Crypto Law Profile
Turkey’s CMB/SPK communiqué sets establishment, authorization, governance, systems, audit and conduct rules for crypto asset service providers.
Communiqué III-35/B.1, formally Kripto Varlık Hizmet Sağlayıcıların Kuruluş ve Faaliyet Esasları Hakkında Tebliğ, is Turkey’s Capital Markets Board (CMB/SPK) regulation for the establishment, authorization and operating organization of crypto asset service providers. The communiqué was published in Official Gazette No. 32840 on March 13, 2025 and is in force as of June 6, 2026, subject to transition timing updated by SPK Decision 18/617 on March 26, 2026.
The measure forms part of Turkey’s secondary crypto-asset framework following Law No. 7518, which amended the Capital Markets Law No. 6362 and brought crypto asset service providers under the CMB’s regulatory and supervisory authority. Communiqué III-35/B.1 should be read alongside Communiqué III-35/B.2, which covers operating procedures, listed crypto assets, transfers, custody mechanics and capital adequacy.
The communiqué covers platforms, crypto custody institutions and other entities designated to provide services connected to crypto assets, including initial sale or distribution activity. It sets rules for corporate establishment, founders and shareholders, managers and staff, operating permissions, share transfers, information systems, outsourcing, recordkeeping, audit infrastructure, prohibited conduct and activity suspension.
Communiqué III-35/B.1 links crypto custody and technology controls to information-systems supervision. The CMB may require information-systems inspections with TÜBİTAK and other public institutions during authorization review. Annual information-systems independent audits are required, and providers must obtain periodic proof-of-reserve audits for recorded crypto assets and custody compliance at the end of the third, sixth, ninth and twelfth months of the year. Recovery-plan rules also require procedures for moving assets from hot wallets to cold wallets, isolating affected systems, preserving records and notifying the CMB.
The communiqué restricts how providers may present their services. Advertising and announcements must be objective and may not rely on false, misleading or exploitative claims. Providers may not promise absolute returns or guarantee against loss except where legislation permits. The text also prohibits activities such as deposit or participation-fund collection, unauthorized use of customer cash or crypto assets, fictitious accounts, off-record transactions, broad customer powers of attorney and conduct that harms customers’ rights or exploits their lack of market knowledge.
Most provisions entered into force on March 13, 2025, with selected organizational, contract, personnel, outsourcing, record and operational provisions phased in on March 31, 2025 and June 30, 2025. Existing providers on the CMB’s operating list were required to apply for activity permission by June 30, 2025, and submit an information-systems independent audit report by September 30, 2025.
On March 26, 2026, SPK Decision 18/617 updated transition timing for two items: the deadline for platforms to sign and submit custody contracts, and the period for listed providers to obtain authorization certificates. The CMB stated that those deadlines would be determined after CMB-authorized custody institutions begin providing crypto custody services to platforms on a widespread basis. This profile is informational and does not provide legal, tax, investment or compliance advice.
Official sources: CMB/SPK March 13, 2025 announcement; Official Gazette text; SPK Bulletin 2026/18.
Non-bank CASPs must be joint stock companies with registered cash-paid shares, CMB-set capital/equity levels, compliant articles and transparent ownership.
Operating permission depends on capital, organization, qualified staff, TÜBİTAK-aligned security, internal controls, risk management, MKK integration and private-key safeguards.
Platforms must contract with at least one CMB-authorized crypto custody institution, open customer-cash bank accounts, maintain complaints procedures and price surveillance.
CMB approval applies to ownership changes crossing 10%, 20%, 33% or 50% thresholds and to certain privileged or usufruct share transfers.
CASPs must obtain annual information-systems audits and periodic proof-of-reserve audits for recorded crypto assets and custody compliance.
Advertising must be objective and not misleading. The communiqué restricts guaranteed-return claims, deposit-like activity, fictitious accounts and unauthorized use of client assets.
The CMB may limit, suspend or revoke authorizations for inactivity, misstatements, lost eligibility, unlawful conduct or serious financial deterioration.
Turkey’s 2024 amendments to Capital Markets Law No. 6362 placed crypto asset service providers under CMB/SPK oversight.
The communiqué was published in Official Gazette No. 32840 with immediate effect for provisions not assigned later phase-in dates.
Selected organization, conflict, records, internal-control and recovery-plan provisions entered into force.
Existing listed providers had to apply for activity permission; several operational provisions also phased in on this date.
Activity applicants were required to add an information-systems independent audit report by this date.
SPK Decision 18/617 deferred custody-contract and authorization-certificate timing until broad authorized custody service availability.
Banking Regulation and Supervision Agency (BDDK), Capital Markets Board of Turkey (CMB/SPK), Central Registry Agency (MKK), TÜBİTAK
Crypto assets
Turkey uses “SPK” in Turkish and “CMB” in English for Sermaye Piyasası Kurulu. This profile treats the Turkish Official Gazette text as controlling and notes the March 26, 2026 SPK transition update.
