Legichain

Turkey's Crypto Asset Service Provider Regulation: What to Expect

Law No. 7518 (21 May 2024) moved crypto supervision to SPK; the KVHS Regulation has been in force since March 2025. Operational obligations for Turkish crypto exchanges.

Legichain Team 14 min read 26 May 2026

Turkey took its first comprehensive regulatory grip on crypto asset service providers (KVHS — kripto varlık hizmet sağlayıcı) with the publication of Law No. 7518 in the Official Gazette on 21 May 2024. The law amended Capital Markets Law No. 6362 to make SPK the primary supervisor of crypto activity. The secondary Regulation on Crypto Asset Service Providers has been in force since March 2025; as of 2026 the transition is complete and supervision is active. This guide covers KVHS licensing structure, AML/CFT obligations, customer asset segregation, capital adequacy and FATF Travel Rule compliance — written for Turkish exchanges and for international VASPs evaluating market entry.

Context

Turkey's crypto sector ran largely unsupervised until 2021. The sudden collapse of large local exchanges (Thodex, Vebitcoin) and the resulting loss of user assets accelerated regulatory action. The first intervention was the 16 April 2021 CBRT circular banning the use of crypto for payments. A comprehensive sectoral framework only emerged in 2024.

The substance of Law No. 7518:

  • KVHS are now capital markets institutions under Law No. 6362,
  • SPK holds supervisory and licensing authority,
  • MASAK AML/CFT obligations apply through Law No. 5549,
  • Minimum capital, customer asset custody, IT security and AML/CFT internal control requirements are now mandatory.

The secondary regulation (March 2025) operationalises this framework.

Scope: who is a KVHS?

The regulation defines "crypto asset services" to include:

  • Operating a crypto trading platform (exchange),
  • Crypto asset custody,
  • Crypto asset transfer / swap services (wallets, transfers),
  • Initial offering intermediation (token sale platforms),
  • Portfolio management (crypto asset portfolios),
  • Investment advisory (crypto).

Any entity providing one or more of these services in or directed at Turkey is a KVHS and requires SPK authorisation.

Access to Turkey for foreign exchanges

For foreign-headquartered exchanges accepting Turkish customers, the practical paths:

  1. Obtain KVHS authorisation in Turkey (local entity or branch),
  2. Stop accepting Turkish customers (geo-fencing, KYC refusal).

Is purely passive access (a non-Turkish website reachable from Turkey) sufficient? SPK's reading hardened across 2025-2026: exchanges marketing in Turkey, offering Turkish-language support or supporting Turkish lira are treated as operating unlicensed in Turkey.

Licensing application

The KVHS application package submitted to SPK:

  • Corporate documents: trade registry extract, articles of association, signature circulars.
  • Capital structure: minimum capital commitment, ownership, beneficial owners.
  • Management: board members, senior management fit-and-proper assessments.
  • Capital adequacy: activity-specific minimum capital + own funds.
  • Risk management: written risk policy, risk committee structure.
  • IT infrastructure: wallet architecture, security design, penetration test reports.
  • AML/CFT internal control: compliance officer appointment, AML policy, training programme, sanctions/PEP screening architecture, STR mechanism.
  • Customer asset custody plan: hot/cold wallet split, cold storage percentage, backups.
  • User agreements and risk disclosure documents.

SPK conducts interviews and on-site review after submission. Typical application timelines run 9-18 months depending on completeness.

Minimum capital and own funds

The KVHS Regulation defines activity-specific minimum capital. General framework (practical 2026 figures):

Activity Approximate minimum capital
Trading platform 150 million TRY+
Crypto custody 100 million TRY+
Portfolio management 30 million TRY+
Investment advisory 5 million TRY+

Minimum capital may be revalued annually; consult SPK publications for current figures. Own-fund adequacy is computed against an operational-risk-based ratio in addition.

Customer asset segregation

KVHS must strictly segregate customer assets from their own. Operational rules:

  • Account segregation: customer crypto assets and fiat accounts separated from the entity's commercial accounts.
  • Cold storage ratio: a minimum share of customer assets (e.g. 95%+) kept in cold storage; the exact ratio set in SPK guidelines.
  • Custody partner: if third-party custody is used, the partner must hold an SPK licence or equivalent authorisation.
  • Customer asset reporting: periodic reporting (typically monthly) to SPK.
  • Bank settlement: customer fiat assets are held with an SPK-approved custodian bank.

These rules are designed against Thodex-style failures; the practical effect is a customer-asset "lock-in" mechanism.

AML/CFT framework

KVHS are MASAK regulated entities under Law No. 5549. The KVHS Regulation adapts that framework to the sector:

Customer due diligence (CDD)

  • ID verification for all customers (no anonymous accounts),
  • Risk-based approach (high volume, high risk → enhanced CDD),
  • Beneficial owner identification (for corporate customers),
  • Ongoing monitoring.

For Turkish nationals, NFC + video session ID verification (paralleling the bank model) is strongly advised. See our digital KYC guide for detail.

Sanctions and PEP screening

KVHS must screen against:

  • UN Security Council sanctions,
  • US OFAC SDN (including OFAC-tagged crypto addresses),
  • EU consolidated sanctions list,
  • UK HMT,
  • Turkish domestic lists (Law 5549 + Law 6415),
  • PEP lists (broad scope),
  • Adverse media (crypto-specific sources).

For the underlying infrastructure see our AML screening guide and sanctions screening guide.

Blockchain AML / on-chain screening

The KVHS Regulation does not explicitly mandate on-chain risk screening, but the MASAK enhanced-CDD expectation makes it operationally necessary:

  • Deposit address screening: risk score of the source address for inbound crypto deposits.
  • Withdrawal address screening: risk score of the destination address for outbound transfers.
  • Risk tags: mixer, darknet market, ransomware, sanctions, scam.

See our blockchain AML guide for the detail.

Suspicious transaction reporting

The MASAK STR obligation applies with the same rules: 10 business days from the moment of suspicion. STR scenarios that recur for KVHS:

  • Mixer-mediated deposits,
  • High-frequency, low-value "structuring",
  • New accounts running high-volume activity within hours,
  • Transfers from sanctions-tagged wallets,
  • Customer profile inconsistent with transaction volume.

FATF Travel Rule (Turkish implementation)

The KVHS Regulation implements FATF Recommendation 16 (Travel Rule): for crypto transfers above 1,000 EUR (or equivalent), originator and beneficiary information must be exchanged with the counterparty VASP. Practical implementation:

  • IVMS 101 standard (for inter-VASP communication),
  • Travel Rule infrastructure integration (TRP, Sygna, Notabene, OpenVASP, Veriscope and similar networks),
  • Refusal or reporting of transfers lacking Travel Rule data (sunrise problem management).

For the Travel Rule regime in Turkey see our FATF Travel Rule guide.

Comparison with MiCA

The Turkish KVHS regime shares structural similarities with the EU's MiCA (Markets in Crypto-Assets), with important differences. For depth see our what is MiCA explainer and the EU financial regulation pillar. Summary comparison:

Topic KVHS (Turkey) MiCA (EU)
In force March 2025 30 December 2024 (CASP)
Authority SPK National NCA + ESMA coordination
Passporting No (local licence required) Yes (within EEA)
Minimum capital 5M-150M+ TRY 50K-150K EUR (CASP)
Stablecoins Not explicit E-money token + ART distinction
AML framework MASAK AMLD + TFR

A practical example

A mid-sized Turkish crypto exchange (50,000-200,000 trades/day) typically runs:

  • New onboarding: 800-1,500 new customers/day,
  • NFC + liveness + video verification: 70-80% completion rate,
  • First-pass sanctions/PEP hits: 0.5-1.5% of applications,
  • On-chain risk score: 2-4% of inbound transfers carry mixer/darknet/sanctions tags,
  • Rejected deposits: 20-40% of tagged transfers are operationally rejected (remainder monitored),
  • STR volume: 30-80 per month (varies with exchange size).

These figures show operational capacity; compliance is not "knowing the rules" but "making 1,000+ correct decisions per day".

Frequently asked questions

Is the KVHS Regulation actually in force?

Yes. Law No. 7518 was published on 21 May 2024; the secondary KVHS Regulation has been in force since March 2025. As of 2026 the transition is complete and supervision is active. Entities without SPK authorisation cannot operate in Turkey.

I am a foreign exchange accepting Turkish customers. Do I need a licence?

If you market in Turkey, offer Turkish-language support, or support Turkish lira, SPK will most likely treat you as operating in Turkey and require a licence. The boundary for purely passive access (a non-Turkish global platform) is unclear; obtain an SPK opinion or legal advice. Without a licence, the only safe path is to stop serving Turkish customers (geo-fencing, KYC refusal).

What are the minimum capital requirements?

They vary by activity; trading platforms run at 150 million TRY+ as a practical reference, custody at 100 million TRY+. Full current figures are in SPK communiqués. Capital is revalued annually.

Can KVHS hold customer assets in its own wallets?

No, strict segregation is mandatory. Customer assets must sit in separate accounts/wallets from the institution's commercial assets. Cold storage ratio must be high (practical reference 95%+). Third-party custody requires SPK licence or equivalent authorisation for the partner.

Is Travel Rule infrastructure mandatory?

In practice yes. The KVHS Regulation requires FATF Travel Rule compliance for transfers above 1,000 EUR. Inter-VASP communication in IVMS 101 plus integration with a Travel Rule network (Sygna, Notabene, TRP, Veriscope, OpenVASP and similar) is necessary. High-value transfers without Travel Rule data should be refused or reported via STR.

How Legichain helps with KVHS compliance

Legichain's crypto exchange solution covers every operational obligation in the KVHS Regulation: NFC + video ID verification, MASAK sanctions/PEP/adverse-media screening, on-chain risk scoring (mixer, darknet, sanctions-tagged addresses), FATF Travel Rule infrastructure (IVMS 101 + network integrations) and STR-ready export. Our blockchain AML module provides per-wallet risk reporting. SPK-inspection-ready audit logs and 8-year retention ship by default.

Next steps

Legichain Team· Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.

Related reading

You may also like

turkey-regulation

Turkey Financial Compliance: The AML/KYC Regulatory Guide

Turkey's AML/KYC architecture is fragmented across four overlapping regulators (MASAK, SPK, BDDK, CBRT) and a stack of secondary legislation that keeps shifting. This pillar guide gives international operators and Turkish compliance teams a single reference: which law sits under which authority, reporting deadlines, thresholds, customer onboarding rules and the operational details that consume the most analyst hours in real deployments.

Read article
turkey-regulation

SPK-Compliant Video ID Verification for Investment Firms

SPK Decision No. 65/1929 of 23 December 2021 opened video ID verification to Turkish investment firms (brokerage houses and portfolio management companies). This guide walks through the technical requirements, flow design, recording and retention obligations, and the points SPK inspectors actually drill into — with operational detail relevant for both Turkish operators and international firms entering the market.

Read article
turkey-regulation

MASAK Obligations for Turkish PSPs and E-Money Institutions

Turkish payment service providers (PSPs) and electronic money institutions (EMIs) sit under dual supervision: CBRT (licensing, prudential) and MASAK (AML/CFT). This BOFU guide covers the operational obligations under Law No. 6493 + Law No. 5549 + the MASAK Regulation — identity verification, transaction monitoring, e-money limits, STR filing and inspection readiness for both Turkish operators and international PSPs entering the market.

Read article

Be screen-ready in an afternoon.

Spin up a free workspace, paste your first API key into a curl, ship a verified onboarding flow before your next stand-up.

Start freeBook 30 min with sales