Establishing a Payment Institution in Turkey: Central Bank Licensing and Legal Requirements

The global financial technology landscape is shifting, and Turkey has emerged as one of the most vibrant battlegrounds for innovation. With a young, unbanked population eager for digital solutions and a strategic location bridging Europe and Asia, the Turkish market offers immense potential for Fintech disruptors. However, unlike the “move fast and break things” era of early Silicon Valley, the Turkish Fintech ecosystem is built on a bedrock of stringent regulation. For international investors, business setup in Turkey in the payment services sector is not merely a commercial incorporation; it is a complex regulatory marathon governed by the Central Bank of the Republic of Turkey (CBRT).

Understanding the nuances of Law No. 6493 (The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions) is the first step in Payment Institution License Turkey journey. This guide serves as a strategic blueprint for establishing a licensed Payment Institution (PI) or Electronic Money Institution (EMI) in Turkey, dissecting the capital requirements, technological mandates, and the dual-stage licensing process that defines market entry.

The Regulatory Architect: From BRSA to CBRT

Historically, the Banking Regulation and Supervision Agency (BRSA) held the keys to the kingdom. However, a pivotal shift in the regulatory framework transferred this authority entirely to the Central Bank of the Republic of Turkey (CBRT). This move signaled a semantic and practical change: payment services are no longer just “banking-adjacent” activities; they are central components of the national monetary stability. Consequently, any foreign entity looking to register a company in Turkey with the intent of processing payments, issuing e-money, or acting as a digital gateway must navigate the CBRT’s rigor. This transition has streamlined supervision but also raised the bar for compliance, particularly regarding information systems and fund protection.

Corporate Structure and Shareholding Eligibility

Before approaching the regulator, the corporate vehicle must be perfectly aligned with statutory requirements. A standard Limited Liability Company (LLC) is insufficient for this tier of operation. The law mandates that a Payment Institution must be established as a Joint Stock Company (JSC – Anonim Şirket). This distinction is critical because JSCs offer a more robust governance structure, including a General Assembly and a Board of Directors, which the regulator demands for accountability.

Furthermore, the shareholding structure is subject to a “transparent and open” test. All share certificates must be “registered” (nama yazılı) rather than “bearer” shares, ensuring that the Ultimate Beneficial Owners (UBO) are always identifiable. The CBRT conducts a deep-dive background check on any shareholder holding ten percent or more of the capital. These individuals must meet specific “fit and proper” criteria, similar to those required for bank founders. They must be free of bankruptcy history and serious criminal records, particularly those involving financial crimes, fraud, or tax evasion. This is where the initial company formation in Turkey intersects heavily with due diligence; a single red flag in a shareholder’s history can derail the entire license application.

The Financial Pillar: Minimum Capital and Equity

Fintech is capital intensive, and Turkish regulations reflect this reality to ensure system stability. The “entry ticket” is the minimum paid-in capital requirement, which must be fully paid in cash—not in kind—before the application. These figures are subject to annual revaluation based on the inflation rates and specific communiqués issued by the CBRT.

As of the latest regulatory updates approaching the 2025-2026 period, the capital thresholds have been segmented based on the complexity of the service. For a standard Payment Institution acting as a gateway (intermediating fund transfers or acquiring transactions), the minimum equity requirement has seen significant upward revisions, currently hovering around the 30 Million TRY mark (subject to official gazette updates). For Electronic Money Institutions (EMIs) that issue digital wallets or prepaid cards, the threshold is considerably higher, reflecting the increased risk of holding customer funds. It is imperative to consult with IncorpTurkey for the exact, real-time figure on the day of your application, as these numbers are dynamic. Crucially, this capital must be free of any collusion or fictitious transactions; the regulator traces the “source of funds” to ensure it is clean capital.

The Dual-Stage Licensing Process

Obtaining a license is not a single administrative act; it is a two-phase process that tests both the theoretical and practical readiness of the applicant.

Phase 1: The Establishment Permit The first hurdle is obtaining the “Establishment Permit.” In this stage, the investor submits a comprehensive dossier to the CBRT, including the draft Articles of Association, a detailed three-year business plan, and projected financials. The business plan must be more than a pitch deck; it must semantically demonstrate how the company will generate revenue while complying with Turkish laws. The regulator evaluates the feasibility of the model and the background of the founders. Only after receiving this permit can the investor formally register a company in Turkey at the Trade Registry with the title “Payment Institution” or “Electronic Money Institution.”

Phase 2: The Operating License Incorporation is not authorization. Once the company is legally formed, it enters the second phase: the “Operating License” (Activity Permit). This is the audit phase. The company must build its physical and digital infrastructure, hire key personnel (including a General Manager and internal control staff), and establish its IT systems. The CBRT will not grant the final license until it is satisfied that the company can securely process transactions. This phase typically involves an on-site inspection.

Information Systems and Data Localization

Perhaps the most technically demanding aspect of Law No. 6493 is the requirement for Information Systems compliance. Turkey maintains a strict “Data Localization” policy for financial data. The primary and secondary systems used to process payment data must be physically located within the borders of Turkey. Relying solely on a global cloud provider hosted in Dublin or Frankfurt is not compliant.

The applicant must undergo a rigorous “Information Systems Audit” conducted by independent audit firms authorized by the regulator. This audit verifies the security, redundancy, and business continuity plans of the infrastructure. For a foreign Fintech expanding to Turkey, this often means investing in local server infrastructure or partnering with compliant local data centers. Failing this audit is the most common reason for delays in the licensing process.

Collateral and Fund Protection

To protect consumers, the law requires Payment Institutions to provide collateral (Teminat) to the CBRT. This is a safety net. The amount of collateral is calculated based on the nature of the services and potentially the transaction volume. This creates a financial obligation beyond the initial capital.

Additionally, the concept of “Safeguarding of Funds” is paramount. A Payment Institution cannot use customer funds for its own operational expenses or investments. These funds must be kept in specific “protection accounts” at Turkish banks, segregated from the company’s own assets. This legal ring-fencing ensures that even if the Payment Institution goes bankrupt, the users’ money remains safe and can be returned.

MASAK Compliance: The Anti-Money Laundering Regime

A licensed Payment Institution automatically becomes an “Obliged Party” under the regulations of MASAK (Financial Crimes Investigation Board). This brings the company under the umbrella of Turkey’s strict Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) regime.

The company must appoint a Compliance Officer who reports directly to the Board of Directors. It must implement robust Know Your Customer (KYC) procedures to verify the identity of its users. In the digital age, this often involves “Remote Identification” technologies, which are heavily regulated to ensure they are tamper-proof. The semantic link between “Innovation” and “Compliance” is strongest here; the technology must be frictionless for the user but impenetrable for money launderers.

Conclusion: The Cost of Entry vs. The Prize

Establishing a Payment Institution in Turkey is a high-barrier, high-reward endeavor. It requires significant upfront capital, technical localization, and patience through a licensing process that can take 6 to 12 months. However, the reward is access to one of the most active e-commerce and digital banking markets in the region.

The complexity of Law No. 6493 means that company formation in Turkey for Fintechs is not a DIY project. It requires a synchronized effort between legal counsel, financial advisors, and IT auditors. At IncorpTurkey, we act as the conductor of this orchestra, guiding global Fintechs through the labyrinth of the Central Bank, from the first draft of the business plan to the final go-live authorization.