For Crypto Asset Service Provider (KVHS), MASAK compliance is a prerequisite for license application. 5 pillars of the program: policy set, KYC/KYB, monitoring & travel-rule, training, internal audit.
KVHS license application criteria
- Minimum capital, corporate governance and one-time financial strength test.
- Manager suitability test (criminal record, financial record).
- IT infrastructure (cold-warm-hot wallet separation, multi-signature, hot wallet limit).
- MASAK compliance program + appointment of compliance officer.
- INDEPENDENT audit, ISO 27001 / 27701 certification.
Travel-rule (FATF Recommendation 16) compliance
For crypto transfers over 1,000 USD, the identity and address information of the sender + receiver must be shared with the other KVHS. Türkiye application:
- Connecting with TRP (Travel Rule Protocol) or similar standard (Sygna Bridge, OpenVASP, TRUST).
- Querying the counter VASP's whitelist.
- Owner verification (Satoshi Test, EIP-191 signature) when transferring to a self-hosted wallet.
Customer risk score matrix
| Factor | Low | Medium | High |
|---|---|---|---|
| Geography | Türkiye, EU, USA | Other OECD | FATF grey/black list |
| Transaction type | BTC, ETH spot | Stablecoin, DeFi inconsistent | Privacy coin (XMR, ZEC), Mixer |
| Amount | <5K USD | 5K-50K USD | 50K USD+ single transaction |
| PEP/sanction | None | Associated 3rd degree | Direct |
Does the 2021/30 payment ban affect the compliance requirement?
No. BRSA 2021/30 only prohibits the use of crypto in payments; KVHS services (buying-selling, storage) are not prohibited. Compliance requirement continues through SK 5549.
What to do if travel-rule fails?
If the opposite VASP travel-rule is incompatible, stop the transfer or redirect it to a self-hosted wallet (with user warning). Report exceeded threshold transfers to MASAK as STR.
Does the brokerage make a difference between the issuer of virtual assets?
Yes. KVHS requires different authorizations for broker and customer types; The issuance (token issuer) is subject to separate CMB regulation.
How often is internal audit?
Annual internal audit + biennial independent external audit is the minimum; A 6-month internal audit is recommended for stock exchanges with a high risk profile.
Is KVHS compliance applied to non-VASP payment intermediaries?
No; The product whose side has changed is evaluated within the framework of another SC. KVHS is for crypto asset service providers only.
Relevant legislation
- Law No. 5549 on the Prevention of Laundering Proceeds of Crime Article 19 — 7-day temporary measure in suspicious transactions.
- 5549 SK article 13 — Administrative fines (obliged person, manager, employee).
- Turkish Penal Code art.282 — Laundering of proceeds of crime (3-7 years + judicial money).
- CMK article 128 — Confiscation of goods and rights; peace penalty approval.
- 5549 SK Implementation Regulation — Suspicious transaction reporting (STR), regular activity reporting.