
12-Month Compliance Roadmap for Fintech: License + MASAK + KVKK

TL;DR

A 12-month roadmap for a licensed fintech built from scratch: months 1-3 preparation, 4-6 application, 7-9 review, 10-12 approval + launch.

16 February 2026 · Financial Law · 2 min read · 6 views · Last updated: 10 May 2026

It takes 12-18 months to establish a licensed fintech from scratch. Month-by-month task list: month 1-3 preparation, 4-6 application, 7-9 review, 10-12 approval + launch.

Month 1-3: Preparation

  • Company establishment (TTK art. 331 et seq.; a joint-stock company, A.Ş., is mandatory).
  • Capital (1M TL for a payment institution, PI / 5M TL for an electronic money institution, EMI).
  • Manager suitability test (criminal record, BRSA suitability application).
  • Data center selection (Türkiye); main DC + DR site.
  • Appointing the first compliance officer; MASAK registration.

Month 4-6: Application

  • BRSA license file (80+ documents).
  • IT infrastructure tests, ISO 27001 certification application.
  • KVKK by-design infrastructure: VERBIS registration, data inventory.
  • MASAK compliance program documentation.
  • Initial pen-test + vulnerability fixing.

Month 7-9: BRSA Review

  • BRSA inspection visit (IT, compliance, finance).
  • Responding to deficiency notices (usually 2-3 rounds).
  • PCI-DSS control.
  • First customer segment pilot design.

Month 10-12: Approval + Launch

  • License approval.
  • Launch limited to pilot users (50-200).
  • Compliance officer monthly reporting begins.
  • Marketing + scaling.

Which consultancy services are outsourced?

Commonly outsourced: a QSA (PCI), independent audit (Big4), pen-testing (CEH/OSCP certified), and external support for KVKK and MASAK compliance.

Does VC investment shorten this process?

Yes, it speeds up the capital commitment. However, VC investment does not change the BRSA review period.

Average first year compliance cost?

5-15M TL range, including license + capital + infrastructure + consultancy. EMI license costs are 50% higher than PI.

Can it be shortened with a partnership with an existing bank?

Yes, with the BaaS (Banking-as-a-Service) model. If you operate under a bank's license, a BRSA license is not mandatory, but the bank + infrastructure contract is challenging.

How long does the license remain valid once it is obtained?

It is indefinite, but if violations/deficiencies are found as a result of annual audits, the BRSA has the authority to suspend and cancel it.

Relevant legislation

  • Law No. 6493 — Payment & electronic money; licensing, operating permit.
  • BRSA Regulations — Payment institution / EMI permission, capital, reporting.
  • Law No. 5549 — MASAK; KYC, STR, regular activity.
  • KVKK + GDPR — Data security, cross-border transfer.
  • PCI-DSS — Card storage; PCI level 1-4 compliance.

Legal notice: This article is for general information purposes; a meeting with a lawyer is required for a concrete case. Durations, rates and practice are shaped by jurisprudence; check the current legislation before applying.

Sources and references

Official legislation and high-court sources were taken as the basis in preparing the content of "12-Month Compliance Roadmap for Fintech: License + MASAK + KVKK".

Copyright notice: This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction, or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

If you are looking for legal support

For professional legal support on this matter, we at Aycan Ceylan Avukatlık Bürosu are at your side.
