Regulatory Compliance and Reporting Obligations
3.1 Anti-Money Laundering (AML) Obligations
Under Turkish AML law, crypto asset service providers are considered “obliged institutions” (“yükümlü kuruluşlar”). Key compliance requirements:
- Customer Due Diligence (KYC): Verification of customer identity, including government-issued ID and address.
- Suspicious Transaction Reporting: Reporting any suspicious transactions or activities to MASAK without delay.
- Record Keeping: Maintaining records of all transactions, customer data, and compliance actions for at least 8 years.
- Training and Internal Controls: Regular AML/CTF training for staff and the implementation of written internal control procedures.
- Appointment of Compliance Officer: Mandatory designation of a responsible manager for AML/CTF matters.
3.2 Data Protection (KVKK)
Crypto companies must comply with Turkish data protection law (KVKK), including:
- Registration with the Data Controllers Registry (VERBIS).
- Obtaining informed consent for data processing.
- Ensuring data security and breach notification procedures.
3.3 Reporting to Authorities
- Regular (monthly/quarterly) reports to MASAK on transaction volumes, new customer registrations, and suspicious activities.
- Instant reporting for transactions above legal thresholds (e.g., above TRY 75,000).
3.4 Capital Markets Board (SPK) Oversight
If the crypto business involves token issuance, ICO/STO, or investment schemes, SPK oversight may be triggered:
- Prospectus approval may be required for public offerings.
- Marketing and investment activities may be subject to strict rules and bans.