0 / 30 SavedReset
SECTION 1 · 8 ITEMS
Obligation Determination
Identify whether your activity falls within CASP perimeter under Law No. 7518 (Official Gazette 32788 / 02.07.2024) and CMB Communiqué III-35/B.1 (Official Gazette 32839 / 13.03.2025).
01 CASP definition under Article 35/B of Capital Markets Law (CML) Crypto-asset trading platforms, brokerage of crypto-assets, custody and transfer services fall within CASP scope. Activity without authorization is criminally sanctioned. (CML Art. 35/B as added by Law 7518)
02 Platform (exchange) vs custody-only classification Platforms operating order books or matching engines require platform license (paid-in capital ≥ TRY 150M). Custody-only services require custody license (paid-in capital ≥ TRY 500M). (Communiqué III-35/B.1)
03 Brokerage / dealer activity (alım-satıma aracılık) Buy/sell intermediation on behalf of customers, OTC desks, RFQ pricing services — all platform-license scope. Includes algorithmic execution and market-making for customer flow.
04 Transition regime — existing operators (08.2024 declaration) Operators active as of 02.07.2024 were required to file declaration by 02.08.2024 and complete faaliyet izni (operating license) application by 13.06.2025 to benefit from transitional regime.
05 Foreign CASP operators serving Turkish residents Active solicitation to Turkish residents — Turkish-language site, TRY pricing, TR domain, local marketing — pulls foreign operators into scope. Reverse-solicitation safe harbor is narrow.
06 Token coverage scope: utility, payment, security, NFT Crypto-asset definition is technology-neutral. Security tokens may simultaneously be subject to traditional capital markets rules. NFT case-by-case (collectibles vs financial use).
07 Stablecoin and asset-referenced tokens Local fiat-pegged or asset-backed tokens face additional scrutiny. Custody and trading of such tokens within CASP scope; issuance may require parallel licensing.
08 Affiliated service exemption (advisory/software-only) Pure software vendors, non-custodial wallet developers, and informational services may fall outside CASP scope — but blurred lines (combined with order routing or custody) trigger licensing.
SECTION 2 · 8 ITEMS
License Application Preparation
Capital, governance, personnel, AML/CFT, and information security framework — all required at filing.
09 Minimum paid-in capital threshold met Platform license: paid-in capital ≥ TRY 150,000,000. Custody license: paid-in capital ≥ TRY 500,000,000. Capital must be fully paid in cash and free of any encumbrance.
10 Anonim şirket form with registered (nama yazılı) shares CASP must be Turkish joint-stock company (anonim şirket) with registered shares. Bearer shares (hamiline yazılı) prohibited. Single-shareholder structure permissible.
11 Founding shareholder qualifications No bankruptcy, no conviction for embezzlement, fraud, money laundering, terrorism financing, or capital markets violations. Foreign founders subject to source-of-funds review.
12 Board and senior management qualifications Board members and general manager: minimum 5 years relevant sector experience, capital markets / banking / fintech / crypto-asset background, no disqualifying convictions, CMB-recognized certification.
13 Organizational structure: 3 lines of defense Independent internal control, internal audit, and risk management functions. Compliance officer (uyum görevlisi) and information security officer mandated.
14 AML/CFT compliance program (Law 5549 / MASAK) Compliance officer appointed, written policies, customer due diligence (CDD/EDD), transaction monitoring, suspicious transaction reporting (STR), employee training, periodic risk assessment.
15 Information security framework — ISO 27001 + CMB criteria ISO 27001 certification or equivalent, penetration testing, vulnerability management, segregation of cold/hot wallet infrastructure, multi-signature controls, key custody procedures.
16 Business continuity and disaster recovery Documented BCP/DRP, RTO and RPO targets, offsite backup, periodic recovery testing, customer-asset reconciliation under failure scenarios.
SECTION 3 · 8 ITEMS
Operational Compliance
Day-to-day execution that determines whether the license remains in good standing.
17 Customer due diligence (KYC/CDD) Identity verification under Law 5549, simplified/enhanced due diligence tiering by risk, beneficial-ownership identification, ongoing monitoring. PEP screening and sanctions screening at onboarding.
18 Travel Rule implementation (FATF R.16) Originator and beneficiary information exchange for VASP-to-VASP transfers above threshold. Counterparty VASP due diligence; non-counterparty (self-hosted wallet) procedures documented.
19 Cold storage and customer asset segregation Customer crypto-assets segregated from CASP proprietary assets, majority in cold storage with multi-signature, daily reconciliation, no rehypothecation.
20 Customer fiat segregation Customer TRY/FX balances held at licensed banks in segregated accounts in customer-name pooled or individual structure, daily reconciliation.
21 Transaction monitoring and STR reporting Real-time monitoring with rule-based and behavior-based scenarios, suspicious transaction reports filed with MASAK within mandated timelines, internal escalation procedures.
22 Cybersecurity controls — penetration testing Annual external penetration test, continuous vulnerability scanning, incident response plan, 24/7 SOC capability, threat intelligence integration.
23 Record-keeping — 8 years minimum Customer records, transaction logs, communications, KYC documents retained for 8 years (Law 5549 Art. 8). Production-ready for MASAK and SPK audits within mandated timelines.
24 CMB and Public Disclosure Platform (KAP) integration Material event disclosure obligations to KAP, periodic SPK reporting (financial, operational, risk metrics), management responsibility statements.
SECTION 4 · 6 ITEMS
Post-License Monitoring
Sustained compliance, reporting, and renewal cycle — losing license is far more costly than getting it.
25 Periodic SPK reporting cadence Quarterly financial reports, monthly operational reports, ad-hoc material event disclosures, annual independent audit report submission to SPK.
26 Capital adequacy monitoring Maintain minimum paid-in capital threshold continuously; variable adequacy ratios for risk concentration, customer assets under custody, and operational risk exposure.
27 Independent annual audit Annual external audit by CMB-recognized auditor, internal audit and internal control reports, audit committee oversight.
28 Administrative and criminal penalty exposure Operating without authorization is a criminal offense under CML Art. 109/A. Authorized CASPs face administrative fines, suspension, and license revocation for violations.
29 License renewal, amendment, and change-of-control Changes in shareholder structure (≥10% threshold), board composition, scope of services, and capital require SPK approval before implementation.
30 Investor compensation and crisis management Participation in any applicable investor compensation mechanism, customer-asset return procedures in resolution scenarios, communication plan for service disruption.
Decision Matrix — Are We CASP-License Ready?
How your checked items distribute shows your license-readiness maturity:
Section 1 7+/8: License need is clear. Activity classification correct.Section 2 6+/8: Application file standing. Capital, governance, AML framework ready.Section 3 6+/8: Operational controls live. KYC, cold storage, monitoring functioning.Section 4 4+/6: Post-license reporting and audit line entrenched.Section 2 weak, capital short: Without capital increase and cash inflow, application is rejected.Section 3 weak, cold storage / Travel Rule missing: Application is not mature without operational compliance infrastructure built.Transition regime deadline missed: Legacy-operator protection lapses. Reverts to clean-slate application regime.All four sections above threshold: Application mature. CMB pre-meetings can begin.
Legal notice. This document is for informational purposes only and does not constitute legal advice. The Law No. 7518, Capital Markets Law provisions, CMB Communiqué III-35/B.1, Law No. 5549, and FATF recommendations referenced are general references; applying them to your company requires evaluation by a lawyer experienced in CMB licensing. Vircon Legal:
[email protected]
