Guidelines on the Secondary Legislation on Crypto Asset Service Providers

13.05.2025

Communiqué on the Establishment and Operating Principles of Crypto Asset Service Providers (Communiqué: III-35/B.1)

The Communiqué on the Establishment and Operating Principles of Crypto Asset Service Providers (Communiqué: III-35/B.1) (“Principles Communiqué”), which was published in the Official Gazette dated March 13, 2025, and numbered 32840 by the Capital Markets Board (“CMB”), sets out the procedures and principles regarding the establishment, operation, and activities of crypto asset service providers.

A gradual system has been adopted for compliance with the obligations introduced in the Principles Communiqué. A summary of the regulations it introduces and the table of effective dates of the obligations are provided below.

Conditions for Establishment

• Crypto asset service providers must be established as a joint stock company.

• Shares must be registered and paid in cash.

• The minimum establishment capital cannot be below the amount determined by the CMB.

• The shareholding structure must be transparent and traceable; there must be no convictions for crimes such as money laundering and fraud.

• Founders and managers must have professional competence, integrity, and reputation.

Requirements for Operating License

• A reserve evidence report for two random dates, as well as an independent audit report on information systems, must be submitted to the CMB at the time of application for an operating license.

• Information systems and technological infrastructure must meet the criteria of the Turkish Scientific and Technological Research Council (“TSTRC”).

• The custody infrastructure should be securely established and integrated.

• A complaint resolution mechanism should be established for customer transactions.

• Central Registry Agency (“CRA”) integration and price surveillance system should be established.

• Internal control, audit, and risk management systems should be established.

Organization and Governance Structure

• Specific service units such as internal audit, internal control, and risk management should be established.

• A recovery plan should be prepared by crypto asset service providers in case of asset loss, and a reserve evidence audit should be conducted within 15 days of the activation of such plans.

• A conflict of interest policy should be prepared and disclosed to the public.

• The majority of managers should have a bachelor's degree; the general manager should be appointed exclusively for this duty.

• Internal audit teams should audit compliance with legislation and workflow procedures no less than once a year, and audit results should be presented to the Board of Directors.

• External services to be received should be carried out within the framework of an agreement in writing and relevant workflows should be established.

• The compliance of internal processes should be audited at least once a year, and a reserve evidence audit should be conducted every 3 months; such reports should be submitted to the Board of Directors.

Implementation Principles, Customer Orders and Transaction Safety

• CMB's regulations on the intermediary institution chart of accounts should be applied comparatively in the accounting of crypto assets.

• Customer orders should be received by the platforms' websites, mobile applications, or the platforms' operation personnel via the registered phone numbers of the customers, and customer orders shall not be received via social media channels.

• Platforms should issue transaction result forms and account statements, and such forms should be sent to the e-mail address of the customers, or customers should be provided with electronic access to their account statements in a manner that includes the information specified in the Principles Communiqué.

• Records of executed transactions and all documents received during remote identification should be retained for 10 years, with information security measures in place.

• A complaint system should be established by crypto asset service providers to address customer complaints, and information records regarding complaints received through such systems should be retained for 10 years.

Prohibitions and Restrictions

• No crypto service can be provided without a CMB license.

• Changes exceeding 10%, 20%, 33%, or 50% in the shareholding structure of crypto asset service providers, privileged share transfers, and share transfers of their partnerships are subject to CMB authorisation.

• Business names and trademarks must be registered, and any changes thereto must be announced.

• Phrases that are misleading or create a false impression cannot be used in advertisements, promotions or titles.

COMMUNIQUÉ ON OPERATING PROCEDURES AND CAPITAL ADEQUACY OF CRYPTO ASSET SERVICE PROVIDERS (COMMUNIQUÉ: III-35/B.2)

The Communiqué on Operating Procedures and Capital Adequacy of Crypto Asset Service Providers (Communiqué: III-35/B.2) (“Capital Adequacy Communiqué”), which entered into force after being published in the Official Gazette dated March 13, 2025 and numbered 32840 by the CMB, sets out principles and guidelines regarding the services and activities that crypto asset service providers may offer, listing principles of crypto assets, settlement system and capital adequacy.

A gradual system has been adopted for compliance with the obligations introduced in the Capital Adequacy Communiqué. A summary of the regulations it introduces and the table of effective dates of the obligations are provided below.

Types of Operations (subject to CMB license)

• Trading, clearing and transfer of crypto assets and custody services required by these transactions.

• Initial offering or brokerage activities for the offering.

• Custody and management of crypto assets or private keys.

• Investment advisory services only for certain investors (minimum size requirement of TRY 50 million).

• Other activities as may be determined by the CMB.

Capital Adequacy Criteria

• Platforms are required to have a minimum capital of TRY 150,000,000.

• Custody institutions are required to have a minimum capital of TRY 500,000,000.

• Custody institutions can hold customer assets up to TRY 1,000,000,000. In case of providing custody services above this amount, they are required to have additional equity equal to 1.5% of the amount exceeding TRY 1,000,000,000. For equity amounts above TRY 1,500,000,000 this additional equity requirement will not be sought.

• The amounts related to capital adequacy will be re-determined by the CMB by taking into account the re-evaluation rate announced by the Ministry of Treasury and Finance of the Republic of Türkiye every year. The re-evaluated capital adequacy amounts must be complied with by the end of June of each year at the latest.

Platform Activities

• Transactions such as order receipt, matching, clearing, settlement, initial offering, and transfer can be performed in accordance with the principles of the customer framework agreement.

• Orders may be executed on the platform's own trading environment or from its own wallet as a counterparty.

• The necessary unit should be established for the management of the price surveillance system, the functioning of which is determined in accordance with written procedures. Mechanisms for reporting unreasonable actions and transactions should be established.

• Different market structures may be established (e.g. only for certain types of investors).

• Market-making activities may be carried out by the platforms to ensure the liquidity of other platforms.

Listing and Initial Offering (ICO/IDO) Rules

• The minimum elements required to be included in smart contracts should be checked. The first offering of crypto assets that do not meet the listing criteria shall not be brokered.

• For tokens that are subject to the authority of other institutions (BRSA, FCIB, etc.), compliance checks should be carried out.

• The first listing on each platform is considered as “brokerage to the first offering” and requires new approval for that platform.

• The criteria for the listing and delisting of the assets to be listed should be determined in writing and published on the platform website.

• A Listing Committee should be established, and the reports to be prepared by this committee will determine which crypto assets will be listed or which listed crypto assets will be delisted. Listing and delisting transactions should also be reported to the CRA.

Reconciliation System, Custody, Wallet Management and Transfer Principles

• Platforms and custody institutions are required to report their customers' asset balances to CRA.

• CRA creates a “central registry report” as a basis for customer inquiries.

• Custody services to be received by the customer may be provided by banks and other authorised financial institutions deemed appropriate by the Banking Regulation and Supervision Agency.

• 95% of customer assets should be held with custody institutions, and 5% should be held in wallets.

• Customer assets may be stored separately in a collective wallet. In this case, a maximum of 5% of the assets stored collectively can be kept in a hot wallet. If the criteria announced by TSTRC are met, this rate is applied as 10%.

• The platform can self-custody for 6 months in certain cases.

• Private keys can be generated and stored in accordance with the principles set out in TSTRC Infrastructure Criteria. In the event that the private keys are divided into parts, such private key parts must be stored in Türkiye, and the private keys must be controlled by the crypto asset service providers.

• Specific technical and operational rules should be applied for hot and cold wallets.

• In executing transfer orders, the Financial Crimes Investigation Board’s (“FCIB”) regulations on financial crimes, money laundering, and the financing of terrorism should be complied with, multi-factor authentication should be used, and measures should be taken to ensure the confidentiality of multi-factor authentication data.

• As of the moment the transfer order is submitted, it is possible to approve transfer requests not exceeding TRY 1,000,000 through fully automated processes.

Transaction Policies and Order Execution

• A best execution policy should be established: criteria such as price, speed, cost, and custody should be taken into account.

• Transaction principles, such as order types, validity periods, and cancellation rules, should be determined in detail.

• Investors shall be informed of transactions involving risk of loss.

Prohibited Transactions

• Leveraged, credit transactions and derivative products are prohibited.

• Crypto assets cannot be subject to short selling or lending transactions.

• Platforms cannot accept physical cash from customers, and cash amounts can be managed through bank accounts.

• Crypto asset service providers are prohibited from borrowing in such a way that the sum of all short and long-term debts on their balance sheets exceeds 3 times the minimum capital adequacy amounts. In determining the amount of debts, current values are taken into account.

Foreign Institutions

• Foreign entities cannot provide direct advertising, marketing or website services in Türkiye without obtaining a license from the CMB.

• Otherwise, they are subject to Turkish legislation and their activities are considered illegal.

| OBLIGATION | ARTICLE | DEADLINE FOR COMPLIANCE |
|---|---|---|
| Operating License Application | III-35/B.1 – Provisional Article 1 (2) | 30.06.2025 |
| Reserve Evidence Audit Report | III-35/B.1 – Provisional Article 1 (2) | 30.06.2025 |
| Submission of Information Systems Audit Report | III-35/B.1 – Provisional Article 1 (2) | 30.09.2025 |
| Agreement and Integration with Custody Institutions | III-35/B.1 – Provisional Article 1 (5) | 30.12.2025 |
| Obtaining an Authorisation Certificate | III-35/B.1 – Provisional Article 1 (3) | 30.06.2026 |
| Custody Infrastructure Compliance | III-35/B.2 – Provisional Article 1 (1) | 30.06.2025 |
| Compliance with Capital Adequacy Requirements | III-35/B.2 – Provisional Article 1 (1) | 30.06.2025 |
| Periodic Information Systems Audit Report | III-35/B.2 – Provisional Article 1 (11) | Audit for 2026 Activity Year |
| Reserve Evidence Audit | III-35/B.2 – Provisional Article 1 (11) | Every 3 Months from the Activity Year 2026 |

Deadlines for Obligations to Be Complied with by Crypto Asset Service Providers Pursuant to Communiqués

Information Systems and Technological Infrastructure Criteria for Crypto Asset Service Providers

The Information Systems and Technological Infrastructure Criteria for Crypto Asset Service Providers (“TSTRC Criteria”) prepared by TSTRC was published as a draft on the website of TSTRC.

The TSTRC Criteria set out the principles regarding the information systems and technological infrastructure of crypto asset service providers, and crypto asset service providers are required to bring their information systems and technical infrastructure into compliance with the TSTRC Criteria.

It is envisaged that the draft TSTRC Criteria will be revised and finalised in line with the opinions and suggestions of the relevant sector stakeholders and the CMB.

General Purpose and Scope

• Criteria for the technological infrastructure and information systems to be used by the crypto asset service providers authorised by the CMB are set by the TSTRC Criteria.

• The criteria cover issues such as secure wallet usage, key management, access control, information security and distributed ledger integration.

Wallet Security - General Principles

Access Control Process: Transfers cannot be realized without completing “Transaction order → Review → Approval → Compliance check → Policy check” steps.

Authentication: For the execution of transfer orders, the relevant officials must be authenticated with a remotely manageable mobile device, smart card or similar.

Private Key Usage: Only possible with hardware security modules (HSM).

Multiple Signature / Threshold Cryptography: Risk analysis should be performed and integrated into business continuity plans.

Verified Address List: Customer transfers can only be made to verified addresses.

Pre-Transfer Controls: Elements such as policy compliance, limit controls, and address approval should be carried out with components audited by TSTRC.

Cold Wallet Security Criteria

Physical Isolation: Cold wallets should be retained in an isolated environment, closed to the internet (air gap, cross-network access).

Data Transfer: Only authorised data types can be transferred; the principle of separation of duties should be applied.

Transfer Restriction: Transfers can only be made to addresses controlled by the same custodian.

Manual Approval: Transactions must be checked by at least two authorised persons.

Hot Wallet Security Criteria

Access Control: Authorised user authentication should be performed with multi-factor systems.

Restricted Transfer Authorisation: Transactions can only be made within certain policies and only to defined addresses.

Hardware Security: Hot wallet components should work with secure hardware modules.

Backup and Key Management: Keys should only be generated, stored and backed up within crypto asset service providers.

Key Management and Cryptographic Criteria

Master Key and Private Keys: Can only be generated with authorised secure hardware modules.

Outsourcing: Hardware/software products should be selected in a way that does not create dependency.

Key Sharing: Stored private keys cannot be shared with other organisations under any circumstances.

Policy-Based Controls: Transaction orders are only processed if they comply with predefined policies.

Information Security and Risk Management

Risk Management: Crypto asset service providers must conduct risk analysis and implement controls for all processes.

Identity and Access Management: Crypto asset service providers must record all access traces to information systems and ensure authorisation control.

Data Security: Cryptographic protection methods must be applied, and data must be protected against cyberattacks.

Information Security Breaches: Incident detection and response mechanisms must be established and reported.

Physical Security: Hardware infrastructure must also be protected against physical threats.

Distributed Ledger Integration Criteria

Monitoring and Updating: Platforms should have the infrastructure to track forks, transaction fees, etc. in the blockchain network.

Integration Security: Transaction orders and data should be transferred to the chain in secure ways and verified.

Provisional and Supporting Matters

Cryptographic Mechanism Transition: Temporary use of previous systems may be permitted, but a roadmap for secure hardware transition is required.

Software and Hardware Updates: Critical system updates should be logged and tested in a secure environment.

This website is available “as is”. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.