TURKEY Law and Practice Contributed by: Sera Somay, Merve Kurdak and Doğa Pınarlı Dedebaş, Paksoy
misappropriation of client assets may result in severe criminal sanctions, including imprisonment and judi - cial fines, as well as mandatory compensation of loss - es and, in certain cases, personal liability of managers extending to personal bankruptcy. Across all verticals, entities that are defined as “obli - gors” under AML legislation may be subject to AML- related enforcement by MASAK, including adminis - trative and criminal sanctions, reflecting that each competent authority may take robust enforcement action within the scope of its statutory powers. 2.11 Implications of Additional, Non- Financial Services Regulations For banks, the Regulation on Banks’ Information Sys - tems and Electronic Banking Services governs infor - mation systems; for payment and electronic money institutions, the applicable framework is set out in the Communiqué on the Information Systems of Payment and Electronic Money Institutions and the Data Shar - ing Services of Payment Service Providers; and for capital markets institutions and crypto-asset service providers, the relevant rules are provided under the Communiqué on the Principles Regarding Informa - tion Systems Management (VII-128.10). Issues such as information systems governance, cybersecurity and data confidentiality are primarily regulated under these sector-specific regulations. In addition, to the extent relevant, horizontal legislation such as AML legislation, the Law on the Protection of Personal Data No. 6698 (“Personal Data Protection Law”) and the Consumer Protection Law No. 6502 may also apply alongside these rules. 2.12 Review of Industry Participants by Parties Other Than Regulators The activities of industry participants are reviewed through mandatory independent audits conducted by audit firms authorised by the Public Oversight, Accounting and Auditing Standards Authority (KGK) and, where required, by licensed valuation and credit rating firms. Mandatory membership of industry asso - ciations (such as the Turkish Banks Association (TBB)) introduces additional standard-setting and peer over - sight, while the Credit Bureau (operating in conjunc - tion with the TBB Risk Center) reviews and aggregates customer risk data shared by market participants. For
crypto-asset platforms in particular, compliance with information systems and technological infrastruc - ture criteria set by the Scientific and Technological Research Council of Türkiye (TÜBİTAK) is required, and technical aspects may be subject to its testing and certification. Additionally, where professional lia - bility insurance is required, insurance companies are also involved in the oversight framework. 2.13 Conjunction of Unregulated and Regulated Products and Services Under Turkish law, regulated fintech entities are per - mitted to carry out only those activities expressly listed in their governing legislation and licence conditions; activities falling outside this scope are not allowed. However, where the applicable legislation expressly allows, a regulated entity may also engage in activi - ties that are not themselves fintech-regulated, such as banks acting as insurance agents alongside their core banking activities. 2.14 Impact of AML and Sanctions Rules Fintech companies are classified as “obligors” under Turkish AML legislation, meaning that they must com - ply with the obligations set out in the AML framework and are subject to the supervision of the competent authority, MASAK. In this capacity, they are required to comply with a broad set of obligations, including customer due diligence and KYC requirements, trans - action monitoring, establishment of internal compli - ance programmes, record-keeping and suspicious transaction reporting. 2.15 Financial Action Task Force (FATF) Standards As a member of the FATF since 1991, Türkiye’s AML and CTF framework is largely aligned with the stand - ards and recommendations of the FATF. The core legislation, including the Law on the Pre - vention of Laundering Proceeds of Crime No. 5549 and the related secondary regulations, incorporates the main FATF requirements regarding customer due diligence, beneficial ownership identification, risk- based approach, record-keeping, suspicious transac - tion reporting and internal compliance programmes. Obligors, including fintech companies, are required
887 CHAMBERS.COM
Powered by FlippingBook