1. Introduction: Turkey's Crypto Regulation Landscape
Turkey has emerged as one of the most dynamic cryptocurrency markets in the world. With over 52% of the population aware of crypto assets and millions of active traders, the country ranks consistently among the top globally in crypto adoption indices. Yet until recently, the legal framework for operating a cryptocurrency exchange or service provider remained largely undefined.
That changed fundamentally with the passage of Crypto Asset Law No. 7518 in July 2024, which brought crypto asset service providers under the oversight of Turkey's Capital Markets Board (Sermaye Piyasası Kurulu — SPK). This landmark legislation aligned Turkey with FATF (Financial Action Task Force) recommendations and created a clear, if demanding, pathway to legal operation.
For any company wishing to provide crypto exchange, custody, transfer, or related services in Turkey, obtaining SPK CASP (Crypto Asset Service Provider) registration — commonly referred to as a VASP license — is now mandatory. This comprehensive guide explains everything you need to know.
Key Takeaway
As of 2025, all crypto asset service providers operating in Turkey — whether exchanges, custodians, transfer services, or portfolio management platforms — must be registered with the SPK. Unregistered operations are subject to criminal prosecution under Turkish law.
2. What is VASP/CASP? Definitions and FATF Context
The term VASP (Virtual Asset Service Provider) was introduced by the Financial Action Task Force (FATF) in its 2019 Recommendation 15 guidance. FATF defines a VASP as any natural or legal person who conducts one or more of the following activities as a business:
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets
- Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets (custodian services)
- Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset (ICO/token issuance)
In Turkey, the domestic equivalent is the CASP (Crypto Asset Service Provider), defined under Law No. 7518 and the SPK's implementing regulations. The terminology differs but the substance is identical: a CASP is a Turkish-incorporated entity licensed by SPK to provide crypto asset services to retail and institutional clients.
Turkey's regulatory approach is notable for adopting FATF's Risk-Based Approach (RBA), meaning that the compliance obligations scale with the perceived risk profile of the services offered. An exchange handling high-volume retail transactions faces more stringent requirements than a B2B custody provider serving institutional clients.
3. SPK Registration Requirements
SPK CASP registration comes with substantial requirements across five core dimensions. Understanding each is essential before initiating an application.
3.1 Capital Requirements
The 50 million Turkish Lira minimum capital must be fully paid-in (not pledged) and maintained as free capital at all times. SPK may require higher capital for certain service categories, particularly spot exchange platforms handling large retail order flow.
3.2 AML/KYC Systems
Applicants must demonstrate a fully operational AML/KYC framework compliant with both SPK regulations and MASAK (Mali Suçları Araştırma Kurulu — Turkey's Financial Intelligence Unit) standards:
- Customer Due Diligence (CDD): Identity verification for all customers, including Enhanced Due Diligence (EDD) for high-risk profiles
- Transaction Monitoring: Automated real-time monitoring with configurable risk rules and alert thresholds
- Suspicious Transaction Reporting (STR): Mechanism for filing reports with MASAK within required timeframes
- Travel Rule Compliance: VASP-to-VASP information sharing for transfers exceeding USD 1,000 equivalent
- PEP/Sanctions Screening: Real-time screening against Turkish and international sanctions lists
See our detailed guide on KYC/AML automation solutions for technical implementation guidance.
3.3 IT Infrastructure
The technical infrastructure must meet SPK's security and reliability standards:
- Certified trading platform with matching engine and real-time order book
- Hot/cold wallet custody architecture with multi-signature security
- ISO 27001-aligned cybersecurity framework
- Disaster Recovery and Business Continuity Plan (DRP/BCP)
- Regular third-party penetration testing and security audits
- Core data infrastructure hosted in Turkey or approved jurisdictions
3.4 Board Members and Management
SPK applies "fit and proper" criteria to all persons in control positions:
- Board members must have no criminal convictions related to financial crimes
- Senior management must hold relevant qualifications (finance, law, technology)
- At least one Turkish resident must be on the board
- Shareholders holding more than 10% must pass SPK background checks
3.5 Compliance Officer
A dedicated, full-time Compliance Officer (CO) is mandatory. The CO must be registered with SPK, hold relevant AML/compliance certifications (CAMS or equivalent), and report directly to the board. The CO is personally responsible for MASAK reporting obligations and cannot hold dual roles that create conflicts of interest.
4. Step-by-Step Application Process
The SPK CASP application process follows five distinct phases, each with specific deliverables and timelines.
Pre-Application Preparation
Establish a Turkish joint-stock company (A.Ş.), meet the 50M TRY capital requirement, recruit your Compliance Officer, and build your technical infrastructure. Prepare the full documentation package: articles of incorporation, shareholder declarations, AML policy manual, IT system documentation, and business plan.
Formal Documentation Submission
Submit the complete application dossier to SPK via the e-BDDK system. The package must include: notarized corporate documents, capital adequacy certificate from a bank, AML/KYC system technical description, IT infrastructure audit report, CVs and background clearances for all board members, and the signed Compliance Officer agreement.
SPK Preliminary Review
SPK conducts an initial completeness check and may issue a Request for Information (RFI) requiring additional documentation or clarifications. This phase typically involves 1-3 rounds of document requests. Prompt, high-quality responses are critical to avoid timeline delays. SPK may also conduct on-site visits to inspect IT systems and management premises.
Conditional Approval & Remediation
If the preliminary review is positive, SPK may grant conditional approval specifying outstanding requirements: system tests to pass, additional capital to be deposited, or policies to be finalized. The applicant has a set period (typically 6 months) to complete these conditions and return for final assessment.
Final License Grant
Upon satisfying all conditions, SPK publishes the CASP registration in the Official Gazette and updates its public registry. The company is now a licensed Crypto Asset Service Provider and may begin commercial operations. The license is subject to annual renewal and ongoing compliance monitoring.
5. Timeline & Costs
5.1 Timeline Overview
| Phase | Duration | Key Activities |
|---|---|---|
| Pre-Application | 1–2 months | Company setup, capital, CO recruitment, IT build |
| Document Preparation | 1–2 months | Policy drafting, system documentation, notarizations |
| SPK Preliminary Review | 2–3 months | RFI responses, on-site inspections, clarifications |
| Conditional Approval | 2–4 months | Outstanding conditions remediation, system testing |
| Final License | 1–2 months | SPK board approval, Official Gazette publication |
| Total | 6–12 months | Full CASP registration complete |
5.2 Cost Breakdown
One-Time Setup Costs
- Minimum capital requirement50M TRY
- Company incorporation15,000–30,000 TRY
- IT infrastructure build€150,000–500,000
- AML/KYC system€30,000–100,000
- Legal & compliance consulting€50,000–150,000
- Security audit€20,000–60,000
Annual Operating Costs
- Compliance Officer salary€60,000–120,000
- AML software licensing€20,000–50,000
- Infrastructure & hosting€30,000–80,000
- Annual security audit€15,000–40,000
- SPK annual supervision feeVariable
- Legal retainer€24,000–60,000
6. Key Compliance Requirements
Holding a CASP license is only the beginning. Licensed entities face continuous compliance obligations that require dedicated internal resources and robust systems.
6.1 Travel Rule
Turkey's implementation of the FATF Travel Rule requires CASPs to collect and transmit originator and beneficiary information for virtual asset transfers exceeding USD 1,000 equivalent. This applies to both outgoing and incoming transfers and requires technical integration with a Travel Rule solution provider. The key data fields are: originator full name and account identifier, beneficiary full name and account identifier, and transaction amount and date.
6.2 Transaction Monitoring
Licensed CASPs must maintain a transaction monitoring system capable of: detecting patterns indicative of money laundering, terrorist financing, or market manipulation; generating automatic alerts for transactions above specified thresholds; tracking wallet addresses against known illicit address databases; and producing audit trails for regulatory examination.
6.3 Reporting Obligations
CASPs must file the following reports on a regular basis:
- Monthly: Transaction volume and value reports to SPK
- Quarterly: Financial statements, capital adequacy reports
- Immediate: Suspicious transaction reports (STRs) to MASAK, typically within 10 business days of suspicion arising
- Annually: Compliance audit report, management effectiveness review
- Ad-hoc: Material changes notification to SPK within 10 business days
7. Why Choose Turkey for Your VASP License?
Turkey presents a compelling case for crypto businesses seeking a regulated operational base, particularly when compared to the EU MiCA framework or other emerging market jurisdictions.
Advantages
- ✓Large domestic market: 85M population, ~52% crypto awareness
- ✓Regulatory clarity: clear SPK framework since 2024
- ✓Strategic geography: bridges Europe, MENA, and Central Asia
- ✓Competitive tech talent pool with lower costs than Western Europe
- ✓Lower capital threshold than most EU member states
- ✓Faster timeline than MiCA authorization (typically 6–12 months vs 18+ months)
Considerations
- !No EU passporting — Turkish license does not grant EU market access
- !Currency risk: TRY-denominated capital requirements exposed to FX fluctuation
- !Evolving regulatory landscape: SPK may update requirements
- !Local presence requirements add operational complexity for foreign companies
For businesses targeting Turkish residents or the broader MENA-Turkey corridor, a Turkish CASP license represents an efficient route to market. For businesses primarily targeting EU clients, a parallel MiCA authorization strategy may be more appropriate — and io40 can support both tracks simultaneously.
8. How io40 Helps
io40 is Turkey's leading technology and compliance partner for fintech and crypto businesses. We offer end-to-end support throughout the VASP licensing journey and beyond, combining regulatory expertise with deep technical capability.
SPK Application Management
Complete document preparation, SPK liaison, and RFI response management from submission to license grant.
AML/KYC System Implementation
Full deployment of transaction monitoring, CDD workflows, sanctions screening, and Travel Rule compliance infrastructure.
Trading Platform Development
SPK-compliant exchange engine, order book, wallet management, and custody architecture development and integration.
Compliance Framework Setup
Policy and procedure library creation, compliance officer training, MASAK reporting workflows, and internal audit preparation.
Board & Management Advisory
Fit and proper assessment preparation, board composition advisory, and senior management qualification support.
Ongoing Compliance Support
Post-licensing regulatory monitoring, SPK correspondence management, annual audit support, and regulatory change management.
Our VASP licensing clients benefit from io40's unique combination of regulatory advisory and in-house technical execution — a single partner that can both write the compliance framework and build the systems that implement it.
Learn more about our dedicated VASP license consulting services and our cryptocurrency exchange technology solutions.
9. Frequently Asked Questions
What is a VASP license in Turkey?
What is the minimum capital requirement for SPK CASP registration?
How long does the SPK CASP application process take?
What AML/KYC systems are required for a VASP license?
Can a foreign company obtain a VASP license in Turkey?
What is the difference between VASP and CASP in Turkish regulation?
Is Turkey a better choice than EU/MiCA for crypto licensing?
What IT infrastructure is required for SPK CASP?
What ongoing compliance obligations apply after getting a VASP license?
How can io40 help with the VASP licensing process?
10. Conclusion
Obtaining a VASP license in Turkey through SPK's CASP registration framework is a significant but achievable undertaking. With the right preparation, the right technology stack, and the right compliance partner, the 6-12 month journey can be navigated efficiently and with confidence.
Turkey's combination of regulatory clarity, large market size, strategic location, and competitive cost structure makes it one of the most attractive jurisdictions for crypto businesses in the MENA-Europe corridor. Companies that move quickly to secure their SPK CASP registration will gain a significant first-mover advantage as the market matures.
io40 has the regulatory knowledge, technical expertise, and proven track record to take your business from concept to licensed operation. We have supported multiple CASP applications through the SPK process and continue to serve clients as their ongoing compliance partner.
Ready to Start Your VASP Licensing Journey?
Contact io40 today for a confidential consultation. We'll assess your specific situation and provide a tailored roadmap to SPK CASP registration.