Frequently Asked Questions

io40 provides end-to-end fintech and blockchain solutions including crypto exchange setup, e-money licensing, VASP/CASP registration, KYC/AML compliance systems, blockchain development, enterprise software, mobile applications, and white-label financial platforms. With offices in Istanbul, Tallinn, Solingen, Antalya, and Sindirgi R&D, we serve clients globally across every major financial regulatory jurisdiction.

io40 serves clients globally with core expertise in Turkey, the EU (particularly Germany and Estonia), and emerging markets across the Middle East and Central Asia. We hold operational offices in Istanbul, Tallinn, Solingen, Antalya, and Sindirgi R&D. Our multi-jurisdictional expertise allows us to handle complex cross-border regulatory requirements.

io40 has been providing fintech and blockchain technology services since 2018, giving us over seven years of hands-on experience in regulatory licensing, crypto infrastructure, and financial software architecture. We have successfully delivered over 50 fintech projects across 15 countries.

We work with cryptocurrency exchanges, e-money institutions, payment service providers, investment platforms, digital banks, insurance companies, healthcare organizations, supply chain enterprises, and corporate entities seeking to leverage blockchain technology. Our expertise spans regulated financial services and enterprise blockchain applications.

Visit our contact page, send an email to info@io40.tr, or call +90 216 606 40 99. We typically respond within one business day with a tailored project proposal and preliminary timeline.

An e-money institution (EMI) is a licensed entity authorized to issue electronic money — a digital representation of monetary value — and provide payment services. In Turkey, EMIs are regulated by the Banking Regulation and Supervision Agency (BDDK) under the Payment and Securities Settlement Systems Law (Law No. 6493). EMIs can hold customer funds, issue prepaid cards, and provide digital wallets.

The BDDK e-money license process typically takes 6 to 12 months from initial application to final approval. The timeline breaks down as follows: document preparation (2-3 months), official submission and administrative review (3-6 months), and final regulatory approval decision (1-3 months). io40 streamlines this process through our deep regulatory expertise and pre-approved document templates.

As of 2025, Turkish e-money institutions must maintain a minimum paid-in capital of 5 million Turkish Lira. Additionally, institutions must hold own funds equal to at least 2% of the average outstanding e-money in circulation. Capital must be fully paid-in cash before application submission. io40 assists with capital structuring, shareholder due diligence documentation, and regulatory capital calculations.

Yes. Foreign companies can apply for a Turkish e-money license by establishing a Turkish subsidiary or joint venture. The Turkish legal entity must have local directors with clean criminal records, a physical registered office in Turkey, qualified senior management, and full compliance documentation in Turkish. io40 provides end-to-end guidance for foreign investors entering the Turkish fintech market.

An e-money institution can both issue e-money (store monetary value electronically on behalf of users) and provide payment services. A payment institution can only provide payment services without issuing or storing e-money. E-money licenses have higher capital requirements (5M TRY vs 2M TRY) but offer broader business scope including digital wallet issuance.

Yes. Following the Crypto Asset Service Providers Law (Law No. 7518, effective 2024), crypto exchanges in Turkey must register with the Capital Markets Board (SPK) as Crypto Asset Service Providers (CASPs). The regulatory framework establishes clear rules for licensing, capital requirements, AML obligations, and customer protection. Operating without SPK registration is illegal and subject to significant penalties.

VASP (Virtual Asset Service Provider) and CASP (Crypto Asset Service Provider) are regulatory designations for businesses offering cryptocurrency services such as exchange, custody, transfer, or brokerage. In Turkey, SPK handles CASP registration under Law No. 7518. In the EU, MiCA regulation governs CASP authorization. io40 assists with both Turkish CASP registration and EU MiCA authorization. See our VASP License service page for details.

The total cost depends on project scope and requirements. Technology infrastructure ranges from $150,000 to $500,000+. Regulatory licensing and legal fees add another $50,000 to $200,000. Ongoing compliance and operational costs vary by volume. io40 offers phased engagement models to manage upfront costs, and our white-label solutions can significantly reduce initial investment.

The SPK CASP registration process includes: (1) incorporation of a Turkish company with appropriate share capital, (2) appointment of qualified personnel meeting SPK fitness and propriety criteria, (3) preparation of comprehensive application documentation including business plan, AML/CFT program, IT security assessment, and risk management policies, (4) official submission to SPK, (5) regulatory review and possible requests for additional information, and (6) final SPK approval. See our complete guide for step-by-step details.

Any business that facilitates peer-to-peer crypto trading by providing matching, custody, escrow, or intermediation services in Turkey must register as a CASP with SPK. Pure P2P software platforms without custody or intermediation functions may have different requirements, but the regulatory boundaries are complex. io40 provides case-by-case legal analysis to determine your specific licensing obligations.

Turkish crypto companies must comply with the Anti-Money Laundering Law (Law No. 5549), MASAK (Financial Crimes Investigation Board) regulations, and SPK CASP rules. Core requirements include: customer identity verification (CDD/EDD), beneficial ownership identification, politically exposed persons (PEP) screening, transaction monitoring, suspicious activity report (SAR) filing with MASAK, and record retention for minimum five years.

The Travel Rule (FATF Recommendation 16) requires Virtual Asset Service Providers to collect and transmit originator and beneficiary information for crypto transfers above threshold amounts. In Turkey, this threshold is currently 15,000 TRY per transaction. The information must be transmitted to the receiving VASP before or concurrent with the transfer. io40 provides Travel Rule compliance solutions integrated into exchange infrastructure.

io40's AML platform combines rule-based triggers and machine-learning behavioral models to analyze transaction patterns in real time. The system screens all wallet addresses and transactions against global sanctions lists, identifies suspicious patterns including structuring, layering, and rapid fund movement, generates automated SAR drafts for compliance officer review, and produces regulatory reports in the format required by Turkish MASAK.

io40 screens against OFAC SDN (US), EU Consolidated Sanctions List, UN Security Council Consolidated List, HM Treasury Financial Sanctions (UK), MASAK Turkey Domestic List, and custom watchlists. Screening covers individuals, legal entities, and crypto wallet addresses. We use commercial blockchain analytics platforms combined with proprietary screening engines for comprehensive coverage.

Biometric verification is not universally mandated but is strongly recommended for remote digital onboarding under MASAK enhanced due diligence (EDD) guidelines. Remote KYC processes typically require liveness detection, document optical character recognition (OCR), and biometric face match. io40 integrates with leading biometric identity verification providers to create compliant remote onboarding flows.

MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) is the European Union's comprehensive regulatory framework for crypto assets and related service providers. It establishes unified rules for crypto asset issuance (including stablecoins), authorizes Crypto Asset Service Providers (CASPs), creates an EU passporting system allowing single-license operation across all EU member states, and sets investor protection and market integrity standards. See our MiCA compliance service.

MiCA became fully applicable on December 30, 2024. Titles III and IV (governing asset-referenced tokens and e-money tokens respectively) applied from June 30, 2024. National Competent Authorities across EU member states began accepting CASP authorization applications throughout 2024. Existing operators benefit from transition periods varying by jurisdiction, typically 12 to 18 months.

Turkish companies must comply with MiCA if they actively serve EU customers, operate through EU branches or subsidiaries, or market their services to EU residents. The key trigger is whether services are actively directed at EU consumers. io40 provides legal analysis to determine MiCA applicability and advises on EU market entry strategies including EU subsidiary structures for MiCA authorization.

Turkish CASP registration and EU MiCA authorization are separate regulatory regimes with different requirements. However, building strong compliance infrastructure for Turkish SPK registration creates an excellent foundation for MiCA authorization. Both frameworks share core requirements around AML, governance, capital adequacy, and customer protection. io40 designs dual-compliant architectures from the outset.

Yes. io40 provides integrated licensing services covering Turkish SPK CASP registration, BDDK e-money licensing, and EU MiCA CASP authorization. Our teams in Istanbul and Tallinn cover both jurisdictions. We design compliance frameworks that satisfy both Turkish and EU requirements simultaneously, enabling clients to operate in both markets under a single technology and compliance infrastructure.

io40 builds on proven enterprise-grade technology: custom or open-source matching engines (C++, Java) for high-frequency trading, microservices architecture (Go, Node.js, Python) for scalability, blockchain integrations (Ethereum, Bitcoin, BSC, Solana, Polygon), PostgreSQL and TimescaleDB for transactional data, Redis for caching, Kafka for event streaming, and cloud infrastructure on AWS or Azure with multi-region redundancy.

Timeline varies by project scope: minimum viable crypto exchange — 4 to 6 months; full-featured exchange with compliance modules — 9 to 18 months; e-money platform — 6 to 12 months; enterprise blockchain solution — 3 to 9 months; white-label deployment — 3 to 4 months. Regulatory licensing runs in parallel with development. io40 provides detailed Gantt chart project timelines during scoping.

Yes. io40 offers white-label crypto exchange platforms, e-money wallet systems, KYC/AML modules, and payment processing APIs that can be branded and deployed under your company identity. White-label solutions reduce time-to-market from 18 months to as little as 3 to 4 months and significantly lower development costs while maintaining enterprise-grade quality.

io40 designs all systems for 99.99% uptime (less than 53 minutes downtime per year) with multi-region redundancy, hot standby failover, and horizontal auto-scaling. Our exchange engines handle up to 100,000 transactions per second with sub-millisecond matching latency. Uptime guarantees and SLA commitments with financial penalties are included in all enterprise contracts.

io40 follows a structured delivery methodology: (1) requirements analysis and system architecture design, (2) smart contract development and independent security auditing, (3) backend API development and blockchain node integration, (4) frontend web and mobile application development, (5) automated testing and penetration testing, (6) compliance and regulatory review, (7) phased launch with monitoring, and (8) ongoing maintenance and support with SLA guarantees.