Navigating the New Crypto Landscape: Establishment and Operating Conditions for Service Providers Published

Recent Developments

The Communiqué on the Principles Regarding the Establishment and Operating Conditions for Crypto Asset Service Providers numbered III-35/B.1 (the “Communiqué“) is published in the Official Gazette dated 13 March 2025 and numbered 32840. The Communiqué, which is in many respects similar to the regulations of the Capital Markets Board (the “CMB“) on brokerage firms, introduces critical regulations on several matters such as the establishment and operating license processes for crypto asset service providers (the “CASPs”), personnel requirements, principles to be followed during operations, share transfers, subsidiaries and participation limits, outsourcing regimes, internal controls, internal audit and risk management processes, information system audits and activities that cannot be performed by CASPs.

Establishment and Operating License of CASPs

Under the Communiqué, CASPs must meet the following conditions for establishment:

1. They must be a joint-stock company (anonim şirket).
2. Their shares must be in registered form (nama yazılı pay).
3. Their share capital must be paid in cash.
4. Their share capital must not be less than the amount determined by the CMB.
5. Their share capital must be fully paid in cash and their shareholders’ equity must not be less than this amount,
6. Their articles of association must comply with the applicable laws, and their field of activity must be exclusively limited to performing the activities for which they are authorized.
7. The founders must meet the conditions specified in the law.
8. Their shareholding structure must be transparent.

Platforms and custody institutions must include the phrase “crypto asset trading platform” or “crypto asset custody institution” in their trade name.

These conditions will not apply to banks that will provide custody services. However, the preliminary approval of the Banking Regulatory and Supervisory Authority (the “BRSA“) will be required for banks’ applications to provide custody services.  In addition, banks’ provision of crypto asset custody services will be subject to the BRSA’s approval for expansion of operations.

CASPs that obtain establishment licenses from the CMB will need to reapply to the CMB for an operating license within the following six months and meet the following requirements during the application process:

1. The CASPs must continue to meet the conditions for establishment
2. The minimum share capital for the establishment has been paid in cash and in full.
3. The capital adequacy obligations stipulated in the CMB’s regulations have been met.
4. An organizational structure has been established within the company.
5. The requirements for the personnel to be employed have been met.
6. The requirements for general managers and assistant general managers have been met.
7. Security infrastructure has been established and its functionality is ensured.
8. Units, systems and functions for internal audit, control and risk management have been established.
9. The technical and system integration tests with Merkezi Kayıt Kuruluşu A.Ş. (the Turkish Central Securities Depository) have been completed.
10. Infrastructure for the custody of private keys has been established, its security is ensured and integration with the distributed ledger network is completed.

The Communiqué also stipulates several special requirements to be met by platforms and custody institutions in addition to the above requirements.

In this respect, CASPs must establish a written policy to ensure compliance with the Communiqué’s regulations on conflicts of interest. This policy will be published on the CASPs’ websites upon a board of directors’ resolution.

Requirements for the Board of Directors, General Manager and Other Personnel

The Communiqué stipulates certain requirements for CASPs’ board members, general manager, assistant general managers and other personnel.

In this respect, CASPs’ board of directors must consist of at least three members, and the majority of the board members must have a four-year bachelor’s degree. However, this requirement will not apply to banks providing crypto asset custody services.

The general manager and assistant general managers must have at least seven years of professional experience in the field of financial markets, information processing, information technologies or financial technologies. They must also have the integrity and reputation required for the work. The general manager will be employed exclusively for the general manager position, resident in Türkiye and appointed full-time.  Appointment of general managers and assistant general managers will be subject to the CMB’s approval. The conditions regarding general managers and assistant general managers in the Communiqué will not apply to banks that provide custody services.

In addition, directors and personnel must have at least a four-year bachelor’s degree, unless otherwise required. However, for operation personnel who are not responsible for the reconciliation process and information technology operation personnel in charge of system management, software development, testing/quality control, database management and related support services, a two-year degree received from the relevant schools will be sufficient. The principles regarding personnel in the CMB’s regulations on investment institutions will also apply to CASPs’ personnel.

Principles and Rules Regarding Operations

CASPs must comply with the general principles and rules stipulated in the provisions of the regulations on investment institutions referred to in the Communiqué.

Further, platforms will be obliged to disclose the general and specific risks related to crypto assets to their clients within the scope of the services they are authorized to provide.

Platforms must sign a framework agreement with their clients before executing transactions with them. The minimum content of the framework agreement is set out in the Communiqué. The relevant provisions of the CMB’s Communiqué on Remote Identification Methods to be Used by Brokerage Firms and Asset Management Companies and the Establishment of the Contractual Relationship in the Electronic Environment numbered III-42.1 will apply to the remote identification of the client prior to signing the framework agreement and the establishment of the contractual relationship in the electronic environment.

CASPs’ Public Disclosure Platform pages and websites must contain the minimum content set out in the Communiqué, together with the authorized services and introductory information about the company.

As a rule, all client orders must be received through the platforms’ own websites, mobile applications or the platform’s operations personnel via the platforms’ registered phones. Accordingly, client orders cannot be received through other social media channels.

Moreover, CAPSs must comply with the regulations in the Communiqué in all kinds of written announcements, publications, promotions and notices regarding their activities.

Further, the CMB’s approval will be required for amendments to CASPs’ articles of association.

Share Transfer Obligations

Certain transactions that may significantly affect CASP’s shareholding and management structure directly or indirectly will be subject to the CMB’s prior approval, such as share transfers that will directly or indirectly result in exceeding or falling below the shareholding ratios set forth in the Communiqué, or the transfer of privileged shares that give the right to be represented in the CASP’s board of directors or usufruct shares regardless of any ratio. Transfers made in violation of this requirement will be deemed invalid.

In the case of share transfers that do not reach or fall between the relevant ratios set forth in the Communiqué, the CMB must be notified within ten business days following the transfer.

The share transfer obligations in the Communiqué will not apply to changes in the shareholding structure of banks that will provide custody services, but the CMB must be notified of these changes within ten business days. Likewise, for an indirect change in the shareholding structure of a CASP that is a subsidiary of a bank, as a result of transferring the bank’s shares, the CMB must be notified within ten business days once the BRSA approves the relevant transaction.

Subsidiaries and Participation Limits

The Communiqué brings significant restrictions for the companies that CASPs may participate in, except for banks that will provide custody services. Accordingly, crypto asset service providers will be able to invest in capital market institutions, stock exchanges, precious metal brokerage houses, insurance, private pensions, financial leasing, factoring, financing, saving financing and nonperforming loan management companies and other financial institutions deemed appropriate by the CMB, without any limits. The total investments, as set out in the Communiqué, in companies other than these companies cannot exceed 25% of the shareholders’ equity.

Moreover, CASPs will not be able to invest, as set out in the Communiqué, in companies that have more than 10% of their paid-in capital and companies in which their executives individually or jointly own more than 25% of the share capital.

Outsourcing Regime

Pursuant to the Communiqué, CASPs can outsource services when performing the activities they are authorized to provide, within the framework of an agreement whose minimum content is set out in the Communiqué and the principles set out in the Communiqué. However, the following activities cannot be subject to outsourcing:

1. Activities to be performed exclusively by the CASP’s board of directors.
2. Performance of services and activities that require licensing from the CMB and the marketing of these services.
3. Accounting of the CASPs’ transactions and preparation of financial reports.
4. Activities within the scope of the internal audit, internal control and risk management systems.

Unlike the CMB’s legal regime applicable to brokerage firms and asset management companies, CASPs are not obliged to obtain permission from the CMB for or notify the CMB of outsourced services.

In addition, consultancy, training, advertising, security, catering, transportation, cleaning, attorney services, legal consultancy, market data services, postal and courier services, procurement, maintenance, repair and update services of all kinds of technical equipment, fixtures, software or hardware required for the institution’s daily operation, archive services provided that the confidentiality of customer information is protected, and other similar services will not be accepted as outsourcing services within the scope of the Communiqué, similar to the regulations on brokerage firms.

Internal Audit, Internal Control and Risk Management

CASPs must establish internal audit, internal control and risk management units that are compatible with the scope and structure of their activities and that have the quality, competence and effectiveness to respond to changing conditions. CASPs must also establish workflow procedures that include the minimum content specified in the Communiqué and a recovery plan against actions and risks that may result in losing crypto assets.

In this regard, CASPs must carry out audits on compliance with the legislation and workflow procedures at least once a year.

In addition, the board of directors must designate one of its nonexecutive members as responsible for internal control. The CASPs’ internal control units will operate under this member.

Independent Audits of Information Systems

CASPs must carry out an independent audit of their information systems at least once a year.
Further, CASPs and banks limited to custody services, must have an independent audit of information systems at least once a year regarding the functioning of internal control systems and the compliance of their activities with the business processes specified in the Communiqué and the compliance of information systems with TÜBİTAK Infrastructure Criteria.

In addition, as of the end of the third, sixth, ninth and twelfth months of each year, a reserve audit must be conducted by the CASPs to determine whether the  crypto assets held by them are maintained in practice and their custody services are provided in line with the CMB regulations.

Transactions CASPs Cannot Carry Out

Pursuant to the Communiqué, CASPs cannot engage in any industrial and agricultural activity other than business and transactions related to the services for which they obtained a license from the CMB. Accordingly, they cannot engage in certain prohibited activities, such as collecting deposits or participation funds, carrying out commercial activities related to foreign currency trading and transferring foreign currency abroad.

Transition Period

The Communiqué stipulates a gradual transition process. Accordingly, the provisions regarding the organizational structure and conflicts of interest will enter into force on 31 March 2025; provisions regarding the personnel requirements, general manager and assistant general managers will enter into force on 30 June 2025; and provisions that are not specified to enter into force on a specific date will enter into force on the date of publication of the Communiqué.

Platforms included or to be included in the “List of Operating Companies” published by the CMB must apply to the CMB for an operating license by 30 June 2025 and obtain an operating license by 30 June 2026. Platforms that fail to apply or obtain an operating license by these dates will be liquidated and will cease their activities within 15 days.  In addition, custody institutions included in the “List of Operating Companies” and custody institutions that applied before the publication date of the Communiqué will be required to apply for an operating license until 30 June 2025.

The framework agreements entered into between the platforms and their clients before the Communiqué’s publication date must be renewed until 31 December 2025 in accordance with the Communiqué.

In addition, the independent audits of information systems under the Communiqué will be conducted for 2026 for the first time.