The Legal Regime of Crypto Assets in Turkey and the Role of Regulatory Institutions

ADMD Law Firm
Sudenaz Tunç

In recent years, with the rapid development of digital technologies, financial markets have also undergone a radical transformation; one of the most notable elements of this transformation has been crypto assets. Crypto assets, which came to the forefront worldwide with the emergence of Bitcoin in 2009, have created alternatives to traditional financial instruments in many areas such as investment, payment, and storage thanks to their decentralized structure and distributed ledger technology. However, this new type of digital asset has created significant uncertainties and regulatory gaps from a legal perspective due to its technical and economic characteristics. 

These shortcomings have led to significant debates in legal doctrine regarding the legal nature of crypto assets. Different opinions have been put forward as to whether the legal nature of crypto assets can be classified as money, securities, property, or receivables; in particular, uncertainty has arisen as to whether crypto assets can be classified as “intangible property” (digital value without physical existence) in terms of the Law of Obligations and Civil Law. Additionally, there is a need for clear regulations regarding legal safeguards for investor protection and the supervisory powers of public authorities.

As a result of these needs, Law No. 7518 on the Regulation of Crypto Assets (“Law”) was published in the Official Gazette dated July 2, 2024 and numbered 32590 and entered into force. With this Law:

• Crypto Asset Service Providers (“CASP”) have been granted legal status,
• Licensing and supervisory authority has been granted to the Capital Markets Board (“CMB”),
• A segregation obligation has been introduced to protect investors' assets,
• Administrative and criminal penalties have been established to prevent unauthorized activities.

The law has shaped not only the regulatory role of the CMB, but also the positions of institutions such as MASAK, BDDK, TCMB, Takasbank, and the Revenue Administration in the crypto asset market.

Thanks to this multi-actor model, the crypto ecosystem is being integrated into the financial system while providing legal security for users.  In this new era driven by digitalization, the ability of legal systems to produce innovative and flexible solutions will serve not only technology but also social trust.

I. DEFINITION AND LEGAL STATUS OF CRYPTO ASSETS

The technical structure of crypto assets has made it difficult to align them with concepts found in traditional legal systems. Created using cryptography-based distributed ledger technology, these assets do not fully fit into traditional categories such as money or securities due to their decentralized structure and digital nature. As a result, there has been prolonged uncertainty regarding the definition of crypto assets in legal literature and practice.

The first official definition of crypto assets in Turkey was made by the Central Bank of the Republic of Turkey (“CBRT”) in its Regulation on the Prohibition of the Use of Crypto Assets in Payments dated April 16, 2021 and numbered 31456. defining such assets as “non-tangible assets created virtually using distributed ledger technology or similar technology, which are not classified as fiat currency, book money, electronic money, payment instruments, securities, or other capital market instruments.” However, this definition remained within a narrow framework limited to payment law. This gap has been filled by the Law. Pursuant to Article 1 of the Law, crypto assets:

 “Crypto asset: Intangible assets that can be created and stored electronically using distributed ledger technology or similar technology, distributed over digital networks, and that can represent value or rights.” This definition is noteworthy in three key respects:

• The technical structure of crypto assets (distributed ledger technology) has been explained,
• It has been clearly stated that they are intangible assets,
• It has been emphasized that they are distinct from financial instruments defined in the    current legal system.

With the definition provided in the law, the legal nature of crypto assets is now more clearly established as an “independent type of digital asset,” preventing them from being confused with electronic money, securities, or fiat currency.

However, academic debates over whether crypto assets are property or rights to receivables have not been completely resolved. From a civil law perspective, for an asset to be considered property, it must have material substance, whereas crypto assets exist only in the digital realm. For this reason, the view that crypto assets are “intangible property” (non-material property) has gained widespread acceptance.

The definition of crypto assets in this way has legal consequences such as property rights, seizure and bankruptcy, inheritance and disposal, and liability. Although there is now clarity regarding the definition of crypto assets, many legal areas still require development at the application level. Concrete examples of this development include the III-35/B.1 and III-35/B.2 circulars published by the Capital Markets Board (CMB) in the Official Gazette dated March 13, 2025, and numbered 32840. These circulars clearly regulate the conditions regarding the minimum capital amount, managerial qualifications, information system infrastructure, and internal control mechanisms for CASPs applying for a license. Additionally, the areas of activity that can be carried out without obtaining an operating license and the timelines for the transition process have also been determined.

II. THE ROLE AND POWERS OF THE CAPITAL MARKETS BOARD

In addition to defining crypto assets in Turkish legislation, the Law clearly assigns the CMB the task of regulating and supervising this new digital market. Thus, crypto asset service providers have been defined within the capital market regime for the first time and placed under the supervision of a public authority. Pursuant to Article 3 of the Law: “The establishment of crypto asset service providers, the granting of operating licenses, the suspension of their activities, merger and acquisition transactions, and their dissolution are subject to the approval of the Board.”

In addition, Articles 4 and 7 of the Law grant the CMB the following powers:

• To issue secondary regulations regarding the activities of service providers,
• To determine eligibility conditions,
• To impose administrative fines,
• To intervene in unauthorized activities.

Article 9 of the Law stipulates that foreign crypto platforms providing services to persons residing in Turkey are also subject to CMB approval. In this context: “Reports may be made to the Information and Communications Technology Authority regarding foreign-based platforms operating without permission from the Board, and access restrictions may be imposed.” This provision aims to restrict the activities of foreign exchanges targeting users in Turkey but operating without a license, and to redirect competition toward licensed and regulated platforms.

The most notable case involving crypto assets in Turkey is the fraud case against Faruk Fatih Özer, founder of the Thodex exchange, who is accused of defrauding 400,000 users. The case continued after Özer was arrested in Albania and extradited to Turkey in 2021, raising serious public awareness about the lack of oversight of cryptocurrency platforms.

The CMB's new area of authority is not limited to regulation; it also targets public safety, capital market integrity, and investor protection. In particular, the losses suffered on domestic exchanges such as Thodex have clearly demonstrated the systemic risk posed by unregulated crypto markets. In this context, the CMB:

• Prohibiting organizations without operating licenses from conducting transactions,
• Imposing custody requirements to protect investor assets,
• Imposing penalties such as fines and license revocation on platforms that violate the rules.

The CMB has been granted the authority to license, supervise, and, when necessary, impose sanctions on crypto asset service providers in the same manner as traditional brokerage firms. The aim is to ensure that the crypto market develops in a transparent and accountable manner under the supervision of public authorities.

 III.  CRYPTO ASSET SERVICE PROVIDERS (CASP)

One of the most important innovations introduced by the Law is the legal definition of all actors operating in the crypto asset market as “Crypto Asset Service Providers (CASP)” and their subjection to CMB supervision. This definition both grants legal identity and places crypto service providers under regulation on a similar level to traditional capital market institutions. Pursuant to Article 1 of the Law, a Crypto Asset Service Provider is defined as: “Platforms, institutions providing crypto asset custody services, and other institutions designated to provide services related to crypto assets, including the initial sale or distribution of crypto assets, in accordance with regulations issued under this Law.”

According to the law, it is mandatory to obtain a license from the CMB in order to operate as a CASP. A certain transition period has been granted to organizations currently operating; companies that do not apply for a license during this period or whose applications are rejected will be considered to be operating illegally.

According to the CMB's secondary regulations for 2025, CASPs must have the following characteristics:

• Minimum initial capital,
• Qualifications required of managers and partners,
• Information security systems,
• Internal control and risk management structures,

With the CMB's Communiqués No. III-35/B.1 and III-35/B.2 published in the Official Gazette dated March 13, 2025 and numbered 32840, the minimum conditions that must be met in CASP license applications have been specified in detail. In this context, the minimum charter capital for CASPs providing platform services has been set at TRY 100 million, and for institutions providing only custody services, it has been set at TRY 50 million. The aforementioned capital must be paid in full and in cash, serving as a guarantee of the company's financial adequacy at the commencement of its operations.

With regard to management and partnership structure, company executives are required to have at least five years of experience in the capital markets or finance sector; members of the board of directors and senior executives must have a clean criminal record and must not have been convicted of crimes such as fraud, embezzlement, or fraudulent bankruptcy. Additionally, partners who directly or indirectly hold more than 10% of the company's capital are also subject to a similar suitability test.

In terms of information systems and technological infrastructure, CASPs must have ISO/IEC 27001 Information Security Management System certification, data processing centers must be located within Turkey, and backup and disaster recovery plans must be in place. Real-time monitoring and reporting infrastructure is required to protect against system interruptions, cyber-attacks, and data integrity losses. Within this framework, the CMB checks system adequacy at least once a year through independent audit organizations. In addition, it is a legal requirement for CASPs to establish internal control, internal audit, and risk management systems. Within the framework of these systems:

• An electronic complaint tracking mechanism should be established for receiving and monitoring customer complaints.
• An independent audit report should be prepared annually.
• A risk matrix should be created for operational, financial, and technical risks.
• Internal policies, procedures, and business continuity plans should be put in writing.

All these regulations aim to prevent the misuse of investor assets and the victimization of investors in cases such as platform bankruptcy or hacking. These stricter technical requirements, particularly regarding capital adequacy and internal control systems, are aimed at ensuring the transparent and reliable development of the crypto asset market in Turkey, including institutional investors.

One of the most critical provisions of the Law is the obligation of CASPs to store their customers' crypto assets separately from their own assets. In this context: “Customer assets cannot be seized by the service provider's creditors; they cannot be included in the assets to be distributed in the event of bankruptcy.” This regulation aims to ensure investor security and prevent the recurrence in Turkey of examples such as cryptocurrency exchange bankruptcies abroad (e.g., FTX).

CASPs are also considered “obligated parties” under MASAK regulations. In this context:

• Identity verification ,
• Suspicious transaction reporting,
• Identification of the beneficial owner,
• Reporting obligation within 72 hours,

            and other measures to prevent money laundering and terrorist financing.

In particular, MASAK Circular No. 29 dated 2025 has introduced practical control mechanisms such as withdrawal period restrictions, stablecoin limits, and transaction disclosure requirements for CASPs.

IV.  MASAK AND COMPLIANCE OBLIGATIONS

The anonymity feature of crypto assets has raised serious concerns that these assets could be used for crimes such as money laundering and terrorist financing. For this reason, the Financial Crimes Investigation Board (“MASAK”) began developing preventive regulations for crypto asset service providers in 2021; the most comprehensive step in this area was taken with the publication of General Circular No. 29 (“Circular”) in the Official Gazette No. 32940 dated June 28, 2025, which entered into force on the same day.

With this communiqué published by MASAK, crypto asset service providers have been explicitly included among the “obligated” institutions under Law No. 5549 on the Prevention of Money Laundering (“Law No. 5549”). This definition has imposed new obligations on CASPs at both the technical and legal levels.

In accordance with the Communiqué, CASPs:

• Are required to implement Customer Due Diligence processes.
• Are obliged to monitor customer transactions on a risk-based basis and report suspicious transactions to MASAK within 72 hours at the latest.
• Must identify the beneficial owner of the person conducting the transaction.
• They are required to establish internal control mechanisms such as internal audit, training, and policy development.

Article 4 of the communiqué also introduces many new regulations related to implementation:

• Withdrawal Delay Period: New users must wait at least 72 hours for their first withdrawal. Subsequent transactions must be delayed by at least 48 hours.
• Stablecoin Transfer Limit: A daily limit of USD 3,000 and a monthly limit of USD 50,000 have been introduced; the upper limit for high-risk transactions may be doubled.
• Transaction Description Requirement: Users are required to enter a description of at least 20 characters for each transfer; transactions without a description are not permitted.

Thanks to these measures, the traceability of crypto asset transactions has increased, and the aim is to prevent illegal financing activities through sudden fund transfers between platforms. With the entry into force of the Law, all CASPs licensed by the CMB are also responsible for fulfilling their MASAK obligations. Thus, the supervisory obligation has acquired both administrative (CMB) and crime-preventive (MASAK) characteristics, establishing a multi-layered compliance regime for the crypto asset market.

V. TAKASBANK AND CENTRAL DEPOSITORY REGULATIONS

Although the framework for the storage of crypto assets is clearly regulated in the Law, there is no direct reference to Takasbank (İstanbul Takas ve Saklama Bankası A.Ş.) specifically. However, the obligation to store crypto assets belonging to investors separately from the assets of the CASP and the authority of the CMB to appoint custody institutions indicate that public institutions such as Takasbank may be involved in this area. In line with the secondary regulation authority granted to the CMB by the Law, the CMB Circular No. III 35/B.2 issued in 2025 introduced the following principles regarding custody services:

• CSDs may hold customer assets on their own behalf or through a third-party custodian deemed appropriate by the CMB.
• Custodians are required to ensure the security of investor assets, establish contingency plans, and enter into service agreements with customers.
• Custody systems must be institutionally and technically competent and subject to CMB supervision.

This regulation paves the way for Takasbank to be positioned as an “authorized central depository” in the crypto asset market. Takasbank currently provides central depository and settlement services in areas such as securities, Borsa Istanbul transactions, and collateral management in Turkey.

If Takasbank is assigned to handle crypto assets, it could perform the following functions:

• Storage of investor assets in a closed environment using cold wallet storage infrastructure,
• Execution of post-trade reconciliation and settlement processes in a centralized system,
• Transfer verification in over-the-counter (OTC) transactions,
• Development of insurance or public guarantee models for stored assets.

However, it should be noted that Takasbank has not yet been officially authorized by the CMB. Therefore, the appointment should only be considered as a potential option.

In Germany, crypto custody institutions licensed by BaFin are required to hold investor assets in legally segregated accounts and submit regular audit reports. The EU MiCA Regulation defines crypto asset custody as a service and requires platforms wishing to offer this service to obtain a separate license. In Turkey, integrating a state-backed entity like Takasbank into the custody process would both strengthen investor protection and reduce systemic risks in cases of platform bankruptcy or hacking.

VI. TAXATION DIMENSION

Although the law has largely established a regulatory framework for crypto assets in Turkey, the taxation regime has not yet been clarified. With the law coming into force, the legal definition of crypto assets has paved the way for the establishment of a tax infrastructure by the Revenue Administration (RA).

However, there is currently no specific tax law, withholding obligation, or VAT application related to crypto assets. The basic principles that can be taken as a basis for taxation can be applied by interpretation within the framework of the provisions of the current Income Tax Law (GVK) and Value Added Tax (VAT) Law, according to the economic nature of crypto assets.

The RA has stated that income derived from crypto assets is taxable, but that there is currently no specific regulation on how and in what manner this should be declared. In response to the confusion in the public regarding crypto transaction reports submitted to banks in 2024 and 2025, the RA has clarified that the reporting obligation applies only to the relevant type of income and that automatic transaction reports alone do not create a tax liability.

Turkey is in the process of aligning with the OECD's Crypto-Asset Reporting Framework (CARF) system by 2025. The CARF system aims to ensure the transparent reporting of crypto transactions and international tax cooperation. Under the MICA Regulation, entities seeking a CASP license must have capital adequacy, customer protection systems, information security procedures, and audit mechanisms in place. With these regulations, platforms seeking to provide services within the EU face significant obligations (MICA Official EU Regulation Text: Regulation [EU] 2023/1114, European Parliament and Council, May 31, 2023).

During the adaptation process, under this system:

• Crypto platforms will be required to report user transactions to the tax authority on an annual basis,
• There will be automatic information exchange between Turkey and other countries.

In addition, in parallel with the EU's MiCA regulation, it is expected that crypto assets will be taxed on both a transaction and asset basis and that a declaration system will be established. Although the law does not contain direct taxation provisions, it has established a specific legal status for crypto assets through its descriptive and licensing regulations. This status is a prerequisite for integration into tax legislation. In the coming period, it is anticipated that the Ministry of Finance and the Tax Administration will elaborate on elements such as reporting principles based on the type of crypto income, withholding tax and VAT applications, and the definition of investor and platform-based obligations.

VII.  PENALTIES AND SANCTIONS

The law is not limited to definitions and licensing regulations; it also specifies in detail the penalties that will be imposed on crypto asset service providers in the event of illegal activities. These sanctions include both administrative fines and criminal penalties involving imprisonment.

Fundamental Penal Provisions Introduced by the Law

• Conducting Unlicensed Activities

Pursuant to Article 99/A added to the Capital Markets Law No. 6362: “Those who engage in crypto asset service provider activities without obtaining permission from the Board shall be punished with imprisonment for a term of three to five years and a judicial fine of up to five thousand days.” This regulation serves as a deterrent against individuals and organizations conducting unauthorized activities in the crypto field.

• Misuse of Investor Assets and Irregularities

According to Article 35/B of the Law, acts such as misuse of investors' crypto assets, transferring them to other accounts, or using them as collateral for debts may constitute breach of trust and embezzlement. In such cases, Articles 155 and 247 of the Turkish Penal Code No. 5237 may apply.

• Administrative Fines and Suspension of Activities

The CMB may impose sanctions such as revocation of operating license, temporary suspension of activities, and administrative fines (up to TRY 1 million) for violations detected during its inspections. These penalties are particularly applicable in cases of failure to ensure information system security, non-compliance with reporting obligations, or violations of storage rules. 

• Non-compliance with MASAK Obligations

In the event of non-compliance with MASAK obligations, administrative fines ranging from TRY 30,000 to TRY 50,000 up to TRY 4 million may be imposed in accordance with Article 13 of Law No. 5549. and after a warning, these fines may increase to between TRY 500,000 and TRY 1,000,000.

Furthermore, deliberately concealing suspicious transaction reports may constitute a crime under the Turkish Penal Code. The penalties imposed are intended not only to act as a deterrent, but also to ensure investor safety and market integrity. In particular, measures to prevent unlicensed activities, enhance platform transparency, and impose sanctions against the misuse of customer assets demonstrate Turkey's efforts to establish a system aligned with international standards while regulating the cryptocurrency market.

VIII. CONCLUSION

Turkey has integrated crypto assets into its legal system for the first time through legislation, thereby taking an important step toward establishing a robust and regulated infrastructure for the future of digital finance. The effective functioning of this process depends not only on the legislature but also on the coordinated efforts of administrative authorities, supervisory mechanisms, and judicial bodies. Turkey has the potential to establish a balanced structure that both ensures user security and promotes the investment environment in the digital asset market. In conclusion, significant progress has been made in Turkey regarding the legal status of crypto assets with Law No. 7518. However, there are still areas open to development, such as tax applications, platform responsibility, and international compliance. The applicability of legal regulations, developed in collaboration with actors operating in the sector, is of critical importance for both investor security and market stability.