Communiqué Regarding Principles on the Establishment and Operation of Crypto-Asset Service Providers (III-35/B.1)
CHAPTER ONE
Preliminary Provisions
Purpose
ARTICLE 1 – (1) The purpose of this Communiqué is to set down the procedures and principles regarding establishment, launching, activities, and suspension of activities, of crypto asset service providers.
Scope
ARTICLE 2 – (1) This Communiqué covers and regulates procedures and principles regarding establishment of crypto asset service providers, their founders, managers, shareholders and personnel, operational principles, organization, obligations and liabilities, transfers of shares, information systems and technological infrastructures, outsourcing of services, actions and activities they are not permitted to do, documentation and recording systems, internal audit, internal control and risk management systems, and temporary or permanent suspension or termination of their operations.
Basis
ARTICLE 3 – (1) This Communiqué is issued and enacted in reliance upon articles 35/B,
35/C, 99/A and 99/B of the Capital Markets Law 6362 of 06.12.2012.
Definitions and Abbreviations
ARTICLE 4 – (1) For the purposes and in the context of this Communiqué:
a) Public key: Refers to a key uniquely addressing the wallet for transfer of crypto assetsfrom one wallet to another via distributed ledger network;
b) Bank: Refers to deposit and participation banks as well as development and investment banks as defined in Article 3 of the Banking Law 5411 of 19.10.2005;
c) BRSA: Stands for the Banking Regulation and Supervision Agency;
ç) Association: Stands for Capital Markets Association of Türkiye (TCMA);
d) Integrity: Refers to the feature of protection of accuracy and completeness of information;
e) Wallet: Refers to software, hardware, systems or applications ensuring the transfer of crypto assets and the custody of these assets or private and public keys regarding said assets;
f) Accessibility: Refers to the feature of information being accessible and usable by authorized users, application or system upon demand;
g) Confidentiality: Refers to accessibility of information systems and information only by authorized users, application or system;
ğ) Public Disclosure Platform (PDP): Refers to the electronic system employed in order to disclose with electronic signature all and any information required to be made public pursuant to the applicable laws;
h) Law: Stands for the Capital Markets Law 6362 of 06.12.2012;
ı) Crypto asset: Refers to intangible assets expressing a value or right, which can be created and stored electronically by using distributed ledger technology or a similar other technology, and are distributed via digital networks;
i) Crypto asset service provider: Refers to both platforms, and institutions providing crypto asset custody services, and other institutions specified for provision of services regarding crypto assets, including initial sales or distribution of crypto assets;
j) Crypto asset custody service: Refers to custody and management of crypto assets of customers or private keys providing the right of transfer of these assets from wallet, or other custody services to be determined by the Board;
k) Board: Stands for the Capital Markets Board;
l) Agency dematerialised system: Refers to the records which are not inserted in the distributed ledger network, and are included in trading platform / trading book / order book and accounting system of platform;
m) MASAK: Stands for the Ministry of Treasury and Finance, Presidency of the Financial Crimes Investigation Board;
n) MKK (CRA): Stands for Merkezi Kayıt Kuruluşu Anonim Şirketi (Central Registry Agency);
o) Private key: Refers to secret keys providing the right of transfer from wallets;
ö) Shareholders’ equity: Refers to shareholders’ equity calculated in accordance with the current regulations of the Board pertaining to capital and capital adequacy of crypto asset service providers;
p) Personnel: Refers to internal auditor, internal control personnel, risk management personnel, operations personnel, information security officer, information technologies operations personnel and investment advisor as further defined in this Communiqué;
r) Platform: Refers to institutions where any one or more of crypto asset trading, initial sales or distribution, clearing, transfer and associated custody transactions or other transactions that may be specified in relation therewith are executed and performed;
s) Depository institution: Refers to an institution authorized by the Board for provision of crypto asset custody services;
ş) Hot wallet: Refers to a wallet technology, connected to internet, not specified as a cold wallet, which is used by crypto asset service providers in order to execute crypto asset transfers for their customers;
t) Cold wallet: Refers to a wallet technology where keys ensuring the control of crypto assets are protected by physical, administrative and technical information security controls, and which allow execution of critical transactions like transaction approval and transaction signature with intervention of authorized personnel in offline environments isolated from internet by physical or technical air gaps;
u) SPL: Stands for Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş. (Capital Markets Licensing Registry and Training Agency Co., Inc.);
ü) Full-time working: Refers to being on duty continuously in the work environment and not to professionally deal with any other job, for the sake of institutionalisation;
v) Transfer: Refers to transfer of crypto assets available in wallets to other wallets via distributed ledger technology;
y) TÜBİTAK: Stands for the Scientific and Technological Research Council of Türkiye;
z) TÜBİTAK Infrastructure Criteria: Refers to a document prepared and issued by TÜBİTAK with regard to information systems and technological infrastructures of crypto asset service providers;
aa) Executives: Refers to members of board of directors, general manager, deputy general managers, managers of all levels working in organization units to which personnel are assigned, and all employees (vice managers, supervisors, directors and similar others) working in levels between executives and personnel in those organization units;
bb) Communiqué III-35/B.2: Refers to the Communiqué Regarding Establishment and Operating Principles and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2), published in the Official Gazette edition 32840 on 13.03.2025;
cc) Communiqué III-39.1: Refers to the Communiqué Regarding Principles of Establishment and Activities of Investment Firms (III-39.1), published in the Official Gazette edition 28854 on 17.12.2013;
çç) Communiqué III-42.1: Refers to the Communiqué Regarding Remote Identification Methods to be Used by Intermediary Institutions and Portfolio Management Companies, and Establishment of Contractual Relations in Electronic Environment (III-42.1), published in the Official Gazette edition 31744 on 08.02.2022;
dd) Communiqué III-62.2: Refers to the Communiqué Regarding Independent Audit of Information Systems, published in the Official Gazette edition 30292 on 05.01.2018;
ee) Communiqué VII-128.10: Refers to the Communiqué Regarding Procedures and Principles of Management of Information Systems (VII-128.10), published in the Official Gazette edition 32840 on 13.03.2025.
CHAPTER TWO
Establishment Conditions and Licensing of Crypto Asset Service Providers
Establishment Conditions of Crypto Asset Service Providers
ARTICLE 5 – (1) In order to be eligible for licensing by the Board, crypto asset service providers are subject to the following establishment conditions:
a) They are required to be established in the form of a joint-stock company;
b) All of their capital shares should be registered shares;
c) Their capital shares should be issued against cash payment;
ç) Their initial capital must not be less than an amount to be determined by the Board, not being below the minimum capital amount stipulated pursuant to the current regulations of the Board pertaining to capital adequacy of crypto asset service providers, and their capital must be fully paid in cash, and their shareholders’ equity must not also be less than said amount;
d) Their articles of association must be in compliance with the pertinent provisions of the Law and the related regulations, and their fields of business must be arranged so as to exclusively cover the business activities for which they are authorized by the Board;
e) Their founders must satistify the conditions specified in the Law and related regulations;
f) Their shareholding structure should be transparent and open.
(2) The provisions of tje first paragraph shall not be applicable to banks intending to deal with crypto asset custody services.
Conditions Regarding Founders and Shareholders
ARTICLE 6 – (1) Founders and shareholders of crypto asset service providers:
a) Must not have been adjudged bankrupt, must not have entered into composition with their creditors, must not have filed an application for restructuring via reconciliation duly approved, or must not have been subject to an order for postponement of bankruptcy, according to the pertinent provisions of the Execution and Bankruptcy Law 2004 of 09.06.1932 or other applicable laws and regulations;
b) Must not directly or indirectly hold capital shares of ten percent or more in the capital of, or directly or indirectly control management of bankers subject to liquidation, or factoring, financial leasing, finance, savings finance, asset management, insurance, reassurance, pension companies and payment system operators, payment service providers or other institutions operating in money and capital markets operating licenses of which were cancelled, with the exception of voluntary liquidation;
c) Must not have been convicted of simple embezzlement or misappropriation, embezzlement, extortion, bribery, theft, swindling, fraud, betrayal of trust, fraudulent bankruptcy or similar other shameful offences, or smuggling offences other than smuggling for own use or smuggling for own consumption, or bid rigging in official auctions and trading, rigging in terms of discharging of an obligation, hindrance or destruction of information systems, destruction or alteration of data, abuse of bank debit or credit cards, laundering proceeds of crime, financing of terrorism, crimes listed in Article 5 of the Law Regarding Prevention of Financing of Proliferation of Weapons of Mass Destruction No. 7262 dated 27/12/2020, crimes committed against the state, crimes committed against the symbols of sovereignty or the esteem of bodies of the state, crimes committed against state security, crimes committed against the constitutional order and its functioning and the national defence, crime of disclosure of state secrets, crimes against state secrets, espionage, crimes committed against relations with foreign states, crimes covered by the Anti-terrorism Law no. 3713 dated 12/4/1991, tax evasion crimes, and must not have been an accomplice in such crimes, pursuant to the repealed Turkish Criminal Code no. 765 dated 1/3/1926, the Turkish Criminal Code no. 5237 dated 26/9/2004, or other applicable laws pertaining thereto, or must not have been sentenced to imprisonment for five years or more due to any intentionally committed crimes, or must not have a finalized conviction due to crimes listed in this Law, even if pardoned later, with the exception of negligent offences;
ç) Must not have been banned from making transactions pursuant to subparagraph (a) of the first paragraph of Article 101 of the Law;
d) Must have the financial strength, honesty and reputation required for conduct of business;
e) Must not be among persons liable forfor the incident leading to such sanction in any institutions which have had one of the operating licenses cancelled by the Board;
f) Must not have been ordered to pay an administrative fine during the last five years in reliance upon Article 104 of the Law.
It shall be deemed sufficient for the condition defined in subparagraph (ç) to be fulfilled as of the date of filing the application for establishment and the date of finalization of the application.
(2) Natural persons who are alone entitled to get more than half of distributable profit of a crypto asset service provider, or are alone eligible to be represented in board of directors by selecting or nominating more than half of full number of directors pursuant to the corporate articles of association are also required to meet the conditions listed in first paragraph hereinabove.
(3) Shareholders of legal entity founding shareholders of a crypto asset service provider, holding capital shares directly or indirectly representing ten percent or more of capital shares or voting rights therein, or holding privileged shares granting the right to be represented in board of directors thereof, even if below the aforesaid threshold, are also required to meet the conditions listed in the first paragraph above. In case of changes in shareholding structure at any time after establishment, legal entity shareholders of crypto asset service providers, holding capital shares directly or indirectly representing ten percent or more of capital shares or voting rights therein, or holding privileged shares granting the right to be represented in board of directors thereof, even if below the aforesaid threshold, and its other shareholders holding capital shares directly or indirectly representing ten percent or more of capital shares or voting rights therein, or holding privileged shares granting the right to be represented in board of directors thereof, even if below the aforesaid threshold, shall also be required to meet the conditions listed in the first paragraph.
(4) In cases where natural person or legal entity shareholders of crypto asset service providers, holding capital shares directly or indirectly representing ten percent or more of capital shares or voting rights therein, or holding privileged shares granting the right to be represented in board of directors thereof, even if below the aforesaid threshold, or its shareholders referred to in the third paragraph, lose the qualifications listed in the first paragraph hereinabove, except for subparagraph (d) of first paragraph, they are required to transfer their capital shares to persons meeting the conditions specified in the first paragraph within six months.
(5) The provisions of this Article shall not be applicable to banks intending to deal with crypto asset custody services.
Trade Name and Company Name
ARTICLE 7 – (1) Trade name of platforms is required to contain the phrase “crypto asset trading platform” with the purpose of indicating the services they provide.
(2) Trade name of institutions intending to offer crypto asset custody services is required to contain the phrase “crypto asset depository institution” with the purpose of indicating the services they provide.
(3) If crypto asset service providers wish to use a company name or trademark with respect to the activities within the scope of authorization, they are required to receive a prior consent of the Board in connection therewith.
(4) Crypto asset service providers are under obligation to use their trade name in all types of promotions and advertisements published in the press and media and in all of their correspondences. However, they may also use their registered company name or trademark, instead of trade name, in their promotions and advertisements to be published as per this paragraph.
(5) Trade names of crypto asset service providers may be changed only in case of a change in shareholding structure or change in trade name of the shareholder holding majority of voting rights therein in such manner to lead to a change in management control, or for performance of legal obligations and liabilities.
(6) The provisions of this Article are shall not be applicable to banks intending to deal with crypto asset custody services.
Establishment Procedures of Crypto Asset Service Providers
ARTICLE 8 – (1) Founders shall file an application to the Board with articles of association duly prepared in accordance with the establishment conditions and other submittals proving that they satisfy the conditions specified in Article 6. In application for establishment, if deemed necessary by the Board, additional information and documents may be requested from founders.
(2) In applications for establishment, operating license or change in shareholding structure, the Board may request the crypto asset service provider and its legal entity shareholders to have an independent audit or rating to be conducted specially.
(3) In amendments to articles of association of crypto asset service providers, it is required to receive a prior assent of the Board.
CHAPTER THREE
Operational Conditions and Operating License of Crypto Asset Service Providers
Conditions for Launching Activities
ARTICLE 9 – (1) In order to be eligible for permission from the Board, crypto asset service providers are required to meet the following general conditions:
a) They must not have lost their qualifications sought for establishment;
b) Their minimum original capital must have been fully paid in cash;
c) They must perform their obligations specified in the current regulations of the Board pertaining to capital adequacy of crypto asset service providers;
ç) They must build an organization structure meeting the conditions listed in Article 10;
d) They must meet the conditions stipulated in Article 13 with respect to their personnel;
e) They must meet the conditions stipulated in Article 14 with respect to their general manager and deputy general managers;
f) They must have built and made operative a security infrastructure in compliance with the conditions and rules specified in the Communiqué VII-128.10 and with TÜBİTAK Infrastructural Criteria;
g) They must have built all organization units, systems and functions regarding internal audit, control and risk management within the frame of the principles set forth in this Communiqué, including prevention of fraud of every description which may cause loss of crypto assets;
ğ) They must have completed their technical and system integration tests with MKK (CRA);
h) They must have built an infrastructure for storage of private keys, and provision of their security, and have completed its integration with distributed ledger networks, in accordance with the the principles set forth in the Communiqué III-35/B.2.
(2) In addition to the conditions listed in the first paragraph, platforms are further required to meet and comply with the following conditions:
a) A contract setting down the mutual powers and responsibilities of parties thereto and describing how the flow of information needed by parties for performance of their duties and obligations will be provided is required to be signed with at least one institution duly authorized by the Board as a crypto asset depository institution, and all technical processes and integrations required within the frame of settlement system must be provided;
b) An account is required to be opened in a bank for cash funds of customers;
c) Internal mechanisms allowing effective and efficient resolution of probable objections and complaints relating to customer transactions must be established, and a written procedure must be documented in connection therewith;
ç) A price monitoring system must be established, and a written procedure must be documented in connection therewith.
(3) In order to be eligible for an operating license for crypto asset custody services, in addition to the conditions stipulated in the first paragraph, organization unit or units which are solely and exclusively responsible for custody services must be built, and an adequate number of personnel must be employed.
(4) In the process of examination of applications filed for an operating license for crypto asset service providers, if deemed necessary, upon demand of the Board, an audit shall be conducted on information systems together with TÜBİTAK, and institutions or organizations affiliated or related to or associated with ministries, and other public organizations. In these audits, adequacy of not only the processes and technological infrastructure related to information systems, but also the wallets and distributed ledger technology based transactions used by crypto asset service providers shall be examined within the frame of audit principles to be set down in the Communiqué III-62.2.
(5) In order for banks to engage in crypto asset custody services, they must meet the general conditions listed in subparagraphs (c), (ç), (d), (f), (g), (ğ) and (h) of the first paragraph. In the case of a resolution of board of directors certifying that internal systems established by banks in accordance with banking laws and regulations meet and satisfy the conditions specified by the Board for internal audit and control systems, the condition defined in subparagraph (g) of the first paragraph shall be deemed to have been satisfied.
(6) Before assessment of an application filed by banks for engagement in crypto asset custody services, a prior assent is required to be received from the BRSA. Banks are required to file with the BRSA, an application for permission of an expansion to their activities, in reliance upon results of the assessment made by the Board with respect to their applications for engagement in custody services. The provision of crypto asset custody services as demanded by banks shall be subject to receipt of a prior consent from BRSA for expansion of their fields of activity.
(7) Platform executives and personnel may not work in depository institutions, and executives and personnel of depository institutions may not work in platforms. However, the provisions of this paragraph shall not be applicable to executives of banks that will provide custody services.
(8) In applications filed for an operating license by crypto asset service providers, the Board may, if deemed fit and necessary, require additional conditions depending on the application.
(9) If deemed necessary, the Board may request at the stage of granting an operating license or during the course of business operations, a professional liability insurance cover to be taken for the sector in general or for certain crypto asset service providers.
Organization Structure
ARTICLE 10 – (1) In order for crypto asset service providers to be eligible for an
operating license, their organization structure is required to meet the following conditions:
a) All service units must be built, all personnel must be employed, and spaces and technical equipment needed by them must be provided in line with the pertinent provisions of this Communiqué and the associated regulations;
b) A management structure must be established within the frame of provisions of this Communiqué pertaining to internal audit, internal control and risk management system;
c) Job definitions and powers and responsibilities of all personnel must be established in writing;
ç) Their organization structure must be established in accordance with principles set down in Articles 11 and 12.
Management of Conflicts of Interest
ARTICLE 11 – (1) In the course of provision of services within the scope of their authorization, crypto asset service providers shall act fairly and honestly with due regard to interests of their customers and integrity of market.
(2) For the purpose cited above, for their relations with customers, crypto asset service providers shall establish and organization structure and take all of the actions and measures needed for management of potential conflicts of interest between themselves or their shareholders, employees or executives or persons directly or indirectly related to them on one side and their customers on the other side or between a customer and another customer.
(3) Crypto asset service providers are required to formulate a written conflict of interest policy in order to assure full compliance with the principles cited in this Article, and to periodically check and assess the efficiency of that policy, and to update the same if and when deemed necessary. It is required to take a resolution of board of directors for approval of that policy and to have it published on their internet website.
(4) Principles stipulated in this Communiqué with respect to conflict of interests may not be used or applied so as to result in actions or activities in conflict with the applicable laws.
Conflict of Interest Policy
ARTICLE 12 – (1) In formulating their conflict of interest policy, crypto asset service providers shall take into consideration their trading volume, number of customers, number of listed crypto assets, complexity of their business activities, organization structure, and services within the scope of their authorization. If a crypto asset service provider is a member of a group of companies within the meaning ascribed thereto by Article 195 of the Turkish Commercial Code 6102 of 13.01.2011, its conflict of interest policy is required to be formed by also taking into consideration the organization structure of group of companies and the business activities of its other members.
(2) Conflict of interest policy must contain potential events or situations that may be contrary to interests of customers, and measures that may be taken for prevention of such events or situations, and procedures to be followed if a conflict of interest cannot be prevented.
(3) With the purpose of detecting potential circumstances that may be contrary to interests of customers, crypto asset service providers shall prepare a conflict of interest policy that duly considers relations between themselves and their shareholders, employees and executives, and persons directly or indirectly related to them domestically or abroad, within the framework of the following points as a minimum:
a) Incidents whereby they derive a financial profit or avoid a financial loss to the disadvangate of a customer;
b) Those who are in a position to derive benefits from services and activities provided to the customer, although the customer does not have any interest therefrom;
c) Incidents whereby a customer or a group of customers derive benefits as a result of preference of that customer or group of customers to another customer or group of customers;
ç) Incidents whereby they derive a financial profit, other than standard fee and commission, from a person or entity other than the customer, or from an application, due to services and activities provided to the customer;
d) Incidents whereby they derive a financial profit by imposing an obligation to use a distributed ledger network belonging to themselves or their subsidiaries with respect to crypto assets to be listed.
(4) Measures adopted accepted for prevention of potential conflicts of interest must include the following actions and measures as a minimum:
a) Measures for prevention or management of flow of information within the organization of the crypto asset service provider or between members of its group of companies;
b) Measures for supervision of organization units being the subject of a conflict of interest and of employees of said units;
c) Measures relating to the remuneration of employees of organization units of crypto asset service providers being the subject of a conflict of interest.
(5) Conflict of interest policy shall be formulated so as to provide security of customer data and information under the Personal Data Protection Law 6698 of 24.03.2016.
Conditions on Personnel
ARTICLE 13 – (1) Executives and personnel of crypto asset service providers are required to meet all conditions, with the exception of the required financial strength condition, sought for in founding shareholders thereof as mentioned in Article 6.
(2) Executives and personnel are required to be graduated from at least four-year universities, unless stated otherwise in the applicable laws in relation therewith.
(3) It shall be sufficient for operations personnel not entrusted with a task related to the settlement process, and information technologies operations personnel involved in system management, software development, test/quality control, database management and associated support services to be a graduates of an associate degree program.
(4) For executives and personnel to be employed in organization of crypto asset service providers, the Board may seek different educational and professional experience conditions depending on their job activities and duties. They may be held obliged to receive and hold a certificate proving license or professional competence as stipulated in regulations of the Board pertaining to licensing and registration.
(5) The conditions set down in this Article shall be sought for only in executives and personnel of banks working in organization units related to custody services.
General Manager and Deputy General Managers
ARTICLE 14 – (1) General manager and deputy general managers to be assigned in crypto asset service providers are required to have a past professional experience of minimum seven years in financial markets, data processing, information technologies or financial technologies fields, and to have honesty and reputation as required for their jobs.
(2) General manager to be assigned in crypto asset service providers is required to be employed exclusively for this job position, be resident in Türkiye, and be appointed on a full time basis. General manager’s being a member of board of directors of crypto asset service provider does not constitute a conflict with this provision.
(3) The post of general manager may not be deputized for more than six months during the last twelve months.
(4) A prior assent of the Board shall be obtained for the appointment of the general manager or deputy general managers by crypto asset service providers.
(5) If general manager or deputy general managers leave office for any reason whatsoever, the reasons of departure from office shall be reported by the crypto asset service provider to the Board and the Association within three business days.
(6) Any personnel working in positions equivalent to general manager or deputy general manager in terms of their powers and duties, even if officially employed as coordinator, director or with similar other job titles shall be subject to provisions of this Communiqué pertaining to the general manager, deputy general managers and personnel.
(7) The conditions specified in this Article shall not be sought for in general manager and deputy general managers working in banks intending to provide crypto asset custody services.
Board of Directors
ARTICLE 15 – (1) Board of directors of crypto asset service providers shall be comprised of minimum three members. Majority of the members of board of directors are required to be graduates of four-year universities.
(2) Members of board of directors, natural persons representing a legal entity member of board of directors, and persons authorized to represent the crypto asset service provider, though not being a member of board of directors, are required to meet all conditions, other than the financial strength, sought for shareholders in the first paragraph of Article 6.
(3) In cases where the board of directors wishes to delegate managerial powers to executive directors, at least two members thereof are required to be appointed as executive directors, and the scope of authorization and responsibility of each of them are required to be determined beyond question or doubt.
(4) In cases where a director has entered into any employment, capital or commercial relations or affairs during the last two years or has a kinship by blood or an affinity by marriage, up to third degrees, including spouse, with any person being a party to or involved in resolutions to be taken by board of directors, that director must report such relations or affinity, together with justification thereof, to board of directors and have the same duly recorded in meeting minutes.
(5) Provisions of the Law 6102 pertaining to conditions of election, ban on participation in negotiations, ban on trading with company, ban of borrowing from company, and ban on competition with company with respect to members of board of directors are, however, reserved.
(6) The conditions specified in this Article shall not be sought for in members of board of directors of banks providing crypto asset custody services.
Insurance of Crypto Assets and Cyber Security Insurance
ARTICLE 16 – (1) Crypto asset service providers may take out insurance cover for crypto assets of customers. Principles set down in the sixth paragraph of Article 30 shall be applicable in the notification of said insurance cover to customers.
(2) A cyber security insurance cover approporiate for the fields of business and the risk profile of the crypto asset service provider may be taken out so as to fully or partially cover financial losses that may be caused by potential cyber attacks or intrusions, data breaches and business continuity interruptions which may arise out of information security or cyber security risks. In this case, the policy shall be reviewed yearly and updated in accordance with the risk profile.
(3) In the case of insurance of crypto assets under this Article, information relating to subject matter, term, sum insured and if any, special conditions of the insurance policy shall be fully and accurately disclosed to customers in writing or in electronic media so as to leave no room for question or doubt.
Application and Operating License
ARTICLE 17 – (1) If a crypto asset service provider fails to file an application for an operating license within six months after receiving an establishment license from the Board, it forfeits its right to obtain an operating license. The Board may, if deemed necessary, extend this period time of time so as not to exceed a total of one year.
(2) A crypto asset service provider that fails to file an application with the Board for operating license in a timely manner or of which application for operating license is not found acceptable is, within maximum three months after receipt of a notice in relation therewith, under obligation to take a decision of dissolution, or to revise and amend the provisions of its articles of association relating to trade name, objectives and fields of activity in such manner not to cover services regarding crypto assets, and to send to the Board a copy of the related edition of Turkish Trade Registry Gazette within ten business days following the date of announcement of said amendment therein.
(3) In order for crypto asset service providers to be eligible for receiving an operating license from the Board with regard to the related business activities, it must be accepted by the Board that they meet both the general conditions stipulated in this Communiqué and the special conditions specified in regulations of the Board pertaining to crypto asset service providers, and that they are qualified for and capable of performance of their activities in strict compliance with the pertinent regulations of the Board.
(4) Crypto asset service providers shall file an application with the Board with documents proving that they meet the general and special conditions envisaged in this Communiqué, and with other information and documents that may be requested by the Board. Applications failing to meet the standards determined by the Board shall be returned without any assessment. Information and documents to be submitted to the Board must be signed by authorized signatories of crypto asset service provider, and must be complete for proof of satisfaction of the conditions sought for operations. If additional information and documents requested by the Board are not completed within a period of time not being less than ten days, the related application shall be deemed cancelled.
(5) If deemed fit by the Board, crypto asset service providers shall be provided a certificate of authorization showing the services and activities they are authorized to perform. Activities may not be started before this certificate of authorization is received.
(6) Before the certificate of authorization is granted, required public fees must be deposited pursuant to the Law on Public Fees 492 of 02.07.1964, and the payment receipt must be submitted to the Board. If a payment receipt evidencing payment of public fees is not presented to the Board within maximum one month after delivery by the Board of a notice relating to operating license, the related operating license shall be cancelled.
(7) Those who do not obtain an operating license from the Board for crypto asset service provider activities or those whose operating license is cancelled may not engage in such services and activities, and may not use any word or phrase in their articles of association, trade name or promotions and advertisements in such manner to create the impression of said services and activities. Those whose business activities are temporarily suspended shall also be also subject to the same principles, with the exception of their articles of association and trade name.
(8) Crypto asset service providers are obliged to maintain their compliance with said general and special operational conditions also during the performance of their activities after getting an operating license. In case of loss of compliance with said conditions, crypto asset service providers are liable to inform the Board thereabout within three business days.
(9) As for crypto asset service providers whose business activities are temporarily suspended, if it is determined by the Board that the breaches leading to such sanction are remedied and corrected, they may resume and restart their business activities if deemed fit by the Board by taking into consideration the general and special conditions relating to their business activities.
(10) The Board may determine different principles as for the applications to be filed by Borsa İstanbul AŞ, İstanbul Takas ve Saklama Bankası AŞ, MKK (CRA), and public entities and administrations, and other institutions and organizations that may be determined by the Board under this Communiqué.
CHAPTER FOUR
Personnel of Crypto Asset Service Providers and Principles Regarding Personnel
Personnel of Crypto Asset Service Providers
ARTICLE 18 – (1) Internal auditor is a staff member in charge of performance of audit activities in order to provide an assurance as to conduct of activities of crypto asset service provider in compliance with the regulations of the Board and other legislation applicable thereon, and the crypto asset service provider’s articles of association and its written procedures pertaining to internal control.
(2) Internal control personnel are personnel other than internal audit personnel, assigned exclusively to carry out monitoring and inspection activities regarding efficiency and adequacy of all of the information systems of the crypto asset service provider and its other established processes and controls and their compliance with the relevant applicable laws, also including the performance of obligations arising out of MASAK regulations, to report the errors, deficiencies and failures detected therein, and to send and deliver these reports to the related units which are required to take actions in connection therewith.
(3) Risk management personnel are liable to effectively define, assess, monitor and manage all operational, financial, compliance and strategic risks, including information systems of the crypto asset service provider, to monitor said risks, to determine and formulate risk mitigation strategies, to report the same to senior management and board of directors, and to manage the price monitoring system to be built pursuant to the Communiqué III-35/B.2.
(4) Operations personnel are the personnel who receive customer orders via order transmission channels, control daily balances in customer accounts, inform customers about their accounts, track and check customer identity information, carry out marketing activities, and manage settlement processes between the platform and depository institution, and conduct similar other transactions fullly or partially.
(5) Information security officer is a staff member employed on a full time basis, as further specified in the Communiqué VII-128.10.
(6) Information technologies operations personnel are the personnel assigned for system management, software development, test/quality control, database management and other associated support services, and the personnel in charge of performance of duties relating to cryptology and distributed ledger network integration.
(7) Investment advisor is a staff member liable to provide influential comments and investment advice to customers about crypto assets in the platforms, and to carry out the business activities mentioned in the first paragraph of Article 15 of the Communiqué III-35/B.2.
(8) Personnel using the powers and performing the duties associated with certain job titles, even if employed with other job titles, shall be governed by the provisions of this Communiqué pertaining to personnel. Provided, however, that those who are employed by crypto asset service providers as personnel of the related business units are under obligation to use the job titles listed in this Article.
(9) The provisions of this Article are applicable to personnel to be assigned to crypto asset custody service units of banks engaged in crypto asset custody services. However, they may use their own job titles as well, apart from the aforementioned job titles.
Principles Regarding Personnel
ARTICLE 19 – (1) Principles pertaining to personnel principles set forth in Articles 20, 21, 22 and 23 of the Communique III-39.1 shall also be applicable for the personnel of crypto asset service providers.
(2) In banks engaged in crypto asset custody services, personnel assigned in business units established for these services shall also be governed by the provisions of the first paragraph.
CHAPTER FIVE
Principles and Rules on Activities of Crypto Asset Service Providers
General Principles and Rules Required to be Complied During Activities
ARTICLE 20 – (1) Crypto asset service providers are required to comply with the general principles and rules set down in the first paragraph of Article 24 of the Communiqué III-39.1.
(2) Crypto asset service providers are liable to be a member of the Association.
(3) Compliance with principles stipulated in the Communiqué VII-128.10 shall be ensured with respect to preventing the critical activities of crypto asset service providers from becoming inoperable.
Obligation to Report Risks to Customers
ARTICLE 21 – (1) Platforms are, within the scope of services they are authorized to offer, under obligation to declare general risks regarding crypto assets to their customers at the time of signature of the framework agreement with customers, and to this end, to obtain a written or electronic declaration from the customer, together with the framework agreement signed with the customer, stating that the risk statement form, provided in ANNEX-1 and issued with the minimum contents determined by the Board, is fully read and understood by the customer, and provid the customer with a copy of the form or to ensure access to and viewability of the form in the electronic environment upon informing the customer thereabout.
(2) Platforms are, within the scope of services they are authorized to offer, under obligation to disclose the following points to their customers, in addition to the general risk declaration received as per the first paragraph, and to obtain a written or electronic declaration from the customer stating that the disclosures are fully read and understood by the customer, and to provide the customer with a copy of disclosures ot to ensure access to and viewability of the disclosures in electronic environment upon informing the customer thereabout. These disclosures must contain the following information:
a) Amounts or rates of all kinds of commissions, fees and taxes relating to transactions,
b) Information about market maker and liquidity provider, if any,
c) Place of storage and deposit of the crypto assets and cash funds of customers,
ç) Whether or not customer transactions are met as counterparty, and if met, how the notification relating thereto will be made.
The points listed above are essentially required to be disclosed by using quantiative or concrete examples or cases, as far as possible, rather than general and ambiguous statements or references made to regulations.
Obligation to Sign a Framework Agreement
ARTICLE 22 – (1) Platforms, before starting to transact with their customers, are under obligation to sign an agreement on the services to be provided in relation therewith either in writing or in the form of a distance contract by using remote communication means or via an information or electronic communication device, whether distantly or not, designated by the Board as an acceptable substitute of written form contracts. This contract is a framework agreement signed once initially, setting down the basis of individual transactions and generally regulating the relations of platforms with their customers.
(2) Crypto asset service providers shall implement the pertinent provisions of the Communiqué III-42.1 for remote customer identification and about framework agrements entered into with customers in electronic environment. In the case of agreements to be entered into in electronic environment, is shall not be necessary to provide a copy containing seal and signature to the customer. However, it is mandatory to provide the customer with a copy of the agreement or to send the same to an electronic mail address to be designated by the customer or to ensure access to and viewability of the agreement in electronic environment upon informing the customer thereabout.
(3) In cases where the agreement is entered into in writing, agreements shall be issued with consecutive serial numbers and in at least one copy, and a copy thereof, stated to be same as its original, containing signature of approver and seal of platform, shall be provided to the customer. On the original copy of the agreement retained by the platform, a statement verifying that a copy thereof was received by customer shall be written and undersigned.
(4) Platforms may later modify the framework agreements signed with their customers in electronic environment. In this case, first of all, the customer must have expressed consent to platforms for revision of framework agreements in electronic environment. In order to modify framework agreements in electronic environment, either a qualified electronic signature must be used or the access of customer to electronic environment must be provided by means of a password assigned by platforms to customers, and the customer must provide consent in electronic environment stating that they have read and understood the related revisions and modifications. Thereupon, the provisions of the second paragraph shall be valid and applicable in terms of burden of proof and storage of information.
(5) Agreements to be signed between platforms and customers shall as a minimum, contain information about transmission, execution, clearing and netting of orders, and pre- and post-transaction obligations, order types, cash depositing and withdrawal operations, crypto asset transfer transactions and if any, limits applied thereto, in which banks the customer cash funds will be kept, and principles of reinvestment thereof, depository institution with which the platform has mutually agreed for custody of crypto assets, security of user and password information, fees, commissions and other expenses, as well as other rights and obligations of the parties thereto.
(6) Framework agreements shall in no case contain provisions in contradiction with capital market legislation, or provisions which severely breach the rights of customers, or limit or eliminate the liabilities of crypto asset service providers towards their customers.
(7) In the case of change of customer or customers, being a party to a agreement, in such universal succession events like transfer, merger or inheritance, or due to such reasons as acceptance of new owners to joint accounts or departure of some owners therefrom, the agreement must be renewed. However, if the new account owners do not wish to sign an agreement, after the rights associated with joint account are transferred to universal successors in reliance upon documents of proof of universal succession, the joint account shall be closed and it shall be duly notified to MKK (CRA) within three business days.
(8) General legal provisions shall be implemented with respect to matters in which the agreements remain silent.
Customer Number and Customer Accounts
ARTICLE 23– (1) A unique customer number shall be assigned to each customer with whom a framework agreement is signed by platforms. Customer number allocated to a customer may not be assigned to another customer before the end of ten years after the date of termination of the framework agreement.
(2) With respect to each customer with whom a framework agreement is signed, platforms shall obtain a registry number from MKK (CRA), and this registry number shall be matched to the customer number, prior to the acceptance of an order from said customer or transmission of an order placed in the name of the customer. If there is a registry number received previously, it shall be ensured to be matched to customer number. Said receipt of registry number from MKK (CRA) and registry number matching in the name of customer shall be conducted in accordance with electronic transaction methods to be determined by MKK (CRA).
(3) Platforms may not accept orders from accounts for which a registry number is not received from MKK (CRA) or for which registry number is not matched as cited above.
Internet Sites and PDP Statements of Crypto Asset Service Providers
ARTICLE 24 – (1) Crypto asset service providers shall present introductory information about their company and the services they are authorized to offer in the PDP and their internet websites. Company introductory information must be comprised as a minimum, of trade registry information, the current shareholding and management structure, phone number, corporate address information, e-mail address and annual reports.
(2) Internet websites of platforms must contain as a minimum:
a) Crypto assets listed in the platform;
b) Risks stated in risk statement form, provided in ANNEX-1, with regard to crypto asset transactions;
c) If any, institutions and organizations contracted by the platform as liquidity provider or for provision of two-way price quotation to the platform with respect to crypto assets listed by the platform, as well as explanations as to whether or not the platform has direct or indirect shareholding relations with said institutions and organizations;
ç) Conditions of storage and use of personal data collected;
d) Cash and crypto asset transfer policies;
e) Order execution policies;
f) Principles as to notifications to be sent to customers in electronic environment;
g) Contact information that may be used by customers in emergencies and contingencies in accordance with contingency plans prepared against potential risks, and minimum actions and measures taken for diminishing the risks of customers;
ğ) A statement that the information provided on the page is general by nature, and that the page may not contain adequate information for supporting the trading decisions of customers;
h) In the case of occurrence of such contingencies as economic, political, technological or systemic events, and liquidity shortage in market, suspension of trade, and technical failures, cyber attacks or natural disasters affecting the operation of platforms, which may lead to sudden and unexpected fluctuations in market prices, explanations about such events or contingencies, and actions and measures taken thereagainst;
ı) A statement that customers may compare the records relating to assets notified to MKK (CRA) system by using E-investor application of MKK (CRA);
i) Listing procedure, and these internet websites must be kept current and up-to-date.
(3) Internet websites of depository institutions must contain:
a) Names of contracted platforms,
b) List of crypto assets for which they provide custody services, and these internet websites should be kept current and up-to-date.
(4) General information to be presented in the PDP shall be published in the PDP by using the form to be determined by PDP operator. In case of a change in such information, an update shall be provided within 2 business days.
Customer Definition and Know Your Customer Rule
ARTICLE 25 – (1) Customer stands for all natural persons and legal entities or unincorporated organizations to which services are provided by crypto asset service providers.
(2) Crypto asset service providers shall take all kinds of measures under the know-your- customer principle pursuant to the provisions of the Law Regarding the Prevention of Laundering of Proceeds of Crime 5549 of 11.10.2006. Information on an equivalent number such as tax identity number or social security number assigned by the countries they are resident in shall also be included among identification information.
(3) Crypto asset service providers may conduct onboarding via remote identification as per the pertinent provisions of the Communiqué III-42.1. However, out of address and identity information received for identification purposes, first and last names, birth date and Turkish Republic identification number information shall be verified via the Interior Ministry, Directorate General of Population and Citizenship Affairs identification sharing system database.
(4) In joint accounts, identification shall be conducted separately for each account owner.
(5) Apart from the customer, only persons duly authorized by the customer by a power of attorney granted via a notary public may act and transact in the name and account of customer. In identification of third parties acting for and on behalf of the customer, provisions of the Regulation Regarding Measures on the Prevention of Laundering of Proceeds of Crime and Financing of Terrorism enacted and issued by a Decree of Council of Ministers, no. 2007/ 13012, dated 10.12.2017 shall be applicable.
CHAPTER SIX
Obligations of Crypto Asset Service Providers
Consent and Notification Obligations in Changes of Shareholding Structure of Crypto Asset Service Providers
ARTICLE 26 – (1) Both acquisitions of shares resulting in a person’s becoming a crypto asset service provider shareholder by acquiring shares directly or indirectly representing 10% or more of capital shares or voting rights of crypto asset service provider, or the shares of a shareholder exceeding directly or indirectly 10%, 20%, 33% or 50% of capital shares or voting rights of crypto asset service provider, and changes in shareholding structure resulting in reduction of capital shares of a shareholder below the percentages cited in this paragraph are subject to a prior consent of the Board.
(2) Transfer of privileged shares granting the right to be represented in the board of directors of a crypto asset service provider or dividend shares, even if it remains below the percentages cited in the first paragraph, is also subject to a prior consent of the Board, regardless of rates thereof.
(3) Transfer of shares by legal entity shareholders of crypto asset service providers resulting in the shares of that shareholder exceeding directly or indirectly 10%, 20%, 33% or 50% of capital shares of the crypto asset service provider, and also, where a legal entity has privileges in the management of the crypto asset service provider, changes of shareholding structure of that legal entity equal to 10%, 20%, 33% or 50% of capital shares, or changes of shareholding structure including transfer of privileged or preferential shares, are subject to a prior consent of the Board in terms of operational conditions of crypto asset service providers. Transfer of shares with management privileges of legal entity shareholders holding more than 10% of capital shares of crypto asset service providers is also subject to a prior consent of the Board in terms of operational conditions of crypto asset service providers.
(4) In transfer of shares by a person, which do not directly or indirectly reach the percentages set forth in the first, second and third paragraphs in capital shares or voting rights of the crypto asset service provider, or which remain between these percentages, a notice is required to be sent to the Board within ten business days following the date of transfer.
(5) The provisions of this Article shall not be applicable to direct or indirect changes in shareholding structure subject to a prior consent of BRSA of banks that will provide custody services. However, a notice is required to be sent to the Board about said changes within ten business days. For indirect changes occurring in shareholding structure of non-bank crypto asset service providers as a result of a bank’s transfer of shares, a notice is required to be sent to the Board within ten business days following the date of consent of BRSA.
(6) Share transfers executed in violation of this Article shall not be registered in the share register, and records inserted in the share register in conflict with this provision shall be null and void.
(7) In the context of implementation of this Article, shares owned and held by:
a) a natural person and that person’s spouse or children under custody, or any corporations or partnerships participated by him/her with unlimited liability or where he/she serves as president of board of directors, director, general manager or deputy general manager,
b) corporations or partnerships participated by a legal entity or by those listed in subparagraph (a) directly or indirectly in 25% or more of capital shares, except for public sector legal entities,
c) persons or entities determined by the Board to be acting in concert due to employment relations, contractual relations or other reasons,are deemed and treated to be owned by one person.
(8) The regulations of BRSA are, however, reserved in calculation of indirect shareholding in terms of banks.
Registration and Announcement Obligations
ARTICLE 27 – (1) Company names of crypto asset service providers shall be registered in the related trade registry and announced in the Turkish Trade Registry Gazette within ten business days following receipt of consent of the Board in relation therewith. Trademarks of crypto asset service providers shall be registered in the Turkish Patent and Trademark Office in the name of related crypto asset service providers after receipt of consent of the Board in relation therewith pursuant to the Industrial Property Law 6769 of 22/12/2016.
(2) All types of operating licenses and company name or trademark use permissions of crypto asset service providers shall be published on PDP and on the internet website of crypto asset service providers after delivery of consent of the Board in relation therewith.
(3) In the case of temporary suspension of activities or cancellation of operating license, this circumstance shall be duly published immediately on PDP and on the internet website of crypto asset service providers following notification by the Board.
(4) Costs incurred for advertisements published as per this Article are in the account of the related crypto asset service provider.
Notices Sent by Crypto Asset Service Providers to SPL
ARTICLE 28 – (1) Crypto asset service providers shall report to SPL within ten business days following the date of commissioning each of their executives and personnel, with such information as job titles determined as per Article 18, service unit they are assigned to, documents of proof of satisfaction of the conditions specified in Article 13, and curriculum vitae showing their detailed past business experiences. Departure of said executives and personnel from office, change of job title or service unit, and all kinds of similar other changes relating to them shall also be reported to SPL within ten business days thereafter.
(2) Crypto asset service providers shall send to SPL their existing authorized signature lists showing their authorized signatories, and in case of change therein, the updated authorized signature lists within ten business days following the date of adoption or change as the case may be.
(3) Crypto asset service providers are under obligation to report to SPL within ten business days following the date of becoming aware thereof, legal actions and proceedings commenced by them against their shareholders, personnel, customers and other natural persons or legal entities, and legal actions and proceedings commenced by said persons against them, together with results thereof. If the amount in dispute in said legal actions and proceedings as of the date of litigation or judgment exceeds 10% of shareholders’ equity, it shall be further notified to the Board.
(4) Crypto asset service providers shall report to SPL within ten business days following the date thereof, information about audit firms selected by them for independent audit of their financial statements and information systems under regulations of the Board pertaining to independent audit, and about any changes therein.
(5) Banks are subject to provisions of the third and fourth paragraphsonly in respect of crypto asset custody services they offer.
Participation and Limits of Participation
ARTICLE 29 – (1) To hold the unlisted shares of a company, and to own 10% capital shares or voting rights or the right to be represented in board of directors of a company or not to dispose of acquired shares within a period of more than one year shall be considered and treated as shareholding for participation purposes.
(2) Crypto asset service providers may participate in capital market institutions, stock exchanges, precious metals intermediary institutions, insurance, private pension, financial leasing, factoring, finance, savings finance and asset management companies and other financial institutions deemed fit by the Board without any limitation. However, in any case, crypto asset service providers may not participate in companies holding more than 10% of their paid-up capital or in companies where their executives separately or collectively hold more than 25% of capital shares.
(3) Total sum of participations of crypto asset service providers in companies other than those listed in the second paragraph may not exceed 25% of their shareholders’ equity. Company shares acquired free of charge due to capital increase and increases in value of capital shares not requiring any fund outflow shall not be taken into account in calculation of participation limits.
(4) The provisions of this Article are not applicable to banks operating as a depository institution.
Advertisements, Announcements, Publications, Promotions and Notices
ARTICLE 30 – (1) Crypto asset service providers are required to be objective in their advertisements, announcements, publications, promotions and notices published via any communication channels such as printed press, internet, telephone, radio, television and cinema, as well as all and any written, visual and electronic communication means and media such as outdoor communications and printed materials, in respect of services they are authorized to provide hereunder. Crypto asset service providers are not allowed to publish advertisements, announcements, publications, promotions and notices or to issue other written and verbal statements based upon false, inaccurate or misleading information and exploiting the lack of experience and knowledge of customers.
(2) In their advertisements, announcements, publications, promotions and notices, crypto asset service providers may not provide any guarantee or assurance on absolute return on investment and/or against loss, unless otherwise permitted by the applicable laws.
(3) In advertisements, announcements, publications, promotions and notices, figures relating to financial situation of crypto asset service providers, and expressions verfiable by official data such as total “amount of crypto assets kept in custody”, “number of customers”, “trading volume” or similar other points may be used only with a reference to sources underlying such statements.
(4) Any kinds of advertisements, announcements, publications and notices that may be published by crypto asset service providers in channels referred to in the first paragraph may not contain:
a) Statements that customer will in any case make a profit or will in no event incur a loss therein;
b) Statements that either certain professional groups or various segments of society such as university students or housewives or generally customers will generate additional income or revenue or increase their existing income;
c) Statements that trades are executed under guarantee or safely or under assurance or guarantee of the Board or other public authorities;
ç) Statements that trades do not pose any risk, do not require any knowledge, or one may become informed about trades and may make investments through a short-term training;
d) Deceptive statements and/or statements leading to unfair competition in conflict with good faith in such manner to highlight the related crypto asset service provider without relying upon any statistical or concrete data;
e) Statements used towards religious, cultural or social sensitivities of customers;
f) A certain price target;
g) Persons or subjects in such manner to create a wrong or misleading impression.
(5) Crypto asset service providers may not organize promotional campaigns:
a) towards winning of products with a very high financial value which may, under normal economic and financial conditions, be won or acquired by individuals only by saving money for certain periods of time and/or by using external sources (loan facilities and similar other sources);
b) so as to cover products with a very high financial value which may lead investors to act only with the motive of winning the prize to be granted thereat;
c) containing the provision of all kinds of interests or benefits to persons who bring new customers by any methods whatsoever or to customers brought as such;
ç) with an unforeseeable cost;
d) containing a promise for a certain return on investment provided to customers or directing customers to invest in any one or more crypto assets.
(6) Insurance covers taken under Article 16 may not be the subject of promotion or advertisement in publications, announcements and notices of crypto asset service providers.
(7) Principles described in this Article shall be complied with also in one-to-one promotions or information towards customers.
(8) Where customer information collected by crypto asset service providers are shared with other institutions, the pertinent provisions of the Law 6698 shall be complied with.
CHAPTER SEVEN
Principles on Outsourcing of Services by Crypto Asset Service Providers
Outsourcing of Services and Scope
ARTICLE 31 – (1) Crypto asset service providers may, by a contract the conditions of which are described in Article 34 hereof, outsource any services supporting the performance of their obligations arising out of capital markets legislation in the course of their services and activities covered by their scope of authorization to another service provider.
(2) However, the following activities of crypto asset service providers may not be outsourced:
a) Activities which are required to be performed exclusively by the board of directors of the crypto asset service provider;
b) Activities for provision and marketing of services and activities requiring a prior consent of the Board;
c) Accounting of transactions and preparation of financial reports of the crypto asset service provider;
ç) Activities within internal audit, internal control and risk management system.
(3) Advise, training, promotion and advertisement, security, meal, transportation, cleaning, attorneyship, legal counsel, market data services, mail and cargo services, and provision, maintenance, repair and update of all kinds of technical equipment, fixtures, software or hardware needed for inhouse daily business operations, archiving services, provided that customer information is kept in strict confidence, and similar other services, not used directly in conduct of activities under this Communiqué are not included in the scope of this Communiqué.
(4) Procurement of services relating to personnel to be temporarily or permanently assigned for works listed in the third paragraph in crypto asset service providers, though being employed in another company, is not included in the scope of this Communiqué.
(5) Crypto asset service providers may outsource call centre services limited to transfer to crypto asset service provider of customer requests not related to transmission of orders, such as reminder calls, technical support and help desk, provision of account information to customers, and update of personal data of customers. Where it is required to call customer from a telephone number registered in crypto asset service provider, before making such call, it shall be checked that the call is not forwarded to another phone number.
(6) The Board is, when deemed necessary, authorized to determine the subjects of outsourcing by crypto asset service providers, or limit or prohibit the subjects of outsourcing separately for platforms or depository institutions, or oblige them to take out a liability insurance, or require the receipt of a prior consent for outsourced services depending on the kind and nature thereof.
(7) Principles set forth in the Communique VII-128.10 and TÜBİTAK Infrastructural Criteria shall be complied with in outsourcing of services on subjects relating to information security and distributed ledger network integration.
Principles of Outsourcing of Services
ARTICLE 32 – (1) Services shall be outsourced under a written contract to be entered into between crypto asset service provider and external service provider in accordance with the kind and nature of outsourced services.
(2) Crypto asset service providers intending to outsource services shall create the work flow procedures and establish the required control mechanisms under conditions set forth in this Communiqué and the Communiqué VII-128.10. Information on potential risks of outsourcing of services, and an action plan to be activated in case of interruption or hindrance of services in any manner whatsoever, and management of these risks, and substitutability of outsourced services shall be provided in an emergency plan.
(3) External service providers shall promptly report to crypto asset service providers all kinds of events and developments that may materially impact their capacity to perform and provide services efficiently, effectively and in compliance with pertinent laws.
(4) External service providers are under obligation to safeguard all confidential information about crypto asset service providers and their customers both during outsourcing of services and after termination of outsourcing contract.
(5) When customer information is required to be supplied to a external service provider at any time during outsourcing of services, it is required to include customer information details in the framework agreement or to send a notice to customers thereabout.
(6) Outsourcing of services does not relieve crypto asset service providers from their responsibilities and liabilities arising out of capital markets laws or from other applicable laws, also including the laws on prevention of laundering of proceeds of crime, financing of terrorism, and financing of proliferation of weapons of mass destruction. Legal liabilities arising out of relations entered into with customers with respect to services outsourced to external service providers, lie with crypto asset service providers.
(7) Outsourcing of services shall not relieve crypto asset service providers from theirobligations to keep and store in their own organization all kinds of accounts, records, information and documents they is legally liable to maintain under applicable laws.
(8) Outsourcing of services shall not preclude crypto asset service providers from performing their legal duties and obligations, or complying with applicable laws, or being effectively audited in connection therewith.
(9) In outsourcing of services relating to information systems, in addition to principles set forth in the Communiqué VII-128.10, as for the obligations necessitated by platform and custody services provided with respect to crypto assets pursuant to capital markets legislation, crypto asset service providers should have the power and responsibility to take decisions on such functions as management, design of contents, access, control, audit, update, receipt of information or reports in the course of said services.
(10) Where external service providers or their subcontractors are resident abroad or carry out their business activities through their foreign branches, subsidiaries or affiliates, the applicable laws, regulations and practices of the foreign country they operate in should not contain any clauses or provisions preventing the Board to collect all of the needed information and documents timely, completely and accurately and to conduct audits relating to services outsourced to them. In cases where a crypto asset service provider outsources a service to an instutition operating abroad under this Communiqué, it shall be liable to consider country risk, and to make ready and available action plans needed for business continuity and for receipt of the same service from an alternative provider, if required, in case of interruption or stoppage of service for any reason or under any circumstances whatsoever.
Contents of Assessment and Work Flow Procedures Relating to Outsourcing of Services
ARTICLE 33 – (1) Before starting outsourcing, crypto asset service providers are liable to make assessments on whether the subject activity is a service eligible for outsourcing, and on expected benefits and costs thereof, and to determine whether or not the external service provider has technical equipment, financial strength, experience, know-how and human resources at a level adequate for performance of the subject services as demanded.
(2) A report containing the aforementioned determinations and assessments, together with the following assessments at the minimum, as a basis for the decision of outsourcing of services, under the first paragraph, shall be submitted by the general manager to the board of directors of crypto asset service providers for decision making purposes:
a) Which services are needed to be outsourced, by the subjects of activity;
b) How the transformation, internal arrangement, infrastructural and training works needed at the stage of transition to outsourcing will be carried out;
c) Potential effects of interruptions or failures that may be faced during outsourcing of services on reputation and financial situation of crypto asset service provider and on conduct of its operational activities;
ç) Potential effects of outsourcing of services on services to be provided by crypto asset service provider to its customers;
d) Potential effects of outsourcing of services on the capacity of the crypto asset service provider to meet and perform its legal duties and obligations and on its capacity of adaptation to probable changes;
e) Cost of outsourcing of services;
f) Shareholding, participation and other relations between the external service provider and crypto asset service provider;
g) A statement as to whether external service provider satisfies the conditions set forth in this Communiqué;
ğ) A statement relating to selection of an alternative external service provider, if needed, and time needed for performance of activities within organization of crypto asset service provider, and potential difficulties that may be faced therein.
(3) For use during the term of outsourcing of services, crypto asset service providers shall prepare procedures containing powers, duties, functions, responsibilities and work flows on:
a) determination and management of measures to be taken and risks that may arise with respect to uninterrupted performance of obligations arising out of capital markets legislation and other pertinent laws,
b) monitoring and if needed, audit of external service provider.
Outsourcing Contract
ARTICLE 34– (1) Contract to be entered into between crypto asset service provider and external service provider is required to be clear and coherent and should as a minimum contain the following points:
a) Subject, scope and duration of services to be outsourced, fee payable in consideration of services, information introducing parties, and mutual rights, obligations and responsibilities of parties;
b) Obligation of external service provider to provide any information that may be demanded by the Board or by other institutions deemed fit by the Board at the time and in the quality desired under the capital market legislation, and the right of the Board or other institutions deemed fit by the Board to access to all kinds of information, documents and records deemed necessary in the external service provider with respect to services provided under the contract;
c) Principles on continuous monitoring and assessment by crypto asset service providers of the activities and operations of the external service provider under the contract;
ç) Principles regarding termination of contract, clause stating that services shall be continued until transfer of the activities covered by outsourcing of services to another external service provider or to the crypto asset service provider itself;
d) Procedure for resolution of disputes that may arise between crypto asset service providers and external service providers;
e) Clause for incorporation of contractual provisions relating to obligations of the external service provider appointed for outsourcing of service also into the contracts to be signed with subcontractors as a binding clause;
f) Clause stating that the external service provider or its subcontractors may not transfer or assign their contractual obligations to another natural person or legal entity without approval of the crypto asset service provider;
g) In cases where applicable legislation imposes obligations on crypto asset service providers with respect to activities covered by outsourcing of services, a clause stating that such duties and obligations will be ensured to be performed also by the external service provider;
ğ) Clause stating that the external service provider will immediately inform the crypto asset service provider about all kinds of incidents or developments which may materially affect its capacity to perform and provide its services effectively, efficiently and in compliance with applicable legislation;
h) Clause stating that information and documents belonging to the crypto asset service provider or its customers, obtained by the external service provider in the course of its services, shall not be used for any purposes other than the purposes clearly stated in contract, and shall not be disclosed to third parties even if the contract is terminated;
ı) Clause enabling the crypto asset service provider to decide termination of outsourcing from external service provider and to terminate the contract before the end of its term, in cases whereoutsourcing of services is limited or prohibited by a decision of the Board.
(2) The contract shall not contain provisions removing, eliminating or changing the principles determined in this Communiqué.
Supervision of the Board with Respect to Outsourcing of Services
ARTICLE 35– (1) The Board is authorized to request from external service providers all kinds of information relating to pertinent provisions of the Law and this Communiqué, to inspect all of their books and documents, and all records, including records kept in electronic, magnetic and similar other media, other tools containing data and information, and data processing system, to request a right of access to them, to receive copies thereof, to inspect their transactions and accounts, to receive written and verbal information from related persons, and to issue the required minutes, and the related persons are under obligation to provide access to all books and documents, all records, including records kept in electronic, magnetic and similar other media, other tools containing data and information, data processing system, and to provide copies of records and other tools containing data and information, to provide written and verbal information, and to sign the minutes thereof.
CHAPTER EIGHT
Documentation and Recordkeeping System of Crypto Asset Service Providers
Codes of Practice
ARTICLE 36 – (1) Regulations of the Board relating to chart of accounts of intermediary institutions shall be applied by analogy also in account keeping for crypto assets.
(2) Banks shall comply with the provisions of this Communiqué pertaining to documentation and recordkeeping, with the exception of the provisions of the first paragraph, solely with respect to their crypto asset service provision activities.
Media of Receipt of Customer Orders
ARTICLE 37 – (1) All orders of customers are essentially required to be received via the platforms’ own internet websites or mobile applications or their registered phone numbers through the platform operations personnel. Customer orders may not be received by other means or through different social media channels. A customer alleging that no transaction is executed in spite of placing a bid or ask order is under burden of proof of placement of said order.
Identity Verification and Transaction Security
ARTICLE 38 – (1) Principles set down in Article 5/A of the Communiqué Regarding Documentation and Recordkeeping Regarding Investment Services and Activities and Ancillary Services (III-45.1), published in the Official Gazette edition 29432 on 01.08.2015, pertaining to customers’ identity verification and transaction security shall also be applied for platforms.
Documents to be Issued
ARTICLE 39 – (1) Platforms are obligated to issue a trading results form and an account statement by considering the types of their activities.
(2) Records regarding all received orders, also including the orders cancelled, not executed and modified, are required to contain the following information:
a) Customer number or account number,
b) Traded crypto asset,
c) Order type,
ç) Whether order is a bid or ask order, d) Order price information
e) Order quantity,
f) Date and time of receipt and transmission of order,
g) Order validity time,
ğ) Order serial number, and
h) Currency or parity to be traded.
(3) A trading results form is required to be issued with consecutive serial numbers in such manner to show the kind, amount and price of crypto assets bought and sold, and the commissions and provisions for expenses accrued on the customer. Platforms are under obligation to send the issued trading results form to the electronic mail address designated by the customer by the end of day at the latest, or to allow access of its customers to their account statements in electronic media.
(4) Platforms are under obligation to send the account statements of customers to the electronic mail address designated by the customer on a monthly basis within five business days following the end of the related period, or to allow access of its customers to their account statements in electronic media. An account statement may not be sent to customers not engaged in any trading during the related period. Account statements should clearly and coherently contain at least the following data and information with respect to the related period:
a) Names of all crypto assets bought, sold or transferred, and dates, times, prices and amounts of purchase, sales or transfers;
b) All activities regarding crypto assets of a customer held with platform and depository institution or regarding cash funds of customer held with banks; and
c) All kinds of commissions, fees and taxes accrued on the account.
(5) The burden of proof as to delivery of all notices and reports required to be sent by platforms to customers or as to their accessibility via electronic media lies with platforms. Nonliability clauses stating that information contained in said notices and reports will be deemed to have been accepted by customer after lapse of a certain period of time shall not be inserted in framework agreements and other related documents. Such clauses are deemed to be null and void.
Storage of Documents
ARTICLE 40 – (1) All records created by crypto asset service providers shall be kept safely, accessibly, traceably and in such manner to be able to keep them integral, accurate and in strict confidence. The provisions of this paragraph are applicable also on transactions executed via outsourcing of services.
(2) Platforms are under obligation to keep records as to date, time, amount and price of orders, received via internet or in all types of electronic media, also including orders not executed, cancelled or modified, as well as records as to IP (Internet Protocol) numbers of customers placing the order, separately on customer basis, and electronic log records so as to show the source of order, and voice records relating to customer orders received by phone, in such manner to be documented in writing and to be transmitted promptly if and when demanded by the Board.
(3) Account activities of all customers, prices reflected onto customers, also including those received from institutions serving as market maker or liquidity provider, in such manner to show timing information, and all records mentioned in the second paragraph, are required to be kept and stored indelibly, irreversibly and unforgeably, and so as to assure their accuracy and integrity instantly, the file integrity values are required to be issued and stored with a time stamp in daily periods. In addition, on documents and records kept in writing, no deletion or erasure shall be done, and all corrections shall be done so as not to prevent the visibility of erroneous entries, and no blank lines should be left therein.
(4) Platforms are further obliged to keep regularly in a classified form for ten years as per Article 82 of the Law 6102, all kinds of documents they receive and produce in the course of their activities, and all electronic records, also including all documents and videos received during the remote identification process as per the Communiqué III-42.1. The documents and records required to be kept and stored hereunder, if disputed for any reason, are required to be kept until the related dispute is completed, without being limited by the time specified in this paragraph.
(5) All and modifications to the data processing infrastructure shall be recorded, together with information as to by whom they are done. Information security breaches and errors in data processing infrastructure, and remedial actions taken against them shall also be recorded.
(6) Crypto asset service providers are under obligation to keep and store for the time specified in the fourth paragraph, all kinds of documentation in relation to their communications with investors, either in writing, or verbal, or in any type of electronic media, also including their advertisement, promotion, marketing and similar other activities, as well as all kinds of information and documents they produce in line with settlement principles.
Records of Customer Complaints
ARTICLE 41 – (1) As a minimum, the following information is required to be kept in the system to be built by platforms for resolution of customer disputes and disagreements pursuant to subparagraph (c) of the second paragraph of Article 9:
a) Name, surname, address and account number of complainant,
b) Date of complaint,
c) Summary of complaint, and which law provisions are alleged to be breached, and
ç) Summary of actions taken by the platform with respect to the complaint.
(2) Information and documents produced for inspection of customer complaints shall be kept until the end of the time mentioned in the fourth paragraph of Article 40.
(3) Address and communication date of units to which customers may direct and file their complaints are required to be provided in documents sent to customers and on the internet website of the platform.
CHAPTER NINE
Internal Audit, Internal Control and Risk Management Activities of Crypto Asset Service Providers
Internal Audit, Internal Control and Risk Management Obligations
ARTICLE 42 – (1) Crypto asset service providers are required to establish internal audit, internal control and risk management units in their organization in a manner consistent with the coverage and structure of their activities and having sufficient quality, adequacy and effectiveness to respond to changing conditions, and related activities are required to be maintained and developed by said units.
Internal Audit Activity
ARTICLE 43 – (1) Internal audit refers to audit activity conducted by internal auditors with the intention of providing assurance to senior management and board of directors relating to efficiency, effectiveness, adequacy and compliance of internal control and risk management processes, also including the processes and controls relating to information systems of crypto asset service providers.
(2) Internal audit activity refers to a systematic audit process which is independent from daily activities of the crypto asset service provider, and is conducted by internal auditors in the form of audits of compliance with laws and policies depending on needs of management and organization structure of the crypto asset service provider, and covers all activities and units of the crypto asset service provider, especially the functioning of the internal control system, and ensures performance of an assessment with respect to said fields, and wherein evidences and findings used in assessments are obtained as a result of reporting, monitoring and inspection activities.
(3) Internal audit activity shall be carried out so as to cover all activities and units of the crypto asset service provider. Internal audit shall cover such actions as onsite inspection and audit of all assets, accounts, records and documents of the crypto asset service provider, and all other components that may affect the security of crypto asset service provider, and if needed, making an investigation, taking testimonies and statements, requesting a defense, seizure of documents and information, and if deemed necessary, suggestion to board of directors of the crypto asset service provider of the removal of responsible personnel from office temporarily until investigation is completed. Reports to be issued and underlying documents of proof of said reports are required to be kept for the period of time specified in provisions of thisCommuniqué pertaining to documentation and recordkeeping, or in the case of a legal dispute arising during that time, until the related dispute is resolved.
(4) As a minimum, audits on compliance with laws and work flow procedures shall be carried out once annually, and audit results shall be presented to the board of directors.
(5) Crypto asset service providers are obliged to create an internal audit unit in their organization and to employ an adequate number of internal auditors for working exclusively in that unit. Internal audit unit shall directly report to and is responsible towards the board of directors. Board of directors may delegate its powers relating to this unit to at least two directors, other than the general manager.
(6) Internal auditors shall take office upon a resolution of the board of directors, and have the right of access to all kinds of documents. The right of internal auditors to access to all kinds of information and documents kept by the crypto asset service provider shall be clearly stated in written policies in relation therewith.
(7) Internal auditors shall exercise due care of confidentiality of all information they acquire in the course of performance of their job duties. They cmay not in any case use such information for their own personal benefits or in a manner in conflict with laws, other legislative arrangements or professional ethics. They may not be involved in any functions or relations which may prevent them from performing their job duties in an unbiased manner, nor may they accept any duties or responsibilities that may lead to such consequences. Upon occurrence of any event which may impair their neutrality during their activities, the internal auditor shall report such event to their unit supervisor, and in addition, upon occurrence of any event that may affect their neutrality during any specific work, the internal auditor is liable to disclose such event impairing neutrality as well, together with results of that work.
(8) Principles specified in the Communiqué VII-128.10 shall be applicable in internal audit activities relating to information systems.
Internal Control Activity and Unit
ARTICLE 44 – (1) Internal control refers to an organization plan implemented by crypto asset service providers, and all principles and procedures associated therewith, with a view to ensuring that all works and actions of crypto asset service providers are carried out regularly, effectively and efficiently in accordance with management strategies and policies and within the frame of all applicable laws and rules, also including MASAK regulations, that the integrity and reliability of accounting and recordkeeping system, timely and accurately accessibility of all information in the data system, and confidentiality, integrity and accessibility of information systems and technological infrastructure are assured and maintained, that errors, frauds and corruptions, and such crimes as illegal betting and swindling are prevented and detected.
(2) Internal control activity is comprised of internal control management and information systems internal control management components.
(3) Internal control activities relating to services provided by crypto asset service providers shall be arranged and conducted as an integral part of daily activities in such manner to allow the monitoring of detected risks as well. All strategies, policies and procedures created for this purpose shall be put into writing, and brought into force upon a resolution of the board of directors.
(4) In order to ensure effective internal control, the obligation of all personnel to perform their own job duties in compliance with written procedures, and their duties and powers as to reporting to senior management of such events as applications in breach of professional principles or illegal activities or actions in conflict with corporate policies shall be duly defined in writing and notified to the related personnel. Internal control mechanism shall be formed in such manner to ensure effective participation of personnel of all levels.
(5) Crypto asset service providers shall establish a unit for management of the internal control system. Board of directors of crypto asset service providers shall appoint one of their members, to whom executive units are not linked or connected, as director in charge of internal control. Internal control unit shall report to the director in charge of internal control.
(6) In the internal control unit, an adequate number of internal control personnel shall be employed in conformity with the coverage and structure of internal control activities. Internal control personnel entrusted with the tasks of continuous control activities may not assume any duties and responsibilities other than internal control. Internal control personnel shall be authorized to request additional explanations from crypto asset service provider’s personnel about the matters they monitor, inspect and, to consult them for knowledge and opinions, when deemed necessary, to make suggestions to inspection unit on areas to be inspected, and to issue warnings to other organization units of the crypto asset service provider.
Risk Management Activity and Unit
ARTICLE 45 – (1) Risk management activity covers all processes needed for definition, identification and update of basic risks the crypto asset service provider may be exposed due to its services, development of a risk measurement mechanism containing consistent assessment, detection, measurement and control of risk exposures, and conduct of the price surveillance system.
(2) In definition of risks, all security components of the crypto asset service provider shall be taken into account. As a minimum, risks that may arise out of operation of information systems, unauthorized changes that may be made in information systems, acquisition of assets by unauthorized persons, failure of users to access the system as a result of an intrusion, physical security problems, cyber attacks and intrusion of any kind, information security breaches, illegal activities of personnel or behaviours of personnel due to external compulsion or similar other reasons shall be taken into consideration.
(3) Crypto asset service providers shall build a unit in charge of administration of the risk management system, and appoint an adequate number of risk management personnel to the unit.
(4) Upon occurrence of risks identified under the risk management activity, or in any case, upon detection of any incident which may weaken the financial status of the crypto asset service provider, pose a threat for customer assets, or lead to any unusual consequences, the risk management unit, working in coordination with the internal control unit, shall determine the current circumstances and conditions and issue a report containing the damages caused or that may be caused by them and shall present its report to the board of directors as soon as possible.
Work Flow Procedures
ARTICLE 46 – (1) Crypto asset service providers are required to prepare and issue written procedures in the following subjects as a minimum:
a) Processes relating to opening of customer accounts and know-your-customer,
b) Transfers of cash to or from customers,
c) Receipt and execution of customer trading and transfer orders,
ç) Creation and storage of private keys by the crypto asset service provider,
d) Creation of hot and cold wallets by the crypto asset service provider,
e) Keeping of trading and transaction records and posting of records to the accounting system,
f) Delivery of documents which are required to be presented to customers under Board regulations of the Board,
g) Determination of measures and standards for identification of risks which the crypto asset service provider may potentially be exposed to, also including information systems and security, for management of these risks, and for their elimination to the extentpossible,
ğ) Crypto asset trading, exchange and transfer activities,
h) Statements and reports required to be prepared with respect to financial structure,
ı) Procedures and methods of storage and protection of all documents required to be issued and kept pursuant to applicable legislation,
i) Processes for operations of the settlement system to be built between the platform and depository institution, creation and sharing of reports, and control, and if needed, correction of problems or errors that may occur in these processes,
j) Processes for operations of the reporting system to be built by crypto asset service providers with MKK (CRA), creation and sharing of reports, and control, and if needed, correction of problems or errors that may occur in these processes,
k) Methods to be followed in erroneous transactions,
l) Determination of personnel policy, and duties, powers and responsibilities of personnel,
m) Processes stipulated in the Communiqué VII-128.10,
n) Working procedures and principles of the internal audit unit,
o) Recovery plan,
ö) Principles as to risk management system,
p) Principles as to outsourcing of services,
r) Principles as to listing and delisting.
Recovery Plan
ARTICLE 47 – (1) Recovery plan shall determine the actions and risks that may lead to loss of crypto assets of crypto asset service providers and include actions to be taken upon occurrence of these actions and risks pursuant to the ninth paragraph of Article 99/B of the Law. Adequacy of said plan shall be revised annually or if deemed necessary by the board of directors, before the end of the annual period, and required changes shall be made in the related procedures accordingly.
(2) Work flow procedures in relation to the recovery plan shall contain the following points as a minimum, upon consideration of the size and needs of crypto asset service providers:
a) Processes used for urgent transfer of crypto assets included in hot wallets to cold wallets;
b) Processes used for insulating systems and wallets under threat or affected due to an incident from other systems and wallets;
c) Assessment of existing circumstances in terms of affected systems, wallets, and systematic weaknesses that may arise out of an incident;
ç) Ensuring that all documents and records required to be kept pursuant to applicable legislation are continued to be kept;
d) Processes showing how the threat may be removed and how the system and wallet security may be provided again;
e) Tools and methods that may be used in detection of sources of threat or weakness causing the incident;
f) If it is decided by crypto asset service providers that the activities cannot be continued, the method of transfer of crypto assets owned by customers;
g) Notification of the Board about the measures taken.
(3) In cases where the recovery plan is put into practice, the risk management unit shall prepare an assessment report checking whether the plan is conducted in accordance with work flow procedures or not, and relating to the potential financial effects of the existing circumstances on customer assets and crypto asset service provider, and shall submit this report to the board of directors. A copy of this report shall be presented to the Board immediately.
(4) If recovery plans are to be put into practice, crypto asset service providers shall provide information to their customers on their internet websites as to how the recovery plans will be implemented, and about the work flow procedures associated therewith.
(5) Crypto asset service providers are under obligation to have a reserve evidence audit conducted within a period of fifteen days following the date of activation of recovery plan.
(6) Recovery plan and associated work flow procedures are required to be approved by the board of directors of the crypto asset service provider, and two personnel, at least one of them being a deputy general manager, are required to be appointed by the board of directors as personnel in charge of implementation of recovery plan, and names and titles of these persons and all kinds of communication data, including electronic mail address, telephone and fax numbers, are required to be reported to the Board and to other institutions or organizations to be designated by the Board.
CHAPTER TEN
Audit Obligations of Crypto Asset Service Providers
Independent Audit Obligations of Crypto Asset Service Providers
ARTICLE 48 – (1) Under provisions of the Communiqué III-62.2, crypto asset service providers are under obligation to have an information systems independent audit conducted at least once a year by entering into contract with an organization included in list of independent auditors authorized for independent audit of information systems provided on the internet website of the Board, and to submit the audit results to the Board. The provisions of this paragraph are not applicable to banks.
(2) Crypto asset service providers are under obligation to have an independent audit conducted at least once a year by independent auditors authorized for independent audit of information systems with regard to compliance of the functioning of their internal control systems and their operations with business processes cited in Article 46, and compliance of their information systems with TÜBİTAK Infrastructural Criteria, and to submit the audit results to the Board. The provisions of this paragraph are applicable on banks solely with respect to their custody services.
(3) Crypto asset service providers shall appoint any one of independent auditors authorized for independent audit of information systems as shown on the internet website of the Board as of the ends of third, sixth, ninth and twelfth months of each year for a reserve evidence audit containing determinations and findings as to protection of reserves regarding crypto assets tracked on book-entry basis in the organization of crypto asset service provider and as to compliance of custody services with the pertinent regulations the Board, and shall submit the resulting audit report to the Board.
(4) Audit reports mentioned in first and second paragraphs may be prepared and issued together.
(5) The Board may, if deemed necessary, request the issuance of an additional audit report under this Article.
(6) Periods determined for presentation of information systems independent audit reports to the Board shall also be applied for audit reports referred to in the second and third paragraphs.
(7) The Board is authorized to determine procedures and principles relating to audit reports to be issued pursuant to this Article.
CHAPTER ELEVEN
Activities and Actions Crypto Asset Service Providers are not Permitted to Deal With Prohibited Activities and Actions
ARTICLE 49– (1) Crypto asset service providers:
a) May not engage in any industrial or agricultural activities other than activities and actions relating to services permitted by the Board.
b) May not issue any notes or instruments containing their own financial commitments, unless permitted otherwise by applicable legislation.
c) May not deal with trading of real estate for commercial purposes.
ç) May not collect deposits or participation funds as defined in the Law 5411, and may not deal with activities and actions that may result in collection of deposits or participation funds.
d) May not provide any written or verbal commitment or promise as to a certain return on investment in crypto assets, with the exception of transactions effected pursuant to the fourth paragraph of Article 10 of the Communiqué III-35/B.2.
e) May not dispose of customer-owned crypto assets and cash funds in their own favour or in favour of third parties unless they are specifically entitled and empowered to do so.
f) May not allow their employees and customers to trade in their own name and account by making use of facilities other than the usual customer – crypto asset service provider relations.
g) May not open fictitious accounts, or leave their transactions out of record, or keep records which do not accord with the truth.
ğ) May not transact in the name or account of their customers by obtaining power of attorney from their customers or in such manner to produce the same outcome, or in reliance upon an authorization vested by customer in connection therewith through their executives, personnel or employees, containing such broad powers as placing orders for trading of crypto assets, signature of documents required to be approved or signed by customers as per applicable legislation, and depositing and withdrawal of cash, and transfer of crypto assets.
h) May not engage in any transactions impairing the rights and interests of customers, act in contradiction with good faith rules, confer benefits or profits in their own interests or in interests of third parties by influencing trading decisions of customers by making use of ignorance or inexperience of customers about the market.
ı) With the intention of increasing their income by any way whatsoever, may not lay the groundwork for trading by customers in unnecessary and/or excessive amounts, provide customers with funds or sources for compensation of losses incurred by customers due to their transactions, or for trading by customers, or for inclusion of customers in a certain group, may not direct customers to this end, and may not trade for and on behalf a customer without prior instruction of that customer.
i) May not make donations in an amount in excess of five per mill of their shareholders’ equity in any fiscal year. Procedures and principles regarding implementation of this subparagraph shall be determined by the Board.
j) May not engage in trading activities relating to trading of foreign currencies and may not transfer foreign currencies abroad under the Law on Protection of Value of Turkish Currency 1567 of 20/2/1930 and related legislation. May not use in their trade name, company name, business license, promotions and advertisements, workplaces and premises or internet sites, any word, expression or sign which may create the impression of their engagement in trading of foreign currencies.
(2) Provisions of subparagraphs (a), (b), (c), (ç), (i) and (j) of the first paragraph shall not be applicable to banks authorized to provide crypto asset custody services.
CHAPTER TWELVE
Voluntary Suspension of Activities, and Waiver from Operating Licenses
Voluntary Suspension of Activities
ARTICLE 50 – (1) Crypto asset service providers may apply to the Board with a request of temporary suspension of all of their business activities. If a positive response is provided for this request, crypto asset service providers shall be granted an appropriate period of not more than two years by the Board. This period shall commence as of the date of decision of the Board. Upon demand of crypto asset service providers, an additional period may also be granted in such manner to ensure than total time granted with respect to temporary suspension of activities does not exceed two years. In cases where, crypto asset service providers whose business activities have been suspended in their own volition file for voluntary re-suspension of their activities at any time within five years after resuming their activities, the previous period of suspension shall also be taken into account in calculation of this total period of two years as cited above.
(2) Provisions of Article 51 shall be applied in case of applications filed under the first paragraph.
(3) In cases where crypto asset service providers do not file an application to the Board for resuming their business activities at the end of the time granted as above, all operating licenses belonging to them shall be cancelled.
Complete Waiver from Operating Licenses
ARTICLE 51 – (1) In cases where crypto asset service providers completely waive their authorization on activities, the Board shall cancel their operating licenses.
(2) In order for an application filed by platforms for a complete waiver from their operating licenses to be assessed by the Board:
a) it is required to publish a statement on PDP and on the platform’s internet website via a pop-up window verifying that the operating licenses of platform will be cancelled, and after cancellation, platform will cease its business activities through dissolution or a change to its fields of business, and said statement must also state that customers may transfer their assets to any wallets they choose, as well as the deadline for fulfilment of transfer requests of customers;
b) it is required to publish the notification text provided in ANNEX-2 on the platform’s internet wesite, PDP, and at least two nationwide daily newspapers among ten newspapers with the highest circulation, with the intention of inviting the creditors to declare their claims, and to send a copy of each of these notifications to the Board;
c) it is required to enter into an account settlement with all customers in writing or in electronic media in lieu of written format, and to deliver the settlement list to the Board;
ç) at the end of the time notified to customers as per subparagraph (a) of this paragraph, the platform is required to cease all of its business activities, and to enter into account settlement with depository institution as of the end of day under principles determined in applicable legislation, and thereafter, to transfer to the depository institution all of the customer crypto assets held with it;
d) it is required to refund customer-owned cash funds to bank accounts of customers, and to share receipts of refund with customers in electronic media;
e) in respect of assets of customers who cannot be reached or with whom an account settlement cannot be made by the procedure referred to in subparagraph (c) of this paragraph, as of the end of the time provided in the notification published under subparagraph (b) of this paragraph, and in respect of customer disputes in which the platform is also involved, both the amount in dispute in the pending legal case and if any, crypto assets or their current values being the subject of legal proceedings pending under the Law 2004 are required to be reported to the depository institution, and to be blocked in depository institution;
f) in the absence of any customer who cannot be reached or with whom an account settlement cannot be made by the procedure referred to in subparagraph (c) of this paragraph or in absence of any investor dispute to which the platform is also involved, a notary-certified resolution of the board of directors determining such absence is required to be sent to the Board;
g) a letter of undertaking to be received from all shareholders of the platform holding 10% or more of capital shares of platform, or in the case of shareholders having a share less than 10% in capital of platform, from other shareholders total shares of which represent at least 90% of the existing capital, declaring that they are responsible in proportion to their capital shares for all outstanding debts of the platform arising out of its crypto asset services, as well as the letter of undertaking provided in ANNEX-3 are required to be submitted to the Board.
(3) In order for an application filed by depository institutions for complete waiver from their operating licenses to be assessed by the Board:
a) it is required to publish the notification text provided in ANNEX-2 on PDP, and at least two daily nationwide newspapers among the ten newspapers with the highest circulation, and depository institution’s own internet website, with the intention of inviting creditors to declare their claims, verifying that the operating licenses of depository institution will be cancelled, and after cancellation, depository institution will cease its business activities through dissolution or a change to its fields of business, and to send a copy of each of these notifications to the Board;
b) at the end of the period referred to in subparagraph (a) of this paragraph, the depository institution is required to enter into account settlement with the platform as of the end of day under principles envisaged in applicable laws, and thereafter, to transfer all customer crypto assets held with it to another depository institution designated by the platform, and to cover the fees for these transfers;
c) at the end of the period referred to in subparagraph (a) of this paragraph, with respect to customer disputes in which the depository institution is also involved, it is required to block in another depository institution, the amount in dispute in the pending legal case and/or crypto assets being the subject of legal proceedings pending under the Law 2004;
ç) in the absence of any investor dispute to which the depository institution is also involved, a notary-certified resolution of the board of directors determining such absence is required to be sent to the Board;
d) a letter of undertaking to be received in the form provided in ANNEX-3 from all shareholders of the depository institution holding 10% or more of capital shares of depository institution, or in the case of shareholders having a share less than 10% in the capital of the depository institution, from other shareholders total shares of which represent at least 90% of the existing capital, declaring that they are responsible in proportion to their capital shares for all outstanding debts of depository institution arising out of its crypto asset services, is required to be submitted to the Board.
(4) Within a maximum of three months following the date of delivery of the decision of the Board concerning cancellation of their operating licenses, crypto asset service providers are required to take a decision of dissolution or to amend their articles of association so as not to cover crypto asset services, also including corresponding modifications in their company name, objectives and fields of business. The advertisement of these changes and amendments published in the Turkish Trade Registry Gazette shall be sent to the Board within ten business days following the date of publication.
(5) Assets blocked with respect to customer disputes shall be released by the depository institution for return to the party in whose favour the related legal action or proceeding is concluded, upon submission and delivery to depository institution of a copy of finalized court judgment or a certificate evidencing the completion of legal proceedings within the frame of the Law 2004. If these assets are released in the name of customers, the depository institution is required to collect and receive a notary-certified certificate of release from each customer. If the legal actions or proceedings are completed in favor of customers, in payments to be made to customers, it is essentially required to use the assets blocked at the depository institution.
(6) The Board may request replacement of depository institution in the implementation of subparagraph (b) of the second paragraph.
(7) Obligations arising out of the documentation and recordkeeping regulations of crypto asset service providers filing an application to the Board under this Article shall remain in effect.
CHAPTER THIRTEEN
Measures Relating to Crypto Asset Service Providers
Limitation of Operating Licenses, and Suspension or Cancellation of Business Activities
ARTICLE 52 – (1) Upon occurrence of any of the following events, by considering the nature and materiality of event, the Board may limit the scope of services and activities of crypto asset service providers on the basis of services and activities within scope of their authorization, temporarily suspend the same, or may cancel their operating licenses:
a) Failure of the crypto asset service provider to enter into any transaction covered by its operating license for one year following the date of award of the operating license;
b) If operating license is originally received by making untrue or misleading statements or by other unlawful or illegal means;
c) If it is detected by the Board that the crypto asset service provider does not meet any one of the conditions stipulated for establishment, start of business activities, or award of operating licenses, shareholders, executives or personnel of crypto asset service providers do not meet any conditions or do not have any qualifications listed in the Law or the regulations of the Board, or have lost the same thereafter, and if these conditions cannot be complied with again by the end of a period to be granted by the Board up to three months following the date of detection cited above;
ç) If unlawful or illegal activities or actions of crypto asset service providers are detected under Article 53;d) If the financial standing of the crypto asset service provider deteriorates as specified in Article 54.
(2) A an appropriate period of maximum two years shall be granted by the Board to crypto asset service providers whose business activities are decided to be temporarily suspended pursuant to this Communiqué. This period shall commence as of the date of relevant decision of the Board. The period granted with respect to temporary suspension of business activities may be extended so as not to exceed two years in total by the Board ex officio or upon demand of crypto asset service providers. If crypto asset service providers fail to resume their business activities after completion of this period, all of their operating licenses shall be cancelled.
(3) For crypto asset service providers whose business activities are suspended in their entirety twice in two years, this measure shall not applied for a third time, and their operating licenses shall be cancelled.
(4) Provisions of second and third paragraphs of Article 51 shall be applicable to crypto asset service providers whose operating licenses are fully cancelled by the Board.
(5) Upon occurrence of any one of the events listed in the first paragraph, the Board is authorized to temporarily suspend or permanently terminate the provision of any other services regulated by the Communiqué III-35/B.2, either for all crypto asset service providers or for individual crypto asset service providers.
(6) Obligations arising out of the documentation and recordkeepinging regulations of crypto asset service providers whose business activities are limited, or temporarily suspended, or operating licenses are cancelled, under this Article shall remain in effect.
(7) A prior assent of BRSA is required to be taken in the implementation of this article for the banks providing custody services.
Measures to be Implemented with Respect to Unlawful Activities or Transactions of Crypto Asset Service Providers
ARTICLE 53 – (1) Upon detection of activities of crypto asset service providers in contradiction with applicable legislation, the standards determined by the Board, and provisions of articles of association, the Board is authorized to request the related persons to remedy and correct the non-conformities within a period to be determined by the Board, and to ensure compliance with the Law and the operational objectives and principles, or directly to limit the scope of business activities of these organizations, to suspend them temporarily, to cancel their authorizations, or to take all kinds of other actions and measures that may be deemed necessary.
(2) With respect to executives and employees who are found to be responsible in aforesaid unlawful or illegal activities or actions, the Board is authorized:
a) to temporarily or permanently cancel their licenses;
b) to limit or cancel their signature authorizations for the time from the decision taken for filing a criminal complaint thereagainst to the completion of legal proceedings and trials.
(3) The Board is further authorized to dismiss directors who are found by a court judgement to be criminally liable for unlawfulness or for subject transactions, and to appoint new directors in their place until the next general assembly meeting to be convened.
(4) The event shall be reported to BRSA in order to ensure that the required actions are taken under the related Articles of the Law 5411 about directors who are found by a court judgement to be criminally liable for unlawfulness or for subject transactions.
Measures to be Implemented in Case of Deterioration of Financial Standing
ARTICLE 54 – (1) In cases where it is determined that crypto asset service providers fail to fulfil their capital adequacy liabilities, or to perform their obligations of cash payment or delivery of crypto assets arising out of their services and activities within the scope of their authorization, or fail to perform the same in a short time, or regardless of such events, their financial standing is severely weakening, or their financial standing has weakened to an extent to fail to repay their debts and obligations, the Board is authorized:
a) to request their financial standing to be strengthened within an appropriate period of time to be granted up to three months;
b) to temporarily suspend the business activities of these institutions directly without granting any time;
c) to remove their authorizations and cancel their operating licenses completely or for only certain services and activities;
ç) to limit or remove the signature authorizations of executives and employees who are found to be liable;
d) if required, to dismiss their directors and to appoint new directors in their place until the next general assembly meeting.
(2) The implementation of measures listed in the first paragraph on banks shall be decided upon by BRSA. Implementation of said measures about banks whose management or supervision is transferred to Saving Deposits Insurance Fund pursuant to the pertinent provisions of the Law 5411 shall be decided by the Saving Deposits Insurance Fund.
CHAPTER FOURTEEN
Miscellaneous and Final Provisions
Periods of Time
ARTICLE 55 – (1) Periods of time cited in this Communiqué may be extended by the Board.
Operating License Application Time and Compliance with Provisions of this Communiqué
TRANSITIONAL ARTICLE 1 – (1) Out of those which have already filed a establishment application under the Board’s Resolution, no. i-SPK.35.B (decision 42/1259 of 08.08.2024), applications of platforms included in the “List of Actively Operating Institutions” as of the date of publication of this Communiqué, and of platforms which have already appliedprior to the date of publication of this Communiqué shall be valid, and are to be examined within the frame of the provisions of this Communiqué, other than the condition with respect to capital. If any non-conformity to establishment conditions is detected in the examination process or upon service providers’ own demands, their applications shall be cancelled, and liquidation provisions shall be applied on these service providers within the frame of the sixth paragraph. With respect to service providers which are not subject to liquidation provisions and are included in the “List of Actively Operating Institutions”, a separate establishment license shall not be awarded and establishment conditions shall be evaluated as within their application for operating licenses pursuant to the third paragraph of Transitional Article 11 of the Law. Those which have filed an application for establishment under the Board’s Resolution no. i- SPK.35.B (decision 42/1259 of 08.08.2024), but have not yet completed the process as of the date of publication of this Communiqué shall be included in the “List of Actively Operating Institutions” after approval of their articles of association aned their establishment conditions are certified.
(2) Institutions covered by the first paragraph are obliged to file an application for an operating license until 30.06.2025 by meeting the operational conditions determined by the Board. Liquidation provisions shall be applied under principles set down in the sixth paragraph about companies that do not file an application until that date. In operating license applications of these institutions, reserve evidence reports are required to be issued for two different dates to be randomly selected within two months prior to the date of application for operating license. Institutions filing an application for license are required add to their applications until 30.09.2025, information systems independent audit report prepared and issued pursuant to the principles set forth in the Communiqué III-62.2.
(3) Institutions covered by the first paragraph are required to receive a certificate of authorization until 30.06.2026 in accordance with the principles specified by the Board in the operational conditions. Liquidation provisions shall be applied under principles set down in the sixth paragraph about institutions which fail to obtain a certificate of authorization until that date. The Board shall continue to publish the “List of Actively Operating Institutions” togetherwith the institutions which receive a certificate of authorization until 30.06.2026.
(4) The “List of Actively Operating Institutions” shall be kept current according to the provisions to be made effective as per this Communiqué and the regulatory actions to be taken by the Board pursuant to the first, second and third paragraphs.
(5) In operating license applications to be filed under the second paragraph, all required conditions relating to custody must be satisfied, with the exception of the provisions of subparagraph (a) of the second paragraph of Article 9. Pursuant to the provisions of subparagraph (a) of the second paragraph of Article 9, platforms are required to sign a contract with at least one depository institution and to complete the required technical processes and integrations within the frame of settlement system until 31.12.2025. Applications of platforms which fail to perform the obligations set forth in this paragraph until 31.12.2025 shall be cancelled. After a contract is signed between depository institutions and platforms, customer- owned assets shall be transferred to depository institutions, and completion of the transfer process shall be checked through settlement performed on the list. In order for platforms to be able to sign a custody agreement with banks, the related bank must have received prior assent of BRSA.
(6) Liquidated companies are required to terminate their business activities covered by definition of platform within fifteen days, and thereafter, not to engage in any new sales, distribution or listing activities with respect to any crypto asset, and accordingly, not to accept any new customers, and to fulfil without any restriction of fifteen business days all requests of their customers for conversion of their crypto assets into cash and for transfer of cash funds and/or crypto assets without any damage to rights and interests of their existing customers within the frame of a notice to be sent by them to their customers in connection therewith by electronic mail, short message, phone or similar other communication means. In any case, assets owned by customers which do not make any request for a period of one month after receipt of a notice regarding transfer of crypto assets shall be converted into cash over their current value, and the proceeds thereof shall be credited to the customer’s bank accounts. Obligations of crypto asset service providers liquidated as such arising out of Article 40 shall remain in force.
(7) Framework agreements signed between platforms and their customers before the date of publication of this Communiqué are required to be renewed until 31.12.2025 in accordance with provisions of this Communiqué. These contracts may also be renewed in electronic environment according to the pertinent provisions of this Communiqué.
(8) Depository institutions included in the “List of Actively Operating Institutions” as of the date of publication of this Communiqué, and depository institutions which have filed an application prior to the date of publication of this Communiqué are required to file an application for an operating license until 30.06.2025.
(9) The period of adaptation to be determined by MKK (CRA) is to be applied in the implementation of subparagraph (ğ) of the first paragraph of Article 9. Institutions covered by the first paragraph are under obligation to get a registry number for their existing customers and to match the same to the related account numbers as per Article 23 within three months following the end of the adaptation period determined by MKK.
(10) Contracts signed between crypto asset service providers and external service providers prior to the date of publication of this Communiqué are required to be renewed in compliance with the provisions of this Communiqué.
(11) Without prejudice to the second and fifth paragraphs, independent audits envisaged in Article 48 shall be performed for the first time for the year 2026.
Effective Date
ARTICLE 56 – (1) In this Communiqué:
a) Articles 10, 11, 12, 24, 39, 41, 46 and 47 shall become effective as of 31.03.2025;
b) Articles 9, 13, 14, 15, 18, 23, 26, 27, 28, 29, 31, 32, 33, 34, 36, 38, 42, 43, 44 and 45, first and third paragraphs of Article 20, and second paragraph of Article 40 shall become effective as of 30.06.2025;
c) All other provisions shall become effective as of the date of publication.
Enforcement
ARTICLE 57 – (1) The provisions of this Communiqué shall be enforced by the Capital Markets Board.