A Practical Guide to Crypto Asset Service Providers Licensing, Organization and Operational Framework under Turkish Capital Markets Law

05 January 2026

Authors: Atty. Mustafa Şahin

Introduction

Communiqué on the Establishment and Operating Principles of Crypto Asset Service Providers (III-35/B.1), Article 4

The binding regulatory framework governing crypto asset markets in Türkiye was established through Communiqué No. III-35/B.1, published in the Official Gazette dated 13 March 2025 and numbered 32840. Article 4 of the said Communiqué introduced, for the first time, a statutory definition of the concept of “crypto asset” under Turkish capital markets law.

Pursuant to this provision, a crypto asset is defined as an intangible asset that is created, stored, and distributed electronically through distributed ledger technology or similar technologies, and that represents a value or a right. The explicit inclusion of the element “representing a value or a right” in the definition is not incidental. The Capital Markets Board of Türkiye (“CMB”) has deliberately approached crypto assets not as mere technical data or software outputs, but as a category of assets capable of producing economic or legal consequences for investors.

Accordingly, the mere fact that a digital element is generated on a distributed ledger, structured through a smart contract, or technically transferable does not, in itself, suffice for the application of the crypto asset regime under Communiqué No. III-35/B.2. For the regime to apply, the relevant element must, within a defined ecosystem, represent a value, service, or right as envisaged under III-35/B.2, and must express an economic value capable of being traded in the market or a legally protectable right.

I. Digital Elements Not Deemed Crypto Assets

Communiqué on the Operating Procedures and Principles and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2), Articles 7 and 10/6

The boundaries of the crypto asset concept can be properly understood not only through its statutory definition, but also by examining which digital elements are deliberately excluded from the scope of regulation. Communiqué No. III-35/B.2 expressly clarifies this distinction, particularly under Article 7 and paragraph 6 of Article 10, which limits the scope of platform activities.

Under these provisions, the following digital elements are not deemed crypto assets:

  • Non-fungible tokens (NFTs) that merely create a unique digital representation or ownership record and do not function as an investment or exchange instrument;
  • In-game digital assets designed exclusively for use within a specific game, application, or closed ecosystem, whose economic value does not form freely in an open market;
  • Digital elements created for collection, representation, or utility purposes that are not subject to market transactions from an investor perspective.

The legal consequence of excluding these assets from the crypto asset definition is significant. The purchase, sale, custody, or transfer of such digital elements does not, per se, constitute a crypto asset service. Indeed, Article 10/6 of Communiqué No. III-35/B.2 explicitly provides that entities whose principal activity relates solely to such assets shall not be deemed to be engaging in platform activities.

II. Crypto Asset Services and the Activity-Based Regulatory Approach

Communiqué No. III-35/B.2, Articles 5 and 6

The core logic of the crypto asset regulatory regime is founded upon an activity-based, rather than asset-based, approach. Article 5 of Communiqué No. III-35/B.2 exhaustively enumerates the crypto asset services and activities that may be carried out subject to authorization from the CMB.

Within this framework, crypto asset services encompass the purchase and sale, exchange, transfer, initial sale or distribution of crypto assets, as well as custody services required for the execution of such transactions. The regular and commercial performance of any of these activities confers upon the relevant person or entity the status of a crypto asset service provider.

Article 6 of Communiqué No. III-35/B.2 expressly prohibits the performance of such activities without obtaining authorization from the CMB. The provision of services via the internet, through a foreign-based structure, or under the guise of a purely technical software service does not circumvent this prohibition. From the perspective of the CMB, the decisive criterion is whether a crypto asset service is being provided in fact.

III. Establishment and Authorization Regime of Crypto Asset Service Providers

Communiqué No. III-35/B.1, Articles 5–11
Communiqué No. III-35/B.2, Article 6 and Articles 34 et seq.
Capital Markets Law Articles 35/B, 99, and 101

Pursuant to Article 35/B of the Capital Markets Law, crypto asset service provision constitutes a capital markets activity subject to the authorization of the CMB. The provision of services relating to the purchase, sale, exchange, transfer, initial sale or distribution of crypto assets, as well as related custody services, may not be carried out without obtaining such authorization.

The authorization regime is structured as a two-tier system consisting of (i) establishment authorization and (ii) operating authorization. These two authorizations are legally distinct and are not interchangeable.

IV. Establishment Authorization and Establishment Requirements

Communiqué No. III-35/B.1, Articles 5–8

Applicants for establishment authorization must be incorporated as joint stock companies. All shares must be registered shares and issued in exchange for cash consideration. The articles of association must exclusively allocate the company’s field of activity to crypto asset service provision. Structuring the company to engage in additional commercial activities alongside crypto asset services is contrary to the Communiqué.

At the establishment stage, the company’s paid-in capital must be fully paid and must not be less than the minimum amount to be determined by the CMB. The Communiqué does not specify a numerical threshold, instead authorizing the CMB to determine such amounts through principle decisions or announcements. Capital contributions in kind or through borrowing are not permitted; the capital must effectively exist within the company.

The CMB examines the shareholding structure, including direct and indirect ownership and control relationships. Establishment authorization shall not be granted where shareholding or control is concealed through indirect structures.

V. Requirements Concerning Founders and Shareholders

Communiqué No. III-35/B.1, Articles 6 and 8

In order to obtain establishment authorization, founders and shareholders must satisfy the conditions set forth in the Communiqué, not only at the application stage but throughout the duration of operations.

Accordingly, founders and shareholders must:

  • not have been declared bankrupt, not have initiated or be subject to concordat proceedings;
  • not have been subject to liquidation;
  • not have been direct or indirect controlling shareholders of entities whose operating licenses were revoked due to violations of capital markets legislation;
  • not have been convicted of embezzlement, extortion, bribery, fraud, breach of trust, fraudulent bankruptcy, smuggling, or similar disgraceful offenses, nor of capital markets crimes, money laundering, or terrorist financing offenses.

The CMB’s assessment extends beyond direct shareholders to include indirect shareholders and persons exercising de facto control. The same qualifications apply to foreign-resident founders and shareholders.

VI. Operating Authorization and Commencement of Operations

Communiqué No. III-35/B.1, Articles 9–11

Obtaining establishment authorization does not entitle an entity to commence crypto asset service provision. To interact with investors, receive orders, and provide crypto asset services, an operating authorization must also be obtained.

At the operating authorization stage, the company must have:

  • established the crypto asset platform infrastructure in compliance with Communiqué No. III-35/B.2;
  • implemented the custody framework;
  • completed integration with the Central Securities Depository (MKK);
  • established and operationalized internal control, risk management, and internal audit systems.

The CMB may conduct on-site inspections, require technical reports, or request additional information and documentation. Any engagement with investors, receipt of orders, or operation of the platform prior to obtaining operating authorization constitutes unauthorized activity.

VII. Unauthorized Activity and Sanctions Regime

Capital Markets Law Articles 35/B, 99, and 101
Communiqué No. III-35/B.2, Article 6

Providing crypto asset services without establishment and operating authorization constitutes unauthorized capital markets activity. In such cases, the CMB may order the suspension of activities, block access to relevant websites and applications, and make public announcements.

Additionally, administrative fines may be imposed under Article 99 of the Capital Markets Law, and depending on the nature and severity of the violation, notification to the Public Prosecutor may be made pursuant to Article 101.

VIII. Crypto Asset Platform Activity and Operational Structure

Communiqué No. III-35/B.2, Articles 10–23

Crypto asset platform activity lies at the core of the crypto asset market. Article 10 of Communiqué No. III-35/B.2 regulates platforms not merely as technical software infrastructures, but as the primary legal structures within which market transactions relating to crypto assets are conducted.

Platform activities include receiving customer orders, matching such orders with other investor orders or acting as counterparty, and intermediating the exchange, transfer, initial sale, or distribution of crypto assets. Platforms therefore function, in effect, as crypto asset market operators.

A framework agreement must be executed with investors to establish the platform–investor relationship (Communiqué No. III-35/B.1, Article 22). This agreement must clearly regulate counterparty transactions, custody arrangements, and the segregation of investor assets from platform assets.

Crypto assets cannot be freely displayed or traded on platforms without undergoing a listing process. Pursuant to Articles 20 et seq. of Communiqué No. III-35/B.2, platforms must establish a listing committee, and listing decisions must be based on technical, legal, and market-based criteria. Delisting decisions must also be transparent and non-arbitrary.

Crypto Asset Custody Activity and Key Management

Communiqué No. III-35/B.2, Articles 24–31

Article 24 of Communiqué No. III-35/B.2 regulates custody as a distinct and independent legal activity separate from platform operations. Within the regulatory system, custody is associated not with trading activities, but with the protection of investor crypto assets and the private keys enabling access to such assets. Accordingly, custody is treated not as a mere IT service, but as a financial infrastructure activity directly aimed at safeguarding investor assets.

Custody encompasses the secure storage of crypto assets and private keys, execution of transfers upon investor instructions, and protection against unauthorized access. While custody services may be provided either within the platform or through a separate custody institution, the Communiqué clearly separates these structures legally and organizationally.

A common misconception in practice is that outsourcing custody eliminates the platform’s liability toward investors. The regulatory framework does not permit such an outcome. Even where custody services are outsourced, the platform remains ultimately responsible due to its legal relationship with investors. The custody institution acts as a service provider, not as a substitute counterparty.

Private Key Management

Communiqué No. III-35/B.2, Article 27

Private key management lies at the heart of the custody regime. Article 27 expressly prohibits private keys from being controlled by a single person or system, mandating segregation of duties.

Custody institutions and platforms must distribute access authorizations among different individuals, maintain access logs, and ensure traceability. Key management is regulated not merely as a technical safeguard but as a compliance area giving rise to legal liability. Loss or misuse of keys due to unauthorized access may trigger liability toward investors, subject to fault assessment.

Hot and Cold Wallet Structure

Communiqué No. III-35/B.2, Article 28

Article 28 mandates the segregation of hot and cold wallets in custody operations, aiming to prevent a model in which all investor assets are stored online.

Cold wallets refer to offline wallets with restricted access and enhanced security, whereas hot wallets are online wallets used for daily operations. Custody structures must reflect a functional allocation between these two wallet types. Ratios between hot and cold wallets and justifications for transfers from hot wallets are subject to regulatory scrutiny.

Custody Agreement

Communiqué No. III-35/B.2, Article 31

A separate custody agreement must be executed with investors. This agreement is legally independent from the platform framework agreement and must regulate the legal status of investor assets, transfer principles, liability regime, and emergency procedures. Absence of such an agreement or non-compliant content renders the custody activity unlawful.

Reconciliation System and Central Securities Depository (MKK) Integration

Communiqué No. III-35/B.2, Articles 32–33

One of the most critical integration mechanisms with traditional capital markets infrastructure is reconciliation and MKK integration. Article 32 mandates customer-based record-keeping and regular reconciliation to ensure accuracy.

Platforms and custody institutions must ensure consistency between internal records and actual crypto asset balances. Regular reconciliation and documentation are essential for both investor dispute resolution and regulatory audits.

Article 33 introduces MKK integration, rendering crypto assets traceable on a customer basis and enabling their tracking in enforcement, injunction, and insolvency proceedings. This effectively eliminates the perception of crypto assets as “legally invisible.”

Capital Adequacy and Financial Soundness

Communiqué No. III-35/B.2, Article 34 et seq.

Capital adequacy is as critical as technical infrastructure. Articles 34 et seq. regulate minimum capital levels, equity calculations, and financial soundness requirements. The objective is to ensure that service providers maintain sufficient financial resilience against volatility and operational risks.

Capital adequacy must be maintained continuously. Should equity fall below required thresholds, the CMB may impose restrictions, require additional measures, or suspend operating authorization.

IX. When Foreign-Based Crypto Asset Platforms Are Deemed to Operate in Türkiye

Capital Markets Law Article 35/B – Communiqué No. III-35/B.2, Article 6

A frequently overlooked issue concerns when foreign-based platforms are deemed to operate in Türkiye. The regulatory approach is based on the principle of territorial effects.

The decisive factor is not the platform’s place of incorporation, but whether crypto asset services are offered to persons resident in Türkiye. Providing Turkish language options, conducting marketing targeting Türkiye, or failing to deliberately block access from Türkiye may lead to a finding of domestic activity.

Platforms operating without authorization may therefore be subject to access blocking, administrative sanctions, and other enforcement measures. In practice, this creates a risk of “unintentional regulatory capture.”

Conclusion

Through Communiqués No. III-35/B.1 and III-35/B.2, Türkiye has established an integrated regulatory framework for the crypto asset market, spanning from the definition of “crypto assets” to the conditions under which related services may be provided and by whom. The point of departure of this framework is the recognition that crypto assets are not to be treated merely as technical infrastructure components or digital data outputs, but rather as a class of assets that represent value or rights from an investor perspective and therefore fall within the protective ambit of capital markets law (III-35/B.1, Art. 4).

A second defining feature of the regime is that its scope is delineated not only through the statutory definition, but also through deliberate exclusions. NFTs, in-game digital assets, and representational/utility-oriented elements used within closed systems have been expressly carved out of the crypto asset definition under Communiqué No. III-35/B.2 (Arts. 7 and 10/6), and it has been made clear that activities relating to such elements will not in every case qualify as crypto asset services or platform activities. In this respect, the Communiqués do not constitute a general digital asset regulation covering the entire market; instead, they adopt a targeted and limited scope aimed at specific risk areas from the standpoint of capital markets law.

Third, the regulatory architecture is structured around an activity-based, rather than an asset-based, approach. The services subject to CMB authorization are exhaustively listed under Communiqué No. III-35/B.2 (Art. 5), and unauthorized performance of such activities is explicitly prohibited under Article 6. Within this system, the decisive factor is not how an activity is labelled or the technical architecture through which it is delivered, but whether a crypto asset service is being provided in fact. Accordingly, characterisations such as “technology company,” “marketplace,” or “intermediary software” do not alter the legal assessment under the Communiqué regime.

From the perspective of incorporation and commencement of operations, a two-tier authorization system has been adopted, clearly distinguishing the legal effects of establishment authorization and operating authorization (III-35/B.1, Arts. 5–11). At the establishment stage, the provider must be incorporated as a joint stock company, with registered shares issued for cash consideration, an exclusively dedicated business purpose limited to crypto asset services, and compliance with the minimum capital thresholds to be determined by the CMB; founders and shareholders are also subject to financial and reputational suitability assessments (III-35/B.1, Arts. 6 and 8). At the operating authorization stage, the provider must have effectively implemented the platform’s operational structure, custody arrangements, MKK integration, and internal systems and rendered them fully functional (III-35/B.1, Arts. 9–11). Activities conducted without these authorizations constitute unauthorized capital markets activity in connection with Article 35/B of the Capital Markets Law; in addition to the CMB’s powers to impose administrative measures, access blocking, and administrative fines, referral to the Public Prosecutor may also arise depending on the nature of the conduct (Capital Markets Law, Arts. 99 and 101).

Finally, the regime established by the Communiqués is not confined to authorization and organizational requirements. It also introduces a continuous compliance framework that separates platform and custody functions, targets market integrity through a listing committee and listing criteria, and establishes record-keeping and traceability through private key management rules, hot–cold wallet segregation, reconciliation obligations, and MKK integration (III-35/B.2, Arts. 10–23 and 24–33). From this perspective, the regulatory design prioritizes the segregation and protection of investor assets and the migration of crypto asset market activity onto a transparent and auditable foundation.
