Legal Alert

Communiqué on the Establishment and Operating Principles of Crypto Asset Service Providers (III-35/B.1) Issued by the Capital Markets Board

26 March 2025

Among four significant secondary regulations regarding crypto assets published in the Official Gazette on March 13, 2025, the Communiqué on the Establishment and Operating Principles of Crypto Asset Service Providers (III-35/B.1) (“Communiqué”) issued by the Capital Markets Board (“Board”) stands out with its 57 articles.

Key regulations in the Communiqué can be summarized as follows:

  • Establishment Requirements: The minimum capital requirement set forth in the Board’s principle decision i-SPK.35.B (dated 08/08/2024, numbered 42/1259) is now incorporated into this Communiqué, to be further detailed in the Communiqué on Working Procedures and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2).
  • Conditions for Founders and Shareholders: In addition to the requirements under i-SPK.35.B, a condition is introduced that founders and shareholders must not have received an administrative monetary fine within the past five years under Article 104 of the Capital Markets Law regarding “Market Disruptive Acts”. Banks offering crypto asset custody services are exempt from these requirements.
  • Trade Name and Business Name Conditions: Trade name and business name requirements are introduced for CASPs other than banks providing custody services.
  • Establishment Procedures: Procedures for establishing CASPs are redefined. Instead of submitting the annexed documents and forms listed in i-SPK.35.B, submission of the articles of association, documents related to establishment conditions, and any additional information and documents requested by the Board is required.
  • Changes in Articles of Association and Shareholding Structure: The Board is granted authority to require independent audits or ratings from CASPs and their corporate shareholders during applications for establishment, operating licenses, or shareholding changes. CASPs are also required to obtain the Board’s opinion before amending their articles of association.
  • Operating Conditions: CASPs must fulfill certain conditions to begin operations, including compliance with TÜBİTAK Infrastructure Criteria as stipulated in the Communiqué on the Principles Regarding the Management of Information Systems (VII-128.10), signing an agreement with an authorized crypto asset custodian, opening a bank account for customer funds, and establishing procedures for handling customer complaints and dispute resolution.
  • Custody Service Requirements: In addition to operating conditions, CASPs must establish an exclusively dedicated custody department and employ sufficient personnel. Requirements for banks to offer custody services are defined. For banks’ custody service application to be evaluated, they must obtain a preliminary opinion from the BRSA (Banking Regulation and Supervision Authority) and apply for authorization to expand activities.
  • Organizational Structure: Organizational requirements for CASPs are outlined, including separate provisions for employees, general managers and deputies, and board members.
  • Conflict of Interest Requirements: Principles and procedures are introduced for establishing and managing conflict of interest policies, aimed at ensuring fair and honest behavior that protects customer interests and market integrity.
  • Insurance: CASPs may obtain insurance for customer-held crypto assets and cyber risk insurance suitable to their risk profiles and field of activity.
  • Application and Operating License Requirements: CASPs must obtain an operating license within six months of establishment approval (extendable by the Board up to one year), with detailed requirements and procedures set out.
  • CASP Personnel and Principles: Role definitions are provided for internal auditors, internal control staff, risk managers, operations personnel, information security officers, IT operations personnel, and investment advisors. Personnel principles outlined in Articles 20–23 of Communiqué III-39.1 also apply to CASP personnel.
  • Operating Principles: CASPs are required to comply with the principles and procedures set out in Article 24 of Communiqué III-39.1.
  • Framework Agreement Obligation: Crypto Asset Platforms (“Platform”) must sign a framework agreement with clients before initiating transactions. The validity conditions and minimum content requirements of these agreements are specified.
  • Risk Disclosure Obligation: Platforms must provide a general risk disclosure about crypto assets together with the framework agreement. A standard risk disclosure form is included in the Communiqué annex, and a declaration of understanding from the client is required. The client must also declare acknowledgment of any additional required disclosures.
  • Client Number Obligation: Platforms must assign a unique client number and match it with the registry number to be obtained from the Central Registry Agency (MKK).
  • Website and Public Disclosure Platform (KAP) Obligations: Platforms and Custodian Institutions must publish certain information on their websites and on KAP. Procedures for such disclosures are regulated.
  • Client Definition and KYC Obligation: CASP clients are defined. In addition to obligations under Law No. 5549 on the Prevention of Money Laundering and related regulations, remote identification procedures as outlined in Communiqué III-42.1 on Remote Identification Methods to Be Used by Investment Firms and Portfolio Management Companies and on Establishing Contractual Relationships in Electronic Environment are permitted. For joint accounts, identity verification must be conducted separately for each beneficial owner.
  • Shareholding Structure Changes: The Communiqué outlines which changes in shareholding structure require Board approval and which require notification.
  • Registration and Announcement Obligation: CASP business names must be registered in the trade registry within 10 business days following service of the Board’s permit.
  • SPL Notification Obligations: The Communiqué regulates notifications CASPs must make to the Capital Markets Licensing Registry and Training Institution Inc. (SPL).
  • Affiliation Limits: The Communiqué sets limits on CASP business affiliations.
  • Advertising, Announcements, Promotions, and Publications: The Communiqué imposes conditions and restrictions on advertisements, announcements, and promotions by CASPs.
  • Outsourcing Principles: The Communiqué identifies services that cannot be outsourced and those not within its scope. The Board is authorized to determine the applicable requirements, and compliance with Communiqué VII-128.10 of the Capital Markets Board on the Principles Regarding the Management of Information Systems (“VII-128.10”), and TÜBİTAK criteria is required for outsourcing information security and DLT integration services. Outsourcing must be formalized by written contracts, and CASPs must establish workflows and control mechanisms in line with VII-128.10. Required elements of such agreements and procedures are specified. The Board is authorized to request information and documents from outsource service providers and to conduct audits and investigations.
  • Document and Record Obligations: Accounting of crypto assets must be aligned with the Board’s regulations on intermediary institutions’ account plans. The Communiqué also regulates the environments in which customer orders are received and the requirements for identity verification and transaction security. Record-keeping and retention obligations for records created by CASPs are specified.
  • Transaction Summary and Account Statement Obligations: Platforms are required to prepare and deliver transaction summary forms and account statements; these, and all orders, must include specified minimum information.
  • Internal Audit, Control, and Risk Management Obligations: CASPs must establish and operate internal audit, control, and risk management units. The Communiqué outlines minimum requirements and minimum elements, procedures, policies, reporting, authorities, and organizational issues.
  • Workflow Procedures: Minimum required written procedures CASPs must prepare are specified.
  • Recovery Plan: CASPs must prepare action plans and workflows addressing events and risks that could result in crypto asset losses. Plans on the application of recovery plans, and their workflows, must be shared on the CASP’s website. CASPs are also required to undergo a reserve verification audit within 15 days of initiating the recovery plan and to notify the Board, or the institutions designated by the Board, of the titles and contact information of the designated responsible individuals.
  • Independent Audit Obligations: CASPs must undergo an annual independent audit of their information systems in line with the Communiqué on Information Systems Independent Audit (III-62.2), covering the operation of internal control systems, process compliance, and TÜBİTAK Infrastructure Criteria, and must notify the Board of this audit. Additionally, quarterly reserve evidence verification audits (at the end of the 3rd, 6th, 9th and 12th months of the year) must be performed, including findings on the safeguarding of crypto assets tracked in dematerialized form and on the compliance of the custody service with Board regulations, and these must be notified to the Board.
  • Voluntary Suspension and Waiver of Activities: The Communiqué outlines procedures for CASPs to voluntarily suspend operations or waive their authorization.
  • Measures: The Board is granted authority to impose various measures based on specific conditions, including limitations or revocation of licenses, temporary suspension, cancellation of licenses, removal and replacement of board of directors members, and requests to strengthen financial structures.
  • Transition Periods and Validity:
    • Applications by Platforms included in the “List of Active Entities” under decision i-SPK.35.B or submitted before publication of this Communiqué remain valid but will be reviewed under the new rules. Platforms with pending establishment applications will be included in the list after approval of their articles of association and verification of establishment conditions.
    • These entities must apply for an operating license by June 30, 2025. Otherwise, the liquidation provisions in Article 6 of the Communiqué will apply. Custody-related requirements must be met at this stage.
    • Platforms must sign agreements with at least one custodian and ensure necessary integrations by December 31, 2025, or their applications will be dismissed. Crypto assets must be transferred to the custodian following the agreement, with reconciliation and verification of the process. Custody agreements with banks require a preliminary opinion from the BRSA.
    • Activity License applications must include reserve verification reports for two randomly selected dates in the two months prior to application. Activity License applicants must submit their information systems audit reports prepared per Communiqué III-62.2 by September 30, 2025.
    • These entities must obtain an authorization document by June 30, 2026. Those failing to do so will be subject to liquidation under Article 6.
    • Companies undergoing liquidation that engage in activities falling under the definition of a Platform must cease such activities within fifteen (15) days, and from that date onward, must not carry out any new sales, distributions, or listings related to any crypto assets. In this context, they must not accept new customers and must, without harming the rights and interests of existing customers, fulfill their customers’ requests to convert their crypto assets into cash and to transfer cash and/or crypto assets—without being subject to the fifteen (15) business day limitation—based on notifications sent to the customers via email, text message, phone, or similar communication channels.
    • Platform-client framework agreements must be updated by December 31, 2025.
    • Custodian institutions listed in the “List of Active Entities” or having pending applications must apply for a license by June 30, 2025.
    • Integration tests with the Central Registry Agency (MKK) must be completed within the MKK’s compliance period. Within three months of this period’s end, client registry numbers must be obtained and matched with account numbers.
    • Contracts between CASPs and outsourced service providers must be updated in line with the Communiqué.
    • Independent audits not subject to specific transition deadlines will commence for the year 2026.
  • Effective Date: Articles 10, 11, and 12 on conflicts of interest; Article 24 on websites and public announcements; Article 39 on documentation; Article 41 on complaint records; Article 46 on workflows; and Article 47 on recovery plans will enter into force on March 31, 2025.

Article 9 on operating conditions; Articles 13–15 on personnel and board structure; Article 18 on CASP personnel; Article 23 on client numbers and accounts; Articles 26–30 on CASP obligations; Articles 31–34 on outsourcing; Article 36 on document record systems; Article 38 on identity and transaction security; Articles 42–45 on audit and risk management; Article 40(2) on IP, log, and voice records; and Article 20(1)–(3) on general principles and compliance with Communiqué VII-128.10 will enter into force on June 30, 2025.

All other provisions enter into force upon publication.

Full text of the Communiqué is available at: https://www.resmigazete.gov.tr/eskiler/2025/03/20250313-5.htm

You may always contact us for detailed information and professional support regarding the compliance process.

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquiries within the scope of this Legal Alert.