MASAK Compliance Guide: Obligations, Reporting, Workflows

How Turkey's Financial Crimes Investigation Board operationalises Law No. 5549 — STRs, CDD, internal controls, training and inspection readiness.

Legichain Team 13 min read 26 May 2026

The Financial Crimes Investigation Board (MASAK), an autonomous unit within the Ministry of Treasury and Finance, supervises every regulated entity's AML/CFT operation under Law No. 5549. This guide translates the MASAK compliance rulebook into the seven operational workflows a compliance team actually runs — banks, payment service providers, e-money institutions, investment firms and crypto exchanges share the same backbone, with sector overlays. Whether you are an international operator entering Turkey or a Turkish compliance lead rebuilding your internal framework, this is the operational layer.

What is MASAK?

MASAK is Turkey's Financial Intelligence Unit (FIU) and simultaneously the supervisory authority for Law No. 5549. It has three functions:

  • Supervision: on-site inspections, information requests, administrative fines.
  • Financial intelligence: collecting suspicious transaction reports (STRs), analysing them, referring cases to law enforcement.
  • Standard-setting: circulars, general letters, guidelines.

MASAK supervision covers individual regulated entities and runs in coordination with the sectoral regulators (BDDK for banks, SPK for capital markets and crypto, CBRT for payments and e-money). The same bank can be inspected by MASAK and BDDK in the same period — different angles, mutually reinforcing findings.

Categories of regulated entities (Law 5549, Art. 2)

Article 2 of Law 5549 lists the following as regulated entities:

  • Banks,
  • Insurers and pension funds,
  • Capital markets firms (brokerage houses, portfolio management companies),
  • Payment institutions and electronic money institutions,
  • Crypto asset service providers (KVHS) — added by Law No. 7518,
  • Authorised currency exchange offices,
  • Precious metal, stone and jewellery intermediaries,
  • Financial leasing, factoring and financing companies,
  • Asset management companies,
  • Real estate agents (above-threshold transactions),
  • Lawyers (for specified transactions — real estate, company formation, trust management),
  • Independent accountants and sworn financial advisors,
  • Notaries (specified transactions),
  • Postal and courier providers (for remittance services).

Being a regulated entity means the MASAK Regulation applies in full. Even if your transaction volumes sit below thresholds, you must still operate an internal control system, training programme and compliance officer structure.

STR (suspicious transaction report): the 10-business-day rule

The STR is the single most operationally critical trigger in MASAK compliance. Article 4 of Law 5549 requires a regulated entity to report any transaction it suspects relates to the laundering of proceeds of crime or to terrorist financing.

Deadline

The deadline is 10 business days. The clock starts when the responsible person (operationally interpreted as the compliance officer) becomes aware of the matter — not when the underlying transaction occurred. This nuance matters:

  • A customer transacts on 1 March,
  • A first-line analyst flags the alert on 15 March,
  • The compliance officer receives the escalated file on 18 March,
  • The 10 business days run from 18 March.

This is not licence to delay escalation. Inspectors interpret excessively long internal escalation as designed to obstruct reporting — itself a separate breach.

Format

STRs are filed via the MASAK Online system (formerly MASAK Historical Online). The format is structured: customer identification, transaction detail, basis for suspicion, supporting documents. Free-text is limited; the system enforces mandatory fields.

Tipping-off prohibition

Article 4 of Law 5549 prohibits the regulated entity from informing the customer that an STR has been or will be filed. This is critical for staff handling customer communications; a breach is a separate offence and also attracts an administrative fine.

Customer due diligence (CDD)

Article 3 of Law 5549 and Articles 5-25 of the Regulation define CDD. Operationalised:

Identity verification

  • Natural person: Turkish national ID number, full name, date and place of birth, parents' names, nationality, address, contact details.
  • Legal entity: tax ID, trade name, business activity, board members, signing authorities, address, beneficial owners.
  • Documents: Turkish national ID / e-ID / passport / driving licence (for Turkish citizens), passport (for foreigners).
  • Method: in-person, remote verification per BDDK Remote Onboarding Regulation (for banks), or SPK video ID verification (for investment firms).

Beneficial ownership

For legal-entity customers, natural persons holding directly or indirectly more than 25% of shares or voting rights are beneficial owners. Where no single owner exceeds 25% or the structure is opaque, the senior managing official is treated as beneficial owner.

Risk profiling

Each customer receives a risk score. Risk factors:

  • Customer type (natural person, legal entity, public body, NGO),
  • Product/service (high-risk products: private banking, physical-delivery precious metals, anonymous e-money),
  • Geography (high-risk countries — FATF grey/black list),
  • Channel (in-person, digital, via intermediary),
  • PEP or sanctions hit.

For PEP detail see our PEP explainer.

Ongoing monitoring

CDD is not one-off. It runs across the relationship: list updates, behavioural shifts, profile refreshes all feed ongoing monitoring.

Internal control system

MASAK Communiqué Sıra No. 13 sets the framework for regulated entities above defined thresholds (headcount, asset size, transaction volume):

  • Compliance officer: independent, with authority and board-level reporting line.
  • Deputy compliance officer: required for large entities.
  • Internal audit: independent of the compliance function.
  • Annual risk assessment: written self-assessment of inherent and residual risk, with action plan.
  • Written policies and procedures: AML/CFT policy, procedure library, escalation rules.

Training

Regulation Art. 27: training for all staff plus annual refreshers. Content:

  • AML/CFT fundamentals,
  • The regulated entity's own policies and procedures,
  • Suspicious transaction indicators,
  • Tipping-off prohibition,
  • Penalties and liability.

Training records (participants, content, date, test results) must be available on inspection.

Thresholds

MASAK thresholds in practice:

  • Continuous business relationship: ID verification mandatory regardless of amount.
  • One-off transactions: ID required above 75,000 TRY.
  • Multiple linked transactions: assessed holistically.
  • Electronic transfers: originator and beneficiary information travel cross-border (FATF Recommendation 16).
  • High-risk country transactions: enhanced due diligence.

Always verify current thresholds against MASAK's official publications.

Record retention

Article 7 of Law 5549 requires customer due diligence documents and transaction records to be retained for 8 years.

  • Electronic or paper (accessible to inspectors),
  • 8 years after the relationship ends,
  • 8 years from STR filing for STR-related records.

The 8-year MASAK requirement exceeds BDDK's general 5-year banking record retention. For banks the binding period is 8 years.

Inspection readiness: a practical checklist

What a compliance team should have ready at any time:

  • AML/CFT policy and procedure documents,
  • Compliance officer appointment letter (board resolution),
  • Annual risk assessment report,
  • Training records (last 2-3 years),
  • STR statistics + sample files (for structural review),
  • Customer count + risk distribution report,
  • Sanctions/PEP screening results (annual summary),
  • Internal audit reports,
  • Sample customer files (ready for random sampling),
  • IT systems inventory (screening, monitoring, reporting tools).

Penalties

Administrative fines as of 2026 (practical ranges):

  • Individual breaches (failure to ID, late reporting): 200,000 — 1,000,000 TRY,
  • Systemic breaches (missing internal controls, no training): 1,000,000 TRY+ and operating-licence restrictions,
  • Failure to file STR: can be prosecuted criminally (assessed jointly with the Turkish Penal Code).

Fines are revalued annually.

Frequently asked questions

Is the MASAK STR deadline really 10 business days?

Yes. Article 4 of Law 5549 and Article 27 of the Regulation explicitly set 10 business days. The clock starts when the responsible person (operationally, the compliance officer) becomes aware. Inspectors expect filings within the 10-day window and treat excessive internal escalation lag as a separate breach. In practice, escalation should complete in 1-3 business days.

Which regulated entities must appoint a compliance officer?

MASAK Communiqué Sıra No. 13 mandates compliance officer appointment for entities above defined headcount, asset size or transaction volume thresholds. Banks and all large financial institutions are mandatorily in scope. The appointment is by board resolution, and the compliance officer must be independent, authorised, and report directly to the board.

Can I perform CDD remotely?

For banks, the BDDK Remote Customer Onboarding Regulation (effective 1 May 2021) permits remote ID verification — see our BDDK remote onboarding guide. Investment firms operate under SPK Decision No. 65/1929 of 23 December 2021 for video ID verification — see our SPK video ID verification guide. PSPs and e-money institutions perform remote verification under the MASAK Regulation, with technical standards run in parallel to BDDK and SPK references.

What happens if I do not perform sanctions screening?

Failure to screen against UN, OFAC, EU, UK and Turkish domestic lists triggers a Law 5549 breach and potential sanctions breach. Consequences include administrative fines, operating-licence restrictions, and disruption to correspondent banking relationships (which is often the most painful operational impact). For background see our AML screening guide.

How long does a MASAK inspection take?

On-site inspections run 1-4 weeks depending on entity size. Information request responses are due within MASAK-set windows (typically 10-30 days). The post-inspection findings report and any defence correspondence can extend the process to 6-18 months before an administrative fine decision is issued.

How Legichain helps with MASAK compliance

Legichain delivers the full MASAK operating layer through a single API: sanctions/PEP/adverse-media screening, customer risk scoring, transaction monitoring, alert management, STR-format output and MASAK Online upload support. The Legichain AML screening API updates Turkish and international lists 24/7; false-positive rates drop by up to 80% through the match-grouping layer. Sector pre-configurations are ready for banks, PSPs, e-money institutions and crypto exchanges.

Legichain Team · Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.
