Fintech Sanctions in Turkey: Administrative Fines and Criminal Liability Under Law No. 6493
Turkey penalizes fintech firms on two tracks at once: administrative fines on the company under Article 27 of Law No. 6493, and personal criminal liability on the executives who run it under Articles 28 to 36, with the Central Bank (TCMB) acting as the single regulator and prosecution gatekeeper. For a payment or electronic money institution, paying a fine does not close a criminal file, and a foreign passport does not shield a named director. This guide explains both tracks, the current figures, and what a foreign founder or board member should do the moment the regulator makes contact.
The legal framework: Law No. 6493 and who actually regulates fintech
The backbone of fintech regulation in Turkey is Law No. 6493, the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. It governs licensed payment institutions, electronic money institutions, and the systems that settle and clear transactions. If your business moves money, issues e-money, or operates a payment system in Turkey, this is the statute that defines what you may do and what happens when you cross the line.
One authority now leads. Since 1 January 2020, the licensing and supervisory powers over payment services, payment institutions and electronic money institutions sit with the Central Bank of the Republic of Turkey (TCMB / CBRT). Before that date these powers belonged to the Banking Regulation and Supervision Agency (BRSA / BDDK), and many older guides still name the BRSA as the fintech regulator. That is out of date. The TCMB is today the single body that licenses payment and e-money institutions, supervises them, and decides whether a criminal file can be opened against their managers. The BRSA only re-enters the picture where a banking-licence overlap arises under the Banking Law No. 5411.
The framework runs on two tracks in parallel: administrative penalties aimed at the institution, and criminal liability aimed at the individuals who manage it. Understanding that these tracks are separate is the single most important point for any foreign executive. A company can pay an administrative fine and still see its directors prosecuted criminally for the same underlying conduct. Settling with the regulator does not extinguish personal criminal exposure. If you are still at the entity-setup stage, structuring the company and mapping who holds licensable roles is part of setting up and licensing a Turkish fintech entity correctly from day one.
Administrative fines under Article 27
Article 27 of Law No. 6493, headed "breaching regulations and decisions," is the principal administrative sanction. It targets the institution as a legal entity rather than individuals, and it is the penalty foreign operators encounter most often during routine supervision.
How the fine is calculated
The statute sets a base monetary band and then layers an anti-enrichment rule on top of it:
- Base statutory band: the un-revalued figure in the statute is TRY 40,000 to TRY 900,000 per violation. These amounts are revalued every year under the tax revaluation mechanism (yeniden değerleme), so the figure actually applied in 2026 is higher than the statutory base. Confirm the current revalued band from the TCMB before you assess exposure.
- The "benefit rule": where the institution gained an unlawful benefit or caused a loss, the fine cannot be less than twice that amount. For a repeat violation committed before a fine is imposed, the fine is doubled; and where a repeat violation again produces a gain or loss, the floor rises to three times the benefit or damage. These multipliers can push the effective penalty far above the nominal band and are designed to remove any incentive to treat fines as a cost of doing business.
The right to a written defense and the challenge route
Administrative sanctions are not imposed in silence. Before a fine becomes final, the institution is given a window — typically one month — to file a written defense setting out its position. A reasoned, well-evidenced defense can reduce or remove the penalty. If the fine is confirmed, it can be challenged before the administrative courts (idare mahkemesi); under the Administrative Procedure Law (İYUK No. 2577) the standard window to bring such a challenge is sixty days from notification. Administrative fines also sit within the general framework of the Misdemeanours Law (Kabahatler Kanunu No. 5326), which governs how monetary administrative penalties are imposed and contested.
Personal criminal liability for executives (Articles 28-36)
This is where foreign managers are most exposed and least prepared. Law No. 6493 does not stop at fining the company; it creates criminal offenses that fall on natural persons — board members, directors, authorized signatories and, depending on the conduct, other personnel. Holding a foreign passport or sitting on the board from abroad does not insulate you from a Turkish criminal file.
Turkish law treats criminal liability as personal: under Article 20 of the Turkish Penal Code (TCK No. 5237), only natural persons can be criminally punished, while legal persons (the company itself) face security measures under TCK Article 60, such as licence cancellation or confiscation. That is the principle underneath the dual-track design — the company pays the administrative fine and faces security measures; the people behind the conduct face prison.
The core offenses, with the ranges set out in the statute, are:
| Offense | Article | Imprisonment | Judicial fine | TCMB referral needed? |
|---|---|---|---|---|
| Unauthorized activity (operating without a licence) | Art. 28 | 1–3 years | up to 5,000 days | Yes |
| Obstructing supervision / withholding information | Art. 29 | 3 months–3 years | up to 1,500 days | Yes |
| Information-security & record-keeping breaches | Art. 31 | 1–3 years | 500–1,500 days | No — direct complaint allowed |
| Breach of confidentiality | Art. 32 | 1–3 years | up to 1,000 days | General rules |
| Embezzlement | Art. 36 | 6–12 years (aggravated: min. 12 years) | up to 5,000 days | General rules |
A few points are worth pulling out. Unauthorized activity (Art. 28) is the flagship offense — it covers providing payment services, issuing electronic money or running a payment system without the TCMB licence the law requires, including operating before a licence is granted or after one is revoked. Embezzlement (Art. 36) is the gravest offense in the statute: misappropriation of funds entrusted to the institution carries six to twelve years, rising to a minimum of twelve years in its aggravated form together with an obligation to make good not less than three times the loss. It parallels the embezzlement (zimmet) offense in the TCK No. 5237, but the six-to-twelve-year range is the statute's own.
The prosecution gatekeeper: Article 37
One of the most important procedural features of Law No. 6493 — and a genuine protection for institutions and their staff — sits in Article 37. For the offenses it covers, a public prosecutor cannot open a criminal case on their own initiative. They first need a formal written application from the TCMB.
In practice the TCMB acts as a gatekeeper: no regulatory referral, no prosecution for the gated offenses. That filter is significant, because it gives institutions a chance to resolve matters at the regulatory level before they ever reach the criminal courts.
The important exception
The gatekeeper does not cover everything. While Articles 28 and 29 are firmly inside the filter, Article 31 carries a direct-complaint carve-out: affected or interested parties can complain about information-security and record-keeping breaches directly, without waiting for a TCMB application. For a fintech handling large volumes of customer data, that means a single aggrieved customer can set a criminal process in motion. Data-security compliance is therefore not just a regulatory checkbox; it is direct criminal-risk management, and it sits close to the wider cybersecurity obligations and breach risk Turkish institutions now face.
Where Article 31 duties come from: TCMB secondary regulation
The information-security and record-keeping obligations that Article 31 turns into criminal risk are not free-floating. They are detailed in the TCMB's secondary legislation — principally the Regulation on Payment Services and the Issuance of Electronic Money, Payment Service Providers and Payment Institutions and the accompanying Communiqué on Information Systems of payment and electronic money institutions. These instruments set the data-retention, systems-security and outsourcing standards an institution must meet.
That matters for criminal exposure in a concrete way: a breach of a duty written into the TCMB regulation can be the factual basis for an Article 31 offense. Because much of the information-systems work is delegated to vendors and cloud providers, the terms you agree in service-provider and outsourcing contracts directly shape who is exposed if a breach occurs and how a defense can be evidenced. Confidentiality obligations under Article 32 reach the same third-party providers.
How this intersects with anti-money-laundering rules
Fintech liability in Turkey rarely lives in isolation. Payment and e-money institutions are obliged (liable) parties under the country's anti-money-laundering regime, supervised by MASAK (the Financial Crimes Investigation Board) under Law No. 5549 on the Prevention of Laundering Proceeds of Crime. Failures in customer due diligence, suspicious-transaction reporting, or record-keeping can generate their own administrative fines and feed into criminal investigations.
Where money laundering is suspected, the conduct can also engage the Turkish Penal Code (TCK No. 5237) — laundering of assets under Article 282 and, where deception is involved, fraud under the Turkish Penal Code (Articles 157–158). A fintech compliance failure can therefore expand quickly from a Law No. 6493 matter into a multi-statute exposure spanning TCMB supervision, MASAK / AML duties and general criminal law. This is why specialist defense at the first sign of regulatory contact matters so much.
A worked example: one audit, two parallel files
The two tracks are easiest to understand from a single, anonymized scenario. Suppose a TCMB supervision team reviews a payment institution and finds that part of its service went live before the licence was fully in place, and that customer funds in one ledger do not reconcile.
- The administrative file: the institution receives a notice and a window of roughly one month to file a written defense under Article 27. If the breach is confirmed, the company faces a fine in the revalued TRY 40,000–900,000 band — and, if it gained from the conduct, not less than twice that benefit. The company can then take the fine to the administrative court within 60 days under İYUK No. 2577.
- The criminal file: the same facts can produce a separate criminal track. The pre-licence activity points at Article 28 (unauthorized activity, 1–3 years), and the ledger shortfall can be examined as possible embezzlement under Article 36 (6–12 years). For the Article 28 strand, the prosecutor needs a TCMB written application first; the Article 36 strand follows the general rules.
One audit, two files, two timelines — and the individuals named in the criminal track are not the same legal person paying the fine. Coordinating both responses from the first notice is what keeps an administrative problem from becoming a personal one.
Cross-border reality for a foreign board member
Most of our readers in this area are foreign executives sitting outside Turkey, and the unspoken question is simple: what can actually reach me abroad? The honest answer is that distance reduces but does not remove the risk.
- Summons and statements: a Turkish investigation can summon a named individual to give a statement (ifade). Non-appearance can lead the prosecutor or court to escalate, including issuing measures that take effect if you enter the country.
- Entry and travel measures: where a criminal file is open, the practical pinch points are arrival in Turkey and any travel ban (yurt dışı çıkış yasağı) a court may impose on those within reach. A board member who travels in can find a measure waiting.
- Jurisdiction and cooperation: conflict-of-laws questions are governed by MÖHUK No. 5718, and cross-border enforcement depends on mutual legal assistance and any applicable extradition arrangements, which vary by country and offense. These are fact-specific and should never be assumed either way.
If you hold a board or signatory role from abroad, the right time to map your exposure is before a file opens, not after a summons. Clear allocation of corporate governance and board-role mapping can keep individuals out of the line of fire that Articles 28–36 draw.
Practical compliance and defense steps for foreign operators
For foreign-owned payment and e-money businesses, the goal is to keep matters at the administrative level and to protect named individuals if a criminal file ever opens. Practical measures include:
- Build documented internal controls with clear audit trails, so a written defense under Article 27 can be evidenced quickly within the one-month window.
- Treat the Article 31 information-security obligations — and the underlying TCMB regulation and information-systems communiqué — as a criminal-risk priority, given that customers can complain directly without a regulatory filter.
- Map who holds authorized-signatory and board roles, and brief those individuals on their personal criminal exposure under Articles 28–36.
- Maintain a clean, retrievable record-keeping system for both Law No. 6493 and MASAK / Law No. 5549 purposes.
- Engage specialist criminal defense counsel the moment the TCMB or MASAK makes contact — before giving any statement.
If your institution has received a notice, a request for a written defense, or any indication of a referral to prosecutors, do not respond alone. Contact Lexin Legal to assess your administrative and criminal exposure and to coordinate the institution's defense alongside the position of any individually named executive.
Frequently asked questions
Who regulates fintech and payment institutions in Turkey?
Since 1 January 2020, the Central Bank of the Republic of Turkey (TCMB / CBRT) is the single authority that licenses and supervises payment institutions, electronic money institutions and payment systems under Law No. 6493. These powers were transferred from the Banking Regulation and Supervision Agency (BRSA / BDDK), which only remains relevant where a banking-licence overlap under Law No. 5411 arises. Older guides naming the BRSA as the fintech regulator are out of date.
Which Turkish law governs fintech sanctions?
The principal statute is Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions. It is enforced by the Central Bank (TCMB) and sets both administrative fines (Article 27) and criminal offenses (Articles 28 to 36). Anti-money-laundering obligations under Law No. 5549 (MASAK) often apply in parallel, and serious misconduct can also engage the Turkish Penal Code No. 5237.
How large can fintech fines be in Turkey?
Article 27 of Law No. 6493 sets a base band of TRY 40,000 to TRY 900,000 per violation, but these figures are revalued every year (the 2026 revaluation rate is 25.49%), so the amount actually applied is higher than the statutory base. Where the institution gained from a violation, the fine cannot be less than twice the benefit, rising to three times for repeat violations. Confirm the current revalued band from the TCMB rather than relying on historical numbers.
What happens if you operate a payment service without a licence in Turkey?
Operating a payment service, issuing electronic money or running a payment system without the required TCMB licence is unauthorized activity under Article 28 of Law No. 6493. It carries imprisonment of one to three years plus a judicial fine of up to 5,000 days, and the premises can be closed for two to six months or permanently. A prosecutor can only open the case after the TCMB files a written application under Article 37.
Can a foreign director be held criminally liable for a Turkish fintech's violations?
Yes. Articles 28 to 36 of Law No. 6493 create personal criminal offenses for board members, directors and authorized signatories regardless of nationality. Unauthorized activity (Article 28) carries one to three years and embezzlement (Article 36) carries six to twelve years. Criminal liability is personal under Article 20 of the Turkish Penal Code, so a foreign passport does not provide immunity from a Turkish criminal process.
Does paying an administrative fine end the matter?
Not necessarily. Administrative penalties under Article 27 target the institution, while criminal liability under Articles 28 to 36 targets individuals. The same conduct can lead to both a corporate fine and a separate criminal prosecution of the people responsible. Settling with the TCMB does not extinguish personal criminal exposure.
What is the Article 37 prosecution gatekeeper?
For unauthorized activity (Article 28), obstructing supervision (Article 29) and record-keeping or information-security breaches (Article 31), a prosecutor cannot open a criminal case without a written application from the Central Bank (TCMB). This acts as a filter that lets institutions resolve issues at the regulatory level first. The key exception is Article 31 information-security offenses, where affected parties can complain directly without a TCMB referral.
