Fintech Company License Turkey: Complete CBRT Regulatory Guide

If you’re looking to get a fintech company license in Turkey, you need to work within a specific regulatory system, which is mainly run by the Central Bank of the Republic of Turkey (CBRT). The process isn’t just about paperwork; it’s about setting up the right kind of company, proving you have significant capital, and showing regulators you’re ready to operate securely and compliantly from day one.

Understanding Turkey’s Fintech Regulatory Environment

Turkey has worked hard to create a solid and supportive environment for financial technology. This isn’t by accident. Thanks to a young, digitally-native population and forward-thinking regulators, the government laid down a clear legal groundwork early on. This framework manages to encourage new ideas while still protecting consumers and keeping the financial system stable—a balance that’s crucial for anyone wanting to break into this market.

The main player you’ll be dealing with is the Central Bank of the Republic of Turkey (CBRT). It’s the authority that licenses and oversees most fintech operations. Think of the CBRT not just as a rule-enforcer, but as a market-shaper. Getting a handle on what they expect is genuinely the first, most important step you can take.

Key Regulatory Bodies and Their Roles

Knowing who’s who in the regulatory zoo is essential. You’ll likely interact with one of these key institutions:

• Central Bank of the Republic of Turkey (CBRT): This is your go-to for payment and electronic money institutions. They’re the ones who will scrutinise your application, grant the license, and keep an eye on you to make sure you’re sticking to the rules, especially those in Law No. 6493.
• Banking Regulation and Supervision Agency (BRSA): If your business model looks more like a digital bank or involves taking deposits, you’ll be dealing with the BRSA. They have their own unique licensing process, separate from the CBRT’s.
• Capital Markets Board of Turkey (CMB): For anyone in the crowdfunding or crypto-asset space, the CMB is the regulator you need to know. It’s a different slice of the fintech pie, but just as important.

The growth in Turkey’s fintech scene, particularly for payment and e-money services, has been impressive. As of June 2025, a total of 92 payment and e-money institutions had been licensed in Turkey. That’s a huge jump, and it all really kicked off after Law No. 6493 came into effect back in 2013, which opened the door for these companies to operate under the CBRT’s watch.

Key Takeaway: The biggest mistake you can make is applying to the wrong regulator. Before you do anything else, be absolutely certain which authority oversees your specific fintech model. Getting this wrong will cost you time and money.

Before you even think about the license itself, your company needs to legally exist. The entire journey starts with forming your business, which has its own set of procedures. For a full rundown, it’s worth taking a look at the legal requirements to start a business in Turkey. Getting this foundation right from the beginning will make the licensing part much smoother.

Choosing the Right Fintech License for Your Business

Selecting Between Payment Institution and E-Money Licenses

Before you even think about drafting an application, you have to make a crucial decision: which fintech company license in Turkey actually fits what you’re trying to build? Getting this wrong is one of the quickest ways to see your application rejected, setting you back months and costing you a small fortune.

The entire regulatory framework is built on Law No. 6493, which essentially creates two main pathways for fintechs: operating as a Payment Institution or as an Electronic Money (E-Money) Institution. Each license unlocks a very different set of capabilities, so understanding these distinctions is your first real test.

Your choice here will dictate everything that follows—from your business plan and tech stack to the financial forecasts you present to the Central Bank of the Republic of Turkey (CBRT).

Decoding the Payment Institution License

A Payment Institution license is your ticket if your business is all about moving money from point A to point B without actually holding onto it for very long. Think of yourself as a facilitator, the engine that makes transactions happen seamlessly in the background.

So, what can you actually do with this license? The scope is quite specific:

• Payment Processing: This is the bread and butter—giving merchants the ability to accept credit cards and other digital payments.
• Money Remittance: You can help people and businesses send money to each other, both within Turkey and across borders.
• Bill Payments: Your platform can become a one-stop-shop for users to pay their utility bills, rent, and other regular expenses.
• Payment Initiation Services (PIS): A key piece of the open banking puzzle, this lets you kick off a payment from a user’s bank account with their permission.

If your core service is simply executing payment orders and not issuing any form of digital currency, the Payment Institution license is almost certainly the right fit for you.

Simplify your business setup with Workon’s all-in-one company registration service in Turkey.

Understanding the Electronic Money Institution License

The E-Money Institution license is a significant step up in both scope and regulatory expectation. It grants you all the same powers as a Payment Institution, but with one game-changing addition: the ability to issue electronic money.

This is the license you need if you plan to launch a digital wallet, offer prepaid cards, or create any system where users store value electronically on your platform. You’re essentially accepting real funds from a customer and issuing a digital equivalent they can use for purchases and transfers.

Expert Insight: Be prepared for a much higher capital requirement for an E-Money license. From the regulator’s perspective, holding customer funds is a massive responsibility. They demand a much stronger financial cushion to ensure consumer funds are always protected, so make sure your financial planning reflects this.

Opting for an E-Money license means you are more than just a payment processor; you become a custodian of your customers’ money. As you can imagine, the CBRT’s scrutiny of your internal controls, data security, and risk management protocols will be far more intense.

Comparing Key Fintech License Types in Turkey

To make the decision clearer, it helps to see the two license types side-by-side. The table below breaks down the fundamental differences in what each license allows and where the regulators will focus their attention.

As you weigh your options, also consider if your specific business model might be seen as high-risk. Activities involving certain industries or complex cross-border payments often require a deeper understanding of navigating the specific requirements for high-risk payment processors, as this can definitely impact regulatory scrutiny.

Finally, don’t forget the foundational step: your company structure. You must set up a joint-stock company in Turkey before you can even apply for a license. Our guide on company formation in Turkey provides a detailed walkthrough and is essential reading. Getting your corporate structure right from day one will save you from major headaches down the road.

Assembling Your Application for CBRT Review

Preparing and Submitting Your Fintech Application to the Central Bank of Turkey

When you submit your application to the Central Bank of the Republic of Turkey (CBRT), you’re doing more than just filing paperwork. This is your one chance to make a powerful first impression. The regulators aren’t just ticking boxes; they’re looking for a compelling story that proves your company is financially sound, operationally robust, and fully prepared to protect consumers.

Think of your application as a complete business dossier. Every single document needs to be strong on its own but also fit perfectly into the larger narrative. Any inconsistencies, vague promises, or missing details are huge red flags that can get you rejected right out of the gate. A meticulously organised and detailed submission tells the CBRT you’re a serious player in the running for a fintech company license in Turkey.

The Foundational Legal and Corporate Documents

First things first, the CBRT will put your company’s legal framework under a microscope. This is where you prove your business is properly set up and structured to operate under Turkish commercial law. It’s the very foundation of your entire application.

Your Articles of Association have to be flawless. They must clearly spell out the exact payment or e-money services you plan to offer, matching the scope of the license you’re after. Any ambiguity here is an immediate deal-breaker for the regulators.

You’ll also need to lay out your Shareholding Structure in detail. This isn’t just about listing names; it’s a critical transparency check. The CBRT runs ‘fit and proper’ tests on all major shareholders and board members, so get ready to provide:

• Judicial Records: Clean criminal records for all key people are non-negotiable.
• Proof of Reputation: You’ll need evidence of good standing in the business community and relevant industry experience.
• Financial Standing: This means clear documentation showing the financial health and source of funds for your shareholders.

This deep dive into your company’s leadership and ownership is all about making sure the people behind the scenes have the integrity and expertise the industry demands.

Crafting a Persuasive Business Plan and Financial Projections

Your business plan is, without a doubt, the most critical piece of your submission. This isn’t the time for an optimistic pitch deck. It needs to be a detailed, operational blueprint that convinces the CBRT that your business model is not only viable but built to last.

A weak or generic business plan is one of the top reasons applications fail. The regulators need to see a clear and realistic path to profitability that doesn’t cut corners on security or compliance.

Your plan must persuasively explain:

• Your specific target market and the problem you’re solving for them.
• A crystal-clear outline of your products and services.
• Your strategies for marketing and bringing customers on board.
• A sharp, insightful analysis of your competitors in the Turkish market.

Insider Tip: The CBRT gives extra scrutiny to financial projections. Your forecasts for the first three years need to be realistic and backed by solid research and assumptions. You have to demonstrate a deep understanding of the Turkish market, from potential transaction volumes to your revenue models.

These projections have to connect directly to your proof of capital adequacy. The CBRT wants to see that you’ve not only met the minimum capital requirement but also have enough cash to fuel your operations through those early growth stages. This is also where having a proper business bank account becomes vital for showing clear financial management. If you’re not there yet, learning how to open a business bank account in Turkey is a practical step that strengthens your application.

Documenting Your Technical and Security Infrastructure

In the fintech world, your technology is your vault. The CBRT demands absolute confidence that your systems are secure, resilient, and capable of protecting customer data and funds. That means your application needs to include extensive documentation on your entire IT framework.

This technical dossier should break down several key areas in fine detail. Start with a comprehensive overview of your IT infrastructure—everything from servers and networks to your software architecture.

Next up, your Information Security Policies must be thoroughly documented. This covers everything from data encryption standards and access control protocols to your plans for regular vulnerability assessments. You have to show the regulators you’ve got a proactive, multi-layered approach to cybersecurity.

Finally, your Risk Management and Internal Control Systems are crucial. This part of the application details how you identify, assess, and mitigate risks across operations, finance, and compliance. Get specific about your anti-money laundering (AML) and know-your-customer (KYC) procedures, as these are hot-button issues for regulators. A clear, well-defined framework proves to the CBRT that you’re ready to manage the risks that come with playing in the financial services industry.

Getting Through the Official Application and Approval Process

Once you’ve pulled together your comprehensive application package, you’re ready to enter the formal review stages with the Central Bank of the Republic of Turkey (CBRT). This is where all your preparation gets put under the microscope. Don’t think of this as a simple ‘submit and wait’ situation; it’s a dynamic, multi-stage examination where regulators dig deep into your company’s DNA to make sure it’s ready for the Turkish financial market.

Understanding this journey—from the first look to the final decision—is absolutely critical. Knowing what to expect, how long it might take, and the real costs involved will help you manage your resources and your sanity. A well-prepared applicant can anticipate the regulators’ questions and navigate the process with confidence, not anxiety.

The Initial Pre-Assessment Check

After you officially submit your application, it lands in the Pre-Assessment phase. You can think of this as a triage step. At this point, CBRT officials aren’t getting into the nitty-gritty of your business model. They’re doing a high-level check to see if your application is complete and meets the most basic requirements.

During this stage, they’re looking for things like:

• Completeness: Are all the required documents actually there and formatted correctly?
• Basic Eligibility: Does your company tick the fundamental boxes, like being a joint-stock company with the right shareholding declarations?
• Capital Adequacy: Have you provided clear proof that you meet the minimum paid-in capital?

If there are glaring omissions or structural problems, your application can get bounced right back to you, causing major delays. This phase is all about getting the basics right to earn a more detailed look.

The In-Depth Examination Phase

If your application clears the initial check, it moves into the Detailed Examination phase. This is the heart of the entire process and easily the most time-consuming part. A dedicated team of CBRT inspectors will meticulously review every single aspect of your submission. They’re looking past the paperwork to understand the real-world viability and integrity of your operation.

The inspectors focus heavily on your business plan’s sustainability, the strength of your tech infrastructure, and your company’s financial health. They need to see that you’ve thought through every possible scenario and have built a secure, compliant, and responsible fintech from the ground up. Expect several rounds of questions and requests for more information as they probe for weaknesses.

Real-World Scenario: Let’s say you’ve submitted a business plan with very optimistic growth projections. The CBRT will likely come back asking for the specific market data and assumptions behind those numbers. They might also want a more detailed breakdown of your IT security budget to ensure it scales realistically with your projected user growth. Having that supporting data ready is crucial.

The application fee for a fintech company license in Turkey is around ₺1.5 million as of 2024. The whole process is tough, and regulators will confirm that companies meet strict rules for their articles of association, management, capital, and risk management. For more background, you can explore the current fintech regulations in Turkey on nortonrosefulbright.com.

The infographic below shows the core compliance steps that are scrutinised during this examination and continue even after you get your licence.

Key Regulatory, AML/KYC, and Reporting Steps for Fintech Licensing

As you can see, the CBRT’s review is just the start of an ongoing compliance journey, with a heavy focus on AML/KYC and continuous reporting.

Realistic Timelines and Common Bottlenecks

While every case is different, you should realistically expect the entire process—from submission to final approval—to take anywhere from 12 to 18 months. It feels like a long time, but it’s important to understand why. The detailed examination phase alone can easily eat up most of that period.

A few common bottlenecks can stretch this timeline even further:

1. Incomplete or Vague Submissions: If you provide unclear information, regulators are forced to send requests for clarification. Each back-and-forth can add weeks or even months.
2. Complex Business Models: If your fintech offers something new or particularly complex, the CBRT will naturally take more time to assess the risks involved.
3. Slow Response Times: How quickly and thoroughly you answer the CBRT’s questions will directly impact the timeline. Delays on your end create delays on theirs.

Budgeting for this duration is just as important as budgeting for the actual costs.

Breaking Down the Full Spectrum of Costs

The official application fee is just the tip of the iceberg. To budget properly, you need to think about the whole financial picture.

• Official Fees: The CBRT’s application fee is a significant upfront cost you can’t avoid.
• Legal Consultation: Hiring expert legal counsel isn’t optional; it’s a necessity and will be a major investment throughout the process.
• Third-Party Audits: You’ll likely need independent audits of your IT systems or financial controls, which adds another layer of expense.
• Operational Costs: Don’t forget, you’ll be paying for staff, technology, and office space for over a year before you can even think about generating revenue.

Careful financial planning that accounts for all these moving parts is what will keep you afloat during the long approval journey and help you launch your fintech on solid ground.

So You Got Your Licence. What Now? Staying Compliant in Turkey’s Fintech Scene

Getting that fintech licence in Turkey feels like crossing the finish line, but it’s really just the start of the race. The moment you have that piece of paper, you’ve officially entered a closely watched financial world. Now, your relationship with regulators like the Central Bank of the Republic of Turkey (CBRT) shifts from applicant to active, regulated entity.

The biggest trap I see newly licensed firms fall into is treating compliance like a one-and-done project. It’s not. It’s a living, breathing part of your daily operations that needs constant attention. Your focus has to pivot from getting the licence to keeping it.

Your Internal Controls Need to Be More Than Just Paperwork

First things first: those internal control systems you promised in your application? It’s time to bring them to life. This isn’t just about theory anymore. You need a real, empowered compliance officer and a clear structure where everyone, from the top down, knows their part in keeping the company on the right side of the law.

Think of these controls as your company’s immune system. They’re there to catch problems before they become full-blown crises. It’s about building a genuine culture of compliance, not just a rulebook.

• Keep Your Risk Assessments Fresh: You have to regularly check for new risks, especially around money laundering, fraud, and data security. What seemed like a minor risk when you launched can quickly become a major threat as your user base grows.
• Document Everything Clearly: From how you onboard a new customer to what happens when a suspicious transaction is flagged, every single procedure needs to be written down and available to your team.
• Train Your People Relentlessly: Your team is your first and most important line of defence. Ongoing, documented training on Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) isn’t just a good idea—it’s a strict regulatory requirement.

A Word of Experience: Don’t let your risk management framework become a static document filed away somewhere. A classic mistake is failing to update risk models when you launch a new product or expand into a new customer demographic. The CBRT absolutely expects your controls to grow and adapt right alongside your business.

Juggling Reporting Duties and Data Protection

Once you’re operational, you’re on the hook for regular reporting and have to follow Turkey’s tough data protection laws to the letter. Two areas, in particular, need your constant focus: your AML/CFT duties and protecting customer data under the Personal Data Protection Law (KVKK).

The Financial Crimes Investigation Board (MASAK) is the big player here, and their rules are non-negotiable. This means:

1. Know Your Customer (KYC): You need a rock-solid process for identifying and verifying every single customer.
2. Transaction Monitoring: Your systems must be constantly scanning for transactions that look strange or out of the ordinary.
3. Suspicious Activity Reporting (SAR): If you spot something suspicious, you have to report it to MASAK immediately—and without letting the customer know.

Dropping the ball on any of these can lead to serious trouble, from massive fines to, in the worst-case scenario, losing the fintech company licence in Turkey you worked so hard to get.

At the same time, you have to be fully compliant with the KVKK, which is Turkey’s answer to GDPR. It dictates exactly how you can collect, use, and store your customers’ personal information. One data breach isn’t just a PR nightmare; it’s a direct path to serious financial and reputational pain.

Don’t Get Caught Off Guard by Regulatory Shifts

The fintech world moves fast, and the rules change to keep up. New technologies and new risks mean regulations are always evolving. It’s your job—and your responsibility—to stay on top of any updates from the CBRT, MASAK, or any other authority.

Make it a habit to read official regulatory circulars and get involved with local fintech industry groups. To make this process smoother and less prone to human error, many firms find that using some of the best compliance management software solutions makes a world of difference. These platforms can help automate the monitoring and reporting, giving you peace of mind.

Ultimately, staying compliant is about building a business that people can trust. When you build a strong compliance culture from day one, you’re not just protecting your licence—you’re laying the groundwork for a successful, sustainable future in Turkey’s exciting fintech market.

Got Questions About the Turkey Fintech License? You’re Not Alone.

Entrepreneurs celebrating their fintech company license approval under the CBRT regulatory framework

Stepping into Turkey’s fintech scene is exciting, but let’s be honest—the licensing process can feel like a maze. Founders, investors, and even legal teams often get tangled up in the same core questions about capital, timelines, and potential showstoppers.

Getting straight answers is the first step to building a solid market-entry strategy and avoiding headaches down the road. So, let’s tackle the questions I hear most often, drawing from real-world experience to cut through the jargon and give you the practical insights you need.

What’s the Real Minimum Capital I Need?

This is usually the first question on everyone’s mind, and for good reason. The minimum paid-up capital isn’t a one-size-fits-all number; it’s set by the Central Bank of the Republic of Turkey (CBRT) and depends entirely on the type of license you’re after and the services you plan to offer.

An Electronic Money Institution, for example, which holds customer funds, is going to face a much steeper capital requirement than a straightforward Payment Institution that just processes transactions. These aren’t set in stone, either. The CBRT reviews and adjusts these figures periodically to keep up with market risks and economic shifts.

Key Takeaway: Never base your financial model on old information. Before you finalise anything, you absolutely must check the latest capital requirements directly from the CBRT’s official publications or confirm with your local legal counsel. Getting this wrong will stop your application in its tracks.

Can Foreigners Apply for a Fintech License?

Absolutely. Turkey welcomes foreign investment in its fintech sector. But there’s a critical first step: you can’t apply as a foreign entity. You must first establish a joint-stock company in Turkey, known locally as an Anonim Şirket (A.Ş.).

The CBRT will put the shareholding structure under a microscope. Every foreign founder and significant shareholder goes through the exact same rigorous “fit and proper” assessment as Turkish applicants. This is all about proving you have a clean financial track record and the right kind of industry experience.

Just be ready for a bit more paperwork. You’ll need to provide documents from your home country, all of which must be officially translated and notarised. The bar is the same for everyone, but the documentation trail for foreign nationals is longer.

How Long Does This Whole Process Actually Take?

Patience is more than a virtue here; it’s a necessity. Being realistic, you should brace for a timeline of 12 to 18 months from the moment you file a complete application to getting that final yes or no. If you have an unusually complex business model or there’s a lot of back-and-forth with the regulator, it can stretch even longer.

The stage that eats up the most time is the CBRT’s detailed examination. This is where inspectors go deep, scrutinising everything from your business plan’s viability to the strength of your IT security. The quality and clarity of your initial submission—and how quickly you respond to their questions—will directly impact how long this takes.

What Are the Most Common Reasons Applications Get Rejected?

Knowing where others have stumbled is one of the smartest ways to pave your own path to success. Most rejections boil down to a handful of recurring issues.

Here are the top deal-breakers I’ve seen:

• A Vague Business Plan: If your market analysis is thin or your financial projections seem like guesswork, the CBRT will see it as a major red flag.
• Missing the Capital Mark: This is non-negotiable. You either have the required capital, or you don’t. There’s no grey area.
• Weak IT & Security: You must provide concrete proof that your systems are robust enough to protect customer data and funds from today’s threats.
• Inexperienced Management: Regulators need to see a leadership team that has credible, relevant experience in finance or technology.
• A Flawed Risk Framework: A generic, copy-paste plan for managing operational, financial, and compliance risks simply won’t cut it.

Your best defence against these common pitfalls is meticulous preparation and an almost obsessive attention to detail.

Navigating the complexities of establishing your business in Turkey requires expert guidance. At Workon, we specialise in simplifying the entire process, from company formation to securing necessary permits, allowing you to focus on what you do best—growing your business. Let our team handle the details so you can launch with confidence. Start your journey in the Turkish market with Workon today.