The long-awaited legislative amendment of the Financial Crimes Investigation Board of the Republic of Türkiye Ministry of Treasury and Finance ('MASAK') took place on 25 December 2024.
Within the scope of the relevant amendment ('Amendment'), MASAK has made various amendments to the following regulations within the scope of MASAK legislation, taking into account the recent FATF guidelines and local reviews.
- Regulation on Measures to Prevent Laundering Proceeds of Crime and Financing of Terrorism ('Measures Regulation')
- Regulation on the Programme for Compliance with the Obligations Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism ('Compliance Regulation')
- Regulation on the Procedures and Principles Regarding the Electronic Notification System of the Financial Crimes Investigation Board ('E-Notification System Regulation')
- The Financial Crimes Investigation Board General Communique No: 5 ('Communiqué №5')
- The Financial Crimes Investigation Board General Communique No: 19 ('Communiqué №19')
- Regulation on Laundering Offence Investigation
Frequently asked questions and answers regarding the relevant Amendments on Crypto Asset Providers ("CASPs") are as follows.
What was The Status Of CASPs In The MASAK Legislation Before The Amendments?
With the new amendments, we can chronologically summarise the relationship of CASPs with the MASAK legislation as follows.
- May 2021. CASPs became obliged with the addition to the Measures Regulation, to MASAK
- May 2021. MASAK published the Guideline on obligations for CASPs and stated that CASPs may onboard customers through simplified due diligence process ("SDD") within the scope of the article 'Obligors Carrying Out Their Activities Exclusively in Electronic Environment' (Article 2.2.2.10) of the Communiqué No.5.
- April 2022. MASAK published the Suspicious Transaction Notification Guide ('STN Guide') for CASPs.
- July 2024. MASAK's Suspicious Transaction Reporting Guideline for CASPs was updated.
- December 2024. Recently included within the scope of the Capital Markets Law, CASPs were included among financial institutions under the MASAK legislation and the measures that CASPs must take to prevent laundering proceeds of crime and terrorist financing were tightened.
Did the Amendments Change The Status Of CASPs Under MASAK Legislation?
With the amendment made to the Measures Regulation, CASPs have been included among the 'Financial Institutions' within the scope of MASAK legislation.
On the other hand, another critical change is the inclusion of CASPs among the Compliance Programme Obligors.
What Does It Mean To Be Included As A Financial Institution?
The inclusion of CASPs as Financial Institutions means that their obligations under the secondary MASAK legislation will increase, but they will also have certain opportunities.
For example, from now on, CASPs are required to take the necessary measures to monitor transactions conducted outside of a continuous business relationship with a risk-based approach and to establish an appropriate risk management system for these purposes.
On the other hand, it has become possible for CASPs to acquire customers by using the 'reliance on third party" mechanism granted to Financial Institutions.
!!! CASPs should compare their new obligations and existing processes within the scope of MASAK legislation as a Financial Institution and take the necessary steps operationally and software-wise.
What Does It Mean To Be Obliged Party To Establish A Compliance Programme?
MASAK legislation imposes an obligation to establish a Compliance Programme for certain obliged parties.
In order to prevent the laundering of proceeds of crime and the financing of terrorism, these obliged parties, which include CASPs, are required to establish a compliance programme that meets the conditions in Article 5 of the Compliance Regulation with a risk-based approach in order to ensure the necessary compliance with the Law and the regulations and communiqués issued pursuant to the Law.
Is It Sufficient For CASPs To Appoint A Single Compliance Officer?
No. It is not. Since CASPs are obliged to establish a compliance programme, they are obliged to appoint an assistant compliance officer in addition to the compliance officer pursuant to Article 5 of the Compliance Regulation.
Are There Any Special Issues That Casps Should Pay Attention To In Their Institutional Policy?
Yes. Pursuant to the amendment made to Article 7 of the Compliance Regulation, measures should be taken for continuous monitoring of customers and transactions by taking into account asset freezing decisions and potential matching criteria in the monitoring and control activities within the scope of the Institituonal policy.
In this context, the obligation to take into account the sender and recipient information in the electronic transfer and crypto asset transfer messages has been imposed on CASPs.
What is The 'Travel Rule' Imposed on Casps?
The Travel Rule ('Travel Rule') within the scope of the FATF legislation, which increases the traceability of financial transactions, requires certain information during financial transactions to 'travel' through a network of financial intermediaries together with the information belonging to the initiator and the recipient of the transaction.
The purpose of the relevant rule is to make funds traceable and to detect illegal activities.
For Which Amount of Transactions are CASPs Subject to the Travelling Rule?
This rule, which is recommended by FATF for transactions above the USD 1000 threshold, has been made mandatory by MASAK in different details for transactions above and below TL 15,000 for CASPs.
In the messages related to the crypto asset transfer transaction of 15,000 TL or more mediated by the CASPs, the sender's;
- Identity. Name and surname, title of the legal entity registered in the trade registry, full name of other legal entities and organisations without legal personality,
- Wallet Information. Wallet address, or in the absence of a wallet address, the reference number related to the transaction,
- Identifying Information. It is mandatory to include at least one of the information used to identify the sender such as address or place and date of birth or customer number, citizenship number, passport number, tax identification number, and the accuracy of this information must be confirmed.
In crypto asset transfer messages, the identity and wallet information regarding the recipient must also be included, but confirmation of this information is not mandatory.
On the other hand, in transfer messages below 15,000 TL, the Identity and Wallet Information of the sender or recipient is included, although confirmation is not mandatory.
What Should The Receiving Casps Do When There is A Lack Of Information In The Transfer Message?
If the above-mentioned information is not included in the transfer message, the crypto asset service provider receiving the crypto asset transfer message,
- Must request the cryptoasset service provider sending this message to complete the missing information, and
- Must return the crypto asset transfer, if the information is not completed.
What Should The Receiving CASPs Do If The Transfer Messages Continuously Contain Incomplete Information?
In the event that the sent messages continuously contain incomplete information and this information is not completed despite the request, the receiving crypto asset service provider should consider rejecting the transfers from the sending crypto asset service provider or limiting the transactions with the crypto asset service provider in question or terminating the business relationship.
Does Anything Change in Terms Of The Content Of The Transfer Message in Cases Where There Are Intermediary CASPs?
No, it does not. In the message chain from the crypto asset service provider where the transfer order is given to the crypto asset service provider that is the addressee of the final transfer, the information that should be included in the crypto asset transfer messages regarding the sender should be included by all crypto asset service providers that mediate the transfer and special attention should be paid to transfer this information at every stage of the transfer.
When and How Should Transfer Message Information be Sent?
Information regarding the sender and receiver must be sent securely simultaneously with the transfer.
It is possible to use software applications and technological tools that allow messaging such as distributed ledger technology, another independent messaging platform or application interface to send the data contained in the transfer messages.
What to Pay Attention to in Transfer Messages in the Case of Unregistered Wallet Addresses?
In crypto asset transfers sent to or received from a wallet address that is not registered with any crypto asset service provider, the following information must be taken from the customer who is a party to the transfer in question before the crypto asset service provider, i.e. who is the sender or receiver of the unregistered wallet address:
- name and surname for natural persons,
- for legal entities, title information
- A declaration regarding at least one of the information used to identify the person such as address or place and date of birth or customer number, citizenship number, passport number, tax identification number, etc.
!!! The above process should be carried out within the framework of a risk-based approach, and in this context, additional information and documents should be requested from the customer about the parties to the transfer. At the same time, the CASPs should also take into account that if sufficient information cannot be obtained about the parties to the transaction, the transfer should not be executed or the transactions with the financial institution in question should be limited or the business relationship should be terminated.
How will the Travel Rule be applied for Transfers to Non-Resident CASPs?
In a cryptoasset transfer received from or sent to a cryptoasset service provider or a financial institution authorised to transfer cryptoassets, which is resident abroad and is not obliged to share information about the sender and recipient according to its own legislation, following information must be taken from the customer who is a party to the transfer in question at the cryptoasset service provider;
- Name and surname for natural persons,
- For legal entities, title information
- A declaration regarding at least one of the information used to identify the person such as address or place and date of birth or customer number, citizenship number, passport number, tax identification number must be obtained.
If the service provider or financial institution resident abroad uses software applications and technological tools that allow messaging such as distributed ledger technology, another independent messaging platform or application interface, the information in the first paragraph may be included in the messages through the system used.
!!! The above process should be carried out within the framework of a risk-based approach, and in this context, additional information and documents should be requested from the customer about the parties to the transfer. At the same time, the CASPs should also take into account that if sufficient information cannot be obtained about the parties to the transaction, the transfer should not be carried out or the transactions with the financial institution in question should be limited or the business relationship should be terminated.
Is it Possible for CASPs to Act in Reliance on a Third Party?
Yes. Since CASPs have the status of Financial Institutions, customer acquisition can be carried out based on the third party reliance mechanism.
In order to benefit from this mechanism, CASPs must fulfil the conditions specified in Article 21 of the Safeguards Regulation.
Under Which Circumstances Should CASPs Conduct Customer Due Dilligence?
CASPs should conduct customer due diligence (CDD) in permanent business relationships and transactions and electronic transfers exceeding a certain threshold.
In this context, CASPs must perform CDD in one of the following situations:
- In the establishment of a permanent business relationship regardless of the amount,
- When the transaction amount or the total amount of multiple related transactions is 15.000 TL or more,
- In crypto asset transfers, when the transaction amount or the total amount of multiple interconnected transactions is 15,000 TL or more.
What is the MASAK Status of CASPs with Other Financial Institutions?
Pursuant to the additions made to Article 13 of the Compliance Regulation, other financial institutions (e.g. banks) are required to assess CASPs as a high-risk group and take the necessary measures in the article.
In this context, other financial institutions should at least take the following measures in establishing a business relationship with CASPs:
- Obtaining as much information as possible about the source of the assets subject to the transaction and the funds belonging to the client,
- To learn about the purpose of the process,
- Keep the business relationship under close supervision by increasing the number and frequency of controls applied and identifying the types of transactions that require additional controls.
On the other hand, other financial institutions are required to subject the establishment of a business relationship with CASPs to the approval of the senior officer.
What is the Deadline for the Appointment of Compliance Officers and Deputy Compliance Officers by CASPs?
The deadline for the appointment of compliance officers and deputy compliance officers by the CASPs declared to be in operation by the Capital Market Boards (SPK) of Türkiye was 25 January 2025.
What is the Deadline for CASPs to Establish a Compliance Programme?
The deadline for the establishment of a compliance programme by the CASPs declared to be in operation by the Capital Market Board ("CMB") is 1 month at the latest after the appointment of the compliance officer.
The commitment forms in Annex-1/A regarding the corporate policies determined within the scope of the compliance programme must also be sent to the MASAK by the same date.
Will The Casps Be Able To Perform Remote Identification Within The Scope Of The Communiqué No.19?
Yes. Until the CMB legislation regulates remote identification, it is possible for CASPs to perform remote identification within the scope of the methods and general principles set forth in the second part and the measures set forth in the fourth part of the Communiqué No.19.
Once the CMB legislation regulates remote identification, CASPs must carry out this process subject to both the SPK and the Communiqué No.19.
Pursuant to the addition made to Article 6 of the Communiqué No. 19, crypto asset service providers that intermediate the trading or custody of privacy-based crypto assets are not able to perform remote identification.
What Should Casps Pay Attention To Within The Scope Of Communiqué No.19?
Pursuant to the addition made to Article 6 of the Communiqué No. 19, deposits and withdrawals at the CASP, including the first financial transaction in the establishment of a permanent business relationship, must be made through a bank or credit card account compatible with the customer's identity information.
Can Casps Identify Customers By Applying Simplified Measures By Taking Advantage Of Article 2.2.2.10 Of Order No.5?
No, they cannot. The phrase 'Games of Chance and Betting' has been added to the title of the relevant article. Therefore, although before the Amendment, CASPs were able to identify customers within the scope of simplified measures on the basis of this article, they will not be able to benefit from this provision after 25 February 2025.
What Should CASPs Do With Respect To The Customers They Have Acquired To Date?
CASPs should apply face-to-face or remote identification of the customers they have acquired so far until 25 April 2025 at the latest.
Within this period, necessary measures should be taken by the CASPs in order to reach the customers who have not requested any transaction for the purpose of identification.
Here, it is seen that the regulation imposes an active obligation on the CASPs. For this reason, it is important that the CASPs act proactively regarding these processes and that their actions are evidenced.
In case the customers who do not request a transaction within this period cannot be reached, the process of making them eligible should be carried out on the date of the customer's first transaction request and before the transaction is executed.
Can CASPs Apply Simplified Measures During The Transition Period When They Start Acquiring Customers Within The Scope Of Sequence No.19?
No. Pursuant to the Provisional Article 2 added to the Communiqué No.5, the CASPs that start customer acquisitions within the scope of the Communiqué No. 19 cannot benefit from simplified measures under 2.2.10 even until the end of the transition period.
Are CASPs required to register to the Electronic Notification System?
Yes. CASPs that are declared to be operating by the CMB are required to apply to MASAK to open an account in the Electronic Notification System until 25 January 2025.
Considering the nature of the above-mentioned Amendments, the fact that some of these amendments require software development for CASPs, and that CASPs are currently in a transition period in order to comply with the SPK legislation, it is possible to say that a busy period awaits CASPs.
In this context, it will be important for CASPs to correctly define their obligations in the relevant transition process and to design their business processes in an effective and evidenced manner in order to meet their obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
