Operating a regulated financial institution in Turkey means juggling four overlapping authorities (MASAK, SPK, BDDK, CBRT), constantly evolving secondary legislation and parallel reporting workflows. This guide is built as the reference international operators and Turkish compliance teams actually use: from the foundational logic of Law No. 5549 to the March 2025 transfer of crypto oversight to SPK, from the MASAK STR format to BDDK's remote onboarding regime. It maps which article creates which obligation, with concrete examples and operational detail — the kind of detail a generic Turkey AML compliance overview rarely surfaces.
Quick summary
- Foundational law: Law No. 5549 on the Prevention of Laundering Proceeds of Crime (11 October 2006, Official Gazette 26323).
- Primary authority: MASAK — Financial Crimes Investigation Board (under the Ministry of Treasury and Finance).
- Sectoral regulators: SPK (investment firms, crypto), BDDK (banks, leasing, factoring, financing companies), CBRT (payment service providers, e-money institutions).
- STR deadline: Suspicious transaction reports filed with MASAK within 10 business days of detection.
- Onboarding rules: BDDK Remote Customer Onboarding Regulation (effective 1 May 2021); SPK Decision No. 65/1929 of 23 December 2021 for video ID verification by investment firms.
- Crypto: Law No. 7518 (21 May 2024) moved supervision to SPK; the secondary KVHS Regulation has been in force since March 2025.
1. The architecture of AML/KYC regulation in Turkey
Turkey's AML/KYC framework is not a single statute. It is a four-layer stack:
- Framework law: Law No. 5549 — defines obligations of all regulated entities (customer due diligence, reporting, training, internal controls).
- Framework regulation: the Regulation on Measures to Prevent the Laundering of Proceeds of Crime and the Financing of Terrorism (2008) — operationalises the law.
- Sectoral rules: BDDK (banking), SPK (capital markets and now crypto), CBRT (payments and e-money), MASAK (general guidance and circulars).
- Authority guidance: MASAK guidelines, BDDK good-practice notes, SPK opinions — formally non-binding but treated as binding in inspections.
The category of regulated entity you fall into determines which secondary instruments are binding. A bank is subject to Law 5549 plus the BDDK Remote Onboarding Regulation; a crypto exchange falls under SPK's KVHS Regulation; an e-money institution sits under Law No. 6493 plus the MASAK regulation. No single map covers everyone.
2. MASAK: Turkey's AML authority
The Financial Crimes Investigation Board (MASAK) sits under the Ministry of Treasury and Finance. It is the supervisor and reporting counterparty for every regulated entity under Law 5549. MASAK has three core functions:
- Supervision: on-site inspections, information requests, administrative fines.
- Financial Intelligence Unit (FIU): collects suspicious transaction reports, analyses them, refers cases to law enforcement.
- Standard-setting: circulars, general letters, guidelines.
Core MASAK obligations
The minimum every regulated entity must do:
| Obligation | Statutory reference | Operational reality |
|---|---|---|
| Customer due diligence (CDD) | Law 5549 Art. 3, Regulation Arts. 5-25 | ID verification + risk profiling + ongoing monitoring |
| Suspicious transaction report (STR) | Law 5549 Art. 4 | Filed via MASAK Online within 10 business days |
| Record retention | Law 5549 Art. 7 | All records kept for 8 years |
| Training | Regulation Art. 27 | All staff + periodic refreshers |
| Compliance officer | Communiqué Sıra No. 13 | Required above defined thresholds |
| Internal audit & risk management | Communiqué Sıra No. 13 | Written policies + annual assessment |
For depth, see our MASAK compliance guide.
Thresholds
MASAK thresholds shift over time; as of 2026, the headline figures we track operationally are:
- Continuous business relationship: ID verification mandatory (no amount threshold).
- One-off transactions: ID required above 75,000 TRY.
- Electronic transfers: originator and beneficiary information travels cross-border.
- High-risk jurisdictions: enhanced measures for FATF grey- and black-listed countries.
Always confirm the current threshold against MASAK's official publications.
3. Law No. 5549: the framework
Law No. 5549, published in the Official Gazette (No. 26323) on 11 October 2006, is the bedrock of Turkey's AML regime. It defines three pivotal concepts:
- Regulated entity (yükümlü): banks, payment institutions, e-money institutions, capital markets firms, insurers, crypto asset service providers (KVHS), bureaux de change, precious-metal intermediaries, lawyers (for specific transactions), accountants, real estate agents, and others.
- Suspicious transaction: any transaction the regulated entity suspects relates to the laundering of proceeds of crime or terrorist financing.
- Customer due diligence: identity verification, beneficial owner identification, purpose of business relationship, ongoing monitoring.
For a deeper walkthrough see our Law No. 5549 guide.
4. SPK: investment firms and KVHS
The Capital Markets Board (SPK) supervises two distinct populations:
4.1 Investment firms (brokerage houses, portfolio management companies)
SPK's Decision No. 65/1929 of 23 December 2021 authorised investment firms to onboard customers via video ID verification. The process requires:
- A live (synchronous) session between at least two firm representatives and the customer,
- Live verification of the identity document,
- Full audio/video recording and retention,
- Defined minimum audio/video quality standards.
For the operational detail see our SPK video ID verification guide.
4.2 Crypto Asset Service Providers (KVHS)
Law No. 7518 (21 May 2024) amended the Capital Markets Law and placed crypto asset service providers under SPK supervision. The secondary KVHS Regulation has been in force since March 2025. Core KVHS obligations:
- SPK authorisation,
- Minimum capital + own-funds requirements,
- Segregation of customer assets,
- AML/CFT internal control system aligned with MASAK regulation,
- Travel Rule data transmission (FATF Travel Rule standard used as reference).
See our Turkey crypto VASP regulation guide for the breakdown.
5. BDDK: banks and remote onboarding
The Banking Regulation and Supervision Agency (BDDK) oversees banks, financial leasing companies, factoring firms, financing companies and asset management companies. The standout AML/KYC instrument is the Remote Customer Onboarding Regulation, effective 1 May 2021. The core logic: a bank may onboard customers without a physical branch visit through a combination of video verification, biometric liveness detection and electronic reading of the identity document (NFC chip preferred).
Required technical standards:
| Control | Requirement |
|---|---|
| Video session | Live (not asynchronous) with bank staff |
| Identity document | TR national ID / e-ID card / passport (NFC preferred) |
| Liveness | Active or passive biometric liveness |
| Recording | Full session recorded, 5-year retention |
| Fallback | Face-to-face verification when doubt arises |
For the deep dive, see our BDDK remote onboarding guide for banks.
6. CBRT and Law No. 6493: PSPs and e-money
Payment services and electronic money institutions are governed by Law No. 6493 (Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions). Critical historical note: supervision transferred from BDDK to CBRT on 22 January 2020. Many institutions still operate on legacy BDDK-era circulars and need to refresh their internal references.
MASAK obligations for PSPs and e-money institutions mirror the standard regulated-entity framework, with additions:
- Originator and beneficiary information for wire transfers,
- MASAK thresholds applied to e-money loading limits,
- Extra restrictions for anonymous e-money products.
See our MASAK obligations for PSPs and e-money institutions guide.
7. Operational compliance: what actually happens
Knowing the law is not enough. Compliance teams run seven core operational workflows daily:
- Customer onboarding: ID verification + risk scoring + initial sanctions/PEP screening. A mid-sized Turkish e-money institution onboards roughly 1,200 new customers per business day; 0.3-0.5% of those produce sanctions/PEP hits requiring enhanced review.
- Continuous customer monitoring: re-screening the existing customer base whenever lists update. A Tier-1 Turkish bank may run 5-8 million daily re-screens.
- Transaction monitoring: anomaly detection, rules-based plus risk-score triggers.
- Alert investigation: analyst review, close or escalate to STR.
- STR filing: transmission to MASAK Online within 10 business days.
- Annual risk assessment: written self-assessment of inherent and residual risk.
- Training and internal audit: annual personnel training + independent compliance audit.
Sanctions and PEP screening
Lists Turkish regulated entities must screen against:
- UN Security Council sanctions,
- US OFAC SDN,
- EU consolidated sanctions list,
- UK HM Treasury (FCO Sanctions),
- Turkish domestic lists (Law 5549 and Law 6415),
- PEP lists (domestic and foreign, broad scope),
- Adverse media.
For the underlying infrastructure see our AML screening guide and the PEP explainer.
8. Penalties and risk
Administrative fines under Law 5549 and secondary legislation vary by sector and breach type. As of 2026, the practical ranges are:
- Individual breaches (failure to ID, late reporting): 200,000 — 1,000,000 TRY band,
- Systemic breaches (missing internal controls, no training): 1,000,000 TRY+ and possible operating-licence restrictions,
- Failure to file STR: can be prosecuted criminally (assessed jointly with the Turkish Penal Code).
Fines are revalued annually; check MASAK's annual fine tables for current figures.
9. Turkey AML/KYC compliance: decision map
Which framework applies depends on your category of regulated entity:
| Entity type | Binding instruments | Primary authority |
|---|---|---|
| Bank | Law 5549 + MASAK Regulation + BDDK Remote Onboarding Regulation | MASAK + BDDK |
| PSP / E-money | Law 5549 + MASAK Regulation + Law 6493 + CBRT | MASAK + CBRT |
| Investment firm | Law 5549 + MASAK Regulation + SPK communiqués | MASAK + SPK |
| KVHS (crypto) | Law 5549 + MASAK Regulation + KVHS Regulation | MASAK + SPK |
Every regulated entity has dual supervisors: MASAK (AML/CFT substance) plus the sectoral regulator (licensing, prudential, sector-specific operational standards).
10. Parts of this pillar
The cluster articles — read each one for depth:
- MASAK compliance guide
- Law No. 5549 guide
- SPK video ID verification
- BDDK remote onboarding for banks
- Turkey crypto VASP (KVHS) regulation
- MASAK obligations for PSPs and e-money institutions
Frequently asked questions
What is the deadline for filing a suspicious transaction report (STR) with MASAK?
A regulated entity must file the STR with MASAK within 10 business days of the moment the suspicion arises — which is the date the responsible person (usually the compliance officer) becomes aware, not the date of the underlying transaction. Internal escalation must therefore run in hours (or minutes), not days. Late filings trigger administrative fines and signal weak governance.
Which institutions are "regulated entities" under MASAK?
Article 2 of Law 5549 gives a broad list: banks, insurers, pension funds, capital markets firms, payment institutions, e-money institutions, crypto asset service providers, bureaux de change, precious-metal intermediaries, leasing, factoring, asset management, real estate agents, lawyers (for specified transactions), accountants. The full enumeration sits in Article 2 plus secondary instruments.
Beyond banks, who does the BDDK Remote Onboarding Regulation cover?
It applies to banks, factoring companies, financial leasing companies and financing companies. Insurers, payment institutions and capital markets firms fall under different regulators. Investment firms use SPK's video ID decision; PSPs and e-money institutions follow CBRT guidance and the MASAK regulation.
Is Turkey's crypto regulation (KVHS) in force, and since when?
Law No. 7518 was published on 21 May 2024 and made SPK the primary supervisor of crypto asset service providers. The secondary KVHS Regulation has been in force since March 2025. This means crypto exchanges must apply for SPK authorisation and operate under SPK supervision. As of 2026 the transition is complete; supervision is active.
How is jurisdictional overlap between MASAK and the sectoral regulator (BDDK/SPK/CBRT) handled?
MASAK is always the substantive AML/CFT authority — STR filing, CDD standards and training obligations sit with MASAK. The sectoral regulator (e.g. BDDK for a bank) handles licensing, prudential rules, operational technical standards and sector-specific applications. The two supervisors overlap in practice but their objectives differ; institutions must be inspection-ready for both.
How Legichain helps with Turkey AML/KYC compliance
Legichain provides Turkey-regulated entities with a single API for sanctions/PEP/adverse-media screening, NFC + video ID verification, transaction monitoring, STR-filing support and KVHS Travel Rule data transmission. Our solution for banks maps to the BDDK Remote Onboarding Regulation; our PSP and e-money configurations align with the CBRT + MASAK framework; our crypto exchange stack ships with the SPK KVHS Regulation plus FATF Travel Rule baked in. To discuss your specific architecture, request a demo.
Next steps
- Read the cluster articles above for sector-specific depth.
- Review the Legichain AML screening API.
- Plan your onboarding flow with the digital KYC guide.
