- within Technology topic(s)
- within Litigation and Mediation & Arbitration topic(s)
I. Introduction: The M&A Dynamics of a Maturing Ecosystem
Türkiye's fintech ecosystem has evolved rapidly over recent decades, reaching a maturity level that now attracts global-scale investments. This growth stems from a unique combination of market dynamics: a young, tech-savvy population, high mobile penetration rates, and rapidly evolving consumer finance habits. What began with software-based payment systems has transformed into a mature market where advanced technologies like artificial intelligence, digital assets, and blockchain are reshaping financial services.
1. Market Size and Activity
According to the Turkey Fintech Ecosystem Status Report for 2024 published by the Presidency of the Republic of Turkey Finance Office, as of the end of 2024, there are 901 fintech startups in Turkey, with 731 being active. Additionally, per the Central Bank of the Republic of Turkey (CBRT) data, there are 27 payment services fintechs and 63 e-money fintechs, a total of 90 accredited payment and e-money service providers as of October 2025. These figures demonstrate that Türkiye's fintech ecosystem is both active and thriving, supported by consistent growth and market engagement.
2. Investment Momentum
Pursuant to the "Turkey Startup Ecosystem Investment Report – Mid-Year 2025" published by Startup Centrum, between 2021 and 2024, investments in the fintech sector demonstrated a consistent upward trend, with total investment volume increasing from USD 70.81 million across 39 transactions in 2021 to USD 151.37 million across 19 transactions in 2024. In the first half of 2025, the sector continued to maintain strong momentum, recording USD 100.95 million in investments through 12 transactions in Turkey, while global fintech funding recorded USD 44.7 billion with 2,216 deals according to the "Pulse of Fintech Report – H1 2025" published by KPMG. Despite challenges in the global investment climate, fintech investments in Turkey have shown remarkable resilience, reaching record levels in 2024 while continuing growth in the first half of 2025. This growth is increasingly driving mergers and acquisitions ("M&A") activities both globally and in Turkey. For incumbent banks and financial institutions, acquiring a fintech represents a strategic imperative to accelerate digital transformation, access new customer segments, and "acqui-hire" talented teams. The relationship is generally structured through a strategic partnership or commercial agreement that regulates the fintech's service provision to the investing party. Simultaneously, financially strengthened Turkish fintechs are consolidating among themselves and expanding their horizons through international acquisitions.
In this article, we explain the key considerations in fintech M&A transactions, which have reached remarkable figures both in Türkiye and globally. We address the crucial aspects of due diligence, investment procedures, and transaction documentation, offering a practical playbook for navigating these complex processes to structure and execute successful investments in this rapidly evolving sector.
II. Critical Checkpoints in Fintech M&A Processes
Due to the intersection of technology and finance, fintech M&A transactions involve unique legal risks and require careful consideration. A successful transaction depends on meticulous due diligence covering these specific areas.
1. Licencing and Regulatory Compliance
The most critical step in a fintech transaction is the assessment of regulatory compliance. The regulatory framework, governed by the Central Bank of the Republic of Turkey (CBRT), the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), and the Financial Crimes Investigation Board (FCIB), serves as a key condition for the validity of the transaction. Within the due diligence, investors must verify;
- that the target company possesses all necessary and valid licenses for its establishment and operations, such as crypto asset service providers, payment services, e-money or digital banking;
- whether ongoing license requirements are being met;
- that there are no transactions that may constitute a breach of applicable regulations; and
- whether there are any ongoing investigations that could jeopardize the licenses.
Furthermore, in cases where the target is subject to an ongoing licensing process (such as crypto asset service providers ("CASPs"), a detailed review of the application documents is crucial to identify, in advance, any issues that may hinder the granting of the license.
A violation of applicable legislation may result not only in license revocation but also in substantial administrative and criminal penalties. Accordingly, confirming that the target fintech is not subject to any active investigations, while also identifying and rectifying potential regulatory breaches in advance of closing, is essential to mitigating post-closing risks. Given that services offered within the fintech sector often differ from traditional financial services, compliance with relevant legislation must be thoroughly assessed for each service provided. Additionally, given the scope of services offered by fintech companies, assessing their compliance with applicable legislation on information systems and identifying any potential breaches or deficiencies in this regard is essential.
From a regulatory compliance standpoint, one of the key aspects that fintech companies must prioritize is the preparation, implementation, and supervision of their internal policies and procedures in full alignment with applicable legislation. For instance,
- Under the Capital Markets Law (CML) and its secondary regulations, CASPs are required to establish and maintain comprehensive corporate governance documents, including framework agreements, operational workflow procedures, conflict of interest policies, risk disclosure forms, listing and delisting procedures, order execution policies and risk management frameworks.
- Payment and electronic money institutions must adopt framework agreements, internal control and risk management policies, and human resources policies that are consistent with regulatory expectations.
The proper design and enforcement of these internal policies not only ensure compliance but also form the cornerstone of sustainable and transparent corporate governance within the fintech ecosystem.
2. Change of Control Requirements
The potential impact of a change in the company's control structure on the continuity of existing licenses and the approvals required from regulatory bodies must be carefully examined. In the fintech ecosystem, where service provision is subject to licensing, share transfers are generally conditioned upon the approval of relevant public authorities under applicable legislation. Accordingly, prior to transaction completion, regulatory approval must be obtained from the competent authority. This requirement is typically reflected in transaction documents as a condition precedent to closing. Furthermore, during the due diligence process, determining whether the fintech startup's commercial agreements contain any change of control provisions is important, and if so, ensuring that necessary notifications are duly made in accordance with such provisions.
3. Regulatory Reporting Requirements
Periodic reports and notifications that must be submitted to competent authorities should be carefully verified as part of regulatory compliance reviews. For instance, in the case of CASPs undergoing an operating license application process, regular reports and notifications required to be filed with the CMB and other relevant authorities, such as proof of reserves reports, compliance reports, special market conditions reports, and risk management reports, must be duly identified during the due diligence phase and confirmed to have been prepared and submitted in accordance with applicable regulations. Ensuring the accuracy and timeliness of such regulatory filings is critical not only for maintaining compliance but also for mitigating potential enforcement risks that may arise during or after the licensing process.
4. Intellectual Property
A fintech company's primary asset is its disruptive technology. Verifying that the company has full ownership of its trademarks, patents, and especially its proprietary software is vital. Additionally, the target company's employees may possess extensive know-how of the company in general. These factors undoubtedly affect the financial value of the target company. To ensure that the target holds all intellectual property rights, a qualified IP due diligence is required. Common issues include:
- IP Rights Not Transferred Properly: Under Turkish law, specific written assignment agreements are often required to transfer intellectual property rights from employees and consultants to the target company, as standard employment or work contract clauses may not always be sufficient. In similar sense, IP may have been created by third parties who are not employed by the company and the rights of the product may not be properly transferred to the target.
- Open-Source Dependencies: Use of open-source components that may impose licensing restrictions on commercial deployment. Furthermore, if the company uses third parties' software or other licensed products or open source products while creating its own software and other services, it is essential to examine, whether (a) the company has the right to use third parties' software while creating its own software or other services, and (b) the license agreements executed by and between the company and third parties and the intellectual property rights granted within the scope of such license agreements, during the due diligence phase.
- API Ownership: Ambiguity over whether custom-built APIs belong to the fintech or third-party developers.
Additionally, in the event of projects that received grants or funding from third-party organizations, such as TÜBİTAK (the Scientific and Technological Research Council of Türkiye) or universities, the conditions of such project agreements should be carefully reviewed to ensure there are no third-party claims or conditions that could affect the company's ownership of intellectual property rights.
5. Information Technologies, Cybersecurity and Data Privacy
Fintechs process high volumes of sensitive personal and financial data, making compliance with the Personal Data Protection Law (KVKK) No. 6698 a central risk factor. A thorough review of data processing policies, user consents, Data Controllers' Registry (VERBIS) registration and cybersecurity measures is crucial to prevent significant fines and reputational damage post-acquisition.
a. General Data Privacy Compliance Requirements
The target company's compliance with KVKK requirements
warrants careful examination, including proper legal basis for data
processing, transparent privacy notices, valid consent mechanisms
where required, and appropriate data retention and deletion
procedures.
b. Hardware and IT Infrastructure Ownership
In terms of fintech M&As, examining whether the target
company has the necessary hardware and other IT-related devices to
run its business, and whether such hardware and IT-related devices
belong to the target company, is essential. Also, as per
Communiqué No. VII-128.10, relevant compliance documents
must be duly prepared and in force for CASPs and other relevant
institutions (e.g., information security policies and
compliance documents, information assets inventory and policy on
information assets inventory, service inventory, process inventory,
etc.).
c. Cybersecurity Measures
Cyber security measures taken by the target company in
accordance with relevant legislation (e.g., the
Communiqué on the Procedures and Principles Regarding
Information Systems Management) must be in place and verified
during due diligence. The certificates of the target company with
regard to sustainability and information security in relation to
its field of activity, as well as their validity, should also be
examined during due diligence.
d. Data Localization Requirements
For fintech companies, particularly those operating in
regulated areas such as payment services and electronic money
institutions, data security and localization are of paramount
importance and highly regulated. Key requirements include:
- Payment and E-Money Institutions:The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and its secondary legislation often mandate that critical systems and data be stored within Turkey.
- CASPs and Related Institutions:Pursuant to the Communiqué No. VII-128.10, CASPs and other relevant institutions must establish their primary and secondary information systems within Turkey to ensure data localization and facilitate regulatory audits. According to Article 27(1) of Communiqué No. VII-128.10, CASPs are required to host their primary and secondary systems within Turkey. Pursuant to Provisional Article 1(1) of the said communiqué, a transition period has been set until 31 December 2025. Therefore, meticulously verifying the geographical location of the target company's main servers, backup centers and critical databases to ensure compliance with these regulations is essential.
6. Merger Control
The Turkish Competition Authority has included "financial technologies" within its definition of a "technology undertaking." This means that the acquisition of an innovative fintech startup, even one with low revenue, may be subject to the Competition Board's approval if the acquirer meets certain turnover thresholds, aiming to prevent "killer acquisitions." To plan an efficient and cost-effective M&A process, the merger control process should be considered and pre-planned, and the said turnover thresholds must be confirmed at the outset of the M&A process.
7. Customer Relations and Outsourcing
Fintech companies must adhere to strict regulatory requirements when engaging with clients, ensuring that investment services and custody operations are conducted in compliance with applicable laws (e.g., know your customer requirements, framework agreements, suitability tests, necessary notifications, etc.). Accordingly, during the due diligence phase, verifying that the fintech company's relationships with both its customers and outsourcing parties are conducted in compliance with applicable legislation, and ensuring that such regulatory obligations are duly considered in the drafting of investment agreements, is essential. Especially for CASPs, it should be considered that core functions such as board-level decisions, investment services, financial reporting, and internal audit activities cannot be outsourced, and all outsourcing must be in line with related regulations.
8. Employment and ey Personnal
For fintech M&A transactions, particularly those driven by acqui-hire considerations, employment matters require special attention:
- Key Personnel Retention: Identifying key employees whose departure could materially impact the business is critical. Investors should assess existing employment agreements, retention bonuses, and equity compensation arrangements to ensure continuity post-closing. Given that fintech employees often possess extensive know-how and institutional knowledge, ensuring proper knowledge transfer mechanisms and transition plans should be incorporated into transaction documentation.
- Non-Compete and Non-Solicitation Provisions: Turkish labor law imposes limitations on the enforceability of non-compete clauses. Due diligence should review whether existing non-compete agreements are valid and enforceable, particularly for founders and senior technical staff.
9. Government Incentives and Tax Benefits
In Turkey, fintech companies can benefit from a wide range of government incentives and tax exemptions designed to promote technological innovation and investment. A comprehensive due diligence should include a detailed review of these incentives to determine their relevance and impact on the transaction's commercial objectives. These include:
- R&D and Technopark Incentives: Significant tax reductions, grants, and funding opportunities for companies engaged in research, design, and product development.
- KOSGEB Programs: The Small and Medium Industry Development Organization provides financial, training, and consultancy support to small and medium-sized technology enterprises.
- TÜBİTAK Support: The Scientific and Technological Research Council of Turkey offers grants and funding for innovative technology projects.
- Teknogirişim Rozeti (Technology Entrepreneurship Badge): The Technology Entrepreneurship Badge, administered by the Ministry of Science, Industry and Technology, is a certification program that recognizes technology-based startups with high growth potential and innovative R&D activities. Fintechs holding this badge benefit from various incentives, including income tax exemptions on revenues derived from R&D and innovation activities, social security premium support for employees engaged in R&D work, and priority access to public procurement processes. The badge also provides exemptions from certain stamp duties and fees, making it particularly valuable for early stage fintechs.
III. Future Outlook
The Turkish fintech ecosystem continues to present new M&A opportunities, shaped by regulatory advancements and technological innovation. In this section, we explore high-potential areas for M&A investments and future projections.
1. High-Potential Areas for Fintech M&A
a. Open Banking and Banking as a Service (BaaS)
With steps like the BRSA authorizing the first service
model banking in Turkey in 2024, infrastructure providers in this
space are set to become prime acquisition targets. The emergence of
new concepts like "Open Investment" is also anticipated,
creating opportunities for platforms that enable seamless
integration of investment services across multiple providers.
Accordingly, increased activity in API infrastructure providers,
middleware platforms, and consent management solutions as
traditional banks seek to accelerate their open banking
capabilities can be expected in Türkiye.
b. Blockchain, Crypto Assets and Stablecoins
The enactment of the Crypto Asset Law in 2024 and its
secondary legislation in 2025 has provided a legal framework for
the sector, creating a more secure environment for M&A
activities involving these assets. Furthermore, following the
enactment of the GENIUS Act in the United States, global investor
interest in stablecoins has increased significantly. With these in
mind, licensed CASPs with proven compliance track records and
custody solutions will command premium valuations and cross-border
acquisitions by international exchanges seeking Turkish market
entry are expected to accelerate.
c. AI Agents and Intelligent Automation
Türkiye has taken four main steps recently with
respect AI governance: the 2021–2025 National Artificial
Intelligence Strategy, the Draft Artificial Intelligence Law, the
2024–2025 Artificial Intelligence Action Plan, and Law No.
7545 on Cybersecurity. These initiatives aim to secure the domestic
market and align with international standards. These regulations
incorporate provisions on security, transparency, and
accountability. Future developments in the scope of legislation,
risk classification, oversight mechanisms, and the chain of
responsibilities will determine the degree of alignment with
national and international regulatory standards.
Given the widespread adoption of AI across nearly all industries, the integration of AI into business models has become inevitable. Fintech companies are increasingly leveraging AI agents within their operational structures, and strategic partnerships in this field have notably accelerated compared to previous years. As such, fintechs offering AI-powered risk assessment, fraud detection, customer service automation, and personalized financial advisory services will attract significant investor interest.
d. RegTech and Compliance Solutions
As regulatory complexity increases, demand for automated
compliance solutions grows proportionally. RegTech providers
offering KYC/AML automation, transaction monitoring, and regulatory
reporting tools represent attractive acquisition targets. Banks and
financial institutions will increasingly acquire RegTech
capabilities to manage compliance costs and reduce regulatory risk
exposure in near future.
e. WealthTech and Digital Investment Platforms
The growing middle class in Turkey and increasing
financial literacy create opportunities for digital wealth
management and robo-advisory platforms. Traditional wealth managers
and banks will seek acquisitions to access younger, tech-savvy
customer segments and modernize their investment offerings.
2. Regulatory Tailwinds
a. Digital Turkish Lira and Digital Identity
System
The Digital Turkish Lira, defined as the digital form of
the Turkish Lira, began its R&D phase in 2020, followed by
first phase studies in 2022. The first phase was completed in 2023,
culminating in the publication of the Digital Turkish Lira First
Phase Evaluation Report. As the system requires a digital mechanism
for identity verification, the first phase studies focused on
integrating the Digital Identity System and Wallet Application into
the design of the Digital Turkish Lira, using distributed ledger
technology. However, the Digital Turkish Lira First Phase
Evaluation Report published by the CBRT clearly stated that the
Digital Turkish Lira will not be issued as a crypto asset.
The Digital Turkish Lira project, conducted by the CBRT and entered its second phase in 2024, is expected to introduce new payment systems and business models, further energizing the sector. In the third phase of the Digital Turkish Lira project, if the CBRT decides to proceed with circulation, the necessary regulatory amendments, certification, licensing, and dissemination processes will be carried out. Infrastructure providers, digital wallet developers, and payment processors positioned to support Digital Turkish Lira integration will become strategic acquisition targets.
b. Digital Company Framework
As part of the 2025 Action Plan of the Coordination
Council for the Improvement of the Investment Environment, led by
the Ministry of Trade and the Ministry of Industry and Technology,
in coordination with the Ministry of Treasury and Finance, Turkey
aims to introduce a digital company framework designed to
facilitate the establishment of innovative startups. The initiative
envisions a fully digitalized incorporation process, supported by
legislative amendments that allow company formation to be completed
entirely online. Furthermore, it contemplates temporary exemptions
from certain formalities and financial obligations during the
initial operational phase to promote entrepreneurship and
innovation.
Simplified incorporation processes will accelerate fintech formation, creating a larger pipeline of acquisition targets and reducing barriers for strategic investors.
c. Crowdfunding Information Forms
The crowdfunding sector in Turkey has emerged as a vital
alternative financing channel for fintech startups, particularly
those in early growth stages. Under the Communiqué No.
III-35/A.2 on Crowdfunding, the CMB regulates both equity-based and
debt-based crowdfunding platforms, establishing a structured
framework for capital raising by innovative ventures.
As part of ongoing regulatory refinement, Share-Based and Debt-Based Crowdfunding Information Forms—standardized disclosure documents to be published on campaign pages for projects seeking funding—were opened for public consultation by the CMB on 31 May 2025, and public feedback was collected until 14 June 2025. These Crowdfunding Information Forms, as determined by the CMB, are expected to be implemented in the upcoming period and will mandate consistent disclosure of key information including business models, risk factors, financial projections, use of proceeds and management backgrounds.
4. Conclusion
Turkey's fintech ecosystem presents compelling M&A opportunities for strategic investors and financial institutions seeking digital transformation. Success in this market requires meticulous due diligence spanning regulatory compliance, intellectual property, data privacy and operational readiness. As regulatory frameworks mature and innovative technologies emerge, fintechs that prioritize "M&A readiness" from inception will be best positioned to maximize value and achieve successful exits in this dynamic market. This involves maintaining impeccable corporate governance, ensuring robust compliance with regulatory and data privacy laws and securing clear IP ownership. A company that prioritizes these fundamentals not only de-risks its operations but also maximizes its value and strategic options in a future M&A transaction. Accordingly, forward-thinking fintechs should:
- Prepare the company to be investment-ready, especially for foreign direct investment,
- Document all IP assignments and licenses,
- Implement compliance frameworks that exceed minimum regulatory requirements,
- Build scalable governance structures that can withstand regulatory scrutiny, and
- Cultivate key talent with appropriate retention mechanisms.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.