The Draft Regulation on the Regulation of Crypto Assets and Crypto Asset Service Providers (crypto exchanges and other related institutions) under the Capital Markets Law has been accepted by the Turkish Grand National Assembly (TBMM). This regulation concerning the crypto licence will officially come into effect once approved by the President.
However, the Law does not provide detailed regulations and leaves the specifics of how crypto asset service providers will obtain licences to secondary regulations, namely the Capital Markets Board (SPK) communiqués. What will be included in these SPK Communiqués? We have compiled the important topics covered in these draft communiqués.
To simplify, we will use the terms “crypto licence” and “crypto exchanges” throughout. While reading the following, however, keep in mind that the scope covers all other platforms as well.
1. Capital Adequacy for Crypto Licence
The crypto licence’s capital adequacy will be significant in two main dimensions. The first is the company’s minimum paid-in capital amount. Although not precisely defined, this capital amount is planned to be at least 200 million TL. The capital must be fully paid in cash.
The second aspect concerns the shareholders’ capacity to increase capital. This will be ensured during the licensing process through reports on the assets of qualified shareholders (those owning 10% or more), provided by certified public accountants, or through similar reports.
While capital adequacy is expected for institutions using customer funds (typically exchanges), the law’s definition of crypto asset service providers also includes all institutions conducting ICO-IDO. Therefore, it is possible that the SPK may differentiate capital adequacy requirements or narrow the definition through secondary regulations based on the authority granted by the law.
2. Business Plan and Feasibility Study
The company is expected to present its business model to the SPK. The business plan should include the following sections:
- Background of shareholders, vision, mission, value proposition
- Market analysis (local and global)
- Demand analysis
- Segmentation and target market identification, marketing strategies
- SWOT analysis
- Risk assessment and analysis
- Financial projections
3. Establishment of Corporate Governance Structure
The submission forms are expected to demonstrate the company’s corporate governance framework.
- Organizational chart compliant with regulations (e.g., structure of the audit committee, internal audit and risk management structure independent of the CEO)
- Establishment of internal control/internal audit and risk management units
- Establishment of the internal control system
- Definition of duties and responsibilities
- Workflows
4. Layout plan indicating the presence of sufficient office space
5. Detailed information on the senior management’s CVs, qualified shareholders, CEO, and board members (criminal record, letters from TMSF, etc.)
6. Policies Aligned with the Business Plan for the Crypto Licence
- AML-KYC Policy, Customer Identification Procedures
- Internal Control Procedure
- Compliance Policy
- Internal Audit Policy
- Protection of Crypto and Fiat Funds Policy
- Digital Wallet Storage Policy
- Crypto Order Execution Policy
- Business Continuity Plan, Emergency Action Plan
- IT Policies (Acceptable Use Policy for Information Technology Resources, Access Control Policy, Account Management and Access Control Procedure, Asset Management Procedure, Backup Procedure, Change Management Policy, Cloud Computing Policy, Data Classification Procedure, Data Governance Policy, Data Retention Procedure, Incident Management Policy, Information Security Management Policy, etc.; over 20 policies in total)
- IT Technical Standards (Identity Authentication Token Standards, 802.11 Wireless Network Security Standard, Cloud Security Standard, Database Security Standard, etc.)
- Complaint Management Policy
- KVKK (Personal Data Protection Law) Policies and procedures
- Customer agreements
7. Procedures for the internal control system covering the process from receiving the customer order to transmitting the order, monitoring customer accounts, and maintaining the necessary records
8. Outsourcing Procedure, Report on Outsourcing Services
9. Independent Audit Report on Information Systems
(An independent audit will be conducted and a report obtained to verify that the crypto asset service provider’s systems and necessary infrastructure meet specific standards, comply with TÜBİTAK’s conditions, and ensure that data is kept within the country.)
10. Independent Financial Audit Report
11. Customer Suitability Tests, Customer Risk Notifications, and Platform Evidence for These
12. Additional Information Required if Crypto Asset Activities Are Conducted with an Overseas Parent Company
- Official document indicating that the institution where transactions will be carried out has obtained an operating license from the relevant authority of the respective country
- Detailed information about the institution where transactions will be conducted
- The agreement between the parties
- The company’s board decision on how crypto asset trading will be conducted and how this process will be managed
During the transition period, the SPK will grant time for currently operating crypto asset service providers to apply for a crypto licence. The secondary regulations will also include detailed arrangements on how these companies will operate, along with the application requirements mentioned above. Companies will submit their applications by meeting these requirements along with the draft amendment to the articles of association.
It is unclear at what stage the independent audit of information systems will take place. The view that the audit report will be obtained after the preliminary application is quite strong.
To prepare flawlessly and very quickly for the application process, you can seek support from Finahukuk, which has made numerous similar applications in various countries abroad. Contact us to draw on our experience in bringing both information systems and corporate structure into compliance with regulations.