Introduction

The long-awaited crypto-asset regulation in Türkiye entered into force on July 2, 2024. The legislator, rather than drafting a standalone code regulating the crypto-asset market, preferred to amend the Capital Markets Law (“CML”) and insert the relevant provisions into it.

In this article, we will provide a detailed summary of the newly introduced crypto-asset provisions under Turkish law.


Definitions

When considering the definition of a ship, Lord Justice Scrutton famously said "he could not define an elephant, but he knew what it was when he saw one". Given its endless obscurities at this stage, this is perhaps not the case when it comes to definitions in the crypto-asset universe. Hence, the Turkish legislator started with providing a few definitions for the pivotal terms in the industry.

The terms “wallet”, “crypto-asset”, “crypto-asset service provider”, “crypto-asset custodian service” and “platform” are defined in the regulation in line with the universal usage of such terms. It is important to note that the scope of the term “crypto-asset service provider” is wide as it includes providers of all kinds of services in the crypto-assets industry, including but not limited to “crypto-asset custodian service”, “platform” services as well as other services such as those related to initial coin offering (“ICO”) and distribution of crypto-assets. 


Capital Markets Board as the Gatekeeper

The regulation points the Capital Markets Board (“CMB”) as the gatekeeper and authorises it to implement the regulation by issuing further bylaws to introduce more detailed rules. Within this context, the CMB is authorised to set forth principles regarding the issuance of capital market instruments as crypto-assets and monitoring them on the electronic mediums where such crypto-assets will be created and stored by the crypto-asset service providers.

The records of the electronic mediums will be the basis for proving the rights to crypto-assets, be it having or transferring such rights or asserting them towards third parties. Again, the CMB is authorised to set forth detailed rules in relation to the application of the general rules. 

The CMB is further authorised to issue licenses for the crypto-asset service providers to be incorporated and operate in Türkiye. In line with the authority granted by the law, the CMB is expected to issue detailed rules with respect to incorporation and operations of the crypto-asset service providers, their shareholders, management, personnel, organisational structure, capital and capital adequacy, personal liability, information technologies and technological infrastructure, share transfers, permitted activities, circumstances for temporary or permanent suspension of their activities and the principles and rules they must adhere to during their operations. 

The validity of all share transfers is subject to the permit granted by the CMB. The unpermitted transfers cannot be registered in the share register of the company providing crypto-asset services and any such registration will be null and void.

The CMB is authorised to regulate the procedures and principles regarding the sale and purchase of crypto-assets through platforms and the ICOs or distribution thereof, clearing, transfer and custody of crypto-assets and to impose relevant measures and sanctions. Furthermore, the CMB may determine principles with regards to the contracts to be made between the crypto-asset service providers and their customers, their scope, amendment mechanisms, fees and expenses, expiry and termination, and the compulsory content to be included in these contracts.

The CMB is further authorised to issue bylaws on investment counselling and asset management and publications, announcements, advertisements and announcements and all kinds of commercial communications.

Within its supervisory authority, the CMB may request relevant information and documents, examine all books, records and other information-containing means, including those kept in electronic media, information systems, request access to and take samples of them, audit transactions and accounts, receive written and oral information from those concerned, and prepare the necessary minutes. When requested, it is not possible to refrain from providing information on the grounds of confidentiality and further, it is a criminal offence not to provide the requested information, documents, and records or to prevent the CMB personnel authorized to collect such information, documents, and records. Furthermore, the concerned persons as well as others are obliged to keep the existence and nature of the examination confidential. Again, making disclosures to others regarding the information or documents requested within the scope of the inspection or audit activity is a criminal offence.


Crypto-asset Service Providers

Crypto-asset service providers must take all necessary measures and establish necessary internal control units and systems in order to manage their systems in a secure manner. In order for the CMB to grant a license and authorise the establishment and/or commencement of operations of crypto-asset service providers, compliance with the criteria to be determined by TUBITAK (Scientific and Technological Research Council of Türkiye) in terms of information systems and technological infrastructures is sought. When a bank applies for a license for providing crypto-asset services, approval of the Turkish banking authority (“BDDK”) is also required.

When the crypto-asset services are provided or funds are collected from the public through crowdfunding platforms or leveraged and derivative transactions are executed for the persons residing in Türkiye via the internet without a license, the CMB will take decisions to remove the content and/or block access to the publications made via the internet. Such decisions are sent to the Turkish Association of Access Providers for implementation.

The regulation stipulates the transparency of the shareholding structure of the crypto-asset service providers as a condition. The direct or indirect shareholders of and those who have significant control (having a minimum fifty per cent of the dividend rights and representation in the board) over a crypto-asset service providing company, must have “clean” records, i.e. they may not have personally bankrupted or declared concordatum, restructured their debts or got their bankruptcy postponed by a court decision or convicted for financial, taxation or terrorism-related crimes and sentenced to at least 5 years in jail. Furthermore, those who had at least 10% direct or indirect shareholding in the financial institutions operating licences of which were cancelled cannot hold shares in crypto-asset service providers. Apart from the aforementioned objective criteria, the shareholders must also have a good-standing, financial strength, honesty and reputation required for this line of business.   

Those who lose their qualifications to be the shareholder of a crypto-asset service provider may not use their voting rights at the General Assembly and are given 6 months to transfer their shares to persons who have the required qualifications as mentioned in the above paragraph. 

The regulation provides that the board members, except for the financial strength requirement, will be evaluated with the same criteria that are required from the shareholders and must have the same “clean” record. 

Crypto-asset service providers are obliged to observe the KYC and customer due diligence rules strictly within the context of local and international AML regulations. 

The regulation stipulates that the crypto-asset service providers must apply Turkish Capital Markets Association to become members within three months following the issuance of their licenses. The operations of the crypto-asset service providers which do not apply for membership on time are suspended by the CMB. 

Financial audit and information systems audit of crypto-asset service providers shall be performed by independent audit institutions included in the list announced by the CMB. 
Crypto-asset service providers are liable for damages arising from their unlawful activities and failure to fulfil cash payment and/or crypto-asset delivery obligations. In the event that the damage cannot be compensated from the crypto-asset service providers, the members of the crypto-asset service providers, i.e. the chairman and members of the board of directors, real person shareholders who legally or actually hold the management or control of the company, are liable to the extent that the damages can be attributed to them personally according to their fault as the case may be.

Crypto-asset service providers are responsible for crypto-asset losses arising from the operation of information systems, all kinds of cyber-attacks, acts such as information security breaches or any behaviour of their personnel. In the event that the losses cannot be compensated from the crypto-asset service providers, the members of the crypto-asset service providers, i.e. the chairman and members of the board of directors, real person shareholders who legally or actually hold the management or control of the company, are liable to the extent that the losses can be attributed to them personally according to their fault as the case may be.

Apart from being responsible for the damages and losses, the crypto-asset service providers as well as their members in breach of the relevant regulations may be subject to administrative fines as defined under the CML. 

The records regarding the wallets, incoming and outgoing crypto-asset transfers must be kept by crypto-asset service providers in a secure, accessible and traceable manner. The accuracy and confidentiality of all transaction records must be ensured. The crypto-asset service providers must closely monitor and follow the local and international AML regulations for the transfers executed on their platforms. 


Platforms

The platforms have to maintain clear listing rules covering ICOs, trading and delisting of crypto-assets. The CMB is authorised to stipulate conditions and principles in relation to the listing rules. 

The platforms are obliged to establish internal mechanisms to effectively resolve customer complaints regarding their transactions.

The regulation stipulates that, except for the transactions related to major crypto-assets that are traded and the prices of which are formed in the international markets, the general provisions of the CML applicable to the market disruptive acts will apply to price actions and transactions which cannot be explained by a reasonable economic or financial justification. Apart from the liability of the persons who commit market disruptive acts, the platforms are also under the obligation to take necessary measures to prevent such market disruptive activities and further report such activities to the CMB.


Custody Services

The crypto-assets of the customers must essentially be kept in the customers' own wallets. When the customers do not prefer to keep their crypto-assets in their own wallets, the custody service must be provided by banks licensed by the CMB and approved by BDDK or other institutions which are allowed to provide custody services for crypto-assets. 

The customers’ cash amounts must, in any case, be kept in bank accounts.

Whether kept as crypto-assets or cash at bank accounts, such amounts are not within the deposit insurance scheme, i.e. not guaranteed against loss in the event of a bank failure. 

The regulation expressly states that customers’ cash and crypto assets are separate from the assets of crypto-asset service providers and records must be kept accordingly.

The cash and crypto-assets of the customers in the custody of the crypto-asset service providers cannot be seized, pledged, included in the bankruptcy estate and no precautionary measures can be placed on them due to the debts of the crypto-asset service providers, and, in the same line, the assets of the crypto-asset service providers cannot be seized, pledged, included in the bankruptcy estate and no precautionary measures can be placed on them due to the debts of the customers, including the public receivables.

Furthermore, the customers’ crypto-assets or cash held at bank accounts cannot be used as collateral for the loans granted to the crypto-asset service providers, and no pledge and similar encumbrances may be established on such assets in favour of the crypto-asset service providers.


Sanctions

In the case of unlawful activities and transactions of crypto-asset service providers, the CMB is authorised to request elimination of the violations within a period of time determined by itself and to ensure compliance with the law, business purposes and principles, or directly limit or temporarily suspend the scope of the activities of these service providers, or cancel their authorisations in whole or in respect of certain activities, or take any other measures it deems appropriate. The CMB may further temporarily or permanently revoke the licences held by the executives and employees who are found to be responsible for the unlawful activities or transactions, or limit or remove their signature powers from the date of the decision to file a criminal complaint against them until the conclusion of the trial, or dismiss the members of the board of directors whose responsibility in the unlawful activities or transactions is determined by a court decision and appoint new ones until the first general assembly meeting to be held. The opinion of the BDDK is obtained before taking any action to dismiss the members of a board of directors when the service provider is a bank.

Irrespective of whether the crypto-asset service provider is located within or outside of Türkiye, when the crypto-asset services are provided without a license, the CMB may take all necessary measures to stop unauthorised activities and file a lawsuit, within one year from the date of detection and in any case within five years from the date of occurrence, for the cancellation of the consequences of unauthorised activities and transactions and for the return of cash or capital market instruments to the right holders. For the executives and employees whose responsibility is determined in providing crypto-asset services without a license, the CMB may take the same list of actions against them as mentioned in the preceding paragraph. When the crypto-asset services are provided via the internet to the persons residing in Türkiye without a license, the CMB will decide to remove the content and/or block access to the publications made via the internet. Such decision is sent to the Turkish Association of Access Providers for implementation.

In addition to the criminal prosecution of those responsible, in cases where there is an inconvenience in delay, the publications, announcements, advertisements and announcements and all kinds of commercial communications made by the crypto-asset service providers which do not have a license may be suspended in accordance with the relevant legislation, and such documents, announcements and advertisements may be confiscated and such workplaces may be temporarily closed by the local authorities upon the request of the CMB.

The activities are deemed to be directed to persons resident in Türkiye in the presence of any of the following situations: 

a)    Opening a place of business in Türkiye, 
b)    Creating a website available in Turkish language, and
c)    Engaging in promotional and marketing activities directly and/or through persons or institutions resident in Türkiye in relation to the crypto-asset services offered by platforms located abroad. 

The CMB is authorised to provide further criteria to decide whether certain services are directed to persons resident in Türkiye or not. 

In the event that the CMB determines that a crypto-asset service provider cannot fulfil its cash payment and crypto-asset delivery obligations, or that its financial structure is seriously weakening, or that its financial situation has weakened to the extent that it cannot meet its commitments, the CMB is authorised to request the strengthening of its financial structure within an appropriate period of time not exceeding three months, or temporarily suspend the activities of such crypto-asset service provider directly without granting any period of time, or remove its operating authorisations, or limit or remove the signature authorities of managers and employees who were found to be responsible for the situation. The assets of such a crypto-asset service provider may not be transferred, pledged, put up as security, imposed injunction, seized, except for the transactions to be carried out by the CMB, from the date of the temporary suspension decision until the date of the permission to start operating again, and all seizures and all precautionary measures and all execution and bankruptcy proceedings against such service provider automatically cease. In respect of a crypto-asset service provider whose activities are decided to be continued by the CMB, all transactions that existed prior to the cessation of activities and which have been suspended will be resumed.

In the event that announcements, advertisements and notices are made, or investment counselling and asset management services for crypto-assets are provided via internet in violation of the principles or prohibitions determined by the CMB, or crypto-asset services are provided without a license via internet, the CMB will decide to remove the content and/or block access to the publications. Such decision is sent to the Association of Access Providers for implementation. When such announcements, advertisements and notices are made through channels other than the internet in violation of the principles determined by the CMB, these announcements and advertisements may be suspended in accordance with the relevant legislation, and the published documents, announcements and advertisements may be confiscated.

The real persons and officials of the legal entities operating as crypto-asset service providers without obtaining a license from the CMB are sentenced to imprisonment from three to five years and a judicial fine from five thousand days to ten thousand days.

Irregularities in legal books, accounting records and financial statements and reports may lead to criminal offences. As such, those who deliberately fail to keep the books and records they are legally obliged to keep in accordance with the relevant procedures are sentenced to imprisonment from six months to two years and a judicial fine up to five thousand days. Similarly, those who deliberately prepare financial statements and reports in a manner that does not reflect the truth, or those who open false accounts, or those who make any kind of accounting fraud in the records, or those who prepare false or misleading independent audit and valuation reports, or the responsible members of the board of directors or responsible managers of the issuers who ensure such preparation, are sentenced in accordance with the relevant provisions of the Turkish Criminal Code.

Sale and distribution of crypto-assets and ICOs made against the procedures and principles stated under the CML or bylaws to be issued by the CMB may be sanctioned under the general provisions of the CML which regulate prospectus liability. Under such characterisation, the responsible persons may be subject to a judicial fine and imprisonment under the unauthorised public offering and capital market activity provision of the CML.

The regulation stipulates that, except for the transactions related to major crypto-assets that are traded and the prices of which are formed in the international markets, the general provisions of the CML applicable to the market disruptive acts will apply to price actions and transactions which cannot be explained by a reasonable economic or financial justification. The persons who commit market disruptive acts may face criminal charges and be imposed an administrative fine. Furthermore, if any economic benefit is obtained by such act, the amount of the administrative fine cannot be less than twice the amount of such benefit.


Seizure of Crypto-Assets

The regulation provides that all kinds of administrative and judicial requests such as injunction, attachment, etc. regarding the customers’ cash and crypto-assets are fulfilled exclusively by crypto-asset service providers. The relevant provisions of the Turkish Bankruptcy and Enforcement Code apply to the enquiry of cash and crypto-assets through information systems and their seizure electronically. For receivables to be pursued in accordance with the provisions of the Law on Collection Procedure of Public Receivables (No. 6183), queries may also be made through information systems and seizure may be applied electronically. In the event that the customers’ cash and crypto assets are seized by judicial authorities, the seized assets shall be kept in the wallets established with the institutions providing custody services authorised by the CMB.


Embezzlement in Crypto-asset Service Providers

There were a number of embezzlement cases in the crypto-asset industry in Türkiye in the past. Hence, the legislator included detailed provisions in relation to embezzlement committed by the persons in control of the crypto-asset service providers. 

The chairman and members of the board of directors and other members of the crypto asset service providers who embezzle money or tokenized securities, other goods or crypto-assets entrusted to them due to their duty as a crypto-asset service provider or which they are obliged to protect, store and supervise, are sentenced to imprisonment from eight to fourteen years and a judicial fine up to five thousand days. Such persons are further sentenced to compensate the damage of the crypto-asset service provider in question.

If the offence is committed by fraudulent behaviour to ensure that the embezzlement is kept secret, the perpetrator is sentenced to imprisonment from fourteen to twenty years and a judicial fine up to twenty thousand days. Furthermore, the amount of the judicial fine may not be less than three times the damage suffered by the crypto-asset service provider and its customers.

If the real person partners of a crypto-asset service provider operating licence of which has been revoked, who have legally or actually held the management or control (“Control”, under this provision in parallel with its meaning under the Banking Code (No. 5411), means direct or indirect ownership of the majority of the capital of a legal entity, without the requirement of owning at least fifty-one per cent of the capital, or the power to appoint or dismiss the majority of the members of the board of directors by any means whatsoever, or by holding privileged shares even if such majority is not held, or by disposing of the majority of voting rights based on agreements made with other shareholders.) of the crypto-asset service provider, cause damage to the crypto-asset service provider or its customers by using the resources of the crypto-asset service provider or its customers directly or indirectly for their own or others' interests in a way that jeopardises the safe operation of the crypto-asset service provider by any means whatsoever, it is deemed to be embezzlement under the regulation. Those who commit these acts may be sentenced to imprisonment from twelve years to twenty-two years and a judicial fine up to twenty thousand days. The amount of the judicial fine may not be less than three times the amount of the damage suffered by the crypto-asset service provider and its customers. In addition, the perpetrators are severally responsible for the damage incurred.

The penalty to be imposed is reduced two thirds in the event that the embezzled money or tokenised securities, other goods or crypto-assets are returned in kind or the loss incurred is fully compensated before the investigation is initiated. In the event that the embezzled money or tokenised securities, other goods or crypto-assets are voluntarily returned in kind or the damage incurred is fully compensated before the prosecution begins, half of the penalty to be imposed is reduced. Finally, if this situation occurs before the judgement, one third of the penalty to be imposed is reduced.

If the value of the money, tokenised securities, other goods or crypto assets that constitute the subject of the offence of embezzlement are considered “low” at the date of the offence by the court, the penalty to be imposed is reduced from one third to one half.

Unless the persons convicted for embezzlement pay the debts and compensations owed to the Treasury or these debts and compensations can be collected from their assets, the conditional release provisions under the Turkish Criminal Code shall not apply to them. 

For embezzlement cases, the provisions regarding confiscation as well as the appointment of a trustee for the management of the companies under the Code of Criminal Procedure (Law No. 5271) may apply.


Personal Liability

The chairman and members of the board of directors, other members and real person shareholders who are legally or de facto in control of the management of the crypto-asset service provider and found to have made decisions and transactions deemed as embezzlement within the scope of the CML, may be declared bankrupt by the court directly upon the request of the CMB, in order to ensure that the customers are compensated primarily from the amount determined to have been embezzled. If these decisions and transactions are made for the purpose of providing benefits to third parties, such third parties and their estate are also treated in the same manner. The assets of those against whom a personal bankruptcy decision has been taken are used to pay the losses of the customers first. After the customer losses are fully recovered, the remaining part, if there is any, is returned to those for whom a personal bankruptcy decision has been made. In case the customer losses cannot be recovered in full, payment is made in accordance with the ratio of the customers’ receivables. 


Disputes between Crypto-asset Service Providers and Customers

The regulation expressly provides that the legal relation between those who collect funds from the public through ICOs or distribution of crypto-assets and those who provide funds to them are subject to general provisions of law. In the same parallel, the disputes arising between the platforms and their customers due to the transactions carried out on the platforms are subject to general provisions.

The regulation stipulates that any contractual terms that eliminate or limit the liability of crypto-asset service providers to their customers are void.

Finally, the approval of the technological features of a crypto-asset by the TUBITAK and the authorisation of their sale or distribution by the CMB does not constitute a State guarantee. Hence, the customers of a failing crypto-asset service provider may not sue TUBITAK, CMB or any other related governmental entity for such failure. 


Annual Fees

Each year, one per cent of all revenues, excluding interest income, of the platforms is paid to the CMB and a further one per cent is paid to be used in the development of blockchain and related information technologies to the TUBITAK budget until the end of May of the relevant year. 

The payment of annual fees to the CMB and TUBITAK over the revenues of the platforms will start in 2025 over the revenues of 2024.


Interim Articles

The crypto-asset service providers, within one month following the regulation entering into force, i.e. until August 2, 2024, have to submit a declaration to the CMB that they will make the necessary applications to obtain an operating licence by meeting the conditions stipulated in the secondary regulations to be issued in accordance with the relevant provisions of the CML, or that they will take a liquidation decision within three months without damaging customer rights and interests and that they will not accept new customers during the liquidation process.

The institutions to be liquidated are required to announce such situation on their websites and notify their customers via electronic mail, text message, telephone and similar communication tools.

Failure to fulfil the transfer requests of customers who have accounts in the institutions which opt for going into liquidation or do not apply to the CMB within the specified period constitutes the offence of providing crypto-asset services unauthorised.

The crypto-asset service providers which are not located in Türkiye are required to terminate their activities for Turkish residents within three months following the date of entry into force of the regulation, i.e. October 2, 2024.

The activities of ATMs and similar electronic transaction devices located in Türkiye, which allow customers to exchange crypto-assets into cash or cash into crypto-assets and to transfer crypto-assets, need to be terminated within three months following the effective date of the regulation, i.e. October 2, 2024. The ATMs that do not terminate such activities shall be closed by the competent authorities. The relevant provisions of the CML apply to those who continue to operate and those who enable them to do so.