Communiqué III-35/B.1, formally Kripto Varlık Hizmet Sağlayıcıların Kuruluş ve Faaliyet Esasları Hakkında Tebliğ, is Turkey’s Capital Markets Board (CMB/SPK) regulation for the establishment, authorization and operating organization of crypto asset service providers. The communiqué was published in Official Gazette No. 32840 on March 13, 2025 and is in force as of June 6, 2026, subject to transition timing updated by SPK Decision 18/617 on March 26, 2026.
The measure forms part of Turkey’s secondary crypto-asset framework following Law No. 7518, which amended the Capital Markets Law No. 6362 and brought crypto asset service providers under the CMB’s regulatory and supervisory authority. Communiqué III-35/B.1 should be read alongside Communiqué III-35/B.2, which covers operating procedures, listed crypto assets, transfers, custody mechanics and capital adequacy.
Key provisions for Turkish crypto asset service providers
The communiqué covers platforms, crypto custody institutions and other entities designated to provide services connected to crypto assets, including initial sale or distribution activity. It sets rules for corporate establishment, founders and shareholders, managers and staff, operating permissions, share transfers, information systems, outsourcing, recordkeeping, audit infrastructure, prohibited conduct and activity suspension.
- Corporate form and ownership. A non-bank crypto asset service provider must be established as a joint stock company, issue registered shares for cash, maintain minimum capital and equity thresholds set by the CMB, align its articles of association with the law and maintain a transparent ownership structure.
- Authorization to operate. A provider must obtain CMB permission before operating. Conditions include fully paid minimum capital, capital adequacy compliance, organizational units, qualified personnel, senior management standards, TÜBİTAK-aligned security infrastructure, internal audit, internal control and risk-management systems, MKK technical integration and private-key safeguarding infrastructure.
- Platform-specific requirements. Platforms must have a contractual arrangement with at least one CMB-authorized crypto custody institution, open bank accounts for customer cash, maintain complaint-handling procedures and establish a price surveillance system.
- Governance and conflicts. Providers must maintain written conflict-of-interest policies, define staff authority and responsibilities, and structure management in line with internal control and risk-management requirements.
Custody, audit and technology controls
Communiqué III-35/B.1 links crypto custody and technology controls to information-systems supervision. The CMB may require information-systems inspections with TÜBİTAK and other public institutions during authorization review. Annual information-systems independent audits are required, and providers must obtain periodic proof-of-reserve audits for recorded crypto assets and custody compliance at the end of the third, sixth, ninth and twelfth months of the year. Recovery-plan rules also require procedures for moving assets from hot wallets to cold wallets, isolating affected systems, preserving records and notifying the CMB.
Marketing limits and prohibited activities
The communiqué restricts how providers may present their services. Advertising and announcements must be objective and may not rely on false, misleading or exploitative claims. Providers may not promise absolute returns or guarantee against loss except where legislation permits. The text also prohibits activities such as deposit or participation-fund collection, unauthorized use of customer cash or crypto assets, fictitious accounts, off-record transactions, broad customer powers of attorney and conduct that harms customers’ rights or exploits their lack of market knowledge.
Status, phase-ins and transition deadlines
Most provisions entered into force on March 13, 2025, with selected organizational, contract, personnel, outsourcing, record and operational provisions phased in on March 31, 2025 and June 30, 2025. Existing providers on the CMB’s operating list were required to apply for activity permission by June 30, 2025, and submit an information-systems independent audit report by September 30, 2025.
On March 26, 2026, SPK Decision 18/617 updated transition timing for two items: the deadline for platforms to sign and submit custody contracts, and the period for listed providers to obtain authorization certificates. The CMB stated that those deadlines would be determined after CMB-authorized custody institutions begin providing crypto custody services to platforms on a widespread basis. This profile is informational and does not provide legal, tax, investment or compliance advice.
Official sources: CMB/SPK March 13, 2025 announcement; Official Gazette text; SPK Bulletin 2026/18.
