Turkey has had a complicated relationship with crypto. The payment ban in 2021. The ongoing debates about capital controls. The MASAK reporting thresholds. None of this is new territory for anyone operating in this market.
What is newer is the BDDK's more specific attention to DeFi protocols — not just centralized exchanges, but the underlying infrastructure that powers permissionless finance. If you're building or using DeFi tools in Turkey, this guidance matters. Here's our read of it.
What the BDDK issued and when
The Banking Regulation and Supervision Agency (BDDK) published supplementary guidance in Q4 2025 addressing the obligations of technology providers that interface with Turkish financial institutions. The guidance doesn't introduce new law — it clarifies how existing banking law applies to infrastructure that routes digital assets.
The key distinction the BDDK makes is between a service provider that passively processes transactions and one that has discretion over routing decisions. Protocols that apply routing logic and can influence transaction outcomes are treated differently than simple relay systems.
The three obligations that changed
Before the Q4 2025 guidance, most DeFi infrastructure providers operating in Turkey followed MASAK obligations primarily — transaction reporting above 75,000 TL, enhanced due diligence for politically exposed persons, and record retention for five years. Those requirements haven't changed.
What's new:
- KYC at the protocol layer. If a DeFi protocol routes transactions for Turkish institutional clients, the protocol provider — not just the client — must maintain KYC records for those client relationships. This effectively extends the bank-style KYC obligation upstream to infrastructure providers.
- AML screening on routing decisions. The guidance explicitly states that routing protocols should not process transactions involving wallets on MASAK or EU AML watchlists. This means AML screening needs to happen before a transaction is routed, not just reported after the fact.
- Audit trail for cross-border flows. Any cross-chain transfer that originates from or terminates at a Turkish institution must have a full audit trail accessible to regulators within 48 hours of a formal request. Not within 5 business days — 48 hours.
What this means in practice
For teams using off-the-shelf DeFi bridges or aggregators not specifically designed for the Turkish regulatory environment, the 48-hour audit trail requirement alone is likely non-compliant. Most public bridges don't generate structured audit logs. And even if they did, the KYC obligation requires a documented relationship that doesn't exist in permissionless contexts.
The guidance isn't designed to kill DeFi in Turkey. It's designed to give regulators the visibility they need to feel comfortable allowing institutional money into these markets. That's actually a reasonable position.
This is exactly the problem we built the Defimec compliance layer to solve. Our transactions log to a structured audit database with full chain attribution. AML screening runs before routing, not after. And for institutional clients, we maintain KYC documentation as part of onboarding.
What about smaller operators?
The guidance is targeted at institutions under BDDK supervision — banks, licensed payment service providers, investment firms. If you're an individual developer or a startup that doesn't hold a banking license, these specific obligations don't apply to you directly.
But. If you're building products that institutional clients will use, you'll need to meet these requirements indirectly. Your institutional clients will ask whether your infrastructure satisfies their compliance obligations. If the answer is no, they can't use it.
The EU MiCA parallel
It's worth noting that Turkey's direction here mirrors what's happening under EU MiCA, even though Turkey isn't an EU member. MiCA requires crypto asset service providers to apply AML/KYC procedures equivalent to those applied by traditional financial institutions. The BDDK guidance essentially says the same thing, adapted for Turkish law.
For operators that need to be compliant in both markets, this convergence is actually good news. Build for one framework carefully, and you're most of the way there for the other. The underlying requirements — audit trails, AML screening, KYC records — are similar.
What we'd recommend
If you're operating DeFi infrastructure in Turkey and haven't reviewed your compliance posture against the Q4 2025 BDDK guidance, start there. The three obligations outlined above are the ones most likely to catch teams off guard. Particularly the 48-hour audit trail requirement — that one has a hard technical dependency that can't be solved quickly if you haven't built for it.
If you're evaluating infrastructure vendors, ask them directly whether their systems generate audit logs that satisfy the 48-hour requirement, whether they run pre-routing AML screening, and whether they have a documented process for KYC in institutional relationships.
The Turkish DeFi market is real and growing. But building here requires taking the regulatory environment seriously. That's not a disadvantage — it's what separates operators who will still be here in five years from those who won't.
