the specific requirements set forth by the CMB. According to the Draft Crowd Funding Regulation, crowdfunding platforms have to apply to be listed by the CMB, and must meet certain equity and organisation-related criteria. They have to form an investment committee made up of the board of directors.

According to the Draft Crowd Funding Regulation, the CMB can oblige a platform to take out professional liability insurance. Platforms can carry out crowdfunding activities exclusively. They may provide consulting services during the execution of their activities. The contract between the platform and the investor/investment company needs to be in written form. For five years after a campaign page is made for a certain project, the investment committee has to publish all information on the campaign page that may affect the decision of potential investors during the campaign. The obligation to inform the general public has been included for investment-based crowdfunding. The CMB Draft Crowd Funding Regulation restricts some activities for crowdfunding platforms, such as that they are forbidden to act as an intermediary for lending or to offer any capital market instrument other than share-based mass funding in return.

Investors who have not been classified by the CMB as qualified investors may only invest up to TRY20,000 per year. In the case of early termination of the campaign or in the case of the collection of the fund after all periods of withdrawal for investors have expired, the investors have the right to damages, according to the Turkish Code of Obligations No 6098 (“Code of Obligations”).

Foreign platforms that establish an office or webpage in Turkey are subject to the Draft Crowd Funding Regulation.

Digital banking

Turkish banking legislation imposes stricter requirements for establishing a bank than the EU legislation, and digital banking providers are required to meet the same requirements. Cloud Usage is prohibited, except for Cloud Service providers based in Turkey that meet certain requirements. 80% of the Turkish banking sector is already digital. The BRSA supports this change. FinTech is growing the fastest in the banking sector.

Currently, the Turkish Banking Law No 5411 (“Banking Law”) and the Payment Services Law, as well as Personal Data Protection Law No 6698 (“Data Protection Law”), MASAK Regulations and the Payment Services Communiqué, put some obstacles in front of digitalisation by the banking sector. 

The Banking Law puts banks under an obligation to protect customer secrets. They may, however, obtain explicit consent according to the Data Protection Law in order to transfer customer data to APIs. For further details, please see the payment system section below.

As per the MASAK Regulation, customer acquisitions cannot be digitalised due to the identification principle. MASAK Regulation puts all the partaking banks under the obligation of determining the identity of a person attempting a given transaction. Written-form requirements prevent the digitisation of the customer acquisition process.

The Banking Association of Turkey’s Communiqué Related to Minimum Form and Substance of Agreements Signed with Retail Customers regulates that, after signature of the agreement, one copy has to be provided to the customer. As such, taking such a process into a digital platform would likely cause a breach.

The Code of Obligations is still the main code regulating signature requirements, since the digital signature is not yet regulated under Turkish law.

Payment systems

The Payment Services Law issued in 2013 and its secondary legislation provide the legal infrastructure for payments with electronic money. The Payment Services Law is aligned with the European Union legislation, in particular the Payment Systems Directive (PSD, Directive 2007/64/EC), and makes it possible for institutions other than banks to provide payment systems in Turkey. However, Turkish law is not yet aligned with the current PSD 2 (Directive (EU) 2015/2366). Therefore, open banking through Account Information Service Providers (API) or Payment Initiation Service Providers (PISP) is not regulated in Turkey. As digital banking providers need to meet the same licence and regulatory requirements as regular banks, there are no sole providers of digital banking in Turkey.

Changes made to the Payment Services Regulation in October 2018, contrary to general expectation, did not include API banking. Currently, the Banking Law, the Payment Services Law and the Data Protection Law, as well as the MASAK Regulation and the Payment Services Communiqué, put some obstacles in the way of digitalisation attempts in the banking sector.

The Draft E-Banking Regulation shows that Turkey is open to the sector. API Banking is mentioned in the new regulation draft, so it is expected that payment system regulations will be aligned with PSD 2. In practice, leading banks have opened or announced the opening of their own API portals.

According to the current regulation, entities providing payment services, which are defined broadly in the Payment Services Law, need to meet certain equity-related and operation requirements, and to obtain licences from the BRSA. Payment and E- Money institutions are required to keep their records and information systems within Turkey and cannot operate in fields unrelated to payment or electronic money services. Foreign institutions that operate in Turkey are subject to the Payment Services Law and need to obtain a licence in Turkey.

The BRSA will suspend operations of unlicensed providers and shut them down. The BRSA publishes a list of licensed payment institutions and institutions licensed to issue e-money.

Blockchain technology

Blockchain technology is not regulated in Turkey, but it is used in the public sector. The first blockchain project between financial institutions has been implemented in Turkey by the Istanbul Stock Exchange (“BIST”). With the blockchain project prepared by the BIST IT team, the information in the customer databases of BIST, Trade Istanbul and Istanbul Central Registry was synchronised. However, this cannot be construed as trading through blockchain.

Blockchain in Germany, for instance, is regulated and supervised by authorities such as BaFin, the regulatory authority, which classifies bitcoins as so-called “units of account” and therefore as financial instruments within the meaning of the German Banking Act. Virtual currencies do not qualify as e-money and the holding for third parties does not qualify as deposit-taking and is not regulated. The operation of a trading platform for virtual currencies may be regulated (see section below). FinTech companies operating in the blockchain sector have to fulfil the same requirements as other financial service-providers in order to obtain a licence.

Blockchain mining in exchange for virtual currency is considered a financial activity by BaFin.

Such a regulation does not exist in Turkey.

Virtual currencies

Crypto-currency is not considered as a payment instrument in Turkey and does not fall under the Scope of Law no 6439. There is no CMB or BRSA regulation concerning E-currency as E-currency does not have a derivative status in Turkey. Virtual currencies are not seen as a derivative instrument and therefore are not subject to a restriction. There is no official law prohibiting or regulating the buying and selling of crypto-currency in the country, thus making it legal. Turkish citizens have access to crypto-currency, with bitcoin being the most popular and most sought-after currency. Crypto-currencies are not regulated by any official authority and do not fall within the scope of the Payment Services Law.

The CMB announced on its website in September 2018 that it does not regulate or supervise Initial Coin Offerings (ICOs) or token offerings. ICOs were included in the announcement of the New Economy Programme, and it is to be expected that IPOs and crypto-currency trades will be regulated in the future. There are already up to 20 crypto-currency exchange platforms operating and/or established in Turkey.

The establishment, dissemination or recommendation of a pyramid sales system is prohibited according to the Law on the Protection of the Consumers No 6520, and the Customs and Trade Ministry is authorised to take necessary measures, including making the necessary investigations about pyramid sales systems and to put an end to the electronic system, if there is one in place.

As a comparison, in Germany, ICOs are subject to the Regulations of the Regulatory Authority, BaFin, which has classified bitcoin and comparable virtual currencies as so-called “units of account” – ie, as financial instruments within the meaning of the German Banking Act. Depending on the nature of the offered token (vanilla or tokens with subscription rights for other tokens), the Asset Investment Act (Vermögensanlagengesetz, "VermAnlG") could entail a prospectus requirement for a public offering of tokens. Even if the company is not established in Germany, the regulations will apply if the ICO is actively advertised on German platforms.

Such a regulation does not exist in Turkey.

In light of the 2011 Agreement between the CMB and the US Securities Exchange Commission (“SEC”) regarding a ‘Regulatory Dialogue’, it can reasonably be expected that they may align their regulations. The SEC qualifies crypto-currencies such as bitcoin and ether as commodities, regulated by the Commodity Futures Trading Commission, but for all other crypto-currencies created through ICOs, the agency uses a method known as the "Howey Test" for determining whether certain transactions qualify as "investment contracts". The rule comes from a 1946 US Supreme Court decision.

Robo Advice

No separate Turkish regulation exists concerning Robo Advice, but the technical standards set under the Banking Law and the Data Protection Law must be met. Robo Advice needs to be in accordance with the relevant legislation of the sector in which it operates. The Standards of the International Organization for Standardization (ISO) concerning robots prepared by ISO Technical Committee 299 with the title “Robotics" may be applied but are not mandatory.

There is no specific regulation regarding FinTech issues. As such, there is no difference between FinTech industry participants and legacy players from a regulatory perspective.

For the time being, there is no “sandbox” or other regulation published. Further to this, there is no expectation or intention to draft any such regulation.

As explained under 2.1 Predominant Business Models and 2.2 Regulatory Regime, the regulators in Turkey are the BRSA for the banking market, CBM for capital markets, and Masak for the prevention of money laundering and the financing of terrorism. Moreover, in order to regulate personal data processing issues, the Turkish Data Protection Board is available. There is no overlapping between their jurisdictions.

Provisions concerning outsourcing exist in the banking sector, payment systems, capital markets regulation and insurance sector.

In the Banking Sector, the BRSA is the leading banking regulator. The Regulation Regarding Banks' Procurement of Support Services (“Banking Support Services Regulation”) regulates the outsourcing process.

Outsourceable support services as defined in the Regulation are services that are either an extension of or supplementary to the main services provided by banks (including IT services) within the Banking Law and BRSA principles. Activities that cannot be outsourced are requesting loans; accounting for banking transactions and preparing financial reports; monitoring and assessing the exposure and process regarding loans; and safekeeping activities.

Special activities are considered support services and can be outsourced. These activities include call centre services; the maintenance of information systems software; the operation of automated telling machine and point of sale services; the printing of bank cards, credit cards, cheque books and bank statements, and the electronic delivery of such statements; and the archiving, collection, safekeeping and delivery of assets such as cash, commercial papers and precious metals provided by special security companies.

Banks are required to submit a report to the BRSA about the risks, benefits and costs of outsourcing a service. Even when a service is outsourced, the bank must comply with legislation and the service will be supervised according to the relevant regulations. Each year banks must submit a report to their board of directors on their process of identifying the necessary support services. In the report, they must evaluate the cost and risk of procuring the service, and an action plan about the management of risks and evaluating the costs and benefits of procuring such services.

Vendors must be incorporated and are required to meet the structure requirements set out in the Regulation, such as having a sufficient number and quality of personnel, necessary technical equipment and measures against security risks to perform the service, which must be supervised by the bank. They are obligated to take out liability insurance if requested by the bank or the BRSA. Outsourcing a service does not preclude the bank from the legal obligations regarding the service. The vendor is required to undertake the contractual obligation to comply with all obligations of the regulated service. For instance, pursuant to Law No 5188 on Private Security Services, archiving services can only be carried out on the property of the bank and only under the supervision of a bank employee, and the provision of external security and secure collection of all kinds of cash, negotiable documents and other valuable goods can only be provided by certain companies.

Under the same provisions, the service can be outsourced again by the first vendor.

The outsourcing of payment services is regulated in the Payment Services Law and its secondary legislation. Under these regulations, the vendor is obliged to use information systems and back-ups maintained in Turkey. There are some mandatory provisions in the Agreement between the payment system-provider and the vendor to ensure that the vendor complies with the payment regulations.

Insurance providers can outsource services under the Banking Support Services Regulation on Insurance Support Services if the vendor is established in Turkey, has a valid licence and meets the structure, qualified personnel and technical capacity requirements stipulated by the Banking Support Services Regulation.

Companies that are regulated by the CMB can outsource activities that are not in the scope of their main activity. The Vendor must comply with capital markets legislation on internal control, risk management and information security procedures. The Payment Systems Communiqué allows some institutions to outsource information system services under specified conditions. The primary and secondary information systems must be kept in Turkey. The BRSA has introduced the Draft E-Banking Regulation, which is planned to be implemented in January 2020, in order to abolish the Communiqué. For further details, please see 2.8 Implications of Additional Regulation.

Outside of the regulated areas, suppliers may provide services based on a contractual relationship with the company wishing to outsource, under the general provisions of the Code of Obligations and Turkish Labour Code concerning commodities and service procurement. In this case, liability can be excluded except for gross negligence, and a cap can be agreed on. If the service requires authorisation by a competent authority, the liability of the vendor cannot be excluded.

The Turkish Labour Code defines subcontracting as the ability for a customer to assign a part of its main activity to a supplier, due to operational and technological necessities or auxiliary activities to a supplier. The customer and the supplier are jointly liable to the supplier's employees.

In the aforementioned regulated areas, outsourcing does not excuse the outsourcing company from its legal obligations regarding the service. Therefore, outsourcing does not provide the possibility to escape or cap liabilities when a regulated entity is concerned. 

In the banking sector, the BRSA determines the working principles of independent audit firms, by taking into account the opinions of the Central Bank and the associations. The BRSA issues a list of independent audit firms which it deems as satisfying these principles. If there is a breach of legislation and standards, the BRSA can strike an audit firm from the list.

The BRSA grants establishment and operation licences and supervises banks, representative offices of foreign banks and financial institutions. It regulates public financing, global economic relations, exchange regimes, and private insurance companies.

The Central Bank of Turkey can require necessary information from financial institutions. The Saving Deposit and Insurance Fund (SDIF) is a public legal entity that insures the saving deposits and participation funds of natural persons in credit institutions.

The BRSA has the authority to impose administrative fines under the Banking Law if banks fail to comply with their duties stated therein (Article 146).

If a bank fails to take measures according to the Banking Law to prevent its resolution, the BRSA can restrict the activities of the bank, revoke the bank’s operating licence or transfer the rights of its shareholders to the SDIF (except for the right to dividends and management and supervision). The BRSA will determine if a bank will be subject to SDIF supervision and whether the requirements of the Banking Law are met. The SDIF will then be responsible for liquidation transactions.

During the auditing of a bank, the BRSA can transfer the issues that require judicial punishment to the relevant institutions of the state.

There is no separate Cybersecurity Regulation in Turkey.

The BRSA has published the Draft E-Banking Regulation, which is expected to have an implementation period of one month before January 1st 2020. The Draft Regulation will abolish the Payment Services Communiqué.

Major changes in the regulation concern the organisational units in charge of information systems in banks, documents the banks are required to prepare, the provision that primary and secondary information systems need to be kept within the country, and rules banks need to follow in the procurement of outsourcing services. Outsourced services as defined by the Draft Regulation cover all Support Services as defined by the Banking Support Services Regulation. Products and services concerning critical information systems and security should either be produced in Turkey, or the Research and Development Centres must be in Turkey. In either case, it is regulated that response teams concerning the service shall be present in Turkey. Primary or secondary cloud computing services may be procured by private cloud services that only serve the bank concerned, or by community cloud services that are used by several banks but assign logically distinct resources to each bank and only serve banks. In contracts with search engines and social media platforms, they must assume responsibility for false ads given in the name of the bank.

According to the Turkish Constitution as well as the Banking Law and the Criminal Code, the protection of customers' secrets is an obligation for banks. Information obtained both before and after the conclusion of a banking contract is regarded as customer secrets; this includes the customers’ asset situation and personal information. All persons or legal entities to which a bank provides services can be regarded as customers of that bank, even if they do not hold an account. This information cannot be shared or explained to unauthorised persons, nor used by the individual responsible for his or her or another's benefit; this offence carries civil liability as well as criminal penalties.

Anti-Money Laundering Laws

In Turkey, the Anti-Money Laundering Law and relevant provisions in the Turkish Criminal Code and the Anti-Money Laundering Regulation, the Regulation on the Programme of Compliance with Obligations of Anti-Money Laundering and Combating the Financing of Terrorism (the “MASAK Regulation”) make up the anti-money laundering laws. MASAK is the regulative authority. Regulations require companies to have systems in place to report suspicious activities to the government.

The regulations apply to banks as well as other financial institutions, insurance firms and asset management companies.

Customer due diligence is regulated as a main element to prevent the financing of terrorism and money laundering. Transactions requiring customer due diligence are specified, and companies must file Suspicious Transaction Reports and maintain records of transactions for a period of eight years.

The Anti-Money Laundering Regulation regulates real persons, corporate bodies recorded in a trade registry, associations and foundations, trade unions and confederations, political parties, corporate bodies located abroad, organisations that are not corporate bodies and public institutions separately. Regarding technological risks, financial institutions are required to limit the amount and number of transactions that are not carried out face to face.

Data Protection

The Data Protection Law ("DPL") regulates the processing of personal data. It may not be transferred, for example in an outsourcing contract, without the express consent of the subject or an exemption in the DPL, such as legitimate interest. For the transfer of data outside of the country, the foreign country to which the personal data will be transferred has to have an adequate level of protection. If there is not an adequate level of protection, the data controllers in Turkey and abroad must commit, in writing, to provide an adequate level of protection and obtain the permission of the Personal Data Protection Board.

The Draft Regulation concerning customer identity verification and the usage of authentication systems for more than one application has been introduced for Internet Banking. Detailed regulations on Data Privacy have been introduced, such as the procedure for banks in the case of a cyber-incident. Customers’ consent regarding usage of their data cannot be imposed as a prerequisite for the service provided.

The use of social media and/or similar tools is not regulated separately.

Pursuant to the Turkish Commercial Code, joint stock and/or limited companies that meet at least two of the following three criteria on their own, or together with their subsidiaries and affiliates, have been identified by the Council of Ministers as being subject to an independent audit:

  • total assets in the amount of TRY40 million or more;
  • annual net sales revenue of TRY80 million or more;
  • 200 or more employees.

Therefore, all banks and insurance companies, and some firms, are audited annually by certified audit firms. Since FinTech companies are generally start-ups in Turkey, many of them would not meet the above-mentioned criteria and would not be subjected to an independent audit. However, FinTech companies acting as a supplier for banks would also be subject to an independent audit.

Since the use of unlawful products is not allowed, industry participants cannot offer unregulated products.

Different business models are not required.

Legal authorities are implementing technical solutions as per the general rules and regulation. If the implementation would be in the banking sector, BRSA’s best practices and Banking Law will be applicable. If the implementation would be in the insurance area, the insurance law will be valid.

Turkey has no best practices in the area.

Turkish-resident natural persons are not entitled to utilise FX and/or FX indexed loans, while Turkish legal persons are entitled to utilise FX loans to the extent they fall within the scope of the exceptions listed under Decree No 32 regarding the Protection of the Value of Turkish Lira. Banks have general template agreements that comply with the Banking Law and are customised based on the type of transaction – ie, customer loans, individual, corporate, etc. In certain transactions, depending on the size and purposes of the loan, structured loan agreements based on LMA type are used rather than template agreements of the banks.

The underwriting processes are mainly regulated by the Regulation on Lending Transactions of Banks (the “Lending Regulation”) issued by the BRSA. Pursuant to the Lending Regulation, banks operating in Turkey are obliged to receive an account status form prepared in line with the forms attached to the Regulation for credit disbursements above TRY1 million. The account status form for legal persons briefly includes information on shareholding status, field of activity investments, number of employees, members of the board of directors, credit notes, financials and tax payments. The real persons should state their family members, properties, encumbrances over such properties, occupation details and other credit payments, if any.

In Turkey loans are essentially provided by banks, whose principal funding sources are:

  • funds through deposit-taking activities (applicable to deposit banks);
  • syndicated loans;
  • debt capital markets instruments, either as part of senior unsecured issuances or as regulatory capital issuances;
  • peer-to-peer bilateral funding; and
  • securitisations.

Deposit collection by banks requires a specific licence and is strictly monitored by the BRSA. Syndicated loans are not regulated but are dominated by the contractual terms of the syndication, which is rolled over on an annual basis. Offerings of banks at debt capital markets including securitisations are regulated by the CMB and the capital markets legislation. If such debt offering is in the form of a regulatory capital issuance, it is also subject to the equity regulation of the BRSA in order to qualify as capital.

Currently, there is no secondary loan market in Turkey, so banks do not syndicate their loan portfolio. This is legally possible in Turkey, even though it is not yet used in practice.

Payment processors should use existing payment rails.

Under Turkish law, funds are established and administrated by portfolio management companies. Portfolio management activities, including individual portfolio management services, are regulated by the Capital Markets Law and the secondary legislation published by the CMB. All types of portfolio management and investment advisory services are subject to CMB regulations and the respective licence.

There are a number of provisions dictated by CMB regulations, particularly the Communiqué on Portfolio Management Companies and Principles regarding Their Activities No III-55.1. The fund administrator is the portfolio management company, which is obliged to establish the required systems for internal control and risk management. Therefore, it needs to hire enough officers, including investment advisers, inspectors, portfolio managers and internal control officers.

The portfolio management companies must have an inspection unit independent from their daily activities, and in charge of supervision and inspection functions, including all activities, operations and organisation units, particularly the functioning of internal control systems and risk-management systems, and also including audits of compliance with applicable legislation and its policies, depending on the requirements of management and the structure of the respective portfolio management company.

If an inspection unit discovers any event that may weaken the financial situation or create extraordinary results for a respective portfolio management company, or any breach of legislation that may result in the suspension or termination of activities of such company, said inspection unit is obliged to present its report to the board of directors as soon as possible, and to send a copy of such report to the CMB on the same day.

In addition to the inspection unit, an internal control system needs to be established in order to ensure that all operations and activities are carried out regularly and effectively in accordance with the management strategies and policies and the applicable legislation, and that its accounting and recording systems are held integrally and reliably, and that information in its data system can be obtained accurately and in a timely manner, and that mistakes, frauds and breaches are detected and prevented.

All accounts and transactions of fund founders, fund administrators and portfolio custodians related to the respective funds are subject to the supervision of the CMB.

Pursuant to the applicable CMB legislation, each member of personnel and manager of the portfolio management companies is obliged to show professional attention and care in their work and decisions as a diligent and prudent person under the same conditions, and they need to be independent. Furthermore, the portfolio managers must act honestly and objectively in their activities, and their independence should not be prejudiced.

Portfolio managers are responsible, in the capacity of agent (vekil), for the establishment of portfolios that are suitable for the financial conditions, risk-return preferences and investment periods of clients and the management of such portfolios. Additionally, portfolio management companies are obliged to have a fund service unit and a fund manager. The fund manager is responsible for operational activities such as the organisation of the fund service unit, co-ordination, follow-up and the conduct of legal and other activities related to funds. Fund managers cannot conduct portfolio management activities.

To ensure an effective internal control, the obligations and duties of each personnel in accordance with written procedures and to report to the management events such as activities in contradiction with professional principles and/or applicable legislation and/or corporate policies should be defined in writing. Procedures are formed in such manner to ensure effective participation of all levels of personnel in the internal control system. The reports to be prepared with respect to internal control activities need to be presented to the board of directors on a monthly basis.

The current trading platforms of Borsa Istanbul A.Ş. (“BIST”) are as follows:

  • Equity Market: The rules and principles regarding the operation of the Equity Market are mainly regulated by (i) the BIST Equity Market Directive, (ii) the BIST Equity Market Operation Implementing Procedures and Principle, (iii) BIST Listing Directive and (iv) the BIST Algorithmic Trade on the Equity Market and BISTECH PTRM/Pre-Trade Risk Management Operation Procedures and Principles. The instruments traded in this market are as follows: (i) equities of companies from various sectors, (ii) pre-emptive rights, (iii) exchange traded funds, and (iv) warrants and certificates. Only licensed investment firms may carry out trading activities on the Equity Market as members. These members may accept written or oral orders through various channels, including electronic communication channels.
  • Debt Securities Market: The rules and principles regarding the operation of the Debt Securities Market are mainly regulated by (i) the BIST Debt Securities Market Directive, (ii) BIST Listing Directive and (iii) the BIST Debt Securities Market Operation Implementing Procedures and Principles. The instruments traded in this market are as follows: (i) debt securities, (ii) securitised asset and income-backed debt securities, (iii) lease certificates, (iv) liquidity bills issued by the Central Bank, and (v) other securities approved by the board of BIST. Trading is carried out electronically with the automated multiple price-continuous trading system. Only licensed investment firms may carry out trading activities on the Debt Securities Market. The following markets are operated under the Debt Securities Market: (i) Outright Purchases and Sales Market, (ii) Repo - Reverse Repo Market, (iii) Repo Market for Specified Securities, (iv) Equity Repo Market, (v) Offering Market for Qualified Investors, (vi) International Bonds Market, (vii) Committed Transactions Market, and (viii) Watchlist Market.
  • Derivatives Market (“VIOP”): The rules and principles regarding the operation of this market are mainly regulated by the BIST Derivatives Market Directive and the BIST Derivatives Market Operation Implementing Procedures and Principles. BIST Swap Market Operation Implementing Procedures and Principles and BIST Money Market Operation Implementing Procedures and Principles are the other applicable principles. The investors need to open an account with a licensed entity registered as VIOP member in order to trade on this market. 
  • Precious Metals and Diamond Market: There are various regulations applicable to activities within the Precious Metals and Diamond Market, mainly: (i) the Regulation on the Procedures and Principles regarding Precious Metal Trading of Banks, (ii) the Regulation on the Operation Principles of Precious Metals Intermediary Institutions and the Establishment of the Precious Metals Intermediary Institutions, (iii) BIST Precious Metals Market and Precious Metals Lending Market Directive, (iv) BIST Precious Metals and Diamond Market Operation Implementing Procedures and Principles, and (v) BIST Precious Metals Customer Orders and Trade Operation Procedures and Principles. The markets operating under the Precious Metals and Diamond Market are as follows: (i) the Precious Metals Market, which includes the spot trade of standard and non-standard gold, silver, platinum and palladium metals, (ii) the Precious Metal Lending Market, which includes lending and certificate transactions on defined precious metals, and (iii) the Diamond and Precious Stone Market, which includes the trade of diamonds and precious stones.

The types of assets briefly summarised above are subject to different trading requirements, such as order types, trading methods (eg, single price trading method, multiple price trading method or other trading methods, if applicable), market-makers' principles (eg, market-maker eligibility criteria and mandatory market-making requirements), liquidity providing principles, and settlement rules. Despite the different requirements depending on the asset type, the trading transactions on the central regulated platforms should be conducted through licensed entities. Please see listing requirements depending on the asset type below, under 7.4 Listing Standards.

Platforms regarding crypto-currencies are not specifically regulated.

The listing standards and eligibility criteria for equities, debt instruments, lease certificates and structured instruments such as warrants and fund units are regulated under the BIST Listing Directive. These are generally related to the equity capital ratio, profitability, ability to conduct the financial activities, and compliance with the applicable legislation. There are additional standards set forth for the equities, such as requirements for value of the shares, the percentage of public shares and a minimum ratio of shareholder’s equity to the share capital, depending on the market in which the equities will be listed.

Please note that there are no additional requirements for the listing of lease certificates, fund units and structured instruments other than investment firms’ warrants and certificates under the relevant BIST regulation. The approval of CMB is sufficient.

Under Turkish law, investment firms shall (i) carry out their activities based on the framework agreement signed with customers in accordance with best execution rules; (ii) act as a prudent merchant and show appropriate professional care; (iii) effectively use the resources they have for sustaining the performance of their activities; and (iv) provide sufficient information and transparency to customers.

Investment firms are obliged to prepare an order execution policy, and to comply with it. They must have a system to record the customer orders based on the time they are received. Orders recorded as such will then be transmitted to BIST.

If an investment firm transmits the orders to another investment firm dealing on its own account, such firm is obliged to execute the customer orders in priority to the orders made for its own account (or related parties' accounts) with the same price.

Investment firms that accept orders electronically are required to comply with the same rules for priority of orders received electronically as those that apply to orders accepted in written form or verbally. They must disclose and prevent possible differences that might arise between customers transmitting orders electronically and customers transmitting orders by any other means. Such investment firms shall ensure that the data processing infrastructure they use (i) allows customer orders to be prioritised based on the time they are received, (ii) promptly records the date, time, amount, price, leverage ratio and all other information regarding all transactions and information on the price provided to the customers, and (iii) enables the customers to monitor their collaterals, debts and receivables, open positions and profit and loss situations, and to carry out respective risk checks.   

With respect to over-the-counter derivatives transactions, investment firms are required to pay any cash receivables that become payable to customers in full and in cash, within three business days, upon the request of the customer.

With respect to leveraged transactions, investment firms may not allow general customers (and professional customers based on request) to enter into transactions that may lead them to incur loss exceeding the value of their collaterals. However, if an investor suffers a loss above the value of its collaterals due to market conditions, such loss cannot be claimed from the investment firm.

Additional order-handling rules might apply, depending on the specific trading platform.

Furthermore, there are confidentiality obligations in relation to customer orders.

Apart from the provisions that are specific to crowdfunding platforms, it should be noted that other peer-to-peer trading platforms are not regulated under Turkish legislation, so the centralised exchange markets are still the main trading platforms. However, there is expected to be growing interest among Turkish resident investors in the near future.

Under Turkish law, investment firms are required to comply with best practices for the execution of orders or dealing on own account activities. Pursuant to this best execution obligation, investment firms are obliged to execute customer orders in a way that would provide the best results for the customers, considering customer preferences such as price, cost, speed, clearing, settlement, custody and counterparty.

On the other hand, investment firms may refuse orders if there is a provision to do so within the framework agreement, except for the orders that are in compliance with the legislation regarding filling the open positions in derivatives.

With regard to leveraged transactions, if an investment firm changes the order price to the detriment of a customer’s interest before the order is processed, said firm is required to apply such price renewal for all the circumstances in the benefit of the customer as well. In addition, customer approval is required for any changes in price, amount or any other element of the order to the detriment of the customer before the order is processed. However, the investment firm may make any amendments that fall within the price range specified in the offer without the customer’s approval.

Under Turkish law, investment firms have a duty of care and loyalty to their customers for the execution of orders and on account activities. There are a number of provisions regulating the prevention or disclosure of conflicts of interest for investment firms, which must act fairly and honestly by protecting the interests of their customers and the integrity of market, in the course of providing investment services and activities as well as ancillary services. To this end, each investment firm shall establish an organisational structure to prevent any conflict of interest between its customers and itself, its shareholders, employees and managers, or any other persons who are directly or indirectly related to them, or between two or more of its customers, and shall take any required administrative measures.

The investment firm shall create and implement a written conflict of interest policy to ensure compliance with these rules. The conflicts of interest policy shall contain probable events that may contradict with customers’ interests, precautions that can be taken to prevent such events, and procedures to be followed in case of a failure to prevent such conflict of interest.

In order to determine the probable events that may conflict with customers’ interests, the investment firm shall take the minimum criteria in which the investment firm, its shareholders, employees and managers, and other persons directly or indirectly related make a financial profit or avoid a financial loss to the detriment of the customer, derive personal benefit from services and activities provided to the customer although the customer does not have any personal benefit, derive personal benefit from the preference of a customer or a group of customers over another customer or another group of customers, or make a financial profit, other than standard fees and commissions, from a person other than a customer, resulting from activities and services provided to that customer.

The high-frequency and algorithmic trading principles are mainly regulated in Algorithmic Trade in the Equity Market and BISTECH PTRM/Pre-Trade Risk Management Implementing Procedures, BIST Equity Market Operation Implementing Procedures and Principles, and BIST Derivatives Market Operation Implementing Procedures and Principles.

While there are separate instruments governing the implementing procedures and principles of algorithmic order transmission systems in the equity market and in the derivatives market, both regulations are quite similar to each other. These implementing procedures and principles are subject to certain main principles, including that market members who establish algorithmic order transmission systems in their own centre or BIST co-location centres, generate orders through algorithms running on these systems, and transmit these orders to the derivatives market trading system or the equity market trading system must use the BISTECH Pre-Trade Risk Management Application (“PTRM”). PRTM is an application that is used to check and watch any risks that may arise from orders entered into or any trade processed on the BISTECH Trade Platform.

Additionally, it is mandatory for market members to make a written notification to BIST explaining the algorithm software they will use to send orders from their own centre or co-location centres via Algorithmic Order Transmission Systems. Before the market member begins sending orders via the algorithmic order transmission systems, it must submit an undertaking to BIST stating, inter alia, that these systems are tested, their results are predictable, and they will not result in operations that would distort the market.

The market member is responsible for the algorithmic order transmission systems that are used for transmitting their own orders or their customers’ orders. Therefore, they need to have the necessary controls in place, to monitor the risks in real-time, and to take precautions to limit these risks and suspend the order transmission. If a market disruption occurs, BIST is entitled to suspend users from trading, and may partially or completely cease services provided to users/members.

In order to ensure that high-frequency trades can be distinguished from regular customer orders, separate users will be assigned for these trades, upon the application of the market member. A separate user must be defined for each algorithmic order transmission system for the purposes of high frequency trading (“HFT”).

Pursuant to Algorithmic Trade in the Equity Market and BISTECH PTRM/Pre-Trade Risk Management Implementing Procedures and Principles, HFT users are exempt from fees for the cancellation of orders, price worsening and reductions in the amount. Instead, they are required to pay an amount based on the order/trade ratio for excess usage.

All market members that establish algorithmic order transmission systems in their own centres or BIST co-location centres, generate orders through algorithms running on these systems, and transmit these orders on the derivatives market trading system or the equity market trading system are subject to these regulations.

For the purposes of these regulations, algorithmic order transmission systems are defined as systems that generate buy/sell orders by using algorithms that are formed by software, without any human intervention, depending on a rule set that has predefined parameters. Additionally, HFT users are defined as those who have the potential to transmit orders and process trades in large amounts and at high frequency using algorithmic order generation/transmission systems. In order to be considered as a HFT user, the servers that will issue orders on behalf of that user must be placed at the BIST's co-location centre by the market member, and a specific user code must be given to such user by BIST.

Pursuant to the applicable BIST principles, a market-maker is a participant who contributes to market-making and trade realisation by placing two-sided quotes or single-sided buy/sell orders on behalf of its name and account for the capital market instruments it is assigned.

Certain capital markets instruments are subject to market making principles. Warrants and certificates are required to be traded only based on continuous trade with the market making method. Additionally, equities traded on BIST Stars or BIST Main, Group C equities in BIST Emerging Companies, equities of security investment companies with a free-floating market capitalisation less than TRY10 million and exchange investment funds can be traded with the continuous trading method only if market-making activities are carried out.

The following contracts are subject to the market-making programme:

  • Single Stock Options and Futures;
  • BIST30 Index Options;
  • Currency (USD/TRY) Options;
  • Gold (TRY/Gram and USD/Ounce) Futures;
  • Commodity (Anatolian Red Wheat and Durum Wheat) Futures;
  • Base-Load Electricity Futures;
  • Steel Scrap Futures; and
  • Currency (RUB/TRY and CNH/TRY) Futures.

Please see 7.7 Issues Relating to Best Execution of Customer Trades, above.

The same obligations regarding the best execution of trades will be applicable to market members using algorithmic trading for the execution of orders and on account activity.

The only distinction between funds and other participants under the BIST Algorithmic Trade in the Equity Market and BISTECH PTRM/Pre-Trade Risk Management Implementing Procedures and Principles appear in the account verification stage while entering orders into the PTRM application. The account type must be set as F while entering an order on behalf of a fund, M while entering an order for a customer account, and P while entering an order for a portfolio account in the system. In addition, it is mandatory to enter the order intermediary/fund code that is registered with the Istanbul Clearing, Settlement and Custody Bank (“Takasbank”) system when entering an order on behalf of a fund, but this is not applicable to customer or portfolio orders.

Note that, under Turkish legislation, only licensed entities such as intermediary firms and banks can become members of the equity market and the derivatives market, and can execute orders on those markets.

Please see 7.8 Rules of Payment for Order Flow, above.

Although there is no clear prohibition specific to high-frequency and algorithmic trading activities, the above summarised principles should be taken into account while conducting all types of investment activities.

Under the CMB regulations, “general financial information” is defined as written or verbal information on capital market instruments, their issuers and market trends. If financial information is neutral and honest, and does not have the purpose of meeting the needs and demands of a particular person, group or portfolio, providing said financial information is not considered an investment advisory activity that is subject to a licensing requirement. Accordingly, the institutions who engage in activities to provide such financial information other than CMB licensed entities, such as financial research platforms, are exempt from the licence requirement.

In light of the above, if the activities provided by any participant fall within the scope of investment advisory services to meet the needs and demands of a particular person, group or portfolio, such participants are required to obtain the respective CMB licence.

As a general rule, the CMB obliges market actors to provide accurate and objective information; however, it does not set out a mechanism that monitors the accuracy of information before it is publicised. General rules such as market abuse set out certain administrative fines and even criminal punishments for spreading rumours and other unverified information. Article 107 of the Capital Markets Law states that giving false, wrong or deceptive information, spreading rumours, making notices and comments or preparing reports or distributing them in order to affect the prices of capital market instruments, their values or investors' decisions might result in imprisonment from two to five years.

Turkish regulations set out certain principles on the spread of information and the consequences of failure to comply with these principles, but do not monitor the information until an incompliance occurs. That being said, it is believed that the research platform itself, as a private party, may develop its own curation methods for the given purposes.

The financial research platforms fall under the general obligation regulated under the Communiqué on Obligation of Notification Regarding Insider Trading or Manipulation Crimes. If there is a matter implying any information or doubt that a transaction constitutes market manipulation or inside trading, capital market institutions are obliged to notify this situation to the CMB. Based on Article 102 of the Capital Markets Law and the above Communiqué, it is believed that the market actors are not obliged to actively look for such activity, but to inform about an activity that is seen or should have been seen as suspicious.

The process for the underwriting of the Insurance Certificate is regulated in the Turkish Commercial Code (Law No 6102) as well as the Insurance Law (No 5684). Industry participants must comply with the rules of procedure constituted thereby.

Insurance contracts are made according to the basic principles of the Code of Obligation and Insurance Law, and do not require any special form, although courts look for a written Insurance Policy to constitute sufficient proof.

The Insurance Contract consists of an information form (under Regulation No 26684 participants are obliged to inform the customer about the contract of the changes and developments that may arise during the maintenance), a proposal form that will lead to the formation of a contract if it is not rejected within 30 days, the Insurance Policy containing all information about the parties, and the date of issuance, payment and expiry of the policy. Parties may agree on special conditions for each insurance contract, as long as they do not contradict any relevant regulation.

The Undersecretariat of Treasury’s General Directorate of Insurance (Undersecretariate) issues General Conditions for each Branch of Insurance that must be followed when conducting an Insurance Contract.

Next to Insurance Companies, other participants in the Turkish insurance industry are Agencies and Brokers, Experts, and Actuaries, which are subject to the ultimate supervision of the Treasury. Brokers' obligations are set out in the Brokers Regulation – for instance, they are prohibited to engage in any other business. Agencies need to be incorporated as joint stock or limited liability companies and obtain the approval of the Undersecretariat, and shall be registered on the Agency Registry. They too cannot engage in work outside the insurance sector.

Insurance and Reinsurance activities can be conducted by Turkish joint stock companies, co-operative companies or licensed Turkish branches of foreign insurance or reinsurance companies. They must all obtain a licence from the Undersecretariat in order to operate. Share transfers of a certain size, mergers, asset and liability transfers and portfolio transfers are subject to a permit from the Minister presiding over the Undersecretariat.

A real person or entity located in Turkey must insure its local risks through a Turkish insurance-provider. Several exceptions whereby insurance can be provided by foreign insurers are listed in the Insurance Law.

Insurance in Turkey can be categorised as compulsory and non-compulsory insurance or as life and non-life insurance. It could be argued that compulsory insurance is treated differently to non-compulsory insurance. In compulsory insurance, the beneficiary is under the obligation by law to ensure the specific risk in the regulated scope, but may choose its own provider. Compulsory insurance types are as follows:

  • highway motor vehicle third-party financial liability insurance;
  • earthquake insurance;
  • bus seat personal accident insurance;
  • bottled gas liability insurance; and
  • workers' compensation insurance (compulsory for all employees but can only be provided by the state).

There are general conditions issued by the Undersecretariat for each compulsory insurance type. Regulations force providers to form insurance pools to share premiums and damages for some risky types of compulsory insurance, like the highway motor vehicle third-party financial liability insurance pool or the Turkish catastrophe insurance pool for earthquake insurance.

RegTech is not specifically regulated in Turkey.

The provisions of agreements that will be executed between the technology provider and the financial firm are not dictated by regulation or industry custom. Penalty and deadline provisions are commonly used in order to assure the performance of the technology producer and the accuracy of the project.

RegTech providers have no specific duty to act as gatekeepers, and they do not have an affirmative duty.

The Turkish financial services industry has rapidly adapted to new FinTech trends over the course of the last few years. As such, a number of Turkish banks have established working groups and R&D projects focused on FinTech developments, which include applications of blockchain technology in the financial services industry. One of the leading Turkish private banks has already started using blockchain technology for international money transfers through its partnership with the Silicon Valley firm Ripple. The bank in question is currently seeking to expand its network of partnering banks for such transfers.

BKM (interbank card centre) has been experimenting with blockchain with respect to a number of applications – eg, digital ID, smart contracts, distributed ledgers and crypto money. Among other initiatives, BKM’s Blockchain Turkey Platform focuses on R&D and raising public and institutional awareness regarding the potential uses of blockchain technology.

BIST has introduced the first blockchain project to be used in the work-flow between Turkish financial institutions (ie, BIST, Trade Istanbul and Istanbul Central Registry). As part of the project, blockchain technology is used for the storage, alteration and addition of customer data into a synchronised common database.

The Istanbul Settlement and Custody Bank (Takasbank) has recently announced a new gold transfer system based on blockchain technology, which allows the transfer of gold between individuals and banks at high speed. Moreover, one of the leading participating banks has established a venture capital investment fund aimed at exclusively funding FinTech companies.

Lastly, a number of leading Turkish banks are actively investing in R&D around blockchain technology, with a particular focus on money transfers, authentication and customer acquisition procedures, as well as the optimisation of operational processes. 

There are a number of efforts to bring Turkish legislation up to date with the current technological legal framework. However, blockchain as an underlying technology is not regulated under Turkish law and the legal uncertainty created by such lack of regulation gives rise to potential issues around the various uses of blockchain technology. As such, if blockchain is used as an underlying technology for crypto assets, potential implications would arise regarding, inter alia, banking, tax, electronic money and anti-money laundering regulations. Further details regarding the qualification of crypto assets under Turkish law (ie, as currency or asset) are provided under 12.7 Virtual Currencies, below. Moreover, where blockchain is used to store personal information, there may be implications under the Turkish personal data protection legislation. Further details on the data protection issues are provided under 12.8 Impact of Privacy Regulation on Blockchain, below. All in all, blockchain technology is used in Turkey mainly in the banking, insurance and manufacturing sectors. Overall, where blockchain is used in regulated sectors such as banking and insurance, it is safe to say that it would be subject to the regulatory rules that are applicable within that sector.

In addition to the above, blockchain technology is mainly employed in Turkey by banks, as part of the FinTech movement. As such, the customer secret provisions of the Banking Law are also worth mentioning, which prohibit the disclosure of customer secrets to any unauthorised party (also regulated as a crime within the scope of the Turkish Criminal Code). As such, potential issues may arise where blockchain containing customer data is used in banking interactions, and special care must be taken not to allow any unauthorised parties access to the distributed ledger containing customer data. Moreover, pursuant to the Draft E-Banking Regulation of the BRSA, secondary information centres need to be established by banks in Turkey and as backup in case the primary data centre of the bank is compromised. Such backup information may be kept in material servers or cloud systems. Where cloud services are employed to keep such data, the requirement as to this data being kept within the Turkish territory may pose a number of complications. With respect to blockchain, the decentralised nature of the underlying technology is unlikely to comply with these requirements.

Crypto assets based on blockchain are widely classified as investment-type, utility-type, payment-type (eg, bitcoin) and hybrids of these various types. None of these crypto assets have been subject to any regulatory classification in Turkey so far. Within this scope, BRSA announced as early as 2013 that crypto-currencies cannot be considered as electronic money under the Payment Services Law and, as such, are not subject to regulation and scrutiny by BRSA. BRSA also warned the general public against risks that may arise from trading with such assets; the position of BRSA has not been changed since.

In addition to the above, under Turkish law, crowdfunding platforms and IPOs are subject to regulation by the CMB, which recently announced the Draft Crowd Funding Regulation, which requires crowdfunding platforms to apply to the CMB for listing and to comply with the specific requirements set forth by the CMB. Moreover, on 27 September 2018, the CMB announced that it does not regulate or supervise ICOs, and also noted that it does not regulate or supervise most practices in which blockchain technologies are being used, such as crypto-currency offerings and token offerings. As such, while Turkey does not prohibit the trading of blockchain-based crypto-currency through creating crypto-currency wallets and accounts, it is safe to say that any ICO addressing the Turkish market constituting an IPO or crowdfunding is currently restricted.

In conclusion, from a regulatory perspective, there are no obstacles for blockchain assets to qualify as financial instruments subject to crowdfunding and ICOs in Turkey. However, potential investors need to bear in mind the risks created by the current legal uncertainty around this issue. Lastly, note that ICOs have been quoted as a potential project finance instrument by the Turkish Minister of Treasury and Finance as part of the Ministry’s New Economic Programme for the years 2019-2021.

Issuers of blockchain assets are not subject to any regulation in Turkey. It is worth mentioning that blockchain assets do not qualify as electronic money as they do not fulfil the legal requirements to be classified as such (ie, "the monetary value issued against a fund accepted by the issuing institution, stored electronically, used for carrying out the payment transactions defined by this Law, and accepted as a payment instrument by the real and legal entities other than the institutions issuing electronic money"), as set out under the Payment Services Law.

There is no specific regulation regarding blockchain asset trading platforms in Turkey. However, note that Law No 6563 on the Regulation of Electronic Commerce, which regulates the commercial correspondence obligations of service providers and intermediary service-providers (ie, e-commerce platforms), and contracts made via electronic communications tools and other aspects of electronic trade, could potentially apply to blockchain asset-trading platforms.

Funds that invest in blockchain are not regulated under Turkish law. One of the issues open to discussion is whether blockchain assets would qualify as a form of financial derivative. However, the CMB seems to have an opposed stance regarding this issue. As such, it announced in 2017 that crypto assets should not be used in derivative or spot transactions, as they are not subject to any regulation.

As previously explained, Turkish law does not recognise or regulate blockchain assets, including virtual currencies. On the other hand, there follows a compilation of announcements made by various governmental authorities that are applicable to the specific type of blockchain assets that is virtual currency:

  • on 25 November 2013, BRSA announced that crypto-currencies cannot be considered as electronic money in Turkey pursuant to the Payment Services Law – for further details please refer to 12.4 Regulation of 'Issuers' of Blockchain Assets, above; 
  • in its guideline on suspicious transactions, MASAK has listed bitcoin transactions as suspicious transactions, so Turkish banks and insurance companies are required to apply crypto-currency transactions measures, which are applicable to suspicious transactions, such as the know your customer principle and the preparation of a declaration form; and
  • on 27 November 2017, the CMB announced that bitcoin or crypto-currencies shall not be considered as capital market instruments. By a resolution dated 27 September 2018, the CMB announced that it will apply administrative fines to initial coin offerings addressing the Turkish market constituting an IPO or crowdfunding. 

Like the GDPR in the EU, the Data Protection Law provides for the protection of individuals' personal data. Under the Data Protection Law, data subjects have the right to request the deletion, destruction or rectification of their personal data. As such, where blockchain is used as underlying technology to store any kind of personal data, the distributed, decentralised and immutable nature of data stored in blockchain, which are the main sources of blockchain’s appeal, may result in a lack of compliance with the Data Protection Law.

In addition to the above, the Data Protection Law would apply to any personal data being transferred abroad by Turkish individual users. Pursuant to the Data Protection Law, the explicit consent of the data subject is required for any personal data being transferred to secured countries. However, the data protection authority of Turkey has yet to issue a secured country list; until it does so, market practice is to execute a data transfer agreement with the data subject. Having said that, this is not in full compliance with the Data Protection Law. Therefore, it is advisable to wait for the list of secured countries, and obtain explicit consent from the data subject for transfers to such countries. Furthermore, if the platform for data processing is built up within Turkey, the platform should comply with all technical and organisational measurements required as per the Data Protection Law.

As explained above, Turkey’s Payments System Regulation is not aligned with PSD , so open banking is not yet regulated, although there is a new Draft E-Banking Regulation (as explained under 2.1 Predominant Business Models, above), which recognises open banking and paves the way for it.

However, there are impediments to open banking under the current Banking Law that strictly prohibit the processing and sharing of customer information, including sharing information of the customer via application programming interfaces. Furthermore, the Data Protection Law requires the explicit consent of the customer for data transfer, which needs to be catered for by open banking technology.

As indicated above, open banking is not yet available in Turkey. In terms of data privacy and data security, it is expected that the explicit consent of the customer will be required, as regulated under PSD 2 as well.


Orjin Maslak,
Eski Büyükdere Caddesi
No:27 K:11 Maslak 34485
Istanbul, Turkey

+90 (212) 366 4700
Author Business Card

Law and Practice


Paksoy is a leading full-service law firm in Istanbul, Turkey, focused on advising clients in a wide range of legal areas, including cross-border investments, international business transactions, M&A, competition, information and emerging technologies, banking and finance, capital markets, telecommunications, media, data protection and cybersecurity, FinTech, intellectual property, insurance and pensions, investigations, compliance and disputes. Clients include leading investment banks, financial institutions, IT service providers, telecoms companies, healthcare-providers, manufacturers, contractors and private equity investors across Europe, the Middle East, the Gulf and CIS countries, Asia and the United States. Paksoy collaborates with leading international law firms in major jurisdictions, and works with them on cross-border transactions. The FinTech team works under the Information Technologies and Internet Law department of the firm, which comprises seven lawyers.


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.