In the complex world of finance, compliance with regulatory standards is critical to maintaining an organization's integrity and public trust. This article delves into the intricacies of the compliance process and obligations as mandated by the Financial Crimes Investigation Board of Turkey (MASAK).

Established to combat money laundering and terrorism financing, MASAK has set forth rigorous guidelines to ensure transparency, accountability, and legality within financial operations in Turkey.

This exposition will help readers navigate these regulations, fostering a more profound understanding of the practical implications and necessary steps for compliance. With insights relevant to financial institutions, business owners, and legal practitioners, we aim to shed light on the often misunderstood labyrinth of financial regulation.

What is MASAK?

MASAK, the "Financial Crimes Investigation Board", is a financial intelligence unit established by Law No. 4208 on the Prevention of Laundering Proceeds of Crime. It commenced its operations on February 17, 1997, and is an institution that operates under the Ministry of Treasury and Finance.

What is The Purpose of MASAK?

The primary objective of MASAK is to maintain control over financial values derived from crime, particularly to take preventive measures against illegal activities such as money laundering, financing terrorism, and financing the proliferation of weapons of mass destruction.

The main regulations regarding the duties, authorities, and working principles of MASAK are established by the Convention on Laundering, Search, Seizure, and Confiscation of the Proceeds from Crime ("Convention"), which Turkey is a party to, and Law No. 5549 on Prevention of Laundering Proceeds of Crime ("Law").

In addition, there are various regulations containing provisions relating to the activities of MASAK. Under this legislation, the obligations imposed by the State on private organizations to prevent money laundering have been regulated.

What Are The Obligations of States Under The Convention on Laundering, Search, Seizure, and Confiscation of The Proceeds From Crime?

The Convention aims to establish a common penal policy among states to protect society against money laundering. In developing this penal policy, modern and effective methods have been carefully utilized, and one of the effective methods used in combating crime is depriving the criminal of the benefit obtained from the crime.

The Convention includes comprehensive and detailed provisions on combatting crimes involving crime proceeds. In this context, firstly, the principles and measures related to the confiscation (referred to as seizure in the Convention) by states of proceeds from crime (Convention Articles 1-6) have been regulated. These measures are:

  • States are obliged to take necessary measures to prevent transactions related to the disposal or transfer of the property subject to seizure in order to enable the identification and tracking of such property (Convention Article 3).
  • As part of the measures to be taken under Convention Article 3, it is envisaged that courts and other competent authorities will be given the authority to request or seize commercial records when necessary. It will not be possible to act contrary to these provisions on the grounds of the confidentiality of bank accounts. Moreover, special investigative techniques such as detecting communication, tracing wire transfers, accessing computer systems, and requesting private documents can be utilized to identify and track crime proceeds (Convention Article 4).
  • States must take legal measures to protect the rights of persons affected by the execution of these measures (Convention Article 5).

Article 6 of the Convention introduces some principles on which actions can be considered as money laundering crimes under the regulations to be made in the domestic legislation of states. Accordingly:

1- Parties will take the legal and other measures that may be necessary to make the following acts intentionally committed crimes under their domestic Law:

  • a. Conversion or transfer of property, knowing that such property proceeds from crime, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of the crime to evade the legal consequences of their actions,
  • b. Concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property proceeds from crime and is subject to the constitutional principles and basic concepts of the legal systems of each Party State,
  • c. Acquisition, possession, or use of property, knowing at the time of receipt that such property proceeds from crime,
  • d. Participation in, association or conspiracy to commit, attempts to commit, aiding, abetting, facilitating, and counseling the commission of any of the offenses established in accordance with this Article.

2- For the purpose of implementing or applying paragraph 1 of this Article:

  • a. Whether the predicate offense is subject to the jurisdiction of the Party-State will not be considered,
  • b. The offenses mentioned in paragraph 1 are not required to be applicable to persons who committed the predicate crime,
  • c. Information (knowledge), intent, or purpose required as an element of an offense under paragraph 1 of this Article can be inferred (deduced) from objective, material conditions.

3- Parties may take measures necessary to consider certain or all acts mentioned in paragraph 1 of this Article as crimes under their domestic Law if the accused:

  • a. Presumes that the property proceeds from crime,
  • b. Acts with the aim of making a profit,
  • c. Acts with the aim of facilitating the continuation of criminal activities.

What Are The Measures Taken and Obligations of Private Institutions in accordance With Law No. 5549 on Prevention of Laundering Proceeds of Crime and The Regulation on Measures to Prevent Laundering Proceeds of Crime and Financing of Terrorism?

Within the framework of the Law, the institutions and organizations obligated to prevent the laundering of assets derived from crime are listed as follows:

"Those operating in the fields of banking, insurance, individual pension, capital markets, lending money, and other financial services, as well as postal and transportation services, games of chance and betting; those engaged in foreign currency, real estate, precious stone and metal, jewelry, transportation vehicle, heavy machinery, historical artifact, artwork, and antique trade or intermediating in these activities; notaries, sports clubs, lawyers/attorneys (subject to not contradicting other laws regarding the right to defense and excluding information acquired through professional work within the scope of alternative dispute resolution methods as specified in the first paragraph of Article 35 of the Law No. 1136 on Advocacy, dated 19/3/1969), dealing with the realization of financial transactions related to real estate purchase and sale, establishment, merger, management, transfer, and liquidation of companies, foundations, and associations, management of bank, securities, and all kinds of accounts and the assets in these accounts, and those operating in other areas determined by the President."

The Law then sets out the obligations with which the obligors must comply. These obligations are as follows:

Customer Recognition

According to Article 3 of the Law, obligors are obliged to identify those who perform transactions or on whose behalf transactions are performed before the transactions are made or intermediated by them and to take necessary other measures.

These mentioned measures are explained in detail between Articles 5-26/A in the third chapter titled "Principles on Customer Recognition" of the Measures Regulation.

Under the measures for customer recognition; measures against technological risks, relations with risky countries, and tightened measures should be fulfilled by both financial and certain non-financial jobs and professions ("FOBIM"); while measures for third-party trust relationships, correspondent relationships, and electronic transfers should only be fulfilled by financial institutions.

Simplified measures that are not included in these, refusal of the transaction and termination of the business relationship, and identity determination measures like customer recognition measures should be fulfilled by all obligors.

An administrative fine of 30.000,00 TL will be imposed on obligors who do not fulfill their obligations related to customer recognition.

Suspicious Transaction Report

According to Article 4 of the Law, obligors are responsible for reporting to the MASAK Presidency if there is a suspicion, in the relevant transactions, that the asset involved in the transaction was obtained illegally or used for illegal purposes.

In Article 4 of the Measures Regulation, "Suspicious transaction" is defined as follows:

"Suspicious transaction is a situation where there is any information, suspicion, or circumstance that may necessitate suspicion that the asset involved in the transaction made or attempted to be made at the obligors or through them was obtained illegally or used for illegal purposes, used for terrorist acts, by terrorist organizations, terrorists or those who finance terrorism or is related or connected to them."

The criteria for what suspicious transactions could be are indicated in the Guides prepared by MASAK. Some examples of suspicious transactions given according to the Guide to Combating Financing of Terrorism For Certain Non-Financial Businesses and Professions (FOBIM) are as follows;

  • Negative news about the customer in the media that they are affiliated/connected to a terrorist organization,
  • Unusually short-term rentals being desired,
  • Signs that transactions are made with funds coming from risky countries, regardless of whether the customer resides in the related country or region,
  • Foreign persons whose visa period in Turkey has ended wanting to do business.

What Are The Procedure and Principles Regarding Suspicious Transaction Reporting?

How the Suspicious Transaction Report ("STR") will be made, what deadlines will be adhered to, etc., are detailed in the fourth section of the Measures Regulation; according to the second paragraph of Article 27 of the Measures Regulation, the suspicious transaction report will be made by the real person obligor themselves, the legal representatives of the legal person obligor, the managers of those without legal personality or those authorized by them, and by the compliance officers in obligors where a compliance officer is appointed.

In provision 28/2 of the Measures Regulation, it is stated that;

"Suspicious transactions are reported to the Presidency within at most ten working days from the date when the suspicion about the transaction occurred."

Submission via Paper Medium

The form that has been prepared will be signed with a wet signature by the person who prepared the form in accordance with the relevant legal provisions. The Suspicious Transaction Report (STR) form can be hand-delivered or sent to the Presidency by registered mail or fax. Notifications to be made to the Presidency via registered mail or fax are made to the postal address and fax number located on the official website of the Presidency.

The original of the STR form sent by fax is delivered to the Presidency either by registered mail or by hand. For suspicious transaction reports to be sent in paper format, the obligated party must take a copy and physically retain it. These suspicious transaction report forms and their attachments fall within the scope of the "Preservation and Presentation" obligation under Article 8 of the Law, and failure to retain them for a period of 8 years and/or not presenting them to the Presidency and/or the inspection officers assigned to the audit requires a criminal penalty within the scope of Article 14 of the Law.

Submission in Electronic Environment

The possibility of submitting a Suspicious Transaction Report (STR) electronically depends on the permission given by the Financial Crimes Investigation Board (MASAK).

Those obligors who want to report suspicious transactions in an electronic environment and are deemed appropriate by MASAK can report suspicious transactions in an electronic environment. Those obligors who are given the opportunity to prepare the STR form electronically must submit their suspicious transaction reports electronically via EMIS.ONLINE (https://online.masak.gov.tr) from the date of permission.

Those obligors cannot make reports in paper format after this date. Information on the use of the EMIS.ONLINE system is included in the "EMIS.ONLINE User Guide". If the notification cannot be made electronically due to technical reasons, the notification is made to MASAK by hand, mail, or fax using the form in the annex of the relevant guide, specifying the reason why it cannot be sent in the electronic environment.

The STR form sent this way is immediately sent electronically when the system is operational. In suspicious transaction reports to be sent in an electronic environment, the obligor must take an electronic image (pdf) of the form before sending it to MASAK and keep it in an electronic environment.

The said Suspicious Transaction Report Guide, Suspicious Transaction Report Forms, and annexes fall within the scope of the "Preservation and Presentation" obligation under Article 8 of the Law, and failing to keep them for eight years and failing to present them to MASAK and/or the audit officers appointed for audit is subject to a criminal penalty under Article 14 of the Law.

An administrative fine of 50.000,00 TL will be imposed on the obligor if the mentioned obligations are not fulfilled.

In case of violation of the confidentiality of the report to be made to the Ministry, those who violate the confidentiality are sentenced to imprisonment from one year to three years and a judicial fine of up to 5.000 days. Specific security measures are taken for legal entities.

Creation of Compliance Program

According to Article 5 of the Law, titled "Training, Internal Audit, Control and Risk Management Systems and Other Measures", the Ministry of Treasury and Finance has the authority to determine the obligors and the procedures and principles related to the application, including appointing a manager at the administrative level equipped with the necessary authority, to take necessary measures to establish training, internal audit, control, and risk management systems and to ensure compliance with the obligations brought by this Law, taking into account the sizes and volumes of the businesses.

These procedures and principles are regulated by the Regulation on The Compliance Program Regarding the Obligations For Preventing Laundering of Crime Revenues and Financing of Terrorism ("Compliance Regulation") published in the Official Gazette No. 26999 dated 16.09.2008. Explanations about the compliance process within the scope of the Compliance Regulation will be detailed separately.

According to Article 13/2 of the Law, a written warning is issued to an obligor who violates the obligation to create a compliance program, and a period of not less than thirty days is given.

If the deficiencies are not completed at the end of this period, an administrative fine of five hundred thousand Turkish lira (500.000,00) is applied.

With the notification of the administrative fine, a new period of not less than sixty days is given with a written warning.

If the deficiencies are not completed at the end of this period, an administrative fine of twice the first administrative fine is applied. If the deficiencies are not completed within thirty days from the notification of the second administrative fine, the situation is reported to the relevant institution to take measures to suspend, restrict the operations of the obligor for a certain period, or to cancel the operation permit.

If the board member responsible for the violation of the obligation is not present, the administrative fines mentioned above will be applied at a rate of 1/4 to the senior executive.

Continuous Information Provision

According to Law Article 6, the obliged parties, or intermediaries, are held responsible for informing the Ministry of Treasury and Finance if their transactions exceed a certain amount. The transaction amount that will trigger this reporting obligation will be determined by the Ministry.

The obligation of continuous information provision is regulated between Articles 32-34 in the Measures Regulation, while the procedures and principles for the supervision of the fulfillment of this obligation are regulated between Articles 36-40 in the same regulation.

Article 13 of the Law and the subsequent Articles regulate the sanctions to be applied if the obliged parties violate their obligations.

In case of violation of the continuous information provision obligation, the obliged party will be fined 30.000,00 TL as an administrative penalty.

Information and Document Provision

According to Article 7 of the Law and Article 31 of the Measures Regulation, those from whom the Presidency and inspection staff request information are obliged to provide all kinds of information, documents, and related records, as well as all information and passwords necessary to access these records or make them readable, fully and accurately, and to provide the necessary facilitation.

Those who are requested cannot avoid providing information and documents by invoking provisions written in special laws, with provisions related to the right to defend being reserved.

Those who violate the obligation to provide information will be sentenced to imprisonment for one to three years and a judicial fine up to 5.000 days.

Legal entities will be subject to security measures specific to them.

Preservation and Presentation

According to Article 8 of the Law, the obliged parties are required to keep all kinds of documents related to their obligations and transactions in any environment from the date of issuance; books and records from the last recording date, identity verification documents from the date of the last transaction, for eight years and present them to the authorities when requested.

Those who violate this obligation will be sentenced to imprisonment for one to three years and a judicial fine of up to 5.000 days.

Legal entities will also be subject to security measures specific to them.

Obligations Related to Electronic Notification

Within the framework of the Law, notifications can be made electronically, and responses can be requested electronically. Notifications made in this way are considered to have been delivered when they reach the other party. There is no need for these notifications to comply with the procedures related to electronic notification regulated in Article 7/A of Notification Law No. 7201.

Obliged parties failing to fulfill their obligations within this scope will be fined 40.000,00 TL by the Ministry. The amount of the administrative fine given to the obliged party within one year cannot exceed 1 million TL.

Compliance Process Within The Framework of The Compliance Regulation

The Regulation on the Compliance Program For Obligations Related to The Prevention of Laundering of Crime Revenues and Financing of Terrorism, published in the Official Gazette of the Republic of Turkey No. 26999 dated 16.09.2008, regulates the procedures and principles related to the establishment of a compliance program by the obliged parties and appointment of a compliance officer, for the implementation of the Law.

The basis of the regulation is Article 5 of the Law titled 'Education, Internal Audit, Control and Risk Management Systems and Other Measures'. The relevant provision is as follows:

(1) The Ministry; in accordance with the purpose of this Law, with a risk-based approach, the establishment of education, internal audit, control and risk management systems and the fulfillment of the obligations brought by this Law, including the appointment of an administrative-level officer equipped with the necessary authority to ensure compliance at the level of the obliged and financial group, has the authority to determine the obliged parties and the procedures and principles related to the implementation, taking into account the sizes and business volumes of the businesses.

(2) Affiliated institutions of the financial group can share information within the group regarding the recognition of the customer and the accounts and transactions to ensure the measures specified in the first paragraph are taken at the group level. Information sharing cannot be avoided by invoking provisions in special laws. The Ministry has the authority to determine the information subject to sharing and the principles related to the application.

The financial group mentioned in the Article text refers to the group consisting of financial institutions resident in Turkey, which are affiliated with or under the control of a parent organization located in Turkey or abroad, and their branches, agents, representatives, and similar affiliated units, according to Law Article 2.

The compliance program regulated in the content of the Regulation refers to the whole of the measures to be established for the prevention of laundering of crime revenues and financing of terrorism, the scope of which is determined in the 5th Article.

How to Create a Compliance Program?

Obliged Entities to Create a Compliance Program

The fourth Article of the Regulation lists the obliged entities responsible for creating a compliance program. Accordingly:

  • Banks (excluding the Central Bank of the Republic of Turkey and development and investment banks),
  • Capital market intermediary institutions,
  • Insurance and pension companies,
  • Post and Telegraph Corporation Joint Stock Company (limited to banking activities),
  • A Group of authorized institutions specified in the Foreign Exchange Legislation,
  • Finance, factoring, and financial leasing companies,
  • Portfolio management companies,
  • Precious metals intermediary institutions,
  • Electronic money institutions,
  • Payment institutions (excluding those exclusively providing intermediary services for invoice payments, exclusively initiating payment orders, and exclusively providing information related to payment accounts).

The compliance program consists of a set of measures to be developed based on a risk-based approach by the aforementioned obliged entities to achieve compliance with the regulations under the jurisdiction of MASAK. The measures included in the compliance program are as follows:

  • Establishment of institutional policies and procedures,
  • Conducting risk management activities,
  • Carrying out monitoring and control activities,
  • Appointment of a compliance officer and establishment of a compliance unit,
  • Execution of training activities,
  • Execution of internal audit activities.

Establishment of Institutional Policies and Procedures

The purpose of the institutional policy is to ensure compliance of the obliged party with the obligations related to the prevention of money laundering and financing of terrorism and to evaluate their customers, transactions, and services based on a risk-based approach, determining strategies, internal controls and measures, operational rules, and responsibilities to reduce the risks they may face (Regulation, Art. 7/2).

The institutional policy to be established by the obliged party will be developed in line with the compliance program, taking into account factors such as the business volume, nature of operations, and size of the business.

The responsibilities for implementing the procedures and rules set by the institutional policy within the organization, as well as the functioning of the internal control mechanism, should be clearly defined. It is particularly important to establish a meticulous audit mechanism, ensuring that the personnel performing the transactions to be audited are different from those conducting the audit.

These procedures should be written and established with the participation of all units within the obliged party, under the supervision and coordination of the compliance officer.

Conducting Risk Management Activities

Obliged parties establish a risk management policy within the institutional policy framework, considering the size of their operations, business volume, and the nature of their transactions. The risk management policy aims to identify, assess, monitor, evaluate, and mitigate the risks that the obliged party may be exposed to (Regulation, Art. 11).

The risk management activities, as outlined in Article 12 of the Regulation, include the classification of services, customers, and transactions according to their risk levels, reporting high-risk customers, transactions, or services to the authorized units based on the assessments made, taking necessary measures to mitigate these risks, and regularly reporting the results of risk monitoring to the management board.

Additional measures for high-risk groups are listed in Article 13 of the Regulation.

Conducting Monitoring and Control Activities

Monitoring and control activities refer to the continuous supervision of whether the activities of obliged parties within the scope of the Law and relevant legislation comply with institutional policies and procedures.

Some examples of these activities, as listed in the Regulation, include monitoring and controlling high-risk customers and transactions, monitoring and controlling transactions with risky countries, monitoring and controlling complex and unusual transactions, conducting sampling checks to ensure that transactions above a certain threshold determined by the risk policy are in line with the customer profile, monitoring and controlling linked transactions exceeding the threshold that requires identity verification when considered together, controlling the information and documents that need to be maintained electronically or in writing about customers, and controlling and updating the information required to be included in electronic transfer messages, monitoring whether transactions conducted by customers are in continuous compliance with their business, risk profile, and fund sources, controlling transactions carried out through systems enabling non-face-to-face transactions, and conducting risk-focused controls for services that may become susceptible to abuse due to the introduction of new products and technological developments.

Appointment of a Compliance Officer and Establishment of a Compliance Unit

Activities related to the implementation of the compliance program are carried out by the compliance officer, who is appointed within 30 days of obtaining the operating license.

The compliance officer is exclusively appointed as an institution's employee, reporting to the board of directors or one or more members to whom the board of directors has delegated authority. The compliance officer may also have other duties that do not impede the execution of the compliance program, excluding sales and marketing responsibilities (Regulation, Art. 16/2).

The compliance officer's qualifications are listed in Article 17 of the Regulation. Accordingly, the person to be appointed as a compliance officer must:

  • Be a citizen of the Republic of Turkey,
  • Not be deprived of public rights,
  • Hold at least a bachelor's degree from a four-year higher education institution,
  • Not be a qualified shareholder or member of the board of directors in the obliged party or its subsidiaries,
  • Not be the spouse or up to the second-degree relative (including this degree) by blood or marriage of the qualified shareholder, board members, or general manager of the obliged party,
  • Not have been sentenced to imprisonment for more than five years, excluding negligent crimes, regardless of whether they have been granted amnesty, under the repealed Turkish Penal Code No. 765 and other laws, or sentenced to imprisonment for more than three years under the Turkish Penal Code No. 5237 and other laws, or convicted of offenses that carry a prison sentence according to the repealed Banking Law No. 3182, the Banking Law No. 4389, the Banking Law No. 5411, the Capital Markets Law No. 2499, and the legislation on lending activities, except for embezzlement and misuse of public funds, or have not been convicted of crimes such as simple or qualified embezzlement, misappropriation, bribery, theft, fraud, forgery, abuse of trust, except for smuggling related to consumption and exploitation, crimes against the dignity of the State and its organs, crimes against the confidentiality of State secrets, crimes against the security of the State, crimes against the constitutional order and its functioning, crimes against national defense, crimes against State secrets and espionage, crimes against relations with foreign countries, tax evasion, money laundering, and financing terrorism,
  • Have at least five years of experience as a manager, expert, or auditor at one of the financial institutions listed in Article 4 of the Regulation (including the Central Bank of the Republic of Turkey and development and investment banks), or as an auditing staff listed in the first paragraph of Article 2 of the Law, or as a manager or expert at the Presidency.

Execution of Training Activities

Within the scope of the institutional policy, obliged parties establish an education policy that covers the functioning of training activities, identification of responsible parties, determination of personnel and trainers who will participate in training activities, their training, and education methods.

The purpose of the education policy is to ensure compliance with the obligations introduced by the Law, regulations, and communiqués, increase the awareness of the personnel regarding institutional policies, procedures, and risk-based approaches, and create an organizational culture while updating their knowledge (Regulation, Art. 21).

The training topics will generally cover basic concepts related to money laundering and terrorist financing, as well as the legislation established in this context, institutional policy and procedures, and the obligations stipulated by the Law.

Execution of Internal Audit Activities

Internal audit involves the annual examination and inspection of the effectiveness and adequacy of the compliance program of the obliged party.

The deficiencies, errors, and malpractices revealed through internal audits, as well as recommendations to prevent their recurrence, are reported to the board of directors (Regulation, Art. 27/1).

Regarding the internal audit activities conducted, statistics including information such as the annual transaction volume of the obliged party, the total number of employees, the total number of branches, agencies, and similar affiliated units, the number of audited branches, agencies, and similar units, dates of the audits conducted in these units, total audit duration, personnel involved in the audit, and the number of transactions audited, shall be reported to the Presidency by the compliance officer by the end of March of the following year.
