Sanctions and Liabilities in Turkey’s Payment Systems have become increasingly important as Turkey’s digital payments and fintech industry continues to expand, making regulatory enforcement essential for ensuring financial integrity and consumer trust. Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions lays the legal groundwork for these activities. Among its most consequential parts, Section Seven (Articles 27 to 40) establishes a comprehensive regime of sanctions, investigations, criminal liability, and procedural rules applicable to payment service providers, electronic money institutions (EMIs), and system operators.

This article provides an in-depth legal analysis of each article under Section Seven, examining the structure and function of the enforcement provisions, the types of liabilities imposed on individuals and institutions, and the mechanisms for judicial review and regulatory supervision. Drawing on the regulatory experience of Bıçak Law Firm, this guide aims to support businesses in understanding their obligations and legal risks, while also informing legal practitioners and scholars of the evolving enforcement framework in Turkey’s fintech ecosystem.

Overview of Section Seven and Its Enforcement Philosophy

Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, enacted in 2013 and significantly amended in 2019 by Law No. 7192, forms the cornerstone of Turkey’s legal and regulatory framework governing non-bank financial institutions involved in digital payments, electronic money issuance, and the operation of payment systems.

The law aligns with European Union norms, particularly the EU’s Revised Payment Services Directive (PSD2), and grants the Central Bank of the Republic of Turkey (CBRT) extensive regulatory, licensing, supervisory, and enforcement authority. It aims to ensure the safety, efficiency, transparency, and resilience of payment services and infrastructure while protecting the rights of consumers and fostering innovation in the fintech ecosystem.

Section Seven (Articles 27 to 40) of the law sets out the enforcement mechanisms available when market participants fail to comply with the obligations imposed by the law, its secondary legislation, and CBRT-issued decisions. This section encompasses a broad range of sanctions, including:

• Administrative fines imposed by the CBRT Executive Committee (Article 27),
• Criminal penalties for unauthorized operations and misconduct (Articles 28–36),
• Procedural safeguards and defense rights (Article 27/3),
• Public prosecution procedures (Article 37),
• Emergency and reputational measures (Articles 33–34), and
• Provisions for transition and coordination with other financial laws (Articles 38–40).

The philosophy underpinning this section is one of graduated enforcement: the CBRT is empowered to act proportionately depending on the severity of the breach, the degree of intent or negligence, and the financial or reputational harm caused. Minor infractions may result in rectification orders or moderate fines, while serious violations – such as unlicensed activity, data breaches, or embezzlement – trigger severe sanctions including imprisonment, multi-year business bans, and public exposure.

Additionally, this section introduces personal criminal liability for individuals acting on behalf of institutions, such as board members, executives, and employees, especially where internal governance and compliance mechanisms fail or are deliberately circumvented.

The section also reflects principles of procedural fairness and transparency. Institutions have the right to be notified of allegations, present their defense, and challenge CBRT sanctions in administrative courts. Where necessary, the CBRT may also refer cases to the public prosecutor or take interim protective measures, including suspension of operations or blocking access to unauthorized platforms.

In summary, Section Seven represents the enforcement arm of Law No. 6493, acting both as a deterrent against malpractice and as a corrective mechanism for maintaining systemic trust and operational discipline in Turkey’s dynamic electronic payments sector.

Administrative Sanctions for Regulatory Violations (Art. 27)

Article 27 of Law No. 6493 constitutes the foundational provision for the administrative enforcement of regulatory obligations applicable to system operators, payment service providers, and electronic money institutions. It empowers the Executive Committee of the Central Bank of the Republic of Turkey (CBRT) to impose monetary fines and outlines the procedures and legal remedies concerning such sanctions.

Scope of Sanctionable Conduct

Under Article 27(1), administrative fines are imposed on legal persons that violate:

• Provisions of Law No. 6493,
• Regulations and decisions issued pursuant to the law,
• Rules not subject to separate criminal sanctions under this section.

Thus, the article applies broadly to a range of infractions, including failure to meet operational requirements, deficient reporting practices, non-compliance with CBRT instructions, or improper use of client funds – unless such violations are already penalized by criminal provisions in Articles 28 – 36.

Penalty Structure and Proportionality

The law introduces a graduated fine system:

• The base fine ranges from 40,000 to 900,000 Turkish Liras,
• If unlawful benefit is gained or damage is caused, the fine must be at least twice the amount of such gain or damage,
• If the violation is committed more than once before the fine is imposed, a single fine is issued but doubled,
• If the repeated violation results in gain or loss, the fine must be at least three times the amount of the benefit or damage.

This formula reflects a risk- and consequence-based sanctioning model, which is intended to deter misconduct proportionate to the magnitude and frequency of the breach.

Procedural Safeguards and the Right to Defense

Before any fine is finalized, Article 27(3) mandates that:

• The relevant institution must be notified of the alleged violation and invited to submit a defense,
• If no defense is received within one month, the institution is deemed to have waived its right to contest the charges.

Article 27(2) requires that any fine decision be reasoned and communicated in writing, ensuring transparency and procedural fairness.

Our experience shows that institutions frequently overlook this defense opportunity, often leading to preventable penalties. We advise clients to immediately respond to CBRT inquiries with detailed factual and legal rebuttals, supported by internal documentation and compliance records.

Payment Obligation and Enforcement

Under Article 27(4), imposed fines must be paid within one month of notification. Failure to pay may result in forced collection measures under Turkey’s general administrative enforcement rules.

The CBRT generally does not allow installment plans or postponements unless a separate regulation or policy decision permits such relief.

Judicial Review and Legal Remedies

Article 27(5), added by the 2019 amendment (Law No. 7192), explicitly confirms that CBRT-imposed administrative fines may be challenged before the competent administrative court, generally within 60 days of receipt.

The courts examine:

• Whether there was a legal basis for the fine,
• Whether the fine was proportionate and correctly calculated,
• Whether due process was respected (e.g., opportunity to defend, proper notification).

In successful cases, courts may annul the fine entirely or order its recalculation. Bıçak represents clients throughout this process – from preliminary responses and settlement attempts to full-scale litigation and judicial appeal.

Criminal Liability for Operating Without a License (Art. 28)

Article 28 of Law No. 6493 addresses the criminal consequences of operating in the payment services or electronic money sector without obtaining a license from the CBRT. This article represents a critical element of regulatory enforcement, aiming to prevent informal or unauthorized financial intermediation that could endanger consumer funds and destabilize the payment system.

Unauthorized Operations as a Criminal Offense

Under Article 28(1), natural persons and responsible officers of legal entities that act as:

• System operators,
• Payment institutions, or
• Electronic money institutions

without obtaining the necessary license from the CBRT are subject to:

• Imprisonment from one to three years, and
• A judicial fine of up to 5,000 days.

This provision targets both de facto and de jure operations – meaning that conducting payment services or issuing electronic money without registration or beyond the licensed scope constitutes a punishable offense, regardless of whether consumer harm has occurred.

Misuse of Institutional Titles and Public Misrepresentation

Article 28(2) extends criminal liability to those who:

• Use names, phrases, or marketing materials in business titles, documents, notices, advertisements, or public statements,
• That create the impression that they are licensed operators (e.g., by referring to themselves as a “payment company” or “e-money issuer”),

even when no actual service is provided. This protects the public from being misled by entities that illegitimately suggest they are under CBRT oversight. Courts have interpreted this broadly, applying the provision even to digital platforms and websites that display unauthorized logos or claims of licensing.

Closure of Business Premises and Repeat Offenses

Article 28(3) grants the courts the authority to:

• Close the business premises where these violations occur,
• For a period of two to six months,
• And in cases of recidivism, permanently shut down the operations.

This measure reflects the legislature’s intent to exclude bad-faith actors from the regulated market entirely, especially those who persistently attempt to evade regulatory controls. We have assisted clients in navigating investigations under this article, especially in cases involving foreign-owned fintech startups, where the boundaries between software development and payment intermediation may be unclear. Legal structuring, proper classification of services, and early dialogue with the CBRT can prevent misinterpretation and criminal exposure.

Continued Activity After License Revocation

Article 28(4) clarifies that these criminal sanctions also apply when a previously licensed entity continues to operate after the CBRT has revoked its license. In such cases, even former licensees are considered to be acting unlawfully, and their executives or board members may face both criminal prosecution and further administrative sanctions. This reinforces the importance of voluntarily suspending all regulated activity immediately upon license withdrawal and seeking legal counsel on how to settle existing obligations with clients, employees, and partners.

Preventing Supervision and Failure to Provide Information (Art. 29)

Article 29 of Law No. 6493 introduces criminal penalties for obstructing the supervisory authority of the Central Bank of the Republic of Turkey (CBRT) and for withholding information or documents requested during audits, inspections, or investigations. These provisions are central to regulatory enforcement integrity, as they ensure that the CBRT can carry out its oversight functions effectively and without obstruction.

Obstruction of Supervision (Article 29/1)

Under Article 29(1), any person who prevents the CBRT from fulfilling its supervisory and oversight duties under the law may be punished with:

• Imprisonment from one to three years

This includes:

• Physical obstruction of on-site inspections or audits,
• Refusal to grant access to company premises or IT systems,
• Tampering with evidence or audit trails,
• Instructing employees to mislead or obstruct CBRT personnel.

Importantly, the provision is not limited to executives — any individual, whether internal staff or third-party contractors, may be held criminally liable if they intentionally hinder the Bank’s activities.

Failure to Provide Information and Documents (Article 29/2)

Under Article 29(2), a separate offense is created for non-disclosure of information requested by the CBRT during supervisory activities. The sanctions include:

• Imprisonment from three months to one year, and
• A judicial fine of up to 1,500 days

This clause is commonly invoked when:

• Institutions ignore written requests for reports, records, or audit data,
• Responses are incomplete, evasive, or delayed,
• Third-party processors or service providers under contract fail to comply.

Given the CBRT’s reliance on timely and accurate data to detect risks in real time, this offense is considered serious even in the absence of underlying fraud. Failure to cooperate may escalate into further sanctions, such as administrative fines, license suspension, or criminal referrals under Article 37.

Compliance Strategies and Practical Risks

In practice, some institutions – especially new market entrants or foreign-backed fintechs – underestimate the breadth of the CBRT’s authority to demand information. Under Law No. 6493 and related regulations, institutions are required to:

• Maintain up-to-date and accessible records,
• Respond fully and promptly to all CBRT inquiries,
• Cooperate with onsite inspection teams,
• Provide auditable logs from internal systems upon request.

Failure to do so may be interpreted not only as negligence, but as deliberate obstruction, triggering Article 29 sanctions.

False Statements (Art. 30)

Article 30 of Law No. 6493 addresses the offense of making false statements in documents submitted to authorities within the framework of the electronic payments and settlement systems sector. This provision establishes criminal liability to protect the accuracy, reliability, and transparency of data that forms the basis of regulatory oversight and judicial proceedings.

Scope of the Offense

According to Article 30, any person who signs a false statement in documents submitted or published by:

• System operators,
• Payment institutions, or
• Electronic money institutions,

shall be subject to:

• Imprisonment from one to three years, and
• A judicial fine of up to 2,000 days

The offense covers documents provided to:

• The Central Bank of the Republic of Turkey (CBRT),
• Other competent administrative or judicial authorities,
• Supervision and audit personnel assigned under the law.

The falsity may relate to financial reports, compliance declarations, transaction data, risk assessments, or any other document prepared in the course of institutional reporting or regulatory review.

Legal Elements and Intent

The core element of this offense is intentional deception. The signer must knowingly approve inaccurate, incomplete, or manipulated information. This includes:

• Overstating capital adequacy or liquidity positions,
• Underreporting customer complaints or risks,
• Omitting liabilities or losses in balance sheets,
• Misrepresenting compliance with CBRT requirements.

The act of signing the document implies legal and professional responsibility. Therefore, directors, managers, internal auditors, or compliance officers who sign such documents may be held individually liable, even if they did not personally prepare the content.

Relevance in Practice and Regulatory Context

In CBRT’s enforcement practice, false statement violations often surface during:

• Routine or targeted inspections,
• Review of license applications,
• Evaluation of annual audit reports,
• Analysis of corrective action plans.

If inconsistencies are found, the CBRT may initiate both administrative and criminal procedures, or refer the matter to the Chief Public Prosecutor’s Office under Article 37 of the law. From a compliance standpoint, it is critical for institutions to:

• Conduct internal verification of all regulatory filings,
• Ensure clear division of responsibility between departments,
• Establish dual-signature or escalation mechanisms for sensitive reports,
• Retain documented audit trails for data used in official submissions.

Legal Risk Management and Defense Strategies

We have observed that this offense is particularly relevant where internal control systems are weak or outsourced service providers feed unverified data into compliance documents. In criminal defense, a key argument may relate to:

• Lack of intent (e.g., clerical error, misunderstood data),
• Absence of direct involvement in drafting the false content,
• Prompt correction or voluntary disclosure prior to detection.

In some cases, showing that the institution has implemented internal remedial actions (e.g., replacing personnel, introducing compliance software) may help mitigate criminal exposure and reputational harm.

Failure to Ensure Document Safekeeping and Information Security (Art. 31)

Article 31 of Law No. 6493 establishes criminal liability for failing to comply with obligations related to the preservation of documents and the protection of information security, particularly regarding payment instruments and personal security data. The provision serves to protect data integrity, system security, and consumer confidentiality, which are fundamental in the context of electronic payments and digital finance.

Breach of Document Retention Obligations (Art. 31/1)

The first paragraph refers to a breach of the duty outlined in Article 23(1) of the law, which requires institutions to:

• Retain documents, records, and data related to transactions,
• Ensure that such records are complete, accessible, and secure,
• Preserve information in a way that enables effective auditing and traceability.

Violation of this obligation may result in:

• Imprisonment from one to three years, and
• A judicial fine ranging from 500 to 1,500 days

This applies to institutions that lose, destroy, or otherwise fail to retain transaction-related documents as required by the CBRT or relevant regulations. It also applies in cases where record falsification, alteration, or negligent archiving prevents supervisory review.

Failure to Protect Personal Security Information (Art. 31/2)

The second paragraph targets payment institutions and electronic money institutions that:

• Fail to take necessary technical and organizational measures to prevent unauthorized access to personal security information relating to payment instruments (e.g., PIN codes, passwords, encryption keys), and
• Do not ensure secure delivery of such information to the payment service user or involved third parties.

If such failures occur, the responsible officers of the institution are subject to:

• Imprisonment from one to three years, and
• A judicial fine up to 1,000 days

This provision is particularly relevant in cases of data breaches, identity theft, or unauthorized transactions caused by the institution’s insufficient IT infrastructure or weak encryption and transmission controls.

Liability for Negligence or Professional Incompetence (Art. 31/3)

Recognizing that not all breaches stem from malicious intent, the third paragraph addresses violations that occur due to:

• Carelessness,
• Negligence, or
• Incompetence in professional practice.

In such cases, the officers or the individuals performing the transaction may still face a judicial fine up to 1,000 days, even in the absence of deliberate wrongdoing.

This establishes a dual standard of liability – one for intentional or reckless misconduct, and another for inadvertent noncompliance – reinforcing the duty of care and professional diligence in financial operations.

Practical Challenges and Enforcement Risks

In CBRT practice, Article 31 is often invoked when:

• Institutions suffer cybersecurity incidents affecting user data,
• Internal audit trails are incomplete or corrupted,
• Transaction records are lost due to IT failures or insufficient backups,
• Payment instruments are sent insecurely, resulting in fraud.

Compliance with this provision requires institutions to:

• Invest in secure IT infrastructure,
• Apply end-to-end encryption and two-factor authentication,
• Implement robust document archiving policies,
• Train staff on data protection standards.

Legal Defense and Corrective Strategies

In enforcement cases, we supports clients by:

• Analyzing whether the CBRT has correctly identified the breach,
• Presenting evidence of pre-existing compliance controls,
• Demonstrating that the incident was caused by external factors beyond the institution’s control,
• Negotiating mitigation based on remedial steps taken (e.g., reporting the breach, compensating users, upgrading systems).

We also assist institutions in reviewing their technical compliance architecture to avoid recurrence and defend institutional integrity in the face of criminal allegations.

Unlawful Disclosure of Confidential Information (Art. 32)

Article 32 of Law No. 6493 criminalizes the unauthorized disclosure of confidential information by individuals who, due to their professional role, have access to sensitive data belonging to system operators, payment institutions, electronic money institutions, or their clients. This provision is essential in safeguarding trust, privacy, and data protection in the electronic payments and financial services ecosystem.

Primary Offense: Disclosure by Internal Parties (Art. 32/1)

According to Article 32(1), the following individuals are criminally liable if they disclose confidential information they have obtained through their position:

• Shareholders,
• Board members,
• Employees,
• Agents, or
• Other officers acting on behalf of a system operator, payment institution, or electronic money institution.

The information protected includes:

• Internal operational data,
• Client financial and transactional data,
• Strategic business information,
• Any other information classified as confidential under legislation or institutional policy.

The penalty for such disclosure is:

• Imprisonment from one to three years, and
• A judicial fine of up to 1,000 days

This penalty applies even if the offender has been dismissed or is no longer affiliated with the institution at the time of disclosure.

Extended Liability: Third Parties and Outsourcing Providers (Art. 32/2)

Recognizing the widespread use of outsourcing in financial services (e.g., IT services, call centers, KYC providers), Article 32(2) extends the same confidentiality obligations to:

• Employees of service providers, and
• Third parties that may access confidential data through contractual or business relationships.

This provision reinforces the principle that confidentiality obligations travel with the data and are not limited to direct employees or internal actors. It ensures that clients and institutions are protected even when functions are partially or fully outsourced.

Key Compliance Measures

Institutions must ensure that all individuals – whether internal or external – are:

• Informed of their confidentiality obligations,
• Bound by written contracts containing non-disclosure clauses,
• Regularly trained on data protection and privacy standards,
• Prevented from unauthorized data access through technical safeguards, such as role-based access controls.

A failure to take such measures not only increases the risk of breach but also undermines any legal defense should a violation occur.

Regulatory and Legal Practice Context

In practice, Article 32 is often invoked in:

• Cases involving unauthorized access to customer databases,
• Leaks of transaction history or account balances,
• Disclosure of investigation details or internal compliance findings,
• Post-employment breaches, especially by former employees acting maliciously or negligently.

Such incidents may result in:

• CBRT sanctions against the institution,
• Civil claims by affected clients under tort liability or personal data protection laws, and
• Criminal prosecution under Article 32.

We frequently advises clients on:

• Drafting confidentiality policies compliant with Law No. 6493 and KVKK (Turkish Personal Data Protection Law),
• Investigating internal breaches and determining culpability,
• Filing criminal complaints in case of third-party data abuse,
• Defending employees or institutions unjustly accused of unlawful disclosure.

Damage to Institutional Reputation (Art. 33)

Article 33 of Law No. 6493 establishes criminal liability for individuals who intentionally cause reputational or financial harm to system operators, payment institutions, or electronic money institutions through public dissemination of false or misleading information. This provision reflects the critical role of public confidence in the financial system and aims to protect licensed entities from malicious attacks, defamation, or disinformation campaigns, particularly in the digital and media environment.

Protected Institutions and Harmful Acts

This article protects the reputation, prestige, and financial stability of institutions licensed under Law No. 6493. The offense is committed by:

• Disseminating inaccurate, false, or misleading information,
• That may damage the reputation, prestige, or assets of these institutions,
• Using public communication tools, including:
  • Printed press (as per Press Law No. 5187),
  • Radio and television,
  • Video,
  • Internet websites,
  • Electronic communications,
  • Social media platforms or other digital broadcast tools.

The method of communication must be intentional and public-facing, capable of reaching a wide audience and influencing public perception.

Criminal Penalties

Individuals found guilty under this article are subject to:

• Imprisonment from one to three years, and
• A judicial fine of between 1,000 and 2,000 days

The provision is designed to deter media abuse, unverified social media claims, and deliberate defamation campaigns aimed at undermining the financial credibility of licensed actors.

Key Considerations and Interpretation

The offense under Article 33 requires intent, which means:

• The offender must know the information is false or unverified,
• The dissemination must aim to cause harm or provoke public distrust, and
• The institution’s economic stability or public image must be at risk.

However, the provision is not intended to criminalize criticism or whistleblowing based on true and verifiable facts. Legitimate reporting or public commentary made in good faith may fall under freedom of expression, especially if it serves the public interest and is backed by evidence.

Turkish courts often examine:

• Whether the dissemination was fact-based or speculative,
• The source of the information,
• The platform used, and
• The actual impact or potential damage caused to the institution.

Relation to Other Legal Frameworks

This article intersects with:

• Press Law No. 5187, which regulates journalistic responsibilities,
• Criminal Code provisions on insult, slander, and disinformation,
• KVKK (Turkish Data Protection Law) when reputational damage involves personal data leaks.

Institutions that are targeted may also pursue civil claims for damages, takedown requests, or right of reply procedures.

Specific Criminal Liabilities for Electronic Money Institution Officers (Art. 34)

Article 34 of Law No. 6493 establishes targeted criminal liability for officers and related parties of electronic money institutions (EMIs) who violate specific operational requirements. Unlike other articles that apply broadly across the sector, this provision exclusively addresses EMI-related misconduct, emphasizing the heightened responsibilities of those managing stored-value systems that mimic deposit-taking functions.

Scope of Application and Targeted Offenders

The article applies specifically to:

• Officers (e.g., board members, executives, compliance officers), and
• Other relevant parties involved in the management, control, or operational execution of electronic money institutions.

It covers violations of:

• Article 18(4) – which generally includes restrictions imposed after license revocation or conditions related to license validity and use, and
• Article 20 – which regulates issuance, redemption, safeguarding of customer funds, and reporting obligations of EMIs.

These provisions are critical in ensuring consumer protection, prevention of fund misuse, and sound financial management in institutions that issue electronic money.

Sanctions and Penalties

Officers and related parties who breach these provisions may face:

• Imprisonment from one to three years, and
• A judicial fine of up to 5,000 days

These penalties underscore the individual accountability of decision-makers who either:

• Continue operations after their license is suspended or revoked,
• Fail to return funds to users upon request,
• Mismanage funds that must be kept separate and safeguarded, or
• Engage in practices that expose customers or the system to risk.

Examples of Prohibited Conduct

Practical examples of violations that may fall under Article 34 include:

• Issuing electronic money despite expired or revoked licensing status,
• Using customer funds for operational expenses or speculative investment contrary to fund safeguarding requirements,
• Delaying redemption of e-money without legal justification,
• Failing to comply with CBRT reporting rules under Article 20.

Violations may come to light during CBRT audits, customer complaints, or insolvency proceedings.

Legal Implications and Compliance Considerations

Because EMIs operate at the intersection of banking-like functions and digital innovation, Article 34 serves to:

• Reinforce the need for internal governance,
• Emphasize fund segregation and liquidity adequacy,
• Ensure timely redemption of user balances, and
• Promote accountability in decision-making chains.

Institutions must implement:

• Clear internal policies aligning with Article 18 and Article 20,
• Training for executives and staff on legal obligations,
• Independent audits to ensure safeguarding mechanisms are compliant,
• Legal review before expanding services, especially in gray zones of the regulatory framework.

Unrecorded Transactions and Improper Accounting (Art. 35)

Article 35 of Law No. 6493 targets intentional efforts to conceal or misrepresent the financial reality of payment institutions and electronic money institutions by failing to record transactions or by engaging in non-factual (false or misleading) accounting practices. This provision is vital in protecting financial transparency, regulatory integrity, and stakeholder trust, particularly in a sector that processes high volumes of customer transactions and stores value electronically.

Offense Description and Scope

According to Article 35(1), individuals who:

• Sign documents that leave institutional transactions unrecorded, or
• Sign off on accounting records that misrepresent the true nature of transactions

are subject to:

• Imprisonment from one to three years, and
• A judicial fine of up to 2,000 days

The offense applies regardless of whether the institution’s financial statements are externally audited or publicly disclosed. It focuses on internal misconduct that undermines the reliability of financial reporting and regulatory oversight.

Nature of the Criminal Conduct

This provision is aimed at:

• Omitting revenue, liabilities, or transaction details from ledgers,
• Creating false documentation to support fabricated transactions,
• Manipulating accounting records to disguise fund flows,
• Distorting the classification of items (e.g., showing liabilities as income),
• Hiding off-balance sheet arrangements to mislead regulators or investors.

Even intentional delay in recording financial entries may trigger scrutiny under this article if it creates a materially inaccurate picture of the institution’s status.

Who Can Be Held Liable

Liability under Article 35 extends to:

• Signatories of false or misleading documents (e.g., CFOs, accountants, general managers),
• Individuals with direct responsibility for bookkeeping, financial oversight, or reporting,
• Possibly board members, if it can be shown they knew or should have known of the misconduct.

Unlike other provisions, Article 35 focuses on the act of signing or authorizing non-compliant documents, which implies personal culpability even in the absence of broader institutional wrongdoing.

Context in Regulatory Practice

CBRT investigations and independent audits often uncover violations of Article 35 in situations such as:

• Concealment of high-risk client transactions,
• Overstatement of capital adequacy,
• Underreporting of foreign currency liabilities,
• Falsified reporting during license renewal or inspections.

Such offenses not only lead to criminal liability but may also trigger:

• Revocation of operating licenses,
• Tax inspections,
• Civil liability toward investors, partners, or clients who relied on false records.

Preventive Measures and Legal Support

To mitigate the risk of Article 35 violations, institutions should:

• Implement double-layered financial oversight (e.g., internal and external audit),
• Maintain real-time transaction recording systems integrated with secure databases,
• Ensure that only qualified personnel prepare and approve financial statements,
• Provide regular training on legal accounting standards and CBRT reporting obligations.

We advise clients in:

• Investigating potential accounting irregularities before they escalate into criminal matters,
• Designing internal reporting and audit procedures compliant with Turkish Financial Reporting Standards and CBRT regulations,
• Defending accused officers or employees by analyzing intent, causality, and procedural fairness,
• Negotiating with CBRT for corrective settlements where misreporting resulted from technical errors or capacity constraints.

Embezzlement by Internal Parties (Art. 36)

Article 36 of Law No. 6493 introduces one of the most serious criminal offenses applicable to system operators, payment institutions, and electronic money institutions: the crime of embezzlement. This provision imposes severe penalties on individuals who misappropriate funds or assets entrusted to them in the course of their duties. It serves to protect both consumer trust and the financial integrity of institutions operating within Turkey’s regulated payments sector.

Definition of the Offense (Article 36/1)

The crime of embezzlement occurs when the following individuals:

• Partners,
• Chairperson or members of the board,
• Employees,
• Agents, or
• Other officers acting on behalf of a system operator, payment institution, or electronic money institution,

misappropriate or unlawfully dispose of:

• Money,
• Monetary equivalents (e.g., checks, bonds, electronic funds),
• Other entrusted assets,

for their own or another person’s benefit, in breach of their duty of trust.

Sanctions for such conduct include:

• Imprisonment from 6 to 12 years,
• A judicial fine of up to 5,000 days, and
• Compulsory compensation for the loss suffered by the institution.

This paragraph reflects the high level of fiduciary duty imposed on financial institution insiders, given their access to sensitive assets and customer funds.

Aggravated Embezzlement (Article 36/2)

If the offense is committed:

• Through fraudulent means designed to conceal the embezzlement, or
• In a way that prevents detection,

the penalty is significantly aggravated:

• Minimum imprisonment of 12 years,
• A judicial fine of up to 20,000 days, but not less than three times the amount of loss caused, and
• A court order for mandatory restitution of the loss, even if not requested by the victim.

This includes conduct such as:

• Altering records to cover up missing funds,
• Routing funds through third-party accounts,
• Creating fictitious accounts or documents.

Voluntary Restitution and Penalty Reduction (Article 36/3)

The law provides for sentence mitigation where the perpetrator takes steps to repair the harm:

• If full restitution is made before the investigation starts, the penalty is reduced by two-thirds,
• If restitution occurs after investigation begins but before prosecution, the penalty is reduced by one-half,
• If restitution is made before final judgment, the penalty is reduced by one-third.

This incentivizes offenders to remedy financial losses promptly and reduces the burden on the criminal justice system.

Minor Embezzlement (Article 36/4)

If the value of the embezzled funds or assets is relatively low, courts may reduce the punishment:

• By one-third to one-half,
• Depending on the circumstances and degree of harm caused.

The provision allows judicial discretion in balancing punishment with the principle of proportionality, particularly for low-value offenses without aggravating factors.

Practical Risks and Common Scenarios

Article 36 is invoked in CBRT referrals and criminal proceedings involving:

• Misuse of client balances for internal expenses,
• Unauthorized transfers by staff from institution-owned accounts,
• Diversion of customer payments to personal or related-party accounts,
• Falsified reconciliations to cover up disappearing funds.

Embezzlement cases often trigger CBRT license reviews, civil damages claims, and public disclosure of the incident, which can cause severe reputational harm to the institution.

Legal Defense and Institutional Mitigation

To defend against Article 36 accusations or mitigate liability, we advises clients to:

• Conduct internal investigations with secure evidence collection,
• Distinguish between fraudulent intent and operational error,
• Demonstrate existence of internal controls and compliance systems,
• Seek penalty reduction under Article 36/3 by encouraging full restitution.

We also represent clients in criminal courts, as well as in parallel administrative and civil procedures relating to embezzlement, asset recovery, and insurance disputes.

Investigation and Prosecution Procedures(Art. 37)

Article 37 of Law No. 6493 sets forth the procedural framework governing the initiation of criminal investigations and prosecutions for certain offenses described in Section Seven. It introduces a requirement for prior written application (complaint) by the CBRT for specific crimes, and outlines conditions under which public prosecutors may proceed with or without the Bank’s request. This article aims to balance the autonomy of the judiciary with the expertise and discretion of the regulatory authority.

Offenses Requiring CBRT Complaint (Article 37/1)

For the following criminal offenses under Law No. 6493, an official written application by the CBRT to the Chief Public Prosecutor’s Office is required as a precondition to prosecution:

• Article 28 – Operating without a license,
• Article 29 – Preventing supervision or failing to provide information,
• Article 31 – Violating safekeeping or information security duties.

In these cases, even if law enforcement or the public prosecutor becomes aware of the offense, no investigation or prosecution may begin unless and until the CBRT submits a formal written complaint. This mechanism ensures that technical and legal assessments by the supervisory authority precede any criminal inquiry, reducing the likelihood of frivolous or uninformed prosecutions.

Exceptions to the Application Requirement (Article 37/2)

There is one key exception:

• If the affected parties (e.g., consumers, clients) file a criminal complaint directly concerning an offense under Article 31, a prior CBRT application is not required.

This allows individuals who have suffered harm (e.g., due to data leaks or payment security failures) to initiate legal action independently, without needing CBRT intervention. It reflects a victim-centered exception to the general rule of regulator-initiated prosecution.

Protection of CBRT Personnel (Article 37/3)

In cases where CBRT employees are alleged to have committed offenses in the course of their official duties under Law No. 6493 or its regulations, criminal investigation and prosecution against them is also subject to written authorization by the CBRT.

This clause is designed to:

• Shield regulatory personnel from harassment or retaliatory legal actions,
• Allow the Bank to assess whether conduct in question falls within the scope of official authority and good faith execution,
• Prevent interference with the CBRT’s supervisory mandate.

Only if the CBRT waives this procedural protection or finds misconduct, may a criminal case proceed.

Legal and Strategic Implications

For regulated institutions, Article 37 has several important consequences:

• Criminal liability for Articles 28, 29, and 31 is not automatic; it depends on CBRT’s decision to trigger prosecution.
• Institutions can engage in pre-prosecution negotiations or corrective actions to avoid criminal referral.
• Individuals (especially executives) accused of misconduct should monitor whether the CBRT has officially initiated the process or not.

For CBRT itself, this article enhances its ability to:

• Prioritize enforcement resources,
• Protect its personnel and institutional integrity, and
• Maintain regulatory discretion over what constitutes a serious enough breach to warrant criminal charges.

Transitional, Coordinative, and Institutional Provisions (Art. 38 to 40)

The final three articles of Section Seven – Articles 38, 39, and 40 – do not introduce new sanctions or offenses, but instead serve important regulatory, transitional, and institutional functions. They coordinate Law No. 6493 with other legislation and establish the legal continuity and framework needed for proper implementation.

Coordination with Law No. 1211 (CBRT Law)

Article 38 refers to the Law No. 1211 on the Central Bank of the Republic of Turkey (CBRT), which defines the powers, duties, and structure of the CBRT.

By referencing Law No. 1211, Article 38 emphasizes that the CBRT’s existing powers under its founding legislation remain intact and are applicable to the supervision and enforcement of payment systems and electronic money institutions under Law No. 6493.

In practice, this provision ensures:

• That CBRT can use its general supervisory, auditing, and monetary policy tools while performing tasks under Law No. 6493.
• That CBRT’s authority is not limited or overridden by Law No. 6493 but rather complemented by it.

It also lays the foundation for integrated enforcement, allowing the CBRT to impose measures under either legal framework where appropriate.

Coordination with Law No. 5411 (Banking Law)

Article 39 references Law No. 5411 on Banking, which regulates the Turkish banking system and the Banking Regulation and Supervision Agency (BDDK).

The coordination clause is particularly relevant because:

• Some institutions may operate both as banks and payment service providers,
• Hybrid products (e.g., e-wallets linked to bank accounts) may fall under both regulatory regimes,
• Enforcement actions under Law No. 6493 may intersect with provisions of banking law (e.g., fund safeguarding, operational risks).

This article ensures that when overlaps arise:

• There is no legal conflict between Law No. 6493 and Law No. 5411,
• Institutional responsibilities are clearly divided,
• Supervision is performed in a coherent and coordinated manner between CBRT and BDDK.

In legal practice, this means that institutions must be alert to dual compliance obligations and may face joint inspections or enforcement actions depending on the nature of the service offered.

Supplementary and Transitional Provisions

Article 40 addresses transitional legal arrangements and supplementary rules necessary for the proper implementation of Law No. 6493. Though not elaborated in detail, this article generally refers to:

• Repeal of previous conflicting provisions,
• Transitional periods for compliance with licensing, operational, or capital requirements,
• Legal continuation of pre-existing licenses or permissions granted under prior frameworks, provided they are consistent with the new law.

This article is particularly important for:

• Institutions that were already operating under previous payment regulations or BDDK licenses before the 2013 enactment and the 2019 amendment,
• Ongoing legal cases or enforcement actions that needed to be adapted to the new legal terminology and procedural mechanisms.

The article also enables the regulatory infrastructure – including CBRT circulars, communiqués, and implementation guides – to remain valid and binding as long as they are not contrary to Law No. 6493.

Practical Significance

While Articles 38–40 do not create direct liabilities, they are legally significant for:

• Conflict resolution between overlapping financial laws,
• Legal certainty and continuity,
• Ensuring that administrative and judicial decisions maintain coherence across the Turkish financial regulatory regime.

Law Firm’s Support in Compliance and Defense

As the financial services ecosystem in Türkiye evolves, so too does the complexity of regulatory compliance. The increased scrutiny by the Central Bank of the Republic of Türkiye (CBRT) under Law No. 6493, particularly through its enforcement mechanisms set out in Articles 27 to 40, demands that payment institutions, electronic money institutions, and system operators adopt a proactive, structured, and legally sound approach to both compliance and legal defense. We offer comprehensive legal services covering regulatory compliance, enforcement defense, and risk management advisory tailored to the needs of both domestic and international financial service providers.

Licensing and Operational Structuring

We assist clients from the earliest stages of market entry by:

• Preparing and submitting license applications to the CBRT,
• Structuring corporate governance, shareholding, and internal policies in compliance with regulatory standards,
• Advising on outsourcing arrangements, AML/CTF obligations, and fund safeguarding requirements,
• Reviewing business models to ensure lawful categorization under Law No. 6493 or related legislation (e.g., Banking Law No. 5411, CBRT Law No. 1211).

CBRT Investigations and Administrative Sanctions

We have experience defending institutions in CBRT-driven processes, including:

• Responding to regulatory inquiries and information requests,
• Preparing written defenses before the imposition of administrative fines under Article 27,
• Challenging CBRT sanctions through administrative litigation in Turkish courts,
• Negotiating with regulators to avoid license revocation or public disclosure of violations.

Our team leverages both legal strategy and a deep understanding of financial regulation to achieve proportional, fair, and legally defensible outcomes.

Criminal Defense and Corporate Representation

We represent both institutions and individuals in cases involving alleged criminal conduct under Articles 28 to 36, including:

• Unlicensed activity,
• Obstruction of supervision,
• False statements or improper accounting,
• Unauthorized data disclosure,
• Embezzlement or breach of trust.

In such cases, our services include:

• Engaging in pre-prosecution discussions with CBRT to prevent the initiation of criminal complaints (Article 37),
• Drafting legal defenses and compiling evidentiary documentation,
• Representing executives, board members, and institutions during criminal investigations and trials,
• Pursuing mitigation through restitution, settlement, or defense of procedural violations.

Internal Compliance, Audit, and Preventive Lawyering

We also offer internal legal audits to prevent exposure to the types of liabilities described in Section Seven. Our services include:

• Reviewing internal policies and manuals for regulatory compliance,
• Conducting mock inspections to test readiness for CBRT audits,
• Training executives and compliance personnel on their individual legal responsibilities,
• Advising on proper data handling, accounting, and transaction documentation

Cross-Border and Strategic Advisory

For international clients entering the Turkish market or investing in local financial service providers, we offer:

• Legal due diligence on Turkish fintech companies,
• Structuring of foreign ownership and investment vehicles,
• Strategic advisory on conflicts between Turkish and foreign licensing regimes,
• Coordination with EU/UK/US sanctions compliance rules, where relevant.

With a multi-disciplinary team comprising legal academics, compliance experts, and litigation specialists, Bıçak Law Firm serves as a trusted advisor for navigating the legal and regulatory landscape of Türkiye’s electronic payments sector.

Conclusion – Toward a Secure and Accountable Fintech Ecosystem

Türkiye’s digital payments and electronic money industry continues to expand rapidly, bringing innovation, efficiency, and convenience to consumers and businesses alike. However, this dynamic growth must be accompanied by robust legal and regulatory safeguards to ensure the stability, transparency, and integrity of the financial ecosystem.

Section Seven (Articles 27–40) of Law No. 6493 provides the legal foundation for such safeguards. It empowers the CBRT to:

• Penalize regulatory violations through administrative fines,
• Initiate criminal proceedings for serious breaches,
• Enforce internal control, transparency, and consumer protection obligations,
• Coordinate supervision with other regulatory bodies and adapt to market evolution.

From administrative sanctions for non-compliance (Article 27) to severe criminal penalties for embezzlement and fraud (Article 36), the law establishes a wide-ranging enforcement regime. At the same time, it incorporates principles of procedural fairness, proportionality, and institutional accountability through rights of defense, judicial review, and conditional prosecutorial discretion.

Institutions operating under this framework must treat regulatory compliance not as a box-ticking exercise but as a core strategic and operational function. Inadequate recordkeeping, poor internal governance, and disregard for CBRT directives not only invite penalties but also jeopardize consumer trust and business continuity.

At Bıçak Law Firm, we believe that sound legal advice is essential not only when problems arise, but in building sustainable and compliant business models from the outset. Our goal is to support fintech innovation while ensuring that clients remain aligned with Türkiye’s evolving legal landscape – turning compliance from a burden into a competitive advantage.

As Türkiye deepens its integration with international financial markets, and as payment systems become more digitized, the importance of legal integrity and regulatory discipline will only grow. Law No. 6493, and particularly its enforcement arm in Section Seven, stands as a critical pillar in building a secure, accountable, and innovation-friendly fintech ecosystem for the future.