MASAK Obligations for Turkish PSPs and E-Money Institutions

AML/CFT obligations under Law No. 6493 + Law No. 5549 + the MASAK Regulation for payment service providers and electronic money institutions, with operational depth.

Legichain Team 10 min read 26 May 2026

Turkish payment service providers (PSPs) and electronic money institutions (EMIs) are supervised by two authorities in parallel: the Central Bank of the Republic of Turkey (CBRT) for licensing and prudential rules, and MASAK for AML/CFT. This guide covers how Law No. 6493 + Law No. 5549 + the MASAK Regulation translate into the day-to-day MASAK obligations PSPs and EMIs actually run: customer due diligence, e-money limit management, transaction monitoring, STR filing and inspection readiness.

Sectoral framework

PSPs and EMIs operate under Law No. 6493 — Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (2013). A historically critical point: supervision of PSPs and EMIs transferred from BDDK to CBRT on 22 January 2020. Institutions still operating on BDDK-era references must rebase their internal documentation to CBRT.

The AML/CFT stack:

  • Law 6493: licensing, prudential, technical rules for payment services.
  • Law 5549: the AML/CFT framework statute.
  • MASAK Regulation (2008): operational AML/CFT detail.
  • CBRT communiqués: sector-specific technical rules.

PSPs and EMIs face inspection from both authorities. CBRT and MASAK may review in parallel or in sequence.

Customer due diligence (CDD)

CDD obligations for PSPs and EMIs flow from Law 5549 Art. 3 and the MASAK Regulation. Sector-specific points:

What thresholds mean

  • Continuous business relationship: ID verification mandatory regardless of amount (e.g. subscription-based payment service).
  • One-off transaction: ID required above 75,000 TRY.
  • E-money loading: ID verification required when loaded amount crosses defined thresholds (see below).
  • Cross-border payments: originator and beneficiary information must travel with the payment (FATF Recommendation 16 equivalent).

Anonymous e-money limits

Turkish e-money rules impose strict limits on anonymous products. Typical structure (current practical ranges):

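| Product                 | Annual load limit           | ID verification           |
|-------------------------|-----------------------------|---------------------------|
| Anonymous prepaid card  | ~1,500-2,500 TRY (annual)   | Not required              |
| Simplified-ID e-money   | ~10,000-20,000 TRY          | Lightweight identity data |
| Fully-verified e-money  | Unlimited (bank-tier)       | Full CDD                  |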

Thresholds are periodically revalued by MASAK and CBRT; consult official publications for current figures.

Remote ID verification

PSPs and EMIs are not BDDK-supervised entities, so they fall outside the scope of the BDDK Remote Customer Onboarding Regulation, but they can apply equivalent technical standards under the MASAK Regulation. CBRT guidance and MASAK good-practice expectations point to the NFC + liveness + video session combination. For technical detail see the parallel architecture in our BDDK remote onboarding guide and the digital KYC guide.

Transaction monitoring

The transaction monitoring framework for PSPs and EMIs parallels other regulated entities, with sector-specific suspicious signals:

PSP-specific signals

  • Rapid in/out: funds loaded, then immediately transferred to a third party.
  • Structuring: multiple transactions just below the 75,000 TRY threshold.
  • Geographic anomaly: transactions from countries outside the customer's profile.
  • IP/device anomaly: single customer account accessed from many devices/IPs.
  • Third-party beneficiary: sustained transfers to someone other than the account holder.
  • High frequency + low value: many small operations (card creation, card top-up).

EMI-specific signals

  • Bulk anonymous card loading: the same individual buying many anonymous e-money cards.
  • Cross-border concentration: foreign-source loadings concentrated into one e-money account.
  • Dormant account suddenly active: an unused account running high-volume activity.
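
Three of the signals above (structuring, rapid in/out, dormant account suddenly active) written as monitoring rules over constructed transactions. This is an added example, not Legichain's rule set or anything published by MASAK or CBRT; only the 75,000 TRY threshold comes from this page, and every window, band and count is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ID_THRESHOLD_TRY = 75_000            # one-off ID threshold quoted on this page
# Everything below is an assumed tuning value, not a regulatory figure.
NEAR_BAND = 0.90                     # "just below" = within 10% of the threshold
STRUCT_WINDOW = timedelta(hours=24)  # look-back window for structuring
STRUCT_MIN_COUNT = 3                 # near-threshold transactions needed to alert
RAPID_WINDOW = timedelta(minutes=15) # load followed by transfer-out this fast
DORMANT_GAP = timedelta(days=180)    # inactivity that counts as dormant
DORMANT_MIN_TRY = 10_000             # "high-volume" floor after dormancy

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data: (account, time, kind, amount_try, counterparty)
SAMPLE = [
    ("A1", ts("2026-03-02 09:00"), "transfer", 74_000, "X"),
    ("A1", ts("2026-03-02 13:30"), "transfer", 73_500, "X"),
    ("A1", ts("2026-03-02 18:10"), "transfer", 74_900, "Y"),
    ("B7", ts("2026-03-03 10:00"), "load", 20_000, None),
    ("B7", ts("2026-03-03 10:04"), "transfer", 19_800, "Z"),
    ("C3", ts("2025-06-01 12:00"), "load", 500, None),
    ("C3", ts("2026-03-04 08:00"), "load", 60_000, None),
    ("D9", ts("2026-03-05 11:00"), "load", 1_000, None),
    ("D9", ts("2026-03-06 16:00"), "transfer", 300, "W"),
]

def detect(txs):
    """Return a sorted list of (account, signal) alerts."""
    alerts, by_acct = set(), defaultdict(list)
    for tx in sorted(txs, key=lambda t: t[1]):
        by_acct[tx[0]].append(tx)
    for acct, rows in by_acct.items():
        near = [t for _, t, _, amt, _ in rows
                if NEAR_BAND * ID_THRESHOLD_TRY <= amt < ID_THRESHOLD_TRY]
        # Sliding window over the near-threshold transactions only
        for i in range(len(near) - STRUCT_MIN_COUNT + 1):
            if near[i + STRUCT_MIN_COUNT - 1] - near[i] <= STRUCT_WINDOW:
                alerts.add((acct, "structuring"))
        for prev, cur in zip(rows, rows[1:]):  # consecutive events per account
            if cur[1] - prev[1] >= DORMANT_GAP and cur[3] >= DORMANT_MIN_TRY:
                alerts.add((acct, "dormant_reactivated"))
            if (prev[2] == "load" and cur[2] == "transfer" and cur[4]
                    and cur[1] - prev[1] <= RAPID_WINDOW
                    and cur[3] >= NEAR_BAND * prev[3]):
                alerts.add((acct, "rapid_in_out"))
    return sorted(alerts)

print(detect(SAMPLE))
```

The rapid in/out rule only compares consecutive events on an account, so a load split across several outbound transfers needs an aggregate-outflow variant of the same check.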

A practical example: a mid-sized Turkish EMI handles around 1,200 new onboardings per business day and ~80,000 daily transactions; 0.2-0.4% generate alerts requiring enhanced review. More than half are cleared by analysts; the remainder escalate to compliance or STR.

Sanctions and PEP screening

PSPs and EMIs screen against the same lists as other regulated entities:

  • UN, OFAC, EU, UK,
  • Turkish domestic lists,
  • PEP lists,
  • Adverse media.

See our sanctions screening guide.

The high-volume + low-value profile of PSPs/EMIs makes deferred (post-trade) screening look attractive — but for sanctions matches it is operationally unacceptable. Sanctions screening must run pre-trade in real time.

STR filing

The MASAK STR obligation applies with the same rules: filing on MASAK Online within 10 business days of the moment of suspicion. Typical sector scenarios:

  • Suspected mixer/darknet-source loading (for PSPs accepting crypto-adjacent flows),
  • Structuring to stay below thresholds,
  • Sanctions match that cannot be cleared,
  • Dormant account suddenly running high-volume activity,
  • Transaction volume inconsistent with stated occupation/income.

STR volumes vary with size — typical range is 10-100 per month. Very low STR counts (e.g. fewer than 5 per month for a 100K-customer base) draw "your monitoring system is not working" findings on inspection.

CBRT inspection vs MASAK inspection

| Topic              | CBRT                                              | MASAK                                                        |
|--------------------|---------------------------------------------------|--------------------------------------------------------------|
| Authority area     | Licensing, prudential, payment-service technical  | AML/CFT substance                                            |
| Instruments        | Law 6493 + communiqués                            | Law 5549 + Regulation + communiqués                          |
| Inspection cadence | Full inspection every 1-2 years                   | Risk-based, complaint-based, periodic                        |
| Penalties          | Licence restriction, administrative fines         | Administrative fines, licence restriction, criminal referral |

The two authorities may inspect in parallel or sequentially. Findings are processed separately but operationally affect each other.

Penalties

For PSPs and EMIs on breach:

  • MASAK administrative fine: 200,000 — 1,000,000 TRY+ depending on breach (2026 range).
  • CBRT administrative fine: licence restrictions, Law 6493 Art. 27 penalties.
  • Failure to file STR: joint assessment with Article 282 TPC, possible imprisonment.
  • Systemic breach: licence withdrawal.

Fines are revalued annually.

Inspection-readiness checklist

What a PSP/EMI should have ready for both MASAK and CBRT inspection:

  • Law 6493 licensing dossier and compliance,
  • AML/CFT policy and procedure documents,
  • Compliance officer appointment letter,
  • Annual risk assessment,
  • Training records (last 2-3 years),
  • STR statistics + sample files,
  • Customer count + risk distribution report,
  • Sanctions/PEP screening architecture + results,
  • Anonymous e-money limit management reports,
  • Transaction monitoring rule set + alert statistics,
  • Internal audit reports (independent compliance audit),
  • CBRT reporting files (payment-service statistics, etc.),
  • IT systems inventory + connection mapping,
  • Third-party service provider contracts.

Frequently asked questions

What is the core difference between PSP/EMI AML obligations and bank AML obligations?

The core MASAK obligations (CDD, STR, training, internal controls) are identical. The differences sit in sectoral overlays: banks operate under the BDDK Remote Customer Onboarding Regulation, while PSPs and EMIs sit under CBRT payment-service communiqués and the MASAK good-practice expectation. E-money-specific rules (anonymous limit, loading limit) do not apply to PSPs but are critical for EMIs.

Is ID verification required for anonymous e-money cards?

For anonymous prepaid products below the annual loading threshold (~1,500-2,500 TRY) full CDD is not required. Above the threshold, simplified or full ID verification activates. Thresholds are updated; current figures sit in MASAK + CBRT publications. Even when individual card volume is low, rising card counts per individual should be monitored as a structuring signal.

As a PSP I accept crypto. What additional obligations apply?

The 2021 CBRT circular prohibits using crypto assets as payment, so classic PSPs cannot accept crypto-denominated payments. Operating as a crypto asset service provider (KVHS) requires separate licensing and a separate operating framework — see our KVHS regulation guide. PSPs contemplating any crypto-linked flow need legal and regulatory advice.

Will I face jurisdictional overlap between CBRT and MASAK?

The two authorities' supervisory areas overlap but their objectives differ. CBRT covers licensing and prudential; MASAK covers AML/CFT substance. The same institution can face two separate inspections, separate findings reports and separate penalties. The authorities share information operationally; a finding from one can trigger the other.

Is remote onboarding possible for PSPs and EMIs?

Yes. Remote ID verification is permitted under the MASAK Regulation. Technical standards parallel BDDK's bank-side rules (NFC + liveness + video session). CBRT payment-service communiqués may add conditions. Legal advice and prior dialogue with CBRT are advisable.

How Legichain helps with PSP/EMI MASAK compliance

Legichain's PSP solution and e-money solution cover the MASAK + CBRT frameworks on a single platform: NFC + video ID verification (aligned with Law 5549 and the MASAK Regulation), sanctions/PEP/adverse-media screening, transaction monitoring (with PSP/EMI-specific rule sets ready), e-money limit management, STR-ready export and audit-ready 8-year retention. The Legichain AML screening API clears 80% of sanctions hits automatically via the match-grouping layer; analysts see only marginal cases. Full audit log exports in CBRT + MASAK-ready format.

Legichain Team · Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.
