BDDK and Crypto Asset Compliance: A Guide for Banks and Financial Institutions in Turkey

## Introduction The intersection of traditional banking and cryptocurrency creates one of the most complex regulatory environments for financial institutions operating in Turkey. The **Banking Regulation and Supervision Agency (BDDK — Bankacilik Duzenleme ve Denetleme Kurumu)** has steadily expanded its guidance on how licensed banks, participation banks, and financial institutions should manage their exposure to crypto asset markets, their relationships with crypto asset service providers, and the risks these activities introduce. This guide provides a detailed overview of BDDK's crypto-related regulatory framework, its coordination with the **Capital Markets Board (SPK — Sermaye Piyasasi Kurulu)** and MASAK, and the specific compliance obligations that banks and fintechs must address. ## The Regulatory Architecture ### BDDK's Mandate in the Crypto Context BDDK supervises all banks and financial institutions operating under the Banking Law (Law No. 5411). Its crypto-related authority covers: - **Balance sheet exposure** to crypto assets and crypto-adjacent businesses - **Service provision** to crypto asset service providers (banking relationships, payment infrastructure) - **Customer risk management** when bank customers engage in significant crypto activity - **AML/CFT obligations** for crypto-related transactions flowing through bank accounts - **Consumer protection** where banking products intersect with crypto asset investments BDDK does not directly license crypto asset service providers — that function falls to SPK under the framework established by Law No. 7518. However, BDDK regulates the financial infrastructure that crypto platforms depend on, giving it substantial indirect influence over the sector. ### SPK: The Primary Crypto Regulator **Law No. 7518** (amending the Capital Markets Law) established SPK as the primary regulator for crypto asset service providers in Turkey. Key elements: - Crypto asset service providers must obtain an **SPK operating license** - Licensed platforms must meet **minimum capital requirements** - SPK sets standards for **asset segregation** (customer assets must be held separately from platform assets) - SPK supervises **listing standards** for crypto assets available on Turkish platforms - **Advertising and communication** restrictions apply to licensed and unlicensed platforms alike Banks and fintechs need to understand both regulatory frameworks because activities at the bank level (payment processing, account services, custody) interact with SPK-regulated activities at the crypto platform level. ### BDDK-SPK-MASAK Coordination Turkey has established formal coordination mechanisms between BDDK, SPK, and MASAK: - **Joint risk assessment committees** evaluate emerging crypto-related risks - **Data sharing agreements** allow each regulator to access relevant information from the others - **Coordinated inspection programs** examine crypto-related activity across the financial system - **Regulatory guidance** is typically issued jointly or with cross-referencing between agencies For financial institutions, this means that a compliance failure identified by one regulator will almost certainly come to the attention of the others. Treating BDDK, SPK, and MASAK compliance as separate, siloed functions is an increasingly untenable approach. ## BDDK Requirements for Banks Serving Crypto Platforms ### Enhanced Due Diligence for Crypto Platform Clients Banks are required to apply enhanced due diligence (EDD) when onboarding or maintaining relationships with crypto asset service providers. This includes: **Entity-Level Assessment:** - Verification of SPK licensing status (a bank cannot maintain a business account for an unlicensed crypto platform) - Assessment of the platform's AML/CFT program quality - Review of the platform's MASAK compliance record and any prior enforcement actions - Evaluation of the platform's beneficial ownership structure and geographic reach - Assessment of the platform's customer base and transaction volume relative to its size **Ongoing Monitoring:** - Regular review of the platform's SPK licensing status (licenses can be suspended or revoked) - Transaction monitoring on the bank account for patterns inconsistent with the platform's stated business model - Annual review of the EDD file, or more frequently if risk indicators change - Monitoring of public information (media, regulatory announcements) regarding the platform ### Transaction Monitoring Expectations BDDK expects banks to apply specialized transaction monitoring rules to crypto-related payment flows. High-volume, rapid-cycling payment patterns typical of crypto exchange settlement activity must be understood in context — they should not generate excessive false positives, but they require calibrated rules that can distinguish legitimate crypto business activity from unusual patterns. Specific monitoring scenarios BDDK guidance addresses: - **Large round-number transfers** between bank accounts and crypto exchange accounts - **High-frequency transfers** (multiple per day) from individual customers to crypto platforms - **Aggregation patterns** where multiple customers' funds flow to the same crypto platform account in coordinated timing - **Reversal patterns** where funds deposited to a crypto account quickly return to the banking system through different accounts ### Correspondent Banking Decisions For banks with international correspondent relationships, BDDK expects careful assessment of exposure to foreign crypto-related payment flows. Where a foreign bank is primarily serving crypto platforms operating in unregulated jurisdictions, Turkish banks must evaluate whether maintaining those correspondent relationships is consistent with their risk appetite. ## BDDK Requirements for Banks with Direct Crypto Exposure As of 2026, Turkish banks are not permitted to directly hold cryptocurrency assets on their balance sheets or offer crypto custody services to retail customers under their banking license. However, several forms of indirect exposure are regulated: ### Loans Collateralized by Crypto Assets BDDK has issued guidance on lending against cryptocurrency collateral: - **Loan-to-value ratios** must account for the heightened volatility of crypto assets (significantly lower than for traditional asset collateral) - **Margin call mechanisms** must be in place with sufficient trigger thresholds to account for rapid price movements - **Collateral custody** arrangements must not expose the bank to unacceptable counterparty or custody risk - **Stress testing** of crypto-collateralized portfolios is required under BDDK's risk management framework ### Investment in Crypto-Related Entities Banks that hold equity stakes in crypto asset service providers (or their parent companies) must: - Consolidate the risk profile of the investee into group-level risk assessment - Ensure the investee's regulatory compliance does not create reputational or regulatory contagion risk for the bank - Apply BDDK's requirements for related-party risk management ### Structured Products Referencing Crypto Assets Where banks offer structured notes or derivatives that reference cryptocurrency prices, BDDK expects: - Clear customer suitability assessment - Hedging arrangements that do not create unmanaged market risk - Disclosure consistent with SPK's advertising restrictions for crypto-related financial products ## AML/CFT Obligations Specific to Crypto-Related Activity ### MASAK's Crypto Red Flag Typologies BDDK incorporates MASAK's published typologies into its AML/CFT expectations for banks. Red flags specifically relevant to crypto-related banking activity include: | Red Flag | Monitoring Implication | |---|---| | Customer frequently transfers to multiple different crypto platforms | Structuring or layering risk | | Large crypto exchange deposits immediately followed by international wire transfers | Placement and integration risk | | Customer account receives funds from crypto exchange but customer denies crypto activity | Identity and source-of-funds inconsistency | | Business account for non-crypto company processes high-volume crypto exchange settlements | Undisclosed business activity risk | | Frequent small transfers to crypto exchange exactly below the 15,000 TRY threshold | Classic structuring pattern | ### Threshold Reporting to MASAK Banks are required to submit **Cash Transaction Reports (CTR)** to MASAK for transactions at or above the 15,000 TRY threshold. For transactions flowing between bank accounts and crypto exchange accounts, the TRY equivalent of any cryptocurrency received or sent is included in this calculation. Banks must also file **Suspicious Transaction Reports (STR)** for any transaction pattern that meets the grounds for suspicion under Law No. 5549, regardless of the 15,000 TRY threshold. Crypto-related STRs filed by banks are a significant source of intelligence for MASAK investigations of crypto platforms and their users. ## Fintech-Specific Considerations ### Payment Institution Exposure Fintech companies licensed as payment institutions (odeme kurulusu) under BDDK's supervision are increasingly involved in crypto-related payment flows — facilitating fiat on-ramps and off-ramps for crypto platforms, processing settlement payments, and enabling customer deposits and withdrawals. BDDK's expectations for payment institutions in this context: - **Merchant screening:** Payment institutions must verify that merchants (including crypto platforms) they serve hold the necessary regulatory authorizations - **Transaction monitoring:** The same enhanced monitoring expectations applicable to banks apply to payment institutions processing crypto-related flows - **Capital adequacy:** Payment institutions must maintain capital buffers sufficient to cover the risk profile of their crypto-related business - **Safeguarding:** Customer funds must be segregated in licensed credit institutions, with particular care when the funds are destined for crypto platform accounts ### Electronic Money Institution Considerations Electronic money institutions (EMI) licensed under BDDK face similar considerations. Where an EMI's stored value product is used to fund crypto platform accounts, BDDK expects the EMI to have controls addressing: - Customer identification standards equivalent to those required of the crypto platform itself - Monitoring of high-frequency or high-value crypto funding patterns - Source-of-funds controls for large top-ups destined for crypto platforms ## Risk Management Framework Requirements ### Board-Level Oversight BDDK expects that crypto-related risks are identified, assessed, and reported at the board level. For institutions with material crypto exposure (whether through customer relationships, direct investment, or product offerings), the board should: - Approve a written crypto risk policy - Receive regular reporting on crypto-related exposures and incidents - Ensure management has the expertise to evaluate crypto-specific risks - Review the institution's crypto-related compliance record with BDDK, SPK, and MASAK ### Stress Testing For banks with material exposure to crypto markets (through collateralized lending, investments in crypto entities, or significant payment volumes), BDDK expects crypto-specific stress scenarios to be incorporated into the institution's Internal Capital Adequacy Assessment Process (ICAAP): - **Price crash scenario:** 70–90% decline in major crypto asset prices within 30 days - **Market liquidity freeze:** Complete cessation of crypto market trading for 72 hours - **Regulatory action scenario:** Emergency suspension of all crypto platform licenses in Turkey - **Counterparty default:** Default of the institution's primary crypto exchange client ### Technology Risk BDDK's IT risk framework applies to any systems used to process, monitor, or report on crypto-related transactions. Specific requirements: - **API security** for connections to crypto platform systems or blockchain data providers - **Data integrity** for crypto transaction records used in AML monitoring - **Resilience** of monitoring systems covering crypto-related flows (downtime in the monitoring system does not suspend the monitoring obligation) ## Preparing for BDDK Examination BDDK examinations increasingly include crypto-related modules. Institutions should be prepared to demonstrate: 1. **Policy and governance:** Written policies addressing crypto-related customer relationships, transaction monitoring, and risk management — approved at the appropriate level 2. **Customer due diligence quality:** File reviews demonstrating EDD applied to crypto platform clients 3. **Transaction monitoring effectiveness:** Alert rates, false positive rates, escalation logs, and STR filing outcomes for crypto-related monitoring rules 4. **Staff competency:** Training records showing that relevant staff understand crypto-specific risks and MASAK typologies 5. **Coordination with MASAK:** Evidence that STR obligations are being met for crypto-related suspicious activity 6. **Record retention:** Complete and accessible records for the 8-year period required under Law No. 5549 ## Conclusion BDDK's regulatory expectations for banks and financial institutions with crypto exposure have matured significantly over the past two years. The combination of Law No. 7518's SPK licensing framework, MASAK's AML enforcement capacity, and BDDK's supervisory reach over banking infrastructure creates a comprehensive — and demanding — compliance environment. For banks, the key risk is not crypto's inherent volatility but rather the regulatory and reputational consequences of inadequate due diligence on crypto-related relationships and insufficient monitoring of crypto-related transaction flows. For fintechs, the challenge is building compliance infrastructure capable of meeting banking-grade AML standards while serving the fast-moving crypto market. Institutions that align their crypto compliance programs with BDDK's framework — and that invest in the technology to make transaction monitoring and STR filing efficient and reliable — will be best positioned as Turkey's crypto regulatory environment continues to develop.