Over the past 12 months, the Turkish fintech market has continued to expand in various sectors while regulatory authorities, including the Central Bank of the Republic of Türkiye (CBRT), have strengthened supervision of payment and e-money institutions through licensing actions, enhanced oversight practices, and increased minimum capital requirements aimed at improving financial resilience.

After the first regulation in relation to crypto-assets in 2021 that prohibited their use in payments, crypto-assets and crypto-asset service providers were brought into a formal regulatory framework in 2024 through amendments to the Capital Markets Law No. 6362 (CML) and decisions of the Capital Markets Board of Türkiye (CMB). In particular, towards the end of 2024, crypto-asset service providers were classified as financial institutions and became subject to anti-money laundering (AML) and countering the financing of terrorism (CFT) obligations, and in 2025, the CMB issued detailed secondary legislation regulating the licensing, financial, administrative and technical processes of crypto-asset service providers (“CMB Communiqués”).

We expect the next 12 months to be shaped by regulatory compliance costs, increased supervisory intensity and ongoing licensing processes, with new market entrants anticipated in both the crypto-asset and payment services segments. While there is no fintech-specific artificial intelligence regulation in Türkiye, we believe that fintech firms may make use of advanced data analytics and automated tools, primarily in areas related to risk management and compliance.

The main fintech business models currently predominant in the market include:

• payment and e-money institutions;
• open banking;
• digital banking;
• Banking-as-a-Service (“BaaS”); and
• crypto-asset service providers.

These business models are open to new market entrants, and new fintech companies continue to be established and licensed in each of these areas. At the same time, legacy players, including banks and other financial institutions, as well as large e-commerce or technology companies, are adapting to these models by expanding their offerings and by establishing subsidiaries or affiliated entities licensed to operate in these fintech verticals.

In Türkiye, financial markets are governed by highly detailed legislative framework based on laws, secondary legislation and regulatory authority decisions, under which different regulatory regimes apply depending on the relevant business model.

Legacy players are generally subject to different regulatory regimes depending on the nature of their activities:

• Banks are primarily governed by the Banking Law No. 5411 (“Banking Law”) and extensive secondary legislation, and are regulated and supervised through resolutions, and instructions issued by the Banking Regulation and Supervision Agency (BRSA) and the CBRT.
• Other financial institutions, such as financial leasing, factoring and financing companies, are subject to their respective sector-specific legislation and supervision by the BRSA.
• Capital markets institutions, including investment firms, fall within the scope of the CML and related secondary legislation.

The regulatory frameworks applicable to the fintech business models can be summarised as follows:

• Payment and e-money institutions operate under the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions No. 6493 (“Payment Services Law”), alongside applicable secondary legislation.
• Open banking services are regulated under the Regulation on Banks’ Information Systems and Electronic Banking Services.
• Digital banking and BaaS models are regulated under the Regulation on the Operating Principles of Digital Banks and Service Model Banking.
• Crypto-asset service providers are regulated mainly under the CML and the CMB Communiqués, in addition to applicable AML/CFT legislation.

Industry participants may charge customers interest, fees, expenses, commissions or other monetary benefits only if such charges are contractually agreed and duly disclosed to customers, and only to the extent permitted under the applicable regulatory framework and, where relevant, within the limits or principles set by the competent authority, such as the CBRT, which may determine the types and maximum amounts of such charges for banks and payment service or electronic money institutions.

The regulation of fintech industry participants differs from that of legacy players primarily in terms of regulatory scope, licensing, incorporation and operation requirements, and ongoing obligations.

While banks are subject to a comprehensive prudential framework covering the full range of banking activities, fintech participants are generally regulated under activity-specific frameworks. Fintech industry participants are authorised on a limited, service-based basis, with regulatory requirements tailored to the specific activities they are permitted to perform and focused mainly on functional compliance and consumer protection.

There are no official regulatory sandboxes operated by regulatory authorities such as the BRSA or CMB in Türkiye so that new technologies or players could benefit from regulatory exemptions or exceptions. However, the 2022 “State of the Fintech Ecosystem in Türkiye” report, published by the Presidency of the Republic of Türkiye mentions a sandbox regime to be established by the Istanbul Financial Center. Accordingly, Fintech Zone Istanbul was established by the Istanbul Financial Center. It hosts a “Fintech Sandbox” which allows fintech start-ups to test their products in real-world conditions and help them comply with the regulations. It does not provide any regulatory exemptions or no-action reliefs. The establishment of regulatory sandboxes is also addressed in the “Türkiye 2030 Industry and Technology Strategy” report issued by the Republic of Türkiye Ministry of Industry and Technology, indicating potential future regulatory developments.

Turkish fintech jurisdiction is delineated among multiple regulatory authorities based on the type of financial activity:

• BRSA: The BRSA is the competent authority for all banks, including digital banks, open banking structures and BaaS arrangements. Within the scope of the Banking Law, the BRSA regulates the establishment and activities of banks, with a mandate to ensure the effective functioning of the credit system and the protection of depositors’ rights.
• CBRT: The CBRT is responsible for the conduct of monetary and exchange rate policies and for safeguarding financial stability in Türkiye. In addition, under the Payment Services Law, the CBRT has jurisdiction over payment systems, payment service providers and electronic money institutions, including the power to regulate fees, charges, and capital and safeguarding requirements.
• CMB: The CMB regulates capital markets activities, including capital market instruments, public offerings, capital market institutions and exchanges. In the fintech context, the CMB is the competent authority for crypto-assets and crypto-asset service providers, setting the principles governing their establishment, operation and activities.
• Ministry of Treasury and Finance/MASAK: The Ministry of Treasury and Finance exercises cross-sectoral oversight, including in relation to taxation and financial policy. Through the Financial Crimes Investigation Board (MASAK), it regulates and supervises compliance with AML and CFT obligations.

Where regulatory responsibilities overlap, co-ordination between authorities applies in practice. By way of example, banks intending to offer crypto-asset custody services are required to obtain a favourable preliminary opinion from the BRSA, and, where relevant, the licensing of payment and electronic money institutions may similarly involve the BRSA’s input. This approach ensures that fintech participants are overseen by the appropriate authority in line with the nature of their activities, while maintaining co-ordination across intersecting regulatory mandates.

In Türkiye, regulators do not issue “no-action letters”. Regulatory authorities such as the CMB may issue principle decisions clarifying how existing legislation will be interpreted or applied in practice, as well as transaction-specific clearance letters.

In general, industry participants may outsource only non-core and ancillary functions, provided that such outsourcing does not prevent the entity from fulfilling its legal obligations, complying with applicable regulations or being effectively supervised.

For instance, banks may not outsource board-level functions, internal control, credit assessment/decision-making, financial reporting and deposit-taking; payment and e-money institutions may not outsource core payment services or e-money issuance; and crypto-asset service providers may not outsource board-level functions, licensed crypto services and their marketing, accounting, financial reporting, internal audit, internal control or risk management.

Outsourcing does not transfer regulatory responsibility; the regulated entity remains fully liable to its customers. Written agreements are required for outsourced services, and their minimum content is defined by applicable legislation. Moreover, service providers remain subject to the competent authority’s audit and information requests. They must comply with confidentiality and data protection obligations and, where relevant, duly report to the competent regulator in accordance with applicable procedures.

Under Turkish law, there is no formally defined or designated “gatekeeper” concept comparable to the approach taken in the EU. That said, financial entities such as banks, non-bank card issuers, financing and factoring companies, payment and electronic money institutions, and crypto-asset service providers are classified as “obligors” under Turkish AML legislation and are subject to a broad set of obligations such as customer due diligence and know-your-customer (KYC) requirements, transaction monitoring, establishment of internal compliance programmes, record-keeping and suspicious transaction reporting.

Regulatory authorities in Türkiye have broad and robust enforcement powers across the main fintech verticals, exercised within the limits of their respective legislation. For banks and other institutions subject to the supervision and oversight of the BRSA, the BRSA may impose significant administrative fines, order corrective and restrictive measures, revoke licences and pursue criminal sanctions for serious breaches. Payment service providers and electronic money institutions are subject to similar enforcement by the CBRT, including administrative fines, temporary suspension or revocation of licences, and criminal liability for unauthorised activity or obstruction of supervision. Crypto-asset service providers fall within the CMB’s enforcement jurisdiction, and breaches such as the unauthorised provision of crypto-asset services or the misappropriation of client assets may result in severe criminal sanctions, including imprisonment and judicial fines, as well as mandatory compensation of losses and, in certain cases, personal liability of managers extending to personal bankruptcy.

Across all verticals, entities that are defined as “obligors” under AML legislation may be subject to AML-related enforcement by MASAK, including administrative and criminal sanctions, reflecting that each competent authority may take robust enforcement action within the scope of its statutory powers.

For banks, the Regulation on Banks’ Information Systems and Electronic Banking Services governs information systems; for payment and electronic money institutions, the applicable framework is set out in the Communiqué on the Information Systems of Payment and Electronic Money Institutions and the Data Sharing Services of Payment Service Providers; and for capital markets institutions and crypto-asset service providers, the relevant rules are provided under the Communiqué on the Principles Regarding Information Systems Management (VII-128.10). Issues such as information systems governance, cybersecurity and data confidentiality are primarily regulated under these sector-specific regulations. In addition, to the extent relevant, horizontal legislation such as AML legislation, the Law on the Protection of Personal Data No. 6698 (“Personal Data Protection Law”) and the Consumer Protection Law No. 6502 may also apply alongside these rules.

The activities of industry participants are reviewed through mandatory independent audits conducted by audit firms authorised by the Public Oversight, Accounting and Auditing Standards Authority (KGK) and, where required, by licensed valuation and credit rating firms. Mandatory membership of industry associations (such as the Turkish Banks Association (TBB)) introduces additional standard-setting and peer oversight, while the Credit Bureau (operating in conjunction with the TBB Risk Center) reviews and aggregates customer risk data shared by market participants. For crypto-asset platforms in particular, compliance with information systems and technological infrastructure criteria set by the Scientific and Technological Research Council of Türkiye (TÜBİTAK) is required, and technical aspects may be subject to its testing and certification. Additionally, where professional liability insurance is required, insurance companies are also involved in the oversight framework.

Under Turkish law, regulated fintech entities are permitted to carry out only those activities expressly listed in their governing legislation and licence conditions; activities falling outside this scope are not allowed. However, where the applicable legislation expressly allows, a regulated entity may also engage in activities that are not themselves fintech-regulated, such as banks acting as insurance agents alongside their core banking activities.

Fintech companies are classified as “obligors” under Turkish AML legislation, meaning that they must comply with the obligations set out in the AML framework and are subject to the supervision of the competent authority, MASAK. In this capacity, they are required to comply with a broad set of obligations, including customer due diligence and KYC requirements, transaction monitoring, establishment of internal compliance programmes, record-keeping and suspicious transaction reporting.

As a member of the FATF since 1991, Türkiye’s AML and CTF framework is largely aligned with the standards and recommendations of the FATF.

The core legislation, including the Law on the Prevention of Laundering Proceeds of Crime No. 5549 and the related secondary regulations, incorporates the main FATF requirements regarding customer due diligence, beneficial ownership identification, risk-based approach, record-keeping, suspicious transaction reporting and internal compliance programmes. Obligors, including fintech companies, are required to comply with these obligations and implement risk-based AML/CTF measures.

Türkiye is also bound by United Nations Security Council resolutions on targeted financial sanctions and has introduced domestic mechanisms for the implementation of these obligations, in line with FATF Recommendation 6. Although Türkiye does not maintain an autonomous sanctions regime, the legal framework enables the application of UN-based measures and requires obliged entities to screen customers and transactions accordingly.

Overall, the Turkish AML/CTF regime follows FATF standards to a substantial degree, and ongoing legislative and regulatory updates continue to be made to ensure further harmonisation with evolving FATF requirements.

Under Turkish law, regulated products and services may be offered only by duly licensed or otherwise authorised financial institutions. There is no overarching or general reverse solicitation rule or guidance applicable to fintech companies as a whole, and activities of a foreign entity that constitute the provision of regulated services to persons resident in Türkiye, such as payment services, trigger Turkish licensing requirements, with any related marketing or solicitation being prohibited.

That said, the reverse solicitation scenario is generally recognised for certain fintech business models, most notably for investment services provided by foreign financial institutions and services provided by foreign crypto-asset service providers. While such entities are in principle required to be licensed in Türkiye, Turkish legislation allows, on a reverse basis, Turkish residents to receive investment services from foreign financial institutions and crypto-asset services from foreign crypto-asset service providers, provided that no promotion, advertising or marketing activities are directed at persons resident in Türkiye and that the services are obtained solely at the initiative of the Turkish resident. Conversely, where a foreign entity establishes a place of business in Türkiye, operates a Turkish language website or engages, directly or indirectly through intermediaries, in promotional or marketing activities targeting persons resident in Türkiye, the activities are deemed to be directed at Turkish residents and cannot be characterised as reverse-based.       

Although there is no specific legal regime governing robo-advisers, robo-advisers are implemented and mostly used in Turkish practice in relation to investment activities by market participants, such as banks and investment institutions.

Investment advice, financial analysis and general recommendation activities relating to crypto-assets may be carried out in accordance with the conditions set out under the applicable legislation; however, the conduct of portfolio management activities is expressly prohibited.

Legacy players, particularly banks, pension companies and investment institutions, are increasingly implementing robo-advisers, especially in connection with portfolio management services.

In addition, robo-advisers are used to provide analyses of clients’ portfolios and to offer recommendations in the form of weekly or monthly bulletins. Legacy players currently tend to offer these services through their existing platforms rather than via separate robo-adviser platforms.

As there is no separate legal regime governing robo-advisers in general, the applicable legislation relating to investment activities and support services applies to the provision of these services.

In Türkiye, robo-advisers are not subject to a separate best execution regime. Instead, existing compliance expectations are intensified, particularly in relation to algorithm design, order routing, conflicts of interest, ongoing monitoring and client disclosure. Therefore, the responsible party remains the licensed institution, and the institution should comply with the applicable legislation to prevent any execution issues.

Under Turkish legislation, loans can be classified as commercial loans or consumer loans, based on their utilisation purpose. Consumers may be either individuals or legal entities; the decisive factor is the nature and the intended utilisation purpose of the loan. To be classified as a consumer loan, the intended use must not be commercial. In addition, loans denominated in foreign currency are subject to numerous restrictions and must be extended in compliance with the applicable regulatory limitations.

Consumer Loans

Pre-contractual information obligations and the mandatory content of consumer loan agreements are regulated in detail. The legislation differentiates between fixed-term and indefinite-term loan agreements. Provisions such as consumer rights, early repayment, the right of withdrawal, collaterals and events of default are regulated. Interest rates, the number of instalments, collateral ratios and payment terms are subject to regulatory caps. In line with this regulatory framework, market practice includes consumer loan types such as personal loans, vehicle loans and mortgage loans.

Commercial Loans

Most of the provisions of commercial loan contracts may be freely agreed by parties. Certain matters, such as the fees that banks may charge, are regulated.

Small and medium-sized enterprises (SMEs), as well as certain sectors, may benefit from various state incentives, including interest support, provided that the relevant regulatory conditions are met. Loan interest support mechanisms for SMEs are regulated by the SME Loan Interest Support Regulation issued by the SMEs Development and Support Administration (KOSGEB) and further secondary legislation. Consistent with these regulations, loan offers tailored specifically for SMEs are commonly encountered in practice.

In addition to commercial and consumer loans, the Financial Leasing, Factoring, Financing and Savings Financing Companies Law No. 6361 establishes a separate regulatory framework governing alternative financing methods, including financing company transactions and financial leasing arrangements.

Regulatory Framework

Turkish banking regulations impose strict requirements on underwriting processes. Banks must measure lending risks, regularly analyse counterparty financial strength, obtain necessary information and documents, and establish governing principles. Loans exceeding TRY5 million require account statement documents, while larger loans above BRSA-determined thresholds require audited financial reports and independent audit reports. Certain loans require credit ratings from authorised institutions. Systemically important banks must prepare sectoral and financial analysis reports for concentrated credit risk sectors and maintain them for regulatory review. Banks also face strict AML, KYC and digital onboarding requirements under separate regulations.

Loan Approval Authority

Loan approval authority fundamentally rests with the bank’s board of directors (BoD), which must establish loan approval policies and ensure their effective implementation, monitoring and enforcement. The BoD may delegate its approval authority to the loan committee or general management. All loan approvals require a written proposal from general management. Proposals must include the applicant’s financial analyses and intelligence reports.

The recognised sources of funding for loans can be summarised as follows:

• Deposits: Scope of deposits, deposit banks and licensing requirements are subject to strict regulatory requirements and supervision of the BRSA. No individuals or legal entities other than credit institutions and those authorised under special laws may accept deposits. Institutions are obliged to insure deposits and participation funds they hold with the Savings Deposit Insurance Fund.
• Participation funds (Islamic finance): Participation accounts are accounts formed from funds deposited with participation banks, whereby the account holder participates in the profit or loss arising from the use of such funds. No predetermined return is paid to the account holder, and repayment of the principal is not guaranteed. Participation banks and participation funds are also subject to strict regulation and supervision of the BRSA.
• Peer-to-peer funding: Peer-to-peer funding may be carried out through crowdfunding. Crowdfunding activities are regulated under the CML. Banks meeting the relevant conditions may operate as crowdfunding platforms. In debt-based crowdfunding, interest and similar returns on the debt instruments are determined by the entrepreneur. No crowdfunding activity may be conducted through agreements giving rise to a debtor–creditor relationship (eg, loans), other than the sale of debt instruments, nor in exchange for any capital markets instruments other than the debt instruments offered for sale.
• Lending: In Türkye, various lending structures are utilised, including syndicated loans, bilateral loans and regulatory capital instruments (Tier 1 and Tier 2). Tier 1 and Tier 2 capital instruments are subject to specific regulatory requirements governing subordination, early redemption options, dividend and interest payments, and circumstances requiring prior BRSA approval.
• Capital markets instruments (bonds, securitisations and other debt offerings): These instruments are mainly regulated under the secondary legislation of the CMB. They are subject to the supervision of both the CMB and the BRSA and, where they qualify as regulatory capital, must comply with the relevant BRSA regulations.

Syndicated loans are utilised in market practice and are not subject to a specific regulatory framework; accordingly, the general loan relationship regime applies. Such loans are typically governed by foreign law, most notably English law, although the borrower is a Turkish entity. However, the creation and enforcement of security over assets located in Türkiye are generally subject to Turkish law. Syndicated loans are excluded from liquidity adequacy calculations if evidence of rollover at maturity is submitted to the BRSA at least 45 days prior to maturity.

Under Turkish legislation, payment processors may create or implement new payment rails only to the extent that the conditions set out under the Payment Services Law and applicable secondary legislation are duly satisfied. In order to create or implement a new payment rail, the relevant institution must qualify as a “system operator” and obtain an operation licence from the CBRT.

Any payment rail other than the one(s) covered by the operation licence, as well as any structural change to an existing rail, requires prior CBRT approval. System operators may carry out activities outside the scope of system operation only if such activities are approved by the CBRT and expressly included within the scope of the operating licence.

Payment transactions and remittances are classified as “payment services” under Turkish law and may therefore only be provided by payment and electronic money institutions licensed by the CBRT. Such services are regulated under the Payment Services Law and the related secondary regulations, as well as AML legislation.

In addition, Turkish payment institutions may co-operate with foreign payment or electronic money institutions that are duly authorised in their home jurisdictions and have also obtained the required approval from the CBRT to engage in such co-operation. Such co-operation is limited to cross-border payment services where at least one of the payer or the payee is located abroad, and the foreign entity may not present itself as independently providing payment services to customers in Türkiye.

The sole trading platform for conventional capital market instruments in Türkiye is Borsa İstanbul (Istanbul Stock Exchange, BIST), which is a joint‑stock company established under the CML and, in addition to capital markets legislation, is subject to BIST‑specific secondary legislation. BIST operates several markets and sub‑markets, including:

• Equity Market, with sub‑markets such as BIST Stars, BIST Main, BIST SubMarket, Watchlist, Structured Products and Fund Market, Venture Capital Market, Commodity Market and Pre-Market Trading Platform;
• Debt Securities Market, with sub‑markets such as Outright Purchases and Sales Market, Offering Market for Qualified Investors, Repo-Reverse Repo Market, Repo Market for Specified Securities, Equity Repo Market and International Bonds Market;
• Derivatives Market (VIOP); and
• Precious Metals and Diamond Markets.

All of these markets are subject to listing, trading, clearing and settlement requirements under the rules of the CMB and BIST regulations, and all instruments must be cleared and settled through the authorised central systems.

Crypto-assets are not traded on a centralised exchange like BIST, but may be traded on authorised platforms according to their own listing procedures.

The current scope of crypto-asset regulations does not categorise crypto-assets into classes (eg, stablecoins) subject to separate regulations.

Following the Regulation on the Non-Use of Crypto-Assets in Payments issued by the CBRT in 2021, a comprehensive regulatory framework for crypto-assets was introduced for the first time on 2 July 2024 through amendments to the CML and has since been further developed by CMB Communiqués and principle decisions.

These secondary regulations cover a wide range of issues, including the establishment, operation and supervision of crypto-asset platforms, and impose obligations such as obtaining licences and authorisations from the CMB. The implementation of licensing and compliance requirements is still ongoing.

For conventional capital market instruments such as equities and debt instruments, BIST operates as the relevant exchange and is subject not only to capital markets legislation but also to its own listing directives, rules and requirements.

By contrast, for crypto-asset platforms, the regulatory framework requires platforms to establish a listing committee and to adopt listing procedures setting out the principles for determining which crypto-assets may be listed for trading and the conditions under which trading may be suspended or terminated. In addition, CMB Communiqués set out the general principles applicable to crypto-assets that may be listed and expressly identify certain types of crypto-assets that may not be listed.

For transactions executed on BIST, the exchange operates under its own order handling and trading rules, while investment firms transmit and execute client orders pursuant to the Communiqué on the Principles Regarding Investment Services, Activities and Ancillary Services. This framework sets out the principles and obligations applicable to order transmission and execution, including the requirement for investment firms to implement an order execution policy and to act in accordance with such policy when handling client orders.

In parallel, crypto-asset platforms are required to (i) implement an order execution policy and (ii) execute client orders in a manner that delivers the best possible outcome for the client, taking into account factors such as price, costs, speed, likelihood of execution and settlement, order size, custody and similar considerations. The content and minimum requirements of crypto-asset platforms’ order execution policies, as well as their trading principles, are expressly regulated under the applicable legislation.

There is no clear distinction under the CML between different trading regimes, such as centralised platforms and decentralised exchanges (DEXs), which in practice operate as peer-to-peer (P2P) marketplaces. Except for crowdfunding, which may be regarded as a form of P2P activity, conventional capital market instruments are, as a principle, required to be traded on centralised stock exchange rather than on a P2P basis.

With respect to crypto-assets, the CMB Communiqués expressly qualify activities involving the operation of P2P digital marketplaces that enable the direct buying, selling or exchange of crypto-assets between users as “platform activities”. In the operation of such P2P digital marketplaces, the customer due diligence and KYC requirements and limitations set out under the regulations with regard to the platforms must be complied with.

Furthermore, pursuant to the CMB resolution dated 19 September 2024, in P2P digital marketplaces that allow transactions to be made directly between users, carrying out transactions on their own behalf but on the account of another person as a regular occupation, commercial or professional activity is considered to be unauthorised crypto-asset service provider activity.

Payment for order flow is not a concept that is expressly regulated. The fundamental principles are transparency and the obligation of investment firms to execute client orders in the best possible manner.

Within this framework, investment firms are required to execute orders in a way that achieves the best possible result for the client, in accordance with their order execution policy, by taking into account factors such as price, costs, speed, settlement, custody, counterparty and similar considerations when performing brokerage and trading activities.

Where the client provides a specific instruction to transmit the order to a particular institution or market, the investment firm shall be deemed to have fulfilled its obligation to execute the order in the best possible manner.

In addition, in the context of individual portfolio management, if the portfolio manager receives, for its own benefit, any commission, discount or similar advantage from an issuer or an investment firm in connection with a purchase or sale transaction executed for the portfolio, this must be disclosed to the client prior to the provision of the service.

As per the CML, exchanges are required to establish the necessary surveillance systems within their organisations in order to ensure that transactions are carried out in a reliable, transparent, efficient, stable, fair, honest and competitive manner, and to detect transactions conducted in violation of the CML. Exchanges may also take all necessary preventive measures in this regard.

Under the CML, acts such as insider trading (misuse of information), market manipulation, breach of trust, forgery, unauthorised crypto-asset service provider activities, and embezzlement by crypto-asset service providers are classified as crimes and are subject to sanctions including imprisonment and judicial fines.

Regulatory Framework

In Türkiye, the creation and use of algorithmic and high-frequency trading (HFT) technologies are regulated primarily through market-specific rules issued by BIST, supported by the CML and secondary legislation. The principal BIST regulations governing these technologies include:

• Algorithmic Transactions in Equity Market and BISTECH Pre-Trade Risk Management Procedure (“BISTECH PTRM”);
• Equity Market Procedure; and
• Futures and Options Market Procedure.

BIST imposes requirements on all market members using algorithmic trading systems, including the obligation to register their systems and to provide detailed information on matters such as software ownership, server location, communication protocols (FIX/OUCH) and testing results. Algorithmic and HFT activity is permitted only through licensed BIST members, which bear responsibility for monitoring and controlling their algorithms, with obligations to immediately halt order transmission in the event of malfunction or risk. All market members utilising algorithmic trading systems to generate and transmit orders must utilise the specific BISTECH PTRM application.

The BISTECH PTRM framework imposes limits on maximum order size, price tolerance, order speed (orders per second), repeated orders and instrument-specific risk parameters. Exceeding these limits triggers automatic blocking of the relevant risk group until the issue is resolved.

HFT Users

The servers generating orders on behalf of HFT users must be deployed by the market member at the BIST co-location centre, and BIST must have assigned a distinctive user code. While HFT users are exempt from standard order cancellation fees, they are subject to Order-to-Trade Ratio (OTR) fees. When the ratio of submitted orders to executed trades exceeds thresholds (eg, 5:1 or 15:1), fixed fees apply per excess order, calculated daily and invoiced monthly.

Asset Class Differences

With respect to algorithmic trading and HFT, no distinction is made among asset classes in terms of a separate or specific regime applicable to such activities. However, each asset class is governed by its own general regulatory framework, and algorithmic traders and HFT players are required to comply with the requirements applicable to the relevant asset class.

When acting in a principal capacity, algorithmic or HFT players are not automatically required to be licensed or registered as a market maker. Market making is a separate, optional status subject to a distinct regulatory regime.

The regulations apply uniformly to all market members that engage in such activities, regardless of whether they are acting as dealers or funds. Nevertheless, due to the differences in their legal status, certain distinctions emerge with respect to the allocation of legal responsibility arising from these activities.

Dealers

Dealers may receive client orders, trade on their own account and have direct market access. Dealers engaging in algorithmic trading or HFT operate as BIST members, and are directly subject to exchange rules, pre-trade risk management and OTR requirements, and member-level obligations.

Funds

Funds conduct transactions within the scope of portfolio management activities, acting on behalf of investors, and they do not accept client orders. Unlike dealers, funds do not access the market directly as market participants. Algorithmic trading or HFT activities implemented at the fund level are executed through licensed dealers acting as intermediaries.

In Türkiye, programmers who develop and create trading algorithms and other electronic trading tools are not directly regulated. Responsibility for the legal compliance of such algorithms rests with the market member that uses and provides them.

Under the respective legislation, market members are directly and non-transferably responsible for the algorithmic trading systems. Market members must provide written information to BIST about the software and must provide a written undertaking that these systems have been tested, that their results are predictable and that they will not cause transactions that would disrupt the market.

Insurtech

In the insurtech context, underwriting processes may involve digital onboarding, automated risk assessment, AI-based analytics and alternative data sources. Although insurtech is not specifically regulated under Turkish legislation, insurers remain responsible for underwriting outcomes and must ensure compliance with applicable regulations.

Since insurtech services may be qualified as support services, respective insurers are required to ensure that such services comply with the relevant regulatory framework.

Regulatory Framework of Underwriting

In general, insurers retain discretion over the commercial design and execution of underwriting processes. However, the overall framework is significantly influenced by regulations. General requirements imposed on insurers include the following:

• documenting and monitoring underwriting policies and procedures;
• ensuring pricing adequacy and technical reserves;
• applying actuarial and risk management principles; and
• establishing, operating and maintaining adequate and effective internal systems to monitor and control risks.

Underwriting activities are supervised by Insurance and Private Pension Regulation and Supervision Authority, which has the authority to review and regulate underwriting practices, pricing methodologies and internal control systems.

As insurtech is not explicitly regulated under the applicable legislation, there is no distinct regulatory treatment applicable solely to insurtech activities. However, under general underwriting practices, different types of insurance are treated differently by both industry participants and regulators. Accordingly, insurtech services must also be structured and operated in compliance with these existing regulatory distinctions.

Regtech is not currently regulated as a standalone category in Türkiye. Nevertheless, depending on the nature of the services provided, sector-specific regulatory frameworks – such as those applicable to banking or capital markets – may apply. For example, services obtained by banks or payment institutions from third parties that qualify as support services are regulated in detail under the applicable legislation. Since regtech services may be qualified as support services, respective financial institutions are required to ensure that such services comply with the relevant regulatory framework. Regtech solutions are generally used in Türkiye to support compliance with MASAK, BRSA and CBRT regulations by providing services such as AML, KYC and fraud detection systems.

Banks

Services provided by regtech technology providers fall within the scope of banks’ support services. The applicable legislation regarding support services regulates agreements executed with such service providers.

The key provisions that must be included in agreements may be outlined as follows:

• scope of services;
• BRSA supervision;
• bank audit rights;
• confidentiality and data protection;
• information security;
• termination, continuity and transition;
• sub-outsourcing;
• on-site inspection; and
• termination related to BRSA and other regulatory decisions.

Other Financial Institutions

The regulatory requirements for banks do not apply to other financial institutions. However, other financial entities are subject to their own sector-specific frameworks (eg, capital markets institutions and crypto platforms under CMB rules, payment and e-money institutions under CBRT rules, and insurance entities under Insurance and Private Pension Regulation and Supervision Authority rules) governing outsourcing and third-party service arrangements, which are based on similar principles such as retained regulatory responsibility, audit and access rights, data protection and business continuity. Consequently, agreements executed with third-party regtech providers must comply with such requirements.

In Türkiye, traditional players are increasingly willing to implement blockchain solutions and generally approach blockchain for (i) payment and monetary infrastructure, (ii) asset transfer and settlement, and (iii) identity/data verification and interoperability purposes.

Several blockchain-implemented projects of traditional players are listed below:

• Takasbank BiGA Gold project: Takasbank, which is Türkiye’s central market institution providing services such as clearing, settlement and custody for capital markets and payment systems, has launched the BiGA Gold project. It is a blockchain-based platform operated by Takasbank that enables the issuance and transfer of physically backed digital gold via blockchain technology. It enables secure, traceable and near–real-time 24/7 gold transfers, with each digital unit fully backed by physical gold held in custody.
• CBRT Digital Turkish Lira project: The CBRT is running the Digital Turkish Lira project, shaping how banks may eventually connect to a state-backed digital money/payment rail. According to the Phase II Evaluation Report published by the CBRT, the Digital Turkish Lira project has progressed from initial concept to a more mature prototype, with advancements in programmable payments, offline payments, interoperability, and integration with financial intermediaries, and subject to the completion of Phase II and a policy decision on circulation, the project may proceed to Phase III, which would involve legal arrangements and potential issuance.
• BIST blockchain-based KYC project: BIST launched a blockchain project to use a customer database based on distributed ledger technology (DLT). Under this project, the addition of new customers, updating customer information and document management are all handled through a blockchain network shared among BIST, Takasbank and the Central Registry Agency (MKK), ensuring synchronised information flow and reducing errors in data entry.
• Despite their traditional operational frameworks, Turkish banks are embracing blockchain technology. Türkiye İş Bankası A.Ş. issued Turkey’s first digital Eurobond using DLT via Euroclear’s platform, achieving same-day settlement, and has piloted blockchain-based trade finance solutions through the Marco Polo platform.

Regulators in Türkiye have not yet issued a single “blockchain law” or similar regulations.

Significant legal reforms concerning crypto-assets and crypto-asset service providers were introduced in 2024 and 2025. However, gaps remain in areas such as stable crypto-assets and decentralised finance (DeFi).

Under Turkish law, blockchain assets are not regulated as a separate category of financial instruments. The legislative rationale of the CML states that the purpose of the law is not to regulate blockchain technology itself, but rather to regulate the trading activities of crypto-assets based on this technology carried out through platforms.

The regulatory authority granted to the CMB covers only crypto-assets that provide rights specific to capital market instruments.

Although it is accepted that crypto-assets may provide rights similar to capital market instruments, crypto-assets are not considered capital market instruments under the CML. The issuance of capital market instruments in the form of crypto-assets is not currently regulated and will not be until specific regulations are introduced in this respect. Accordingly, there is currently no issuer-specific regulation for these assets, including crypto-assets, under Turkish law.

Only crypto-asset platforms are regulated under Turkish law. Accordingly, a platform is defined as an entity through which one or more of the following activities are carried out: the buying and selling of crypto-assets; their initial sale or distribution, exchange or transfer; the custody services required for such activities; and any other activities that may be determined.

A crypto-asset service provider is defined more broadly to include platforms, entities providing crypto-asset custody services, and other entities that may be designated under further regulations to provide services in relation to crypto-assets, including the initial sale or distribution of crypto-assets.

Pursuant to the CMB Communiqués, upon the request of clients and within the scope of the framework agreement to be executed with clients, platforms may carry out transactions whereby crypto-assets belonging to the distributed ledger network are locked due to the structure of the network and returned in kind at maturity. Except for such transactions, no written or verbal commitment may be made that crypto-assets will generate a specific return.

Crypto-assets listed on platforms may not be subject to margin trading, short selling or lending transactions.

Crypto-assets listed on platforms may not be traded on a leveraged basis and may not be used as the underlying of derivative instruments or derivative contracts.

In Türkiye, there is no DeFi-specific definition or regulatory framework under the current legislation. Crypto-related activities are instead regulated through the concepts of “platforms” and “crypto-asset service providers”. As a general rule, crypto-asset trading must be carried out by licensed entities.

In Türkiye, capital markets funds may only invest in assets permitted by the CMB. Assets in which each fund may invest are regulated through the CMB’s secondary legislation. Currently, no fund type is explicitly permitted to invest directly in blockchain or crypto-assets. However, funds investing in blockchain technology development companies are encountered in practice.

Under the Payment Services Law, electronic money is defined as “a monetary value issued in return for funds accepted by the electronic money issuer, stored electronically, used to carry out payment transactions defined in the legislation, and accepted as a means of payment by natural and legal persons other than the electronic money issuer”. Banks and electronic money institutions that have obtained the necessary authorisations from the CBRT issue electronic money up to the amount of funds received and convert the funds deposited by the electronic money user into electronic money and make it available for use.

Pursuant to the Regulation on the Non-Use of Crypto-Assets in Payments issued by the CBRT in 2021, crypto-assets cannot be used, either directly or indirectly, as a means of payment by individuals or entities operating in Türkiye. Moreover, payment service providers and electronic money institutions are prohibited from developing or offering business models that involve the direct or indirect use of crypto-assets in the provision of payment services or issuance of electronic money, and cannot act as intermediaries for funds transferred to or from platforms offering crypto-asset trading, custody, transfer or issuance services.

Pursuant to the CMB’s resolution dated 19 September 2024, non-fungible tokens (NFTs) are defined as crypto-assets that are non-fungible and unique in nature, used to record the representation and ownership of digital assets, and such assets, as well as crypto-assets used solely for the purpose of creating or obtaining certain elements in virtual games, fall outside the listing principles under the CML.

Subsequently, under the CMB Communiqués issued thereafter, the activities of entities whose business is to carry out buying, selling, initial sale or distribution, exchange, transfer and custody of such assets are not considered as platform activities. Where platforms provide services in relation to these assets, they must be traded in a separate market distinct from the assets listed in accordance with the CML, and appropriate disclosure must be provided to investors at the point where orders are received, with confirmation that such disclosure has been read and understood prior to order submission.

The current scope of crypto-asset regulations focuses on “crypto-assets that grant rights specific to capital markets instruments” in general, and it is not divided into distinct subcategories. Accordingly, stablecoins are not subject to separate regulations.

Open banking services are explicitly defined under the applicable legislation as electronic distribution channels where customers or parties acting on behalf of customers can remotely access financial services offered by banks through methods such as application programming interfaces (APIs), web services or file transfer protocols to conduct banking transactions or give instructions to the bank.

Although Türkiye has not directly implemented the European Union’s Payment Services Directive (PSD2), PSD2 has significantly influenced the development of open banking regulations in Türkiye, particularly through the amendments introduced to the Payment Services Law in 2019.

In response to data privacy and security concerns, Turkish banks and technology providers are adopting robust technical and organisational measures, including encryption, secure API frameworks and multi-factor authentication protocols, while working within the existing Personal Data Protection Law framework.

The Personal Data Protection Authority’s 2022 Banking Sector Good Practices Guide notes that both banks and service providers may qualify as data controllers, requiring case-by-case compliance with the Personal Data Protection Law. Regarding customer secrets, disclosure relies on customer request or instruction. Service banking transfers to interface providers are exempt from this requirement.

Fraud, in general, is regulated under the Turkish Criminal Code No. 5237. From a capital markets perspective, in addition to offences such as breach of trust, forgery and embezzlement, market fraud (ie, manipulation) is specifically regulated. Market manipulation is defined as carrying out purchase or sale transactions, placing, cancelling or amending orders, or conducting account movements with the aim of creating a false or misleading impression regarding the prices, price movements, supply or demand of capital market instruments. The sanctions include imprisonment and judicial fines.

Under the Turkish Criminal Code No. 5237, fraud committed through the use of information systems, or by using banks or credit institutions as a tool, as well as fraud committed with the aim of procuring the granting of a loan that should not be allocated by a bank or other credit institution, by impersonating an employee of a bank, insurance company or credit institution, or by claiming to be affiliated with such institutions, or by persons who are traders or company directors, or who act on behalf of a company, in the course of their commercial activities qualifies as aggravated fraud. Actions such as intermediary institutions trading an investor’s assets without the investor’s consent or using such assets for their own benefit constitute the qualified form of the offence of abuse of trust and, similar to fraud, are punishable by imprisonment and judicial fines.

Under Turkish law, sanctions in relation to fraud offences are generally criminal in nature and are primarily directed at the perpetrators of the relevant acts; responsibility for customer losses is not comprehensively regulated on an offence-by-offence basis. Accordingly, the responsibility of fintech service providers for losses is governed by general provisions, and there are cases where customers bring claims mainly against banks (given that other fintech service providers are relatively new and established precedent is limited). In such cases, courts assess whether the bank has complied with its duties and the heightened standard of care expected from it as a trust-based financial institution (including the adequacy of security measures, authentication mechanisms and suspicious transaction monitoring). Depending on this assessment, courts may attribute a certain degree of fault to the financial institution and order compensation of losses accordingly.

With respect to crypto-assets, the CML explicitly states that disputes arising from transactions carried out on such platforms are subject to general legal principles, that the fact that platforms are licensed by the CMB does not mean that such transactions are backed by a public guarantee, and that crypto-assets are not subject to investor compensation schemes.