Back to Insights

Overview of the MASAK Guide on Basic Principles of Crypto Asset Service Provider Obligations


The increased use of crypto assets and the fast-paced growth of crypto-asset markets have emphasized the need for governments to introduce regulation. In addition to the increase in the number of transactions, the fact that crypto asset transactions may facilitate money laundering, and finance terrorism has motivated governments to extend their anti-money laundering laws to include crypto assets. Within this scope, Turkish legislative authorities have recently recognized and introduced a definition for crypto assets under Turkish law and in order to mitigate the risks associated with crypto assets money laundering, key regulations have been amended.


As part of the Economic Reform Package announced on 12 March 2021, the beginnings of a specific regulatory framework for crypto assets had been established under Turkish law. The Central Bank of the Republic of Türkiye ("CBRT") published the Regulation on Non-Use of Crypto-Assets in Payments ("Payment Regulation") on 16 April 2021 in the Official Gazette numbered 31456. The payment Regulation provides a definition for crypto assets and introduces crypto asset service providers for the first time. The payment Regulation defines crypto assets as “intangible assets that are created virtually using distributed ledger or similar technologies and are distributed over digital networks, and that are not qualified as money, registered money, electronic money, payment instrument, security or any other capital markets instrument”. (See our News Alert on the Payment Regulation here.)

CBC Law has translated the MASAK guide into English. Click here to read the translation.

It is widely recognized that, due to a number of factors, crypto assets have the potential to be used for money laundering and terrorist financing. In order to prevent the risk of laundering the proceeds of crime and financing terrorism through crypto assets, Presidential Decree No. 3941 ("Decree") has been published in the Official Gazette dated May 1, 2021 and numbered 31471. According to the Decree, the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism ("Regulation") has been expanded to ensure that the obligations defined in the Regulation are also applied to crypto asset service providers.

On May 1, 2021, pursuant to the Decree, the Regulation Amending the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism ("Amended Regulation") was published in the Official Gazette. In this context, the scope of Article 4 of the Regulation that determines who is obligated has been expanded. As a result, starting from the Amended Regulation’s publication date, crypto asset service providers are considered to be obligated under the Regulation and will be responsible for the prevention of laundering proceeds of crime and financing terrorism. Banks, capital market brokerage houses and portfolio management companies, payment service providers and electronic money providers are among other obligated parties.

According to the Amended Regulation, crypto asset service providers will also have to comply with prevention measures and obligations stipulated under the Regulation and will be subject to investigation by the Financial Crimes Investigation Board ("MASAK"). While liabilities stipulated for obligated parties under the Regulation differ, the current obligations foreseen for crypto asset service providers are as follows: (i) conducting due diligence proceedings for their customers; identifying and verifying them (KYC Proceedings), (ii) assessing and reporting suspicious transactions to MASAK, (iii) providing information and documents when they are requested, (iv) retaining customer transaction documents, books and records for eight years and submitting them upon request and (v) reporting transactions that exceed the amount determined by the Ministry of Treasury and Finance to MASAK.

To clarify crypto asset service providers’ obligations foreseen under the Amended Regulation, MASAK, the competent authority in regard to measures for the prevention of money laundering and financing terrorism, has published a guide (“Guide”).

What does the Guide Say?

The Guide provides no further definition for crypto assets beyond that made under the Payment Regulation. However, both the Payment Regulation and Amended Regulation fail to provide a definition for the term crypto asset service provider.

Once again, the lack of detailed uniform definitions shows the risk of regulating this area in a piecemeal manner and underlines the need for a more general overarching legislative approach.

Within the scope of the Amended Regulation, crypto asset service providers’ obligations are clarified under the Guide as follows:

  • Customer Identification

According to the Guide, since it is essential for a contract to exist between crypto asset service providers and their platform users and that transactions will be carried out in line with the establishment of the contract, the business relationship is defined as a "permanent business relationship". In this context, the Guide requires crypto asset service providers to obtain and verify information regarding the identity of the platform users and those acting on their behalf during the conclusion of the contract, regardless of the amount of the transaction.

Crypto asset service providers that do not establish a permanent business relationship with a customer should identify users regardless of transaction amounts under these circumstances:

  • In cases that require a suspicious transaction to be reported,
  • In any case where there is a suspicion about the adequacy and accuracy of previously obtained customer credentials,
  • When a single transaction amount or the total amount of multiple linked transactions is equal to TRY 75,000 or more.

Also, it should be noted that identification must be completed before establishing a permanent business relationship or conducting transactions. Permanent business relationships cannot be established, and transactions cannot be carried out unless information regarding the purpose of the transaction is provided and the identity of the customer is adequately verified.

The key point relating to crypto asset service providers on the identification of customers is how to enable identification in cases where the contracting parties are not face-to-face. Although the Regulation only directs real persons and legal entities to carry out face-to-face identification proceedings, the Amended Regulation allows and regulates the remote identification of real persons. The remote identification process is clarified in the Guide. It states crypto asset service providers can fulfill their identification obligations through courier and external support units (support service providers).

Additionally, the Guide considers these courier and external support units acting on behalf of crypto asset service providers. Consequently, the Guide has highlighted that these support units cannot be considered third parties, and relevant crypto asset service providers are responsible for their transactions within this scope.

A contractual relationship between parties is required in order to outsource the services. The subject and scope of the support service and the responsibilities of the parties must be clearly and comprehensibly stated in the contract in question. Crypto asset service providers can consider the relevant provisions regarding the procurement of support services foreseen under the “Regulation on Procurement of Support Services by Banks” published by the Banking Regulation and Supervision Agency and “Communiqué on Establishment and Operation Principles of Investment Firms” published by the Capital Markets Board while conducting a contract with support service providers.

Non-compliance with the customer identification obligation would trigger an administrative fine of TRY 30,000[1].

  • Suspicious Transaction Reporting

Suspicious transactions are those in which there is information, suspicion, or reasonable grounds to suspect that assets subject to transactions or attempted transactions carried out by or through the obligated parties have been acquired illegally or used for illegal purposes, in this scope for terrorist activities or by terrorist organizations, or those who finance terrorism. It is sufficient to have "information", "suspicion," or "an issue that requires suspicion" in order to consider a transaction as a “suspicious transaction”.

Suspicious transaction reports to MASAK are another key principle for the prevention of money laundering and financing terrorism. Crypto asset service providers are obliged to report all suspicious transactions, regardless of the transaction amount, within ten working days to MASAK of the date that suspicions were aroused. Crypto asset service providers are also obliged to provide continuous information to MASAK, in addition to reporting suspicious transactions as described above. Therefore, in cases where a crypto asset service provider reports a suspicious transaction while providing continuous information, they will still be obliged to report such suspicious transaction separately from the report that is continuously submitted to MASAK.

It should also be emphasized that the term “suspicious transaction” is not limited to a single transaction but can include more than one transaction. In such cases, a single “Suspicious Transaction Reporting Form” can be submitted for a number of related transactions. Submissions should be conducted by the authorized representatives of the crypto asset service providers physically or via the online system.

The suspicious transaction reporting process is confidential and cannot be declared to any party other than the inspectors from MASAK or a court if there are any ongoing proceedings. Breach of confidentiality carries a sentence of imprisonment from one to three years and a judicial fine of up to 5,000 days.

The Guide also explains the types of suspicious transactions with a list of examples. Additionally, “Sectoral Suspicious Transaction Reporting Guides” offer insight into cases that should be deemed as suspicious for obligated parties. However, it should be noted that suspicious transactions are not limited to the examples provided, and obligated parties are required to report any kind of suspicious transaction.

Violation of this obligation carries an administrative fine of TRY 50,000[2] imposed by MASAK.

  • Providing Information and Documents

According to Article 31 of the Regulation, obligated parties must provide information and documents on customers, transactions, and other documents that may be requested by MASAK or supervisory officers. This obligation covers public institutions and organizations, real and legal persons, and organizations without legal personality, as well as crypto asset service providers.

  • Obligation to Retain and Submit

Article 46 of the Regulation foresees an obligation to retain paperwork. As per the relevant article, obligated parties must retain documents, books and records, identification documents, and records kept in all forms regarding transactions for eight years starting from the drawn-up date, the last record date, and the last transaction date, respectively and must submit them when requested.

  • Periodic Reporting

Another obligation foreseen under the Regulation is periodic reporting. Obligated parties shall provide information continuously to MASAK regarding transactions to which they are parties or intermediaries exceeding the amount determined by the Ministry. Crypto asset service providers are required to provide continuous information within the procedures and principles determined by the Ministry.

As per the Law on Prevention of Laundering the Proceeds of Crime numbered 5549, MASAK will impose an administrative fine of TRY 30,000[3] for the violation of this obligation.


The evolving nature of crypto assets will require a continuous assessment of risks and re-evaluation of regulations. Even though Turkish legislative authorities have defined crypto assets under Turkish law and anti-money laundering regulations have been expanded to cover crypto asset service providers as obligated parties under the Regulation, the rapid evolution of crypto assets could quickly leave recent efforts outdated.

Additionally, there are still some areas of uncertainty that need to be clarified. While it is a welcome development that crypto assets have been recognized and defined, the current piecemeal approach has left many areas unregulated. Although the Regulation and Amended Regulation have introduced an obligation on crypto asset providers, this ongoing regulatory uncertainty, due to the lack of an overarching legislative measure, has added to the operational burdens and considerations of the commercial stakeholders.

Even before these recent developments, crypto assets and crypto asset platforms had been an important topic in Turkish public and regulatory discourse. While naturally, it would be impossible to prove correlation, following the first instance of regulatory recognition and oversight over crypto assets in the form of the Payment Regulation, Thodex, a cryptocurrency exchange, abruptly ceased its operations and was faced with allegations of embezzlement of funds. This incident triggered a number of legal actions and investigations into the platform, most of which are ongoing. Another example is the platform Vebitcoin, which announced that it had ceased all activities, citing financial strain.

Therefore, depending on the approach and intended use of crypto assets, increased regulatory oversight may be welcomed by investors and crypto asset adopters seeking better protection and legitimization of the crypto asset ecosystem.

In the light of abovementioned regulations and developments, we are of the opinion that there will be new legislative measures governing crypto asset service providers in the future. While this will have the impact of granting increased legitimacy through regulatory recognition and oversight, it will undoubtedly pose a challenging compliance process for crypto asset service providers.

Eventually, considering the Economic Reform Package announced on 12 March 2021, we believe that Turkish legislators will work in this field for some time, and different and stricter approaches to crypto assets may be forthcoming.

With thanks to Ümmü Sena Altuntaş for her assistance on this article.

Click here to read the original Guide published by MASAK in May 2021 (Available in Turkish only).

[1] The administrative penalty amounts determined under the Law on Prevention of Laundering the Proceeds of Crime numbered 5549 are revised each year. Mentioned amounts are the amounts applicable in 2021.

[2] The administrative penalty amounts determined under the Law on Prevention of Laundering the Proceeds of Crime numbered 5549 are revised each year. Mentioned amounts are the amounts applicable in 2021.

[3] The administrative penalty amounts determined under the Law on Prevention of Laundering the Proceeds of Crime numbered 5549 are revised each year. Mentioned amounts are the amounts applicable in 2021.