Eryürekli | Crypto Asset Service Providers’ Principles of Establishment and Operation

31 Mar 2026 Briefing Note
Capital Markets Cryptoassets

Crypto Asset Service Providers’ Principles of Establishment and Operation


The crypto asset sector, whose fundamental legal framework was established with the amendments made to the Capital Markets Law No. 6362 in 2024, is undergoing a significant transition period with various regulations enacted over the last two years. Through this article, we present our explanations regarding the prominent matters concerning the conditions that CASPs are obliged to fulfil during their establishment and operation stages, as well as their operating principles.

The conditions that crypto asset service providers (“CASPs”) must fulfil during the establishment, commencement of operations, and performance of activities stages, as well as matters regarding their legal obligations and application processes, were initially regulated by the Capital Markets Board’s (“Board”) Principle Decision No. i-SPK.35.B (dated 08/08/2024 and numbered 42/1259) (“Principle Decision”).

Following the completion of regulatory efforts subsequent to the Principle Decision, the aforementioned matters have been regulated more comprehensively under Communiqué on the Establishment and Operating Principles of Crypto Asset Service Providers No. III-35/B.1 (“Communiqué”), published in the Official Gazette dated 13 March 2025 and numbered 32840.

While the compliance and permit processes of CASPs with the Communiqué continue, the Crypto Asset Central Registry System was established by Merkezi Kayıt Kuruluşu A.Ş. (the Central Securities Depository) and the integrated system between platforms, custody institutions, and Merkezi Kayıt Kuruluşu A.Ş. was launched.

Finally, on 26 March 2026, in order to enable sector participants to complete their transition processes and to ensure the healthy implementation of the envisaged legal framework, the Board suspended the periods granted for (a) crypto asset platforms to sign agreements with at least one custody institution regarding the custody services they will receive and to submit such agreements, and (b) CASPs listed on the List of Operating CASPs to obtain operating licenses. The Board decided that these periods would be redetermined after the custody institutions to be authorized by the Board begin providing crypto asset custody services to platforms on a widespread basis.

Through this article, we present our explanations on the prominent matters regarding the conditions that CASPs are obliged to fulfil during their establishment and operation stages as well as their operating principles.

1. Conditions of Establishment

The conditions introduced by the Principle Decision and presented in our legal alert dated 12 August 2024 have generally been carried over into the Communiqué. As a difference, the Communiqué provides that the subject of operation of CASPs shall be exclusively the performance of the activities authorised by the Board, and that the phrase “crypto asset custody institution” shall be included in the trade names of the institutions that will provide custody services.

2. Conditions of Operation

Upon obtaining the establishment permit and completing the related procedures, CASPs shall meet the conditions listed in the Communiqué. In general terms, these conditions are compliance with capital rules, the establishment of service units and determination of policies by fulfilling the requirements regarding personnel, and the finalization of the required technical integration and infrastructure criteria.

There are additional conditions for platforms and custody institutions, and crypto asset custody services provided by banks shall be subject to expansion of operations approval by the Banking Regulatory and Supervisory Agency. A CASP’s right to be granted operation approval will expire if it has not applied for an operation permit within six months (which can be extended to one year) of the establishment approval.

3. Founders, Shareholders, Upper Management and Personnel

In addition to the conditions that are already in force, the condition that no administrative fines have been imposed against the founders and shareholders in the last five years due to market disruptive actions has been added.

Managers and personnel working in CASPs shall fulfil all the conditions required for founders and shareholders, except for the requirement of having the necessary financial strength; and unless otherwise specified in the legislation, shall hold at least four-year undergraduate degrees.

The board of directors of CASPs shall consist of at least three members, provided that the majority hold four-year undergraduate degrees. Professional experience is mandatory for general managers, deputy general managers or persons who hold equivalent duties, and the approval of the Board is required for their appointment.

Titles and missions of CASPs’ personnel have been defined. The principles of professional competence, professional care and diligence, honesty and confidentiality applied to the personnel of intermediary institutions will also be applied to the personnel of CASPs.

4. Operating Principles

CASPs are required to comply with the general principles and principles applicable to investment institutions and to be a member of the Capital Markets Association of Türkiye. In addition, CASPs are obliged to comply with the principles set out in the Communiqué on Principles and Procedures Regarding Information Systems Management No. VII-128.10 to prevent their critical activities from becoming inoperable.

4.1. Legal Relationship with the Customer

In the framework agreements to be signed with their customers, CASPs are obliged to present the general risks related to crypto assets to their customers and to ensure that the risk notification form is read and understood by the customers. In addition to this general risk disclosure, platforms are obliged to ensure that information on commissions, fees and taxes, on market makers and liquidity providers, on the custodian, and on being a counterparty to customer transactions is read and understood by customers.

4.2. Public Disclosure and Other Publications

CASPs are obliged to publish the services for which they are authorised and, as a minimum, their trade registry information, current shareholding and management structure, telephone number, corporate address, e-mail address and annual reports on the Public Disclosure Platform and their websites. Other minimum content to be published by platforms and custody institutions is also determined by the Communiqué.

CASPs shall be objective in all kinds of advertisements, announcements, publications and promotions; they shall not make advertisements, announcements, publications, promotions or other written and verbal statements that are based on false, inaccurate, or misleading information and that exploit the lack of experience or knowledge of customers.

4.3. Share Transfers

Share acquisitions that cause capital or voting rights of the CASPs to exceed or fall below certain thresholds and transfers of privileged shares or shares carrying usufruct rights are subject to the permission of the Board. Share transfers of the legal entity shareholders of the CASPs are also in the scope of the regulation and can be subject to approval or notice requirements. The rule above shall not apply to changes subject to the authorisation of the Banking Regulation and Supervisory Agency in the shareholding structure of banks that will provide custody services, but these shall be notified to the Board.

4.4. Registration and Announcement

CASPs are obliged to register their business names and trademarks, and to announce these together with all kinds of activity permits, temporary suspensions of activities and cancellations of activity permits. In addition, CASPs are obliged to notify Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş. (the Capital Markets Licensing Registry and Training Agency) on certain issues and to notify the Board of lawsuits and proceedings under certain conditions.

5. Outsourcing

CASPs will be able to outsource services of an auxiliary nature in order to fulfil the obligations arising from the capital market legislation, provided that the required workflow procedures and control mechanisms are established within the scope of an agreement concluded following an assessment report.

The following activities cannot be subject to outsourcing:

  • Activities that should be performed exclusively by the board of directors of the CASPs.
  • Activities for the provision and marketing of services and operations that require authorisation from the Board.
  • Accounting of the transactions of the CASP and preparation of financial statements.
  • Activities within the scope of internal audit, internal control and risk management system.

6. Recordkeeping System

In the accounting of crypto assets, the Board’s regulations on the chart of accounts of intermediary institutions shall be applied by analogy, and transaction result form and account statement shall be issued by the platforms, considering the type of activity performed. The minimum contents of the records related to orders and account statements are determined by the Communiqué.

All records regarding the transactions implemented by CASPs or outsourced services are kept in a secure, accessible, traceable manner and in a manner to ensure their integrity, accuracy and confidentiality. Platforms are obliged to keep all kinds of documents received and produced within the scope of their activities for ten years.

7. Risk Management Activities, Internal Control and Internal Audit

CASPs are obliged to develop a risk measurement mechanism to identify and update the main risks to which they may be exposed due to the services they provide and to consistently assess, detect, measure and control the risks to which they are exposed, and to conduct a price surveillance system.

Internal control, as an integral part of the daily activities of CASPs, is carried out for the purposes of conducting the business in accordance with the legislation, technological infrastructure, and healthy functioning of accounts and records, and operates under the responsibility of a member of the board of directors to whom no executive unit reports.

The effectiveness, adequacy and compliance of internal control and risk management processes, including processes and controls related to information systems, shall be audited by internal auditors at least once a year, independently from the day-to-day activities of CASPs, and reported to the board of directors.

In addition, CASPs are obliged to establish workflow procedures on certain issues and to establish a recovery plan against the risk of crypto asset loss.

8. Other Matters

CASPs are obliged to have their information systems and internal control systems audited at least once a year, and a proof of reserve audit shall be conducted quarterly; you may find our explanations on this matter in our legal alert dated 21 May 2025.

Businesses and transactions that cannot be carried out by CASPs (e.g. collecting deposits or participation funds, buying and selling real estate for commercial purposes, donations exceeding five per thousand of their shareholders’ equity in a year, etc.) are explicitly listed by the Board.

Practices similar to those of intermediary institutions have been regulated regarding the voluntary temporary suspension of the activities of CASPs and the complete waiver of their operating licences.

In addition, when the Board detects violations of the legislation and rules in the services and activities of CASPs, it is authorised to grant a period of time for the elimination of these violations, to temporarily suspend the activities, to cancel the authorisations and activity permits, to revoke the signature powers of the managers, to dismiss the members of the board of directors and appoint new ones when required, or to take any other measures it may foresee.

***

A. Baran Çakır, Partner

Mustafa Adıgüzel, Associate
