Crypto gets a New Lira of Scrutiny: An Analysis of Turkey’s new Crypto Asset Framework

KEY TAKEAWAYS

• New communiqués by the Capital Markets Board, Turkey have been published to introduced strict rules for CASPs to enhance market stability, security, and transparency, aligning with global standards.
• CASPs must meet stringent licensing, capital (Turkish Lira 150 MN), and operational requirements, with full compliance by 30 June 2025.
• Regulated entities must implement cybersecurity policies, conduct risk assessments, and appoint security officers to safeguard data.
• CASPs must maintain liquidity, hold 95% of customer assets in authorised custodians, and are banned from leveraged/margin trading.
• The regulations create a secure framework while allowing CASPs to innovate within clear operational boundaries.

INTRODUCTION

In a major move to consolidate the regulatory framework for digital asset operations, three recent communiqués[1] have established stringent requirements for crypto asset service providers (“CASPs”), enhanced information systems security, and clarified working procedures along with capital adequacy benchmarks. These measures are set to come into force on varying dates, most notably with a broad range of obligations effective by 30 June 2025.

OVERVIEW AND OBJECTIVES

The Communiqués establish a structured regulatory framework to ensure that CASPs operate transparently, securely, and in compliance with capital market regulations. The objectives include:

• Outlining licensing and establishment criteria
• Laying out the operational and security standards
• Outlining the governance and personnel requirements
• Ensuring customer protection and market transparency

KEY PROVISIONS

First Communique:[2] Strengthening the Foundation for CASPs

The first communique focuses on the establishment and operational principles of CASPs. It outlines several key obligations that all licenced entities must meet to ensure a robust and transparent digital asset marketplace.

• Capital and Equity Requirements: CASPs must maintain a minimum paid-in capital and shareholders’ equity – set at Turkish Lira 150 million in cash – ensuring that CASPs have the financial resilience to safeguard client assets.[3] Compliance deadlines for these requirements vary, with some obligations effective as early as the publication date (13 March 2025) and others by 30 June 2025.[4]
• Operational Structures and Internal Controls: The communique mandates a clearly defined organisational structure,[5] the appointment of qualified management with at least seven years of experience in financial markets or IT-related fields,[6] and strict internal audit, risk management, and control frameworks.[7] These measures are designed to ensure that all transactions and operational procedures are transparent and managed according to best practices.[8]
• Customer and Market Safeguards: In addition to internal controls, CASPs are required to implement detailed customer information procedures,[9] establish conflict of interest policies,[10] and ensure that trade names and trademarks are managed under strict regulatory oversight.[11] These steps are crucial for building trust among market participants and protecting customer interests.

Second Communique:[12] Information Systems Management

The second communique expands the regulatory oversight to encompass information systems management, applying not only to CASPs but also to other institutions under the Capital Markets Board (CMB). Key highlights include:

• Information Security Frameworks:Institutions must establish comprehensive information security policies approved by the board of directors.[13] This includes regular risk assessments,[14] penetration testing, and the adoption of access and authorisation controls[15]—all aimed at safeguarding sensitive data.[16]
• Governance and Oversight: Senior management is tasked with the continuous review of information security measures, ensuring that any vulnerabilities are addressed promptly.[17] An appointed Information Security Officer, who must possess substantial technical expertise, plays a central role in reporting and managing security risks.
• Operational Continuity and Incident Response: The regulations demand that entities develop robust business continuity plans,[18] disaster recovery strategies,[19] and incident response protocols.[20] Such measures ensure that, in the event of a security breach or system failure, the organisation can maintain operational stability while protecting customer data.[21]

Third Communique:[22] Operational Procedures and Capital Adequacy

The third communique addresses the operational procedures of CASPs in conjunction with capital adequacy requirements. This document bridges the gap between innovative digital asset services and traditional financial stability by imposing several operational constraints and benchmarks:

• Scope of Services and Operational Restrictions: CASPs are permitted to provide a range of services—from trading and custody to investment consultancy – but must adhere to strict conditions.[23] For instance, the prohibition on leveraged trading, margin-based transactions, and certain derivative products aims to prevent excessive risk-taking in volatile markets.[24]
• Order Execution and Market Surveillance: Providers are required to establish detailed order execution policies that prioritise transparency, fair market practices, and customer protection.[25] Additionally, a dedicated price surveillance unit must be established to monitor transactions for economic anomalies or manipulative behaviour.[26]
• Capital Adequacy and Liquidity Requirements: The communique sets out comprehensive capital base and liquidity requirements, ensuring that CASPs maintain sufficient reserves to cover customer assets.[27] Custody rules dictate that at least 95% of customer crypto assets must be held in authorised custodian institutions, with strict limits on assets held in the company’s own wallets.[28]

CONCLUSION

The newly introduced regulatory framework marks a significant step toward ensuring financial stability, market integrity, and consumer protection in Turkey’s digital asset sector. By imposing stringent licensing, capital adequacy, and cybersecurity requirements, the regulations align with global trends in digital asset governance.

Notably, these developments echo regulatory approaches seen in jurisdictions like the UAE, where entities such as the Dubai Virtual Assets Regulatory Authority and the Financial Services Regulatory Authority have established similarly robust frameworks for CASPs. While the UAE has a much more evolved and robust framework, Turkey is now moving in the same direction.

As the Turkish framework takes full effect by mid-2025, CASPs must navigate evolving compliance requirements while balancing innovation and regulatory adherence. By doing so, the sector can foster greater investor confidence, strengthen institutional adoption, and enhance the credibility of digital asset markets on a broader scale.

***

TLP Advisors is a dynamic and forward-thinking consulting, strategy and law firm specialising in providing cutting-edge solutions to our diverse clientele. With our roots deeply embedded in financial services, gaming, web3, and emerging tech, we offer unparalleled knowledge and support tailored to these rapidly evolving sectors’ unique challenges and opportunities.

TLP Advisors has consistently been the firm of choice for L1 chains, DeFi protocols, gaming companies, fintech and payment companies, foundations, funds, and investors. We have built a reputation for excellence through frequent collaborations with regulators, funds, and technology incubators. Our deep understanding of the intricate regulatory landscapes and industry dynamics allows us to provide strategic guidance and innovative solutions that empower our clients to navigate complex challenges and seize emerging opportunities.

www.techlawpolicy.com

***

[1] This article is based on our translation and interpretation of the original regulatory publications. While we have taken care to ensure accuracy, there may be discrepancies or nuances that differ from the official text. This article is for informational purposes only and should not be relied upon as legal or regulatory advice. Readers are strongly advised to consult official sources and seek professional legal counsel before making any decisions based on the information provided. The official links to the Communiqués are below:

• Communiqué on the Establishment and Activity Principles of Crypto Asset Service Providers (III-35/B.1) available at: https://www.resmigazete.gov.tr/eskiler/2025/03/20250313-5.htm.
• Communiqué on the Working Principles and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2) available at: https://www.resmigazete.gov.tr/eskiler/2025/03/20250313-6.htm.
• Communiqué on the Establishment and Operating Principles of Information Systems Management (III-39.1) available https://www.resmigazete.gov.tr/eskiler/2025/03/20250313-8.htm.

[2] Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[3] Article 5/1(c), Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[4] Article 9/1, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[5] Article 10/1 (a), Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[6] Article 14/1, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[7] Article 421, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[8]Article 17/3, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[9] Article 25/1, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[10] Article 11/1, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[11] Article 7/3, Communiqué on the Establishment and Activity Principles of Crypto Asset Service.

[12] Communiqué on Information Systems Management.

[13] Article 6, Communiqué on Information Systems Management.

[14] Article 8, Communiqué on Information Systems Management.

[15] Article 16, Communiqué on Information Systems Management.

[16] Article 18, Communiqué on Information Systems Management.

[17] Article 7, Communiqué on Information Systems Management.

[18] Article 27, Communiqué on Information Systems Management.

[19] Article 25, Communiqué on Information Systems Management.

[20] Article 24, Communiqué on Information Systems Management.

[21] Article 22, Communiqué on Information Systems Management.

[22] Communiqué on Working Procedures and Capital Adequacy of CASPs.

[23] Article 5-6, Communiqué on Working Procedures and Capital Adequacy of CASPs.

[24] Article 14, Communiqué on Working Procedures and Capital Adequacy of CASPs.

[25] Article 18, Communiqué on Working Procedures and Capital Adequacy of CASPs.

[26] Article 13, Communiqué on Working Procedures and Capital Adequacy of CASPs.

[27] Article 34-38, Communiqué on Working Procedures and Capital Adequacy of CASPs.

[28] Article 39, Communiqué on Working Procedures and Capital Adequacy of CASPs.