1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern virtual currencies in your jurisdiction?
‘Crypto-assets' are defined for the first time in the Regulation on the Disuse of Crypto Assets in Payments (‘Crypto Payment Regulation') published by the Central Bank of the Republic of Turkey (CBRT) on 16 April 2021. The Crypto Payment Regulation defines ‘crypto-assets' as "intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed via digital networks, but are not classed as fiat money, deposit money, electronic money, payment instrument, securities, or other capital market instruments".
The CBRT made the following announcement on its website about the reasoning behind the Crypto Payment Regulation:
Crypto assets entail significant risks to the relevant parties due to the following reasons:
- they are neither subject to any regulation and supervision mechanisms nor a central regulatory authority,
- their market values can be excessively volatile,
- they may be used in illegal actions due to their anonymous structures,
- wallets can be stolen or used unlawfully without the authorization of their holders, and
- transactions are irrevocable.
Recently, some initiatives have emerged regarding the use of these assets in payments. It is considered that their use in payments may cause non-recoverable losses for the parties to the transactions due to the above-listed factors and they include elements that may undermine the confidence in methods and instruments used currently in payments.
It is uncertain whether this definition will be adopted as the general definition of ‘crypto assets' under Turkish law, or whether this will only apply to the Crypto Payment Regulation. However, this definition excludes fiat money, electronic money, payment instruments, securities and capital markets instruments.
Other applicable laws include the following:
- Crowdfunding: Crowdfunding Communiqué III – 35/A.2.
- Commodities: Commodities are not excluded from the definition of ‘crypto assets', which means that crypto assets will likely be considered as commodities in the future. No specific regulation directly addresses commodities, as there is no definition of a ‘commodity' under Turkish law. However, different regulations cover certain aspects of commodities. The taxation of commodities is regulated under:
- the Income Tax Law (193);
- the Value Added Tax Law (3065); and
- the Corporate Tax Law (5520).
- Transactions involving commodities executed by banks are regulated under the Banking Law (5411). Documents representing commodities are regulated under the Civil Code (4721).
- Know-your-customer requirements:
- The Regulation on the Amendment of the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism; and
- The Law on the Prevention of Laundering Proceeds of Crime (5549).
- Other related laws: The Law on the Central Bank of the Republic of Turkey (1211).
1.2 In broad terms, which legislative and regulatory provisions govern entities that provide services relating to virtual currencies? Must they be registered or licensed by a regulatory authority?
On 1 May 2021, the Financial Crimes Investigation Board of Turkey (FCIB) amended the Regulation on Measures to Prevent Money Laundering and Financing of Terrorism (‘AML Regulation').
As a result of the amendment, cryptocurrency service providers became responsible for compliance with the AML Regulation. In this regard, they must follow KYC procedures and verify the identities of their users before any transaction is executed; and they are now subject to the supervision of the FCIB with respect to their obligations under the AML Regulation. Other obliged parties which must comply with the AML Regulation include banks, financial leasing, factoring companies, brokerage firms and portfolio management companies.
According to the FCIB's Guide to Crypto Asset Service Providers, published on 5 May 2021, ‘crypto asset service providers' are institutions that mediate the trading of crypto assets. Therefore, the term ‘crypto asset service providers' refers to crypto exchange platforms.
Generally, the FCIB is authorised to establish and develop methods and policies for anti-money laundering and counter-terrorist financing (AML/CFT) by:
- collecting and analysing data;
- conducting research and investigations; and
- sharing information and results with the relevant authorities.
The FCIB is also a member of the Financial Action Task Force and accordingly is expected to follow its regulations and principles
Currently, crypto asset service providers need not be registered or licensed by a regulatory authority. However, it is likely that licensing and registration requirements will be imposed on crypto asset exchanges under the unofficially leaked Crypto Assets Legislative Draft, which aims to regulate crypto assets and markets.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The Ministry of Treasury and Finance, the FCIB and the CBRT are responsible for enforcing the applicable laws and regulations.
The FCIB may initiate a complaint or ex officio investigation with regard to crypto exchange platforms to monitor their compliance with AML/CFT requirements. In this context, the Suspicious Transaction Reporting Guide (Crypto Asset Service Providers) published by the FCIB on 18 April 2022 obliges crypto asset service providers to report suspicious transactions to the FCIB by following the procedures and principles set forth in this guide. The FCIB may impose monetary sanctions on crypto asset service providers if they fail to comply with such requirements.
The CBRT may also impose fines if crypto assets are used in payments or if crypto exchange platforms work with payment institutions or e-money institutions.
The ministry, the Banking Regulation and Supervision Agency (BRSA) and the Capital Markets Board (CMB) also have jurisdiction over important aspects of crypto assets, as some crypto assets constitute investment agreements and securities. The CMB has made significant public announcements and evaluations on this matter, and has vowed to investigate those who try to circumvent the capital markets regulations under the pretext of coin offerings.
The CMB has also participated in evaluating the Draft Bill on Crypto Assets:
- On 1 March 2021, the Ministry of Treasury and Finance announced that it is closely following the news and developments in the cryptocurrency sector and its status in Turkey; and is cooperating with the relevant authorities (eg, the CBRT, the BRSA, the CMB) to regulate virtual currencies and trading transactions.
- On 27 December 2021 the vice president of the committee working on the draft bill announced that the draft bill will be shared with the Ministry of Treasury and Finance, the BRSA and the CMB. Having obtained their opinions, the draft bill will finally be introduced to Parliament.
1.4 What is the regulators' general approach to virtual currencies?
In light of earlier developments, the Turkish regulatory authorities seemed to have a positive attitude towards virtual currencies, as crypto assets and blockchain projects are mentioned in several governmental programmes. However, the sudden ban on the use of crypto assets in payments by the CBRT has raised questions about the general approach of the Turkish regulatory authorities to virtual currencies.
The Crypto Payment Regulation bans the use of crypto assets in payments. In other words, no service or product can be provided in exchange for crypto assets.
In addition, payment institutions, e-money institutions and banks are not allowed to develop business models that directly or indirectly use crypto assets in the provision of payment services or the issuance of e-money; and they cannot provide any services related to such business models.
Payment and e-money institutions cannot intermediate fund transfers to and from platforms that provide services involving the trading, custody, transfer or issuance of crypto assets. For example, in light of this ban, Turkish cryptocurrency exchange platform Paribu can no longer work with e-money institution Papara. In other words, Paribu users can no longer transfer funds to Paribu's platform via their Papara accounts.
Some players have filed motions to invalidate the restrictive provisions of the Crypto Payment Regulation, claiming that they contradict the basic principle of freedom of contract guaranteed by the Law of Obligations.
On 1 May 2021, crypto asset service providers became subject to the AML/CFT requirements of the AML Regulation. ‘Crypto service providers' are any entities that mediate in or facilitate the trading of crypto assets; and that will be monitored by the FCIB in terms of their AML/CFT obligations.
The committee working on the Draft Bill on Crypto Assets has reportedly met with three crypto asset exchange platforms operating in Turkey to discuss the bill. On 21 March 2022, the ruling party (AKP) held an internal conference during the Forum Metaverse to discuss the opportunities and risks that the 3D network will present and what can be done in this area.
On 18 April 2022, the FCIB released its Suspicious Transaction Reporting Guide (Crypto Asset Service Providers), which sets forth the procedures and principles that crypto asset service providers must follow when submitting suspicious transaction reporting forms to the FCIB, and includes a comprehensive set of examples of suspicious transactions.
Based on the information obtained from these meetings and unofficial remarks made by attendees, the approach of the regulatory authorities towards crypto assets still seems to be cautiously positive.
1.5 Has there been any notable enforcement action relating to virtual currencies?
On 25 December 2021, the FCIB imposed an administrative fine of approximately €500,000 on Binance within the scope of an ex officio audit, due to its failure to fulfil its AML/CFT requirements.
On 17 February 2022, the FCIB also imposed total administrative fines of approximately €1.125 million on well-known cryptocurrency exchanges Bitci, Icrypex, Paribu and BTC Turk. The penalties were imposed due to the failure of these crypto asset service providers to comply with their obligations under the AML Regulation.
2.1 How are ‘virtual currencies' defined in your jurisdiction? Have there been any judicial decisions which have helped to define virtual currencies or their interplay with the existing body of laws (eg, contracts law, property law)?
The term ‘crypto asset' has been defined for the first time in Turkish law by the Crypto Payment Regulation. The regulation defines ‘crypto assets' as intangible assets that are created virtually using distributed ledger technology (DLT) or a similar technology and distributed via digital networks, but which are not classed as fiat money, deposit money, e-money, payment instrument, securities or other capital markets instruments.
The Crypto Payment Regulation makes no distinction between virtual currencies, digital currencies and cryptocurrencies/crypto assets. However, the Capital Markets Board's (CMB) Research Report on Cryptocurrencies and Bitcoin, issued in December 2016, includes the following definitions:
- ‘Digital currencies' are currencies that can be stored and transferred electronically. Digital currency in a bank account is a representation of fiat money.
- ‘Virtual currencies' are digital currencies. However, virtual currencies are not representations of a physical asset. In this regard, digital currencies other than virtual currencies represent fiat money.
- ‘Cryptocurrencies' are digital values that enable cryptographically secure transactions and initial coin offerings (ICOs). Cryptocurrencies are alternative currencies; they may be classified as both digital currencies and virtual currencies.
Nevertheless, any virtual asset which uses DLT or a similar technology and is distributed via digital networks that is not classified as specified will likely be considered as a crypto asset, regardless of whether it is a virtual currency or digital currency.
2.2 How are ‘initial coin offerings' and ‘security token offerings' defined in your jurisdiction?
The terms ‘initial coin offerings' and ‘security token offerings' are defined under Turkish law. However, in a bulletin dated 27 September 2018, the CMB defined ‘initial coin offerings' as "applications related to collection money by using blockchain technology also known as ‘Virtual Currency Sales' or ‘Token Sales'".
Since its amendment on 28 November 2017, the Capital Markets Law has included the following definition of ‘crowdfunding': "fundraising through funding platforms to provide a project or entrepreneurs with the required funding within the principles set forth by the Board, without being subject to provisions related to investor compensating of the Law."
The law recognises two types of crowdfunding – equity-based crowdfunding and debt-based crowdfunding – based on Crowdfunding Communiqué III – 35/A.2
However, we believe that this communiqué does not directly apply to ICOs; and if an ICO ultimately targets a shareholding in the underlying company or asset, it will be classified as a security under the capital markets legislation.
Although the CMB is yet to issue its much-anticipated regulation on debt-based crowdfunding, depending on the type of debt created by the private contract, we believe that an ICO may potentially fall within the scope of debt-based crowdfunding in case of ‘liability' to offer services and use of the underlying asset, such as an application, utility or service.
2.3 Are stablecoins treated as virtual currencies in your jurisdiction or do they fall under an existing category (eg, electronic money)?
‘Stablecoins' are digital assets designed as equivalent to the value of fiat currencies, such as the US dollar, the euro or the Turkish lira. Since the Crypto Payment Regulation broadly defines ‘crypto assets' as "intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed via digital networks", stablecoins will likely to be considered as crypto assets under Turkish law. However, the regulatory authorities may also classify stablecoins as e-money.
The Payment Law defines ‘e-money' as a monetary value which is:
- issued on the receipt of funds by an e-money issuer;
- stored electronically;
- used to carry out payment transactions, as defined in the Payment Law; and
- accepted as a payment instrument not only by the e-money issuer, but also by natural and legal persons.
Stablecoins may fulfil the abovementioned conditions, especially if users can also use them as a medium of payment. Currently, the Banking Regulation and Supervision Agency excludes Bitcoin and similar cryptocurrencies from the scope of the Payment Law. However, the structure and functions of most stablecoins are not very similar to those of Bitcoin. Nevertheless, it may be speculated that the current approach of the BRSA excludes stablecoins from e-money. Further official statements or regulations are expected from the regulatory authorities on this issue.
3 Virtual currencies market
3.1 Which virtual currencies have become most embedded in your jurisdiction? Does this vary depending on the specific use?
According to the Crypto Currency Research Report published by the Information and Communication Technologies Authority in May 2020, more than 2.4 million people own cryptocurrencies in Turkey. The five most embedded cryptocurrencies are Bitcoin, Ripple, Digibyte, Bitcoin Cash and Stellar. In addition to these cryptocurrencies, Ether, Chainlink, IOTA and Liteceoin are preferred by users in Turkey.
3.2 What different products and services are offered?
There are many trading platforms in Turkey through which users can easily buy and sell virtual currencies.
Turkey's first blockchain-based stablecoin, BiLira, was established in April 2019. BiLira is a stable cryptocurrency that is backed by the Turkish lira. This means that it is always possible to buy and redeem one BiLira for one Turkish lira.
There are also cryptocurrency ATMs across Istanbul.
Finally, two of Turkey's four major football clubs have successfully issued fan tokens using the Socios-Chiliz infrastructure and services, gaining significant revenues and marketing success in the process.
In recent days, non-fungible tokens (NFTs) have become more popular in Turkey. Many celebrities and artists have begun to display and sell their artworks via NFT marketplaces. Moreover, many Turkish NFT marketplaces have been established and have commenced operations. By organising NFT exhibitions, collaborating with artists and arranging conferences about NFTs, the NFT community continues to expand.
3.3 How are virtual currency service providers generally structured? How are they generally financed?
Most virtual currency providers and virtual currency exchange platforms are incorporated as joint stock companies. For example, digital asset trading platforms such as Paribu, BtcTurk, Bitexen and Digilira, and virtual currency issuers such as BiLira –Turkey's first stablecoin issuer – were established as joint stock companies.
Virtual currency exchange platforms are generally financed by the commission they earn from the virtual money transactions they mediate. BiLira, on the other hand, is financed from income obtained from the BiLiras purchased by users through applications such as interest.
3.4 Are virtual currency trading platforms subject to a specific regulatory regime in your jurisdiction? Must they be registered or licensed by a regulatory authority? Does this vary depending on whether the platform accepts legal currency or whether the platform is custodial? Are virtual currency trading platforms subject to any form of ‘market abuse' regulation?
Virtual currency trading platforms (ie, ‘crypto asset service providers' in Turkish legal terminology) are subject to various anti-money laundering/counter-terrorist financing (AML/CFT) obligations.
There are more than 40 cryptocurrency trading platforms in Turkey.
These platforms need not yet be registered with or licensed by the regulatory authorities, because virtual currency trading platforms cannot be considered as:
- ‘brokerage houses' or ‘issuers' according to the capital markets legislation;
- ‘banks or financial institutions' according to the banking legislation; or
- ‘e-money issuers' under the Payment Law.
However, according to the unofficially leaked Crypto Assets Legislative Draft, entities that provide services relating to virtual currencies must obtain permission from the Capital Markets Board (CMB) to conduct their activities in Turkey. Otherwise, the CMB may block access to their websites; and the representatives of the crypto exchanges may be subject to imprisonment and judicial fines. Nonetheless, it is important to note that this is not an official draft and it may be amended before its enactment.
Also, as a generic condition for banks and other financial institutions in Turkey, we expect that shareholders, board members and authorised representatives of crypto asset exchange platforms will be required to have a certain minimum capital, financial good standing, and the integrity and reputation that the business demands. Moreover, the shareholders and board members of crypto asset services providers should never have been declared insolvent, bankrupt or concordat; and should never have committed certain crimes, including AML/CFT offences. Moreover, we expect that the CMB will have the authority to decide on the crypto assets that are listed on crypto exchanges and to delist specific crypto assets from the crypto exchange.
The regulatory authorities as yet have issued no form of market abuse regulation for virtual currency trading platforms.
4 Crossover with banking
4.1 How are virtual currencies positioned within the broader banking landscape in your jurisdiction?
As yet, banks in Turkey cannot execute cryptocurrency exchange transactions, as the Banking Regulation and Supervision Agency has not authorised them to conduct such transactions. However, some Turkish banks are already collaborating with certain virtual currency exchange platforms in Turkey. For example, some banks do not collect bank wire fees for transfers made through certain virtual currency exchange platforms. Some also provide support to integrate applications within their accounts to facilitate fiat-to-crypto and/or crypto-to-crypto transactions.
4.2 What impact could mainstream adoption of virtual currencies have on the ability to control inflation in your jurisdiction?
Although Turkey has some of the highest numbers of cryptocurrency users in the world, considering the overall volume of virtual currency usage, it is not possible to say at this point whether this will have a significant impact on current monetary policy or inflation in Turkey. Inflation in Turkey and the fast-depreciating value of the Turkish lira vis-à-vis major currencies such as the US dollar and the euro are much deeper structural issues which must be addressed.
Currently, in Turkey – as elsewhere in the world – virtual currencies are considered to be more volatile, less user friendly and more incomprehensible in terms of value movements. If virtual currencies become more reliable and widespread in Turkey, it may be expected that people will include them in their investment portfolios to make a profit or simply to protect the value of their money. Moreover, stablecoins such as Tether may be acquired in a flight from the fast-depreciating Turkish lira, as virtual currency trading platforms facilitate the purchase and sale of virtual currencies.
4.3 What other implications could the mainstream adoption of virtual currencies have for the banking system in your jurisdiction (eg, with respect to payment services)?
Although it is now easier to do so than ever before, opening a bank account still requires the fulfilment of certain procedures. On the other hand, a virtual currency wallet can be created online using any device and can be used anytime, anywhere.
Payment and securities settlement systems, payment services and e-money companies are regulated by the Payment Law. However, once an asset is considered e-money, it can no longer qualify as a crypto asset.
The widespread use of virtual currencies will undoubtedly reduce society's dependence on cash.
4.4 Regarding decentralised finance, do the banking regulations in your jurisdiction apply to loans of virtual currencies or interest-bearing deposits of virtual currencies? Does this vary depending on whether stablecoins are loaned or deposited?
Banks have a statutory monopoly over financial services such as extending loans and accepting deposits that attract accrued interest. No entities other than those which hold a banking licence may engage in such activities. The banking regulations do not yet apply to loans of virtual currencies or interest-bearing deposits of virtual currencies. This also applies to stablecoins.
5.1 Is blockchain technology in itself regulated in your jurisdiction and what specific legal issues are associated with its use?
In Turkey, there are no laws, legal regulations or official/administrative authority decisions on blockchain technology. However, the authorities have adopted a positive attitude towards the use of this technology. For example, the 11th Development Plan issued by the Presidency of Strategy and Budget of the Republic of Turkey for 2019–2023, published on 9 July 2019, mentions several strategies focused on the use of blockchain technology. Also, on 18 September 2019 the Ministry of Industry and Technology announced its 2023 Industry and Technology Strategy. In this document, the following strategies are mentioned:
- The development of national blockchain infrastructure will be promoted, to create a network based on this emerging technology;
- In order to improve applications of blockchain technology, the first public-based applications that can be carried out using blockchain infrastructure (eg, land registration, diplomas and customs applications) will be identified and applications will be designed on open source platforms;
- An environment will be created to pilot blockchain infrastructure developed, to test out new, secure business models and processes (eg, supply chain, banking and litigation applications); and
- A ‘regulatory sandbox' will be created with the regulatory authorities to carry out compliance tests of blockchain applications and support investment by facilitating the certification of enterprises that successfully complete the tests.
A blockchain research laboratory, BCLabs, has also been established under the Department of Mathematical and Computational Sciences of the Scientific and Technological Research Council of Turkey Informatics and Information Security Research Centre, to conduct research and development on:
- the infrastructure, installation and security of blockchain technology;
- privacy analysis;
- business models;
- crowdfunding approaches (eg, ICOs); and
- various technical details.
5.2 What other implications could the mainstream adoption of virtual currencies have from a technological perspective?
The advantages of virtual currencies, which facilitate high-speed transactions at low cost, make this technology suitable for use in many different areas. An article entitled "Virtual Currencies" published by the Central Bank of the Republic of Turkey in September 2017 listed several alternative uses of virtual currencies, which are primarily used in financial market infrastructure, non-financial sectors such as health services, title deeds and patent transactions. However, this article also set out some concerns regarding the use of blockchain-based virtual currencies, which may cause problems in terms of delay, efficiency, scalability, data privacy and security.
6 Data security and cybersecurity
6.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for virtual currencies?
As the most valuable virtual currencies run on decentralised and immutable blockchain technology, they have an inherent conflict with the requirements of data protection regulations.
The Law on the Protection of Personal Data (6698) was published in the Official Gazette on 7 April 2016 and entered into force thereafter.
The Turkish Data Protection Authority (DPA) has been established as an independent regulatory authority with organisational and financial autonomy in order to fulfil regulatory and supervisory duties under the Law on the Protection of Personal Data.
The Law on the Protection of Personal Data was prepared based on the EU Data Protection Directive (95/46/EC) and defines ‘personal data' as any information relating to an identified or identifiable natural person.
Based on the term ‘identifiable', any data which singles out one individual from others and can be associated with that individual will be considered as personal data. Therefore, information such as private keys, public keys and wallet numbers will be considered personal, as such information can be used to identify an individual.
Like the General Data Protection Regulation (GDPR), the Law on the Protection of Personal Data contains definitions of ‘data subject', ‘data controller' and ‘data processor'. The law does not define ‘joint controller' or ‘sub-processor'; however, it is anticipated that the DPA will adopt the definitions from the EU General Data Protection Regulation (GDPR) in future decisions, as it has issued some of its previous decisions in parallel with the GDPR.
The DPA has published no specific guidelines on the processing of personal data on blockchain platforms or in virtual currency transactions. However, based on the current provisions of the Law on the Protection of Personal Data, it may be said that virtual currency providers and virtual currency trading platforms are likely to be regarded as data controllers in terms of the processing of users' personal data, as they collect users' personal data for their own purposes, such as:
- making virtual currency transactions;
- providing wallet services; and
- approving the identities of users.
Thus, they will be liable to comply with the obligations of data controllers under the Law on the Protection of Personal Data, such as:
- informing users of processing activities conducted by data controllers;
- responding to requests of data subjects;
- implementing the necessary technical and organisational measures for the protection of personal data; and
- preparing a data processing inventory.
One obligation of data controllers which differs from their obligations under the GDPR is the requirement to register with the Data Controllers' Registry (VERBIS). Data controllers were required to register with VERBIS by 30 September 2020 if they met one of the following criteria:
- The data controller employs more than 50 employees; or
- The annual balance sheet of the data controller is more than TRY 25 million.
If a data controller does not meet either of the above criteria, it need not register with VERBIS. The deadline for VERBIS registration can be postponed by the DPA, which indeed has already twice postponed the previous deadlines for VERBIS registration.
If a data controller commences operations and starts processing the personal data of data subjects in Turkey or meets one of the above criteria after the 30 September deadline, it must register with VERBIS within 30 days of such occurrence.
The DPA has published no guidelines on virtual currency trading platforms, blockchain platforms or similar. Given the complex structure and various types of blockchain platforms, a case-by-case assessment will be needed for the allocation of responsibilities of different actors.
6.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for virtual currencies?
Turkey has no specific legislation covering cybersecurity; instead, cybersecurity issues are dealt with in various provisions scattered throughout different laws and pieces of secondary legislation.
However, a dedicated cybersecurity law is expected, as the National Cyber Security Strategy and the 2013-2014 Action Plan committed to the enactment of specific legislation in this regard.
Turkey is a party to the European Convention on Cybercrime. This has been ratified by the Turkish Parliament, which has introduced it into local law.
Moreover, Turkey is a part of supranational efforts coordinated by institutions such as the United Nations, Interpol and Europol to cooperate on and combat cyber threats, including the UN Translational Organized Crime Convention and the UN Global Programme on Cybercrime.
Some of the most important provisions governing cybercrime in Turkey include the following:
- Articles 243, 244 and 245 of the Criminal Code, which criminalise activities such as:
- accessing IT systems without authorisation;
- obstructing or damaging IT systems;
- using illegal devices and software; and
- undermining the data processed on such IT systems;
- various provisions of the Law on Combating Crimes Committed on the Internet (5651);
- the Law on Electronic Communication (5809);
- the Law on Organization of Law Enforcement Forces (3201);
- the Law on Intelligence Activities (2937);
- the Law on Protection of Personal Data (6698);
- the General Letter on Cyber Security Activities (2018/478);
- the Communiqué on Establishment and Duties of Cyber Security Response Teams; and
- certain other regulations with the force of law, presidential decisions and so on.
In the meantime, Cabinet Decision 2012/3842 issued on 20 November 2012 regulates the execution, management and coordination of national cybersecurity actions. Through this decision, the Ministry of Transportation, Maritime Affairs and Communications became the competent authority to regulate policies, strategies and actions regarding cybersecurity. The ministry supervises and conducts cybersecurity activities with the National Cyber Security Board and National Cyber Incident Response Centre under the administration of the Information Technologies and Communication Authority.
Cybersecurity violations may lead to violations of the data protection laws, including the Law on the Protection of Personal Data, as this law requires data controllers to implement all necessary technical and organisational measures to provide a sufficient level of security to prevent the unlawful processing or accessing of data, and to ensure its retention.
7 Financial crime
7.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for virtual currencies?
The main regulations and guides on anti-money laundering and counter-terrorist financing (AML/CFT) are as follows:
- the Law on Prevention of Laundering Proceeds of Crime (5549) (‘AML Law');
- the Regulation on the Measures Regarding the Prevention of Laundering Proceeds of Crime and the Financing of Terrorism (‘AML Regulation'); and
- the Regulation on the Programme of Compliance with Obligations of Anti-money Laundering and Combating the Financing of Terrorism (‘AML Compliance Programme Regulation').
Certain organisations listed in the AML Law and the AML Regulation are charged with helping to prevent money laundering and the financing of terrorism. They include:
- payment institutions;
- e-money institutions;
- financing and factoring companies;
- asset management companies;
- financial leasing companies;
- brokerage firms;
- precious metals brokerage firms; and
- purchasers and sellers of precious metals, jewellery and stones.
The AML Law states that if there is any information, suspicion or reasonable grounds to suspect that assets which are the subject of transactions carried out or attempted to be carried out within or through such organisations have been acquired illegally or used for illegal purposes, these transactions must be reported to the Financial Crimes Investigation Board of Turkey (FCIB) by such organisations.
According to the AML/CTF Regulation, Turkish law will apply to crypto trading activities if:
- the trading platform is accessible in Turkey;
- the trading platform allows money transfers from Turkey and provides Turkish language support; and
- residents in Turkey can execute transactions on the exchange platform.
On 1 May 2021 the Financial Crimes Investigation Board of Turkey (FCIB) published the Guideline on Suspicious Transaction Reporting to determine which transactions are suspicious and must be reported to the FCIB.
In Version 1.03 of the guideline, which was previously in effect until 11 September 2019, "money transfers for buying Bitcoin from customer accounts to brokerage houses that sell Bitcoin" were described as suspicious transactions. Version 1.03 was replaced with Version 1.04 as of 11 September 2019. Version 1.04 prefers the term ‘cryptocurrency' to ‘Bitcoin', and no longer classifies cryptocurrency money transfers as suspicious transactions. Version 1.04 classifies the following transactions as suspicious:
- money transfers from customer accounts to domestic or international cryptocurrency exchanges or accounts of real or legal persons for the purpose of purchasing cryptocurrency at a frequency and in an amount that do not fit the customer's financial profile; and
- transfers to customer accounts as a result of the sale of cryptocurrency whose source is unknown or that do not fit the customer's financial profile.
As a result of the amendment made to Article 4 of the AML Regulation on 1 May 2021, crypto asset service providers are now included in the description of ‘obliged parties'.
In this regard, trading platforms are subject to certain requirements, as follows.
Identification of traders: Trading platforms must determine the identities of platform users before a transaction is executed. If a trading platform user executes certain transactions on the trading platform on behalf of a third party, the relevant service provider must also identify that third party.
The trading platform user or a third party must be identified if one of the following conditions is met:
- There is a continuous business relationship;
- The value of the transaction or of connected transactions is more than TRY 75,000;
- In the case of electronic transfers, the value of the transaction or of connected transactions is more than TRY 7,500;
- A suspicious transaction report is generated; or
- There are suspicions as to the adequacy or the accuracy of customer personal information that has previously been obtained.
To identify the traders, trading platforms must collect the following information and documents specified in the AML/CFT regulations:
- For natural persons:
- date of birth;
- place of birth;
- parents' names;
- TR identity number for Turkish citizens;
- type of identity document (eg, passport, driver's licence, official ID card) and number;
- sample signature;
- phone number (if available);
- fax number (if available);
- email address (if available); and
- The trading platform must verify the identity of the person by requesting the identity document(s) and/or passport.
- For legal entities registered with the trade registry:
- company name;
- company trade registry number;
- tax identity number;
- area of activity;
- phone number;
- fax number (if available);
- email address (if available); and
- name, surname, date of birth, place of birth, parents' names, TR identity number for Turkish citizens, type of identity document and number and sample signature of the company's authorised representative
Monitoring customer status and transactions: Trading platforms must:
- continuously monitor, within the scope of the permanent business relationship, whether the transactions performed by their customers are compatible with the customers' profession, business activities, business history, financial status, risk profile and funding sources; and
- keep information, documents and records about their customers up to date.
Retention and submission of documents: Trading platforms must:
- all documents, including suspicious transaction reporting forms, books and records regarding their obligations and transactions for eight years from the date of issuance; and
- all identification documents for eight years from the last transaction date; and
- present these to the competent authority if required.
Suspicious transaction reporting: If there is any information, suspicion or reasonable grounds to suspect an unlawful acquisition or unlawful purpose of use of the assets that are the subject of a transaction carried out by or through a trading platform, the trading platform must notify the transaction to the Financial Crimes Investigation Board of Turkey (FCIB) within 10 business days at the latest from the date on which the suspicion arose regarding the transaction, and immediately for urgent cases.
Along with the Suspicious Transaction Reporting Guide (Crypto Asset Service Providers) released on 18 April 2022, the FCIB has provided crypto-asset service providers with extensive examples of suspicious transactions, such as the following:
- carrying out a high volume of transactions at short intervals in a newly opened account;
- using the split method to circumvent transaction limits;
- immediate transferring recently purchased crypto assets to another exchange, especially one operating in another jurisdiction with insufficient AML/CFT regulations;
- withdrawing crypto assets shortly after they are deposited on an exchange;
- converting crypto-assets into multiple crypto-assets soon after they are deposited on an exchange without reasonable grounds, such as portfolio diversification;
- withdrawing crypto assets to a private wallet shortly after they are deposited on an exchange;
- performing similar transactions on the same IP address in a short timeframe;
- accessing multiple accounts from the same IP address;
- creating multiple accounts from the same IP address;
- transferring assets from multiple persons to a single wallet in a foreign exchange;
- transferring assets from one account to multiple wallets on foreign exchanges;
- transferring assets from different accounts in foreign exchanges to a single wallet;
- making a very high initial investment in a new account, which is inconsistent with the account holder's financial profile;
- investing a large amount of money and selling or withdrawing the entire amount that same day;
- sending crypto assets to wallets known to be used for illegal activities such as gambling or illegal betting, or sharing them for this purpose in forums;
- opening a new account at an IP that has previously been reported for suspicious transaction;
- transferring assets to a wallet owned by a person was previously the subject of a suspicious transaction report; and
- executing transactions for people who are well above the average age of platform users and who seem unfamiliar with the technologies relating to crypto-assets.
Trading platforms are under a confidentiality obligation, and thus may not disclose the contents of suspicious transaction reports to anyone, including the parties to the transaction, with the exception of auditors assigned to audit obligations and the courts during a trial.
Periodic reporting: Trading platforms must report transactions to which they are parties or intermediaries that exceed a threshold specified by the Ministry of Treasury and Finance to the FCIB.
Information and documents: When requested by the FCIB or examiners, trading platforms must provide:
- all kinds of information, documents and related records in all formats; and
- all information and passwords necessary to fully and accurately access and retrieve such information.
Trading platforms must retain all documents, books and records and identification documents in all formats for eight years from the date of issue, the last record date or the last transaction date; and must submit these on request. The starting date of the retention period for documents relating to customer identification is the closing date of the account.
E-notification: According to Article 9/A of the AML Law, the notifications required under the law may be submitted electronically and responses may be requested electronically, notwithstanding the procedures relating to electronic notification. Electronic notifications will be deemed complete when they reach the recipient's side. The FCIB is also authorised:
- to construct new technical infrastructure or use existing technical infrastructure to require the use of electronic addresses for notification purposes and the provision of electronic responses; and
- to determine the procedures and principles relating to electronic notifications and responses.
AML compliance programme: Trading platforms should implement an AML compliance programme by adopting a risk-based approach and by:
- establishing corporate policies and procedures;
- conducting risk management activities;
- conducting monitoring and controlling activities;
- appointing a compliance officer and forming a compliance unit;
- conducting training activities; and
- conducting internal control activities.
Trading platforms should draft corporate policies that take into account:
- the size of the organisation;
- the business volume; and
- the type of transaction.
Under Turkish law, corporate policies should include at minimum risk management, monitoring and controlling, training and internal control policies.
Other than these specific regulations, general regulations on the prevention of money laundering and terrorist financing will apply to virtual currency trading platforms, such as the following offences set out in the Turkish Criminal Code:
- Laundering assets acquired through an offence: Anyone who, without participating in the commission of an offence, purchases, accepts, keeps or uses laundered assets while aware of their value and nature will be subject to imprisonment for between two and five years. Where a legal entity is involved in the commission of this offence, it will be subject to security measures specific to legal entities (Articles 282/2 and 282/5).
- Failing report an offence: If a natural person does not report a crime to the relevant authorities, he or she may be sentenced to up to one year's imprisonment (Article 278).
- Purchasing or accepting property acquired through an offence: Anyone who purchases or accepts property which was acquired through the commission of an offence will be sentenced to imprisonment for between six months and three years and a judicial fine of up to 1,000 days (Article 165).
- Failure to provide information: Anyone who, having obtained property through a legal transaction, fails to notify without delay the relevant authorities responsible for upholding law and order upon becoming aware that such property has been acquired through the commission of an offence or as a result of an offence will be sentenced to imprisonment for up to six months or a judicial fine (Article 166).
8 Consumer protection
8.1 What consumer protection provisions apply to virtual currencies in your jurisdiction?
In Turkey, consumer protection is ensured through the Law on Consumer Protection (6502). The law contains no specific provisions on virtual currencies.
The Law on Consumer Protection defines a ‘consumer' as a real person or legal entity acting for non-commercial or non-professional purposes. A ‘consumer transaction' is defined as any kind of contract or legal procedure – including contracts for work, transport, brokerage, insurance, mandate, banking and similar goods or services – entered into between consumers and real persons or legal entities, including public legal entities, acting for commercial or professional purposes, or on behalf or on account of such, in the goods and services markets.
In light of the foregoing, virtual currency holders who obtain services from virtual currency trading platforms will likely be considered as consumers with respect to such services. Generally, the Law on Consumer Protection provides consumers with possible remedies in relation to the provision of services and the supply of goods; and restricts the enforcement of certain contractual clauses against consumers. These provisions might be relevant in the context of virtual currency sales and services.
However, in its 27 September 2018 bulletin, the Capital Markets Board warned consumers, in relation to initial coin offerings (ICOs), that:
- most ICOs are not regulated or supervised by any regulatory bodies due to their structure;
- token values may be subject to excessive fluctuations, as is the case with cryptocurrencies;
- the collected funds may not be used for the stated/communicated purposes by the ICO holders;
- sales documentation for the ICO may contain incomplete or misleading information; and
- the investment project may fail or the investment funds may be lost completely, as funded projects are usually at a premature stage.
8.2 What other implications could the mainstream adoption of virtual currencies have from a consumer perspective?
Turkey is one of the countries with the highest penetration of credit cards, mobile devices, electronic banking, e-wallets and cryptocurrencies.
This mindset and the existing technological infrastructure are very promising for the further development of this market in Turkey.
We expect that this will allow financial institutions to calibrate their services to compete with crypto-functioned money transfer and investment services; and that they will eventually integrate these into their own services and products. This will enhance investment portfolios, reduce service fees and promote decentralised, more secure and more private transactions.
With the advancement of cryptocurrencies, we believe that various use cases of blockchain – such as in relation to escrow services, reconciliation transactions, smart contracts and immutable data server services – will also gradually increase and find their way into legislation and legal commentary by way of academic literature and precedents.
9.1 Do virtual currencies present any specific challenges or concerns from a competition perspective?
As yet, the Competition Authority has issued only one decision in relation to virtual currencies. The decision concerned an e-wallet application that allowed cardholders to shop with virtual money loaded on a university smart card at spending points such as cafeterias on campus. A Turkish private bank sponsored the production of student and personnel ID cards. In return, it requested a commitment not to sell services through other debit cards or cash at the university's spending points. In the complaint, it was claimed that this commitment in the contract between the bank and the university restricted interbank competition. In its decision, the Competition Authority stated that the commitment was reasonable as a measure to ensure the bank a return on its investment and did not restrict competition between banks.
10.1 How are transactions in virtual currencies treated from a tax perspective in your jurisdiction?
The Income Tax Law states that all types of income (even donations), regardless of their nature, are subject to income tax. Such income types include:
- business profits;
- agricultural profits;
- salaries and wages;
- income from independent personal services;
- income from immovable property and rights (rental income);
- income from capital investment;
- income from stock value appreciation;
- income from stock transfers; and
- other income and earnings.
Hence, all economic value generated in any way may be considered as income. This means that economic value generated from digital assets (including cryptocurrency transactions) may also be subject to income tax.
However, thus far, no legislative action has been taken, and the tax authorities have not demanded the filing of tax statements with regard to digital asset holdings or funds and revenues generated therefrom.
Although there are no specific provisions in Turkish law governing the taxation of digital assets in different circumstances, the tax authorities may still take administrative action or issue secondary legislation such as communiqués in relation to digital asset taxation based on the existing general provisions.
11 Trends and predictions
11.1 How would you describe the current landscape and prevailing trends in your jurisdiction as regards virtual currencies? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
In light of the opinions and statements of the legal authorities, it is clear that the Turkish regulatory authorities now have a positive attitude towards cryptocurrencies and blockchain, and specific regulations on cryptocurrencies may be expected in the near future. We also expect that licensing or registration obligations will soon apply to crypto-asset service providers.
12 Tips and traps
12.1 What are your top tips for virtual currency providers seeking to enter your jurisdiction and what potential sticking points would you highlight?
- Comply with the laws: Since as yet there is still not a clear and comprehensive regulation governing crypto assets, industry actors, crypto asset service providers and users should consider compliance with the anti-money laundering, counter-terrorist financing (AML/CFT), data protection and banking regulations to which they are and may be subject. In particular, considering the penalties imposed by the Financial Crimes Investigation Board of Turkey, crypto asset service providers should be very careful to ensure compliance with their AML/CFT obligations.
- Stay up to date: The requirements to which virtual currencies are subject are still unclear. It is thus vital to stay up to date on developments and carefully follow all guidance, press bulletins, board bulletins and similar announcements or publications issued by the regulatory authorities.
- Work with a competent law firm: It is important to work with a competent law firm that can legally interpret concepts that may be similar, but also very different, such as cryptocurrencies, digital currencies, virtual currencies and e-money; and that knows the sector and understands technologies such as blockchain.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.