Turkey has one of the most dynamic fintech ecosystems in the EMEA region — over 60 licensed payment and electronic money institutions, a Central Bank actively expanding its open banking framework, and a consumer base increasingly reliant on digital payments. But with opportunity comes regulatory density.
If your company is considering acquiring a stake in a Turkish payment or electronic money institution, appointing a representative to its board, or establishing a licensed entity in Turkey, you need to understand what personal liability looks like for board members under Turkish law — before you sit in that chair.
This article maps the liability landscape for board members of licensed payment and electronic money institutions in Turkey. It is intentionally focused: we set aside the general company law obligations under the Turkish Commercial Code and concentrate solely on sector-specific regulation.
The Regulatory Architecture
Turkey’s payment services sector is governed by a layered framework that combines primary legislation, secondary regulation, and supervisory guidance. The key instruments addressed in this article are:
- Law №6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions — the primary statute governing licensed payment institutions and electronic money institutions in Turkey, administered by the Central Bank of the Republic of Turkey (CBRT, Türkiye Cumhuriyet Merkez Bankası).
- Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers — the principal secondary regulation under Law №6493, setting out operational, governance, and compliance requirements.
- Communiqué on Information Systems of Payment and Electronic Money Institutions — the CBRT’s detailed technical framework governing information systems management, cybersecurity, and outsourcing.
- Law №5549 on Prevention of Laundering Proceeds of Crime — Turkey’s primary AML statute.
- Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism, and Regulation on Programme of Compliance with Obligations Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism — the two secondary instruments under Law №5549, which together define the AML compliance program requirements applicable to licensed institutions.
MASAK (Mali Suçları Araştırma Kurulu, Financial Crimes Investigation Board) is Turkey’s financial intelligence unit and AML/CFT supervisor. Licensed payment and electronic money institutions are “obligated entities” under MASAK’s jurisdiction.
EXECUTIVE SUMMARY
Upon obtaining an operating license from the CBRT, payment and electronic money institutions operate both under the fintech-specific framework described above and as obligated entities under MASAK’s AML/CFT regime. The Board of Directors bears direct and comprehensive liability under both.
Fintech Legislation (Law №6493 and Secondary Regulations)
Board Composition and Qualification Requirements
The Board of Directors must consist of at least three members, with the general manager serving as an ex-officio member. Board members must individually satisfy the character and fitness criteria set out in Article 8(1)(a)–(d) of Banking Law №5411 (Turkey’s banking statute) — these criteria include the absence of bankruptcy, no material prior involvement in failed or seized financial institutions, and no criminal convictions for specified offences including fraud, embezzlement, bribery, or money laundering. Internal control and risk management personnel must not have familial ties to their respective supervising Board member. Any appointments or changes must be notified to the CBRT within 20 business days.
General Duties of the Board
The Board is directly responsible for policies and practices covering: organizational structure; internal control and risk management; information systems management; fraud prevention mechanisms; customer complaint procedures; and agent management.
Information Systems and Outsourcing
The Board must approve information systems policies and review them at least annually. The Board is also responsible for monitoring the risk, performance, and security of outsourced services; ensuring an annual critical information systems risk assessment is conducted and submitted to the CBRT; and receiving annual test results of cyber incident response plans.
Internal Control and Risk Management
Internal control and risk management activities must operate under a designated non-executive Board member (not the general manager). Both units report to the Board twice yearly.
Criminal and Administrative Sanctions
Board members may incur personal criminal liability in the following circumstances, each carrying imprisonment of 1–3 years and a judicial fine unless otherwise noted:
- Obstruction of CBRT inspection
- Making false statements in submitted documents
- Breach of recordkeeping and information security obligations
- Disclosure of confidential information (applies even after leaving office)
- Off-the-books accounting or inaccurate record-keeping
- Embezzlement (6–12 years imprisonment, up to 20,000-day judicial fine in aggravated cases)
MASAK Legislation (Law №5549 and Secondary Regulations)
Main Responsibilities of the Board
The Board holds ultimate responsibility for the entire AML compliance program. This includes: appointing and formally notifying MASAK of the compliance officer (within 10 days of appointment); approving compliance policies and annual training programs; evaluating training, risk management, monitoring/control, and internal audit processes; and ensuring the compliance unit has adequate staffing and resources.
Internal Audit
The Board is obligated to ensure the correction of deficiencies identified through internal audits.
Sanctions
A graduated enforcement mechanism applies: written warning → first administrative fine → second fine (double the first) → suspension or license revocation. The responsible Board member may be personally fined an amount equal to one-quarter (1/4) of the administrative fine imposed on the institution. Breaches of the obligations under Articles 4, 7, and 8 of Law №5549 — relating to confidentiality of suspicious transaction reports, provision of information to MASAK, and document retention — carry 1–3 years imprisonment and up to a 5,000-day judicial fine.
Personal Liability for Public Receivables
Under Law №6183 on the Collection Procedure of Public Receivables, administrative fines are classified as public receivables. Duplicate Article 35 of that Law provides that where a public receivable cannot be collected from the institution’s assets, it may be collected directly from the personal assets of board members. This mechanism applies to fines imposed under both the fintech and MASAK frameworks.
LAW NO. 6493 AND ITS SECONDARY REGULATIONS
Qualifications, Notifications, and Restrictions
Board Composition and Qualifications (Article 23, Payment Services Regulation)
The Board must have at least three members; the general manager is an ex-officio member. Each Board member must individually satisfy the criteria in Article 8(1)(a)–(d) of Banking Law №5411. These criteria — originally designed for bank founders — apply by cross-reference to payment and electronic money institution governance. In brief: no bankruptcy, no involvement in failed financial institutions transferred to the Savings Deposit Insurance Fund (SDIF, TMSF), and no conviction for financial crimes. The full text of Article 8 is reproduced in the annex to this article for reference.
Familial Relationships (Article 24, Payment Services Regulation)
Internal control and risk management personnel, and the Board member responsible for overseeing them, must not be the spouse of, or be related by blood or marriage up to the third degree to, the general manager or any other Board member.
Notifications Regarding Board Members and the General Manager (Article 25, Payment Services Regulation)
The institution must notify the CBRT of changes affecting Board members or the general manager — including resignation, removal, appointment, or election — within 20 business days of completing internal procedures, without waiting for formal registration or publication. Required supporting documents must accompany the notification. Institutions are advised to involve their legal teams before implementing any Board-level change to ensure CBRT processes are managed correctly.
Share Acquisitions and Transfers (Article 12/8, Payment Services Regulation; Article 25, Law №6493)
Share acquisitions that result in a party holding (directly or indirectly) 10%, 20%, 33%, or 50% or more of the capital require prior CBRT approval. The same applies to transfers that cause a party’s holding to fall below these thresholds. The Board is responsible for verifying, prior to general assembly meetings, that any shareholders whose participation would require prior approval have obtained it.
Prohibition on Related-Party Lending and Disguised Transactions (Article 32/8, Payment Services Regulation)
The institution may not extend credit to shareholders, senior management, or their close relatives, or to entities they control, nor enter into transactions with these parties at prices manifestly different from market rates. Amounts involved in such transactions are excluded from equity calculations.
General Duties of the Board (Article 23, Payment Services Regulation)
Under the Fintech Legislation framework, the Board is responsible for:
- Determining the organizational structure and human resources policy, including definition of personnel authorities and responsibilities.
- Establishing in writing the strategies, policies, and procedures for internal control and risk management, and ensuring their effective implementation.
- Formulating written risk management policies and strategies — both generally and for each specific risk category — determining acceptable risk levels and establishing implementation procedures.
- Defining information systems management policies and establishing control processes to ensure their effective operation.
- Establishing a customer complaints management system that enables evaluation of complaints, responses to affected parties, analytical processing for fraud detection, and regular reporting to the Board; ensuring necessary measures are taken on complaint subject matter.
- Establishing procedures for protection of customer funds, including related internal control and risk management procedures.
- Establishing procedures for identification, management, monitoring, and reporting of risks, including risks arising from agent activities.
- Establishing procedures and criteria to ensure that agents possess the necessary integrity, competence, reputation, and financial strength.
- Establishing risk-sensitive systems and controls for monitoring agent activities.
- Formulating comprehensive workflow plans covering all stages of the institution’s activities, including fund and information flows, the role of branches and agents, outsourcing service providers, stages of outsourcing, electronic money redemption (for EMIs), and bank accounts to be used.
- All other tasks for which the Board is responsible under the relevant legislation, including arrangements required under Article 31 of Law №6493.
Specific Duties and Obligations
Nature and Management of Outsourcing (Article 21/2, Payment Services Regulation)
Outsourcing arrangements may not be structured in a way that effectively delegates or transfers the powers and authorities of the institution’s “senior management” — a defined term covering Board members, the general manager, deputy general managers, and heads of internal control, risk management, and equivalent functions.
Management of Outsourced Information Systems (Article 16, Communiqué on Information Systems)
Senior management must establish adequate oversight of outsourced information systems. At minimum, this requires monitoring the availability, performance, quality, and security of outsourced services; the security controls and financial condition of the outsourcing provider; and contractual compliance — with annual reporting of these findings to the Board.
Internal Control Activities (Article 26/5, Payment Services Regulation)
Internal control activities must be conducted under the supervision of the Board or a designated non-executive Board member (not the general manager). Internal control personnel must report to the Board twice yearly, at end of June and December.
Risk Management Activities (Article 27/2, Payment Services Regulation)
Risk management activities must be conducted under the supervision of the Board or a designated non-executive Board member (not the general manager), carried out by non-executive personnel with relevant knowledge and experience. Risk management personnel must report to the Board twice yearly, at end of June and December.
Information Systems Management (Article 4, Communiqué on Information Systems)
Written policies on information systems management must be approved by the Board and reviewed at least annually. The organizational structure related to information systems, including job descriptions, must also be approved by the Board and reviewed annually. The Board bears explicit statutory responsibility for ensuring information systems management complies with the Communiqué.
Risk Management for Information Systems (Article 5, Communiqué on Information Systems)
Written risk management policies, procedures, and process documents must be approved by the Board. A comprehensive risk assessment of information systems must be conducted at least annually (and before significant changes), with results submitted to both the Board and the CBRT by the end of January each year covering the prior year.
Operation of Information Systems (Article 6, Communiqué on Information Systems)
Objectives for the reliability, resilience, and continuity of information systems must be defined and documented. Compliance with these objectives must be measured at least annually, with results evaluated by the Board; corrective actions must be determined in cases of non-compliance.
Incident Management and Cyber Incidents (Article 7, Communiqué on Information Systems)
Cyber incident response plans must be tested at least annually. Test results must be reported to the Board.
Information Security Management (Article 8, Communiqué on Information Systems)
An information asset classification manual must be approved by the Board. The information security management system must be monitored for legislative and framework compliance, with at least annual reporting to the Board.
Management Declaration (Article 29, Communiqué on Information Systems)
For each CBRT audit period, the institution must prepare a management declaration — approved by both the Board and the general manager — providing assurance regarding the internal controls established under the Communiqué.
Administrative and Criminal Sanctions
Obstruction of Audit and Supervision; Failure to Provide Information (Article 29, Law №6493)
Obstruction of CBRT audit or supervision duties: 1–3 years imprisonment. Failure to provide requested information or documents: 3 months–1 year imprisonment and up to a 1,500-day judicial fine. These sanctions apply to the individual Board member who commits the act, not to the Board as a collective body. Prosecution requires a written application by the CBRT to the Chief Public Prosecutor’s office.
False Statements (Article 30, Law №6493)
False statements in documents submitted to authorities, inspectors, or courts: 1–3 years imprisonment and up to a 2,000-day judicial fine, applied to the person or persons signing the documents. Again, individual rather than collective Board liability.
Breach of Recordkeeping and Information Security Obligations (Article 31, Law №6493)
Failure to comply with the document retention obligation in Article 23(1) of the Law (10-year retention within Turkey): 1–3 years imprisonment and a 500–1,500-day judicial fine. Additional sanctions of 1–3 years imprisonment and up to a 1,000-day judicial fine apply to institution officials and transaction executors who fail to protect personalized security credentials or ensure secure delivery of payment instruments. Negligent commission of these offences: up to a 1,000-day judicial fine. Prosecution generally requires a CBRT application to the Chief Public Prosecutor, unless the affected party applies directly.
Disclosure of Confidential Information (Article 32, Law №6493)
Disclosure of trade secrets or customer secrets learned in the course of duties — to any person not explicitly authorized by law — by shareholders, Board members, employees, or other institution officials: 1–3 years imprisonment and up to a 1,000-day judicial fine. This sanction applies even after the individual has left their position.
Off-the-Books Transactions and Inaccurate Accounting (Article 35, Law №6493)
Recording transactions off-the-books or in a manner that does not reflect their true nature: 1–3 years imprisonment and up to a 2,000-day judicial fine, applied to the person or persons signing the relevant documents. Individual, not collective, Board liability.
Embezzlement (Article 36, Law №6493)
Embezzlement for personal or third-party benefit by shareholders, Board members, employees, or institution officials: 6–12 years imprisonment and up to a 5,000-day judicial fine, plus an obligation to indemnify the institution for resulting damages.
Aggravated circumstances (fraudulent concealment): not less than 12 years imprisonment and up to a 20,000-day judicial fine, with the fine floor set at three times the damage caused.
Mitigating factors: voluntary return of embezzled assets or full compensation of damage prior to investigation reduces the sentence by two-thirds; prior to prosecution, by half; prior to final verdict, by one-third. Low-value embezzlement may also attract a sentence reduction of one-third to one-half.
LAW NO. 5549 AND ITS SECONDARY REGULATIONS (MASAK LEGISLATION)
Licensed payment and electronic money institutions are “obligated entities” under Turkey’s AML/CFT framework, which means they are subject to the full compliance program requirements administered by MASAK.
Duties and Responsibilities of the Board
Ultimate Responsibility and Delegation of Authority (Article 6, Regulation on Compliance Programme)
The Board holds ultimate responsibility for the adequate, effective, and proper execution of the entire AML compliance program. For institutions that are part of a financial group, the parent entity’s Board bears ultimate responsibility for group-level compliance program oversight.
The Board’s specific responsibilities include: appointing the compliance officer and deputy compliance officer; defining in writing their authorities and responsibilities; approving institutional AML policies, annual training programs, and any amendments; evaluating the results of risk management, monitoring/control, and internal audit activities; taking measures to rectify identified errors and deficiencies promptly; and ensuring all compliance program activities are carried out effectively and in a coordinated manner.
The Board may delegate part or all of its authority under this article (explicitly and in writing) to one or more Board members residing in Turkey. Such delegation does not, however, discharge the Board’s ultimate liability.
Establishment of Policies and Procedures (Article 9, Regulation on Compliance Programme)
Following license issuance, the institution must establish its institutional AML policy within 30 days of the compliance officer’s appointment. The policy must be approved by the Board within the same timeframe.
Appointment of Compliance Officer and Deputy (Article 16, Regulation on Compliance Programme)
The compliance officer must be drawn exclusively from internal personnel and must report directly to the Board (or to the Board member(s) to whom authority has been delegated). The compliance officer may hold other responsibilities within the institution, provided those responsibilities are unrelated to sales and marketing and do not impair execution of the compliance program. The legally required commitment form for the compliance officer and deputy must be signed by the Board (or its delegated member(s)) and submitted to MASAK within 10 days of appointment.
Compliance Unit (Article 18, Regulation on Compliance Programme)
The Board must establish a compliance unit reporting directly to the compliance officer, appropriately resourced for the institution’s business size, transaction volume, branch network, and risk exposure.
Internal Audit (Article 18, Regulation on Compliance Programme)
Deficiencies, errors, and misconduct identified through internal audits — together with recommendations for prevention — must be reported directly to the Board.
Administrative and Criminal Sanctions
Where a breach is detected in connection with training, internal audit, control, risk management systems, compliance officer appointment, or other measures required under Article 5 of Law №5549, a written warning is first issued, granting at least 30 days for rectification.
If deficiencies are not resolved within that period, the following escalation applies:
- First Stage: Administrative fine imposed; new written warning issued granting at least 60 days.
- Second Stage: If deficiencies remain unrectified after 60 days, a second administrative fine equal to twice the first is imposed.
- Third Stage: If deficiencies are still not resolved within 30 days of the second fine notification, the matter is referred to the relevant authority to initiate suspension, restriction of activities, or revocation of the operating license.
Subject to the above warning and timing requirements, the responsible Board member — or, in their absence, the senior executive responsible — is personally fined an amount equal to one-quarter (1/4) of the administrative fine imposed on the institution.
Violations of the following specific provisions carry 1–3 years imprisonment and up to a 5,000-day judicial fine:
- Article 4(2) of Law №5549 — disclosing to third parties that a suspicious transaction report has been filed (confidentiality obligation)
- Article 7 — failure to provide MASAK or its auditors with requested information and documents
- Article 8 — failure to retain and produce documents as required (8-year retention obligation)
These criminal sanctions arise primarily from institutional operational failures rather than direct Board-level acts; however, Board members who are personally responsible for the relevant breach may face individual prosecution.
LIABILITY ARISING FROM PUBLIC RECEIVABLES LEGISLATION
Under certain circumstances, Board members bear personal liability — with their private assets — for administrative fines imposed on the institution under both the Fintech and MASAK frameworks.
The mechanism operates as follows: under Article 3 of Law №6183 on the Collection Procedure of Public Receivables, administrative fines qualify as public receivables.
Duplicate Article 35 of the same Law provides that where a public receivable cannot be collected in full or in part from the institution’s assets — or where it becomes apparent that collection from the institution is not possible — the outstanding amount shall be recovered directly from the personal assets of the institution’s Board members.
The fact that the institution has entered liquidation or has been dissolved does not remove the Board members’ liability for obligations arising prior to the liquidation date. Board members who pay under this provision retain a right of recourse against the institution.
For international investors and appointees, this is a non-trivial risk: Turkish tax and public receivables enforcement is robust, and the personal asset exposure of Board members is not limited to their shareholding in the institution.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.