Subject 07: Online Banking- Electronic Money, Crypto Currency, and Central Bank Digital Currencies

  • Online Banking Frauds and Legal Liability

Internet banking frauds are usually carried out in two steps.

In the first step, individuals known as hackers obtain the customer’s account information, such as passwords and PINs.

In the second step, the hacker uses this information to commit fraudulent activities by transferring the victim’s money to another account.

For the initial step, hackers typically employ various methods to obtain the customer’s personal information, which often involve using similar approaches.

Pirates who acquire passwords through spyware can easily conduct transactions as if they were the account owner using these obtained passwords.

In the second stage, stolen funds are typically withdrawn as cash through bank branches or ATMs, loaded onto credit cards for spending, or, as seen in recent times, used to top up mobile phone credits. It’s evident that merely obtaining the customer’s password is not sufficient to complete the action and cause harm in cases of this kind of fraud. In fact, stolen funds can be blocked and returned to the customer’s account before they are spent. This situation can be likened to someone breaking into a house and leaving stolen items inside because they cannot take them outside.

  • Turkish Supreme Court General Assembly Main Case: 2012/11-550 Decision: 2012/820 Decision Date: 21.11.2012

The dispute brought before the General Assembly of the Court of Cassation revolves around whether there is any negligence on the part of the plaintiff in the case of money from the account at the defendant bank being withdrawn by third parties through internet banking without the plaintiff’s consent.

In order to resolve the dispute, it is first beneficial to clarify the legal nature of the concept of internet banking and the contracts entered into between banks and their customers.

The internet is a communication environment created through computers by multiple communication networks. (Sözer, B.; Electronic Contracts, Istanbul 2002, p.7)

Today, the internet has become a vast global computer network. Internet banking, which benefits from this communication network, is an electronic form of banking that allows almost all banking transactions to be conducted online due to technological advancements. In other words, interactive banking can also be defined as a form of banking where banking services are offered through the internet.

As defined in common terms in contracts prepared by banks, internet banking is a method where individuals can carry out all kinds of transactions on their bank accounts, within the rules and limits set by the bank, using computers, GSM, phones, and other devices via cable, wireless communication systems, and technical conditions, as well as through the internet-wap, with an automatic, voice response system using a password and PIN.

The most significant issue in internet banking is undoubtedly security. In providing and receiving secure internet banking services, both the bank and the customer have obligations and responsibilities. In this context, since banks offer internet banking services to their customers, it is of utmost importance for them to take all necessary precautions to ensure the security of this system and make it compliant with the latest technological developments. Without a doubt, customers should also take necessary measures to prevent their username, password, and other information provided for internet banking from falling into the hands of third parties and exercise the utmost care in this regard.

Cybercrime actions that can occur in the online environment largely involve unauthorized interference with computer systems or data for various purposes, often causing harm to the system, and the presence of some harmful content in this system. For instance, actions with the intent of damaging a computer system, altering data, sending unauthorized emails for malicious purposes (spam), viruses, and harmful codes such as Trojan horses, or the distribution of child pornography fall into this category. (Mahmut Koca, Ünal Tekinalp Armağan, Vol. 3, Istanbul 2003, pp. 789-790)

Special regulations and interpretations regarding the liability of banks are necessary due to the ineffective application of the principle of freedom of contract in the field of banking transactions. (Ahmet Battal, Legal Liability of Banks in the Light of the Trust Agency Classification, Ankara, 2001, p.1)

The main issue in internet banking revolves around what will happen when an account holder with no fault suffers damage due to the internet banking system.

Banks are institutions that collect money from the public with interest or profit-sharing arrangements through written or verbal announcements and, at the same time, make profits from these deposits while contributing to the strengthening of the Turkish economy. Banks are obliged to return the deposited money, either upon request or at a specified maturity, in kind or in a similar manner. In this respect, a deposit contract, which has characteristics of a loan (Karz) or an irregular deposit agreement, should be treated analogously as the qualities of the deposit allow (this principle is also mentioned in the decision of the General Assembly of the Court of Cassation dated 15.06.1994, numbered 1994/11-178-398).

As is known, the loan agreement is regulated in Articles 306 and subsequent articles under the title “Contract of Loan” of the Turkish Civil Code No. 818. According to this provision, a loan is defined as follows: “A loan is an agreement by which the lender transfers to the borrower the ownership of a certain amount of money or other equivalent things, and the borrower is obliged to return to the lender an equal amount and equivalent things of the same kind, together with interest, if agreed.” Consequently, the bank in the position of the borrower is obligated to return the borrowed money, along with interest if specified.

This provision is also regulated in Article 61 of Law No. 5411 on Banks. The first paragraph of that article states, “Without prejudice to the provisions of the Turkish Civil Code No. 4721 regarding pledges and the right of retention, the transfer of debt, and assignment under the Turkish Commercial Code, as well as the authority and obligations imposed by other laws, the right of deposit and Participation by fund holders to recover the amounts payable to them cannot be restricted in any way.”

In the case of irregular deposits, as stipulated in Article 472/1 of the Turkish Civil Code, the absolute right to the money in case of an irregular deposit will pass to the person who holds it.

According to Article 20 of the Turkish Commercial Code, a bank is also required to demonstrate the degree of care expected from a prudent merchant; otherwise, it can be held liable even for a slight defect. Contracts aimed at relieving this liability are not valid. This is because, as per Articles 99 and 100/3 of the Turkish Civil Code, contracts that exempt the debtor from liability in cases of fraud and gross negligence are considered unethical and against the principles of good faith, and therefore, invalid.(Mustafa Çeker, Hukuki Yönüyle Banka Mevduatı, Adana 2004, S.281-233)

Limitations placed on exemption agreements are based on the purpose of protecting weaker individuals against stronger entities (social justice). 

Banks are considered institutions of trust, established by special laws, granted various privileges in their fields, and obliged to protect deposits against fraud carefully. Banks are under an objective diligence obligation, meaning they are responsible even for slight defects.

Banks, just like in other areas, have an obligation to ensure system security in transactions conducted in the online environment. Within this framework, the bank must establish a security mechanism that prevents third parties from obtaining password information during interactive banking transactions to enable depositors to transact securely. If system security cannot be maintained, the liability for damages arising from this failure will be attributed to the bank.(Mustafa Çeker, İnternet Bankacılığı İşlemlerindeki Usulsüzlüklerden Bankaların Sorumluluğu, S.8)

In light of these explanations, banks engaged in internet banking activities are obligated to reimburse depositors’ funds in the event that the funds are transferred irregularly by third parties in the online environment, in accordance with the legislation explained above. Funds withdrawn through irregular transactions are essentially considered a loss incurred by the bank, and the depositor’s claim against the bank remains intact. The bank may request a reduction in compensation if it can prove that the depositor was partly at fault for the occurrence of the irregular transaction.

Some members in the General Assembly argued that certain personal information, such as passwords and similar data necessary for utilizing internet banking, cannot be obtained by external access to the bank’s computer system. They argued that these details are typically acquired through external interventions on customers’ computers, and as such, customers who fail to safeguard their personal information adequately should be held responsible for losses caused by computer hacking. However, this viewpoint was not adopted by the majority of the Assembly. It was stated that, given the current level of technology, it is possible to implement advanced security measures like electronic signatures, and it is the responsibility of service-providing banks to take such precautions.

In the specific case at hand, the defendant bank could not prove the plaintiff’s contributory negligence or any actions that could constitute a crime. Consequently, the defendant bank is obliged to reimburse the plaintiff for the deposit that the plaintiff entrusted to them.

In light of this, adherence to the Special Chamber’s decision in line with the General Assembly’s decision should have been followed. However, resisting the previous decision is procedurally and legally incorrect.

Therefore, the decision to resist should be overturned.”

  • Turkish Supreme Court 11th Civil Division E.2017/4888 K. 2019/2015 Date: 11.03.2019

“The case pertains to the compensation of damages suffered due to the withdrawal of the funds in the account opened with the defendant bank, as a result of transactions made via the internet without the knowledge and consent of the plaintiff. Banks are obliged to return the funds deposited with them when requested by depositors or within a specified period, either in kind or with equivalent. (Law No. 4491 amended Banking Law No. 4389 and Article 61 of Banking Law No. 5411) According to this definition, it is a unique contract that possesses the characteristics of a deposit with a loan and unlawful deposit agreements. According to Articles 306 and 307 of the Turkish Civil Code, the borrower must return the borrowed money along with the agreed interest at the end of the agreement. Furthermore, Article 472/1 of the same Law stipulates that, in the case of an unlawful deposit, the ownership and damages of the money are transferred to the one who keeps it absolutely; hence, they can use this money in their favor without further explanation. Therefore, from this perspective, the funds withdrawn through unauthorized transactions actually constitute a direct loss for the bank, and the depositor’s claim against the bank remains unaffected. If it is proven that the unauthorized transactions occurred due to the plaintiff’s collusion with third parties or in another way, the plaintiff may be found at fault, and the bank may request a setoff from the plaintiff’s receivables based on the degree of this fault. In the specific case, the money belonging to the plaintiff was transferred from the plaintiff’s account to another account under the name of an identified person, with a fraudulent transaction carried out against the bank. This situation will not exempt the defendant bank from its obligation to return the deposited funds. It is not proven from the case files that the plaintiff acted in collusion with third parties in the transactions or acted negligently in any other way. It is evident that the defendant bank did not ensure the complete security of the funds in the account, failed to protect it from malicious individuals’ transactions, did not develop effective mechanisms and security measures against these individuals’ actions and transactions, and did not make the use of these measures mandatory for its customers. Therefore, it should be accepted as a principle that the defendant bank is responsible for the entire amount withdrawn from the account. For the reasons explained, it should be ruled by the court that the defendant bank’s obligation to return the deposit still continues, and a judgment should be issued accordingly. However, the decision, with its written justifications, was erroneously deemed correct, and the decision should be reversed in favor of the appellant for the reasons explained.”

  • Turkish Supreme Court 19th Civil Chamber, Reference Number: 2016/9607, Decision Number: 2017/5061, Decision Date: June 15, 2017

“The plaintiff’s attorney has filed a lawsuit, stating that an expenditure of 1,200 USD was made from the client’s card without their knowledge. The plaintiff claims that as soon as they received a message notifying them of this transaction, they immediately contacted the defendant bank to report that these transactions were unauthorized and that they did not give consent. However, despite the plaintiff’s immediate action, the defendant did not take any measures, and the debt was charged to the plaintiff’s card. The plaintiff alleges that the amount was paid by the client and that the defendant is responsible for this unauthorized expenditure due to their failure to take sufficient precautions. The plaintiff requests a decision for the refund of the amount paid by the client.

The defendant’s attorney claims that the transaction in question was made by entering a password through the ‘3D Secure’ system, and that the cardholder is responsible for transactions made by entering card passwords and other information from 3D security member merchants. As a result, the defendant requests the dismissal of the lawsuit.

According to the court’s judgment based on the conducted trial and accepted expert report, it was determined that the transaction in question was carried out using the ‘3D Secure’ system. This system aims to provide security for credit card transactions made over the internet. Committing fraud over the internet requires a substantial amount of knowledge. Banks should ensure that customers perform internet transactions using different passwords each time, rather than fixed passwords, to prevent this. There was no information or evidence indicating that the defendant bank used different passwords. Since the defendant bank did not provide sufficient security during the transactions, the court concluded that they were at fault, and the lawsuit was accepted. The judgment was subsequently appealed by the defendant’s attorney.”

  • Payment And Securities Settlement Systems, Payment Services And Electronic Money Institutions
  • Payment And Securities Settlement Systems, Payment Services

In accordance with the definitions set forth in Law No. 6493 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions published in the Official Gazette dated June 27, 2013, and numbered 28690, the following terms are defined as follows:

 Payment institution: Legal person authorized pursuant to this Law to provide and execute payment services

In accordance with Article 12 of the law, payment services encompass the following activities:

  1. a) All the transactions required for operating a payment account including the services enabling cash to be placed on and withdrawn from a payment account,
  2. b) Execution of payment transactions, including transfer of funds on a payment account with the user’s payment service provider, direct debits, including one-off direct debits, payment transactions through a payment card or a similar device, credit transfers including standing orders,
  3. c) Issuing or acquiring payment instruments,

ç) Money remittance,

  1. d) Execution of payment transaction, where the consent of the payer to execute a

payment transaction is given by means of any telecommunication, digital or IT device and the payment is made to the telecommunication, IT system or network operator, acting only as an intermediary between the payment service user and the supplier of the goods and services, 

  1. e) Corresponding services enable bill payments
  2. f) (Amendment: 12/11/2019-7192/8 Article) The service of initiating a payment order related to a payment account held with another payment service provider upon the request of the payment service user.
  3. g) (Amendment: 12/11/2019-7192/8 Article) The service of initiating a payment order related to a payment account held with another payment service provider upon the request of the payment service user,

ğ) (Amendment: 12/11/2019-7192/8 Article) The service of providing consolidated information regarding one or more payment accounts held with one or more payment service providers, on online platforms, subject to obtaining the approval of the payment service user,

According to the provision in Article 13, Payment Service Providers are limited in number, and individuals or entities outside of banks and payment service providers cannot offer payment services:

  1. a) Banks within the scope of Law No. 5411,
  2. b) Electronic money institutions,
  3. c) Payment service providers,

ç) (Amendment: 17/4/2017-Decree Law/690-68th Article; Accepted as is: 1/2/2018-Law No. 7077/58th Article.) Post and Telegraph Corporation Incorporated Company are considered payment service providers.

  • Electronic Money İnstitutions

In accordance with the definitions provided in Law No. 6493 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions published in the Official Gazette dated 27/6/2013 and numbered 28690;

Electronic money: Monetary value which is issued on the receipt of funds by an electronic money issuer, stored electronically, used to make payment transactions defined in this Law and accepted as a payment instrument also by natural and legal persons other than the electronic money issuer,

Electronic money institution: Legal person who has been granted authorization to issue electronic money under this Law

In order to establish electronic money companies, certain conditions have been specified. 

    1. Pursuant to Article 11 of the Regulation on Payment Services and Electronic Money Issuance, Payment Institutions, and Electronic Money Institutions, it is mandatory to obtain an operating license from the Central Bank as specified.
  • According to Article 5 of the Law, electronic money companies must meet the following requirements in order to be established:
  1. To be established as a joint stock company. 
  2. To have at least five million Turkish Liras of paid-in capital which is cash and free of all kinds of collusions.
  3. To employ a sufficient number of qualified staff and to have adequate technical equipment and management to operate the system. 
  4. To have sufficient risk management and to take necessary measures regarding information security, information reliability and business continuity. 
  5. To ensure the compliance of the system, participants and operating rules with this Law and with the regulations to be issued pursuant to this Law. 
  6. To have its shares issued against cash and be fully registered in its name, 
  7. To have a transparent and open partnership structure and organizational chart that will not constitute an obstacle to the efficient oversight of the Bank. 
  8. To have its shareholders, who own ten percent or more shares in capital and who have the control, meet the bank founders’ eligibility criteria laid down in the Banking Law No. 5411 dated October 19, 2005. 

Providing services as an unauthorized payment service provider is regulated as a crime in Article 28 of the law.

“(1)Natural persons and officers of legal persons who act as system operators, payment institutions or electronic money institutions without having licenses that should be obtained pursuant to this Law, shall be sentenced to imprisonment for one year to three years and a judicial fine of up to five thousand days.

(2) Natural persons or officers of legal persons who use words and expressions that could create the impression that they are acting as system operators, payment institutions, or electronic money institutions in their business titles, all kinds of documents, notices, advertisements, or public statements without having the license that should be obtained pursuant to this law shall be sentenced to imprisonment for one to three years and a judicial fine of up to five thousand days. 

(3) In cases where the offenses defined in the first and second paragraphs are committed within the body of a business place, such business places may be closed for two to six months and permanently if such acts are repeated.

(4) Provisions of this article shall be enforced in cases in which a system operator, payment institution, or electronic money institution whose operating license  granted pursuant to this law has been withdrawn continues its activity.

As of 2023, the active Payment Institutions listed on the Central Bank of Turkey (TCMB) website are as follows:

Aktif Ödeme Kuruluşları (Kodlar)

Aypara Ödeme Kuruluşu A.Ş. (880)

Ceo Ödeme Hizmetleri A.Ş. (878)

Efix Ödeme Hizmetleri A.Ş. (876)

Elekse Elektronik Para ve Ödeme Kuruluşu A.Ş. (855)

Faturakom Ödeme Hizmetleri A.Ş. (858)

Föy Fatura Ödeme Kuruluşu A.Ş. (859)

Global Ödeme Hizmetleri A.Ş. (884)

GönderAl Ödeme Hizmetleri A.Ş. (851)

İstanbul Ödeme ve Elektronik Para A.Ş. (883)

Klon Ödeme Kuruluşu A.Ş. (881)

MoneyGram Turkey Ödeme Hizmetleri A.Ş. (871)

N Kolay Ödeme ve Elektronik Para Kuruluşu A.Ş. (852)

Nestpay Ödeme Hizmetleri A.Ş. (865)

Octet Express Ödeme Kuruluşu A.Ş. (874)

Ödeal Ödeme Kuruluşu A.Ş. (868)

Paragram Ödeme Hizmetleri A.Ş. (888)

Pay Fix Elektronik Para ve Ödeme Hizmetleri A.Ş. (882)

Paybull Ödeme Hizmetleri A.Ş. (892)

Paynet Ödeme Hizmetleri A.Ş. (866)

Paytrek Ödeme Kuruluşu Hizmetleri A.Ş. (856)

Pratik İşlem Ödeme Kuruluşu A.Ş. (860)

Ria Turkey Ödeme Kuruluşu A.Ş. (879)

Sender Ödeme Hizmetleri A.Ş. (875)

Trend Ödeme Kuruluşu A.Ş. (862)

Tronapay Ödeme Hizmetleri A.Ş. (887)

Vezne24 Tahsilat Sistemleri ve Ödeme Hizmetleri A.Ş. (885)

Western Union Turkey Ödeme Hizmetleri A.Ş. (886)

Payment Institutions Whose Operating Licenses Have Been Revoked

Buradaöde Ödeme Kuruluşu A.Ş.

Misyon Ödeme Hizmetleri A.Ş.

Tam Fatura Ödeme Hizmetleri A.Ş.

Paytrek Ödeme Kuruluşu Hizmetleri A.Ş.

Payment Institutions Whose Operating Licenses Have Expired

PayU Ödeme Kuruluşu A.Ş.

As of 2023, the active Electronic Money Institutions listed on the TCMB (Central Bank of the Republic of Turkey) website are as follows:

A Ödeme ve Elektronik Para Hizmetleri A.Ş. (913)

Ahlatcı Ödeme ve Elektronik Para Hizmetleri A.Ş. (894)

As Ödeme Hizmetleri ve Elektronik Para A.Ş. (911)

Aköde Elektronik Para ve Ödeme Hizmetleri A.Ş. (836)

Belbim Elektronik Para ve Ödeme Hizmetleri A.Ş. (828)

Birleşik Ödeme Hizmetleri ve Elektronik Para A.Ş. (825)

BPN Ödeme ve Elektronik Para Hizmetleri A.Ş. (850)

Cemete Elektronik Para ve Ödeme Hizmetleri A.Ş. (826)

Ceo Ödeme ve Elektronik Para Kuruluşu A.Ş. (878)

D Ödeme Elektronik Para ve Ödeme Hizmetleri A.Ş. (830)

Dgpara Ödeme ve Elektronik Para Kuruluşu A.Ş. (893)

DSM Ödeme ve Elektronik Para Hizmetleri A.Ş. (848)

Erpa Ödeme Hizmetleri ve Elektronik Para A.Ş. (837)

Fastpay Elektronik Para ve Ödeme Hizmetleri A.Ş. (891)

Faturamatik Elektronik Para ve Ödeme Kuruluşu A.Ş. (861)

Fzypay Elektronik Para ve Ödeme Hizmetleri A.Ş. (896)

Hızlıpara Ödeme Hizmetleri ve Elektronik Para A.Ş. (833)

IQ Money Ödeme Hizmetleri ve Elektronik Para A.Ş. (889)

İninal Ödeme ve Elektronik Para Hizmetleri A.Ş. (832)

İstanbul Ödeme ve Elektronik Para A.Ş. (883)

İyzi Ödeme ve Elektronik Para Hizmetleri A.Ş. (864)

Lydians Elektronik Para ve Ödeme Hizmetleri A.Ş. (890)

Moka Ödeme ve Elektronik Para Kuruluşu A.Ş. (857)

Moneyout Elektronik Para ve Ödeme Hizmetleri A.Ş. (917)

Moneypay Ödeme ve Elektronik Para Hizmetleri A.Ş. (842)

N Kolay Ödeme ve Elektronik Para Kuruluşu A.Ş. (852)

Nomu Pay Ödeme ve Elektronik Para Hizmetleri A.Ş. (831)

Ozan Elektronik Para A.Ş. (839)

Paladyum Elektronik Para ve Ödeme Hizmetleri A.Ş. (834)

Papara Elektronik Para A.Ş. (829)

Papel Elektronik Para ve Ödeme Hizmetleri A.Ş. (914)

Parakolay Elektronik Para A.Ş. (847)

ParaQR Elektronik Para ve Ödeme Hizmetleri A.Ş. (897)

Parolapara Elektronik Para ve Ödeme Hizmetleri A.Ş. (846)

Payco Elektronik Para ve Ödeme Hizmetleri A.Ş. (849)

Paypole Ödeme Hizmetleri ve Elektronik Para A.Ş. (916)

Paytr Ödeme ve Elektronik Para Kuruluşu A.Ş. (863)

Pratik İşlem Ödeme ve Elektronik Para A.Ş. (860)

Rubik Elektronik Para ve Ödeme Hizmetleri A.Ş. (899)

Sipay Elektronik Para ve Ödeme Hizmetleri A.Ş. (838)

Token Ödeme Hizmetleri ve Elektronik Para A.Ş. (840)

Tom Pay Elektronik Para ve Ödeme Hizmetleri A.Ş. (912)

TT Ödeme ve Elektronik Para Hizmetleri A.Ş. (870)

TTM Elektronik Para ve Ödeme Hizmetleri A.Ş. (843)

Turk Elektronik Para A.Ş. (827)

Turkcell Ödeme ve Elektronik Para Hizmetleri A.Ş. (869)

Turkonay Elektronik Para ve Ödeme Hizmetleri A.Ş. (915)

UPT Ödeme Hizmetleri ve Elektronik Para A.Ş. (853)

Vepara Elektronik Para ve Ödeme Hizmetleri A.Ş. (845)

Vizyon Elektronik Para ve Ödeme Hizmetleri A.Ş. (854)

Vodafone Elektronik Para ve Ödeme Hizmetleri A.Ş. (835)

III. Crypto Currencies Law

  • In General

Like everything that evolves and changes with technology, money is also adapting to the requirements of the age. In recent years, concepts such as Digital Money, Virtual Money, and Cryptocurrency have found their place in our lives.

Digital currencies have not yet been legally regulated and accepted in a consistent manner. Although there are regulations regarding Electronic Money and Payment Institutions in Turkey, concepts referred to as digital money, virtual money, or cryptocurrency have not been legally defined.

Cryptocurrencies operate on a network formed by the convergence of many servers, known as “Blockchain Technology.”

  • Key Features of Cryptocurrency:

Cryptocurrencies can be produced by solving complex algorithms using high-performance computers, a process often referred to as “crypto mining.”

Regarding the security of cryptocurrency, according to a report published by the Banking Regulation and Supervision Agency (BDDK): “Cryptocurrencies are not easily counterfeited due to the complex mathematical functions they contain, they can change hands rapidly without adhering to specific rules, and they can gain user trust since the same cryptocurrency can be used in multiple places simultaneously as an alternative to real currencies. However, this does not mean that cryptocurrencies cannot be stolen. Just like real money, cryptocurrencies can be stolen, and they can be subject to various criminal activities. Cryptocurrencies, unlike printed money, are produced in a digital environment, which requires more technical knowledge for their protection. While the cryptocurrency itself may be secure, the devices and network vulnerabilities used with it can make it susceptible to theft.

Furthermore, when considering this context, taking precautions one level higher than those taken to protect any digital asset is advisable to safeguard the acquired cryptocurrencies. Establishing mechanisms that ensure the recipient of the cryptocurrency in e-commerce transactions is indeed the intended party by implementing the strictest security procedures in e-commerce can be vital because one of the most significant advantages of cryptocurrencies is their almost impossible traceability.

In this context, it would be appropriate to take a level higher measures than those taken to protect any digital asset to protect the crypto currencies in possession, and to establish mechanisms to ensure that the person to whom the cryptocurrency is sent is really the person who should be sent, by applying the strictest security procedures in e-commerce for the transactions that are made using that currency. “

  • Cryptocurrency Applications Worldwide

While there is a legal status and regulatory framework for electronic money in Turkey, it is observed that cryptocurrencies are not subject to legal regulation. 

The United States is one of the countries with a law related to virtual and cryptocurrencies. The Token Taxonomy Act of 2019 was introduced with the aim of regulating digital currencies. According to this law, virtual currencies are not considered securities, but virtual assets can be taxed as values.  (Source)

Canada is known for its moderate approach to cryptocurrencies and digital currencies like Bitcoin. It supports their use, except for money laundering. Cryptocurrencies can be freely used to purchase goods and services in places that accept digital money and can be converted into other currencies. In Canada, cryptocurrencies are considered commodities, and the existing tax law is applied to cryptocurrencies as well. (Source)

Australia does not classify Bitcoin as a currency or a foreign currency. The Australian Taxation Office (ATO) considers it an asset for capital gains tax purposes. (Source)

The European Union has published the MICA (Markets in Crypto-Assets Regulation) in June 2023. According to this regulation, a “crypto-asset” is defined as a “digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology.”

  • Place of Crypto Assets in Turkish Law
    1.  2013 BDDK Statement

In 2013, the Banking Regulation and Supervision Agency (BDDK) issued the following press release regarding cryptocurrencies:

“Bitcoin, known as a virtual currency that is not issued by any official or private institution and is not guaranteed for its counterpart, is not considered electronic money within the scope of the law due to its existing structure and operation. Therefore, its supervision and regulation are not deemed possible within the framework of the law. 

On the other hand, transactions involving Bitcoin and similar virtual currencies where the identities of the parties are not known create a suitable environment for the illegal use of these virtual currencies. In addition, Bitcoin is susceptible to risks such as extreme market volatility, theft or loss of digital wallets, and unauthorized use without the knowledge of the owners, as well as irreversible transactions, leading to risks stemming from operational errors or the misuse by malicious sellers.”

  • 2021 Cryptocurrency Regulation

Regulations regarding crypto assets have been introduced into Turkish law with the “Regulation on the Non-Use of Crypto Assets in Payments,” which was published in the Official Gazette on April 16, 2021.

According to Article 3 of the Regulation, a crypto asset is defined as an intangible asset that is created virtually using distributed ledger technology or a similar technology and distributed through digital networks. These assets are not classified as fiat money, book money, electronic money, payment instruments, securities, or other capital market instruments.

In accordance with the Regulation, the following rules apply to crypto assets:

  • Crypto assets should not be used directly or indirectly for payments.
  • Services should not be provided to enable the direct or indirect use of crypto assets in payments.
  • Payment service providers should not develop business models that involve the direct or indirect use of crypto assets in providing payment services and issuing electronic money.
  • Payment and electronic money institutions are regulated not to act as intermediaries for buying, selling, holding, transferring, or exporting services related to crypto assets or fund transfers made through these platforms.
  • Regulation Amendment on Crypto Assets in the Context of Preventing Money Laundering and Financing of Terrorism for the Year 2021

With an amendment to the Regulation on Measures Regarding the Prevention of Money Laundering and the Financing of Terrorism, published on May 1, 2021, crypto asset service providers have been included among the “obligated parties” in the context of enforcing the Law on Preventing Money Laundering.

Financial and non-financial institutions, as well as certain professions and occupations, are defined as “obligated parties” due to the possibility of being used as intermediaries by criminals in their areas of activity and the services they provide. In other words, the transactions and services provided by these obligated parties can be potentially used by criminals for the purpose of committing crimes. To prevent this, the obligated parties are expected to take on a “preventive” function by being educated and increasing their awareness about money laundering and combating terrorism financing.

Therefore, obligated parties are considered vital stakeholders in the fight against financial crimes, playing a significant role alongside the Financial Crimes Investigation Board. The status of obligated parties is defined in Article 2/1-d of Law No. 5549 on the Prevention of Money Laundering and in Article 4/1 of the Regulation on Measures Regarding the Prevention of Money Laundering and the Financing of Terrorism. According to an amendment to the Regulation published in the Official Gazette with issue number 31471 on May 1, 2021, a new subparagraph (u) has been added to Article 4 of the Regulation. This amendment includes “crypto asset service providers” among the obligated parties as of the date mentioned. (Source:

Obligations of Crypto Asset Service Providers According to the Regulation

  • Obligation for Identity Verification:

Obligated parties must identify the identities of those conducting transactions with them or on behalf of whom they mediate before any transaction is made. Identity verification is completed before establishing a business relationship or conducting a transaction. In the case of an ongoing business relationship, information is obtained about the purpose and nature of the business relationship.

  • Obligation to Report Suspicious Transactions:

According to Article 4 of Law No. 5549 titled “Suspicious Transaction Reporting,” obligated parties are required to report transactions that are conducted within their scope or through their intermediation if there is any information, suspicion, or circumstance that indicates that the assets involved in these transactions have been obtained through illegal means or are being used for illegal purposes. These transactions must be reported to the Financial Crimes Investigation Board (MASAK) by the obligated parties.

  • Obligation to Provide Information and Documents:

Public institutions and organizations, natural and legal persons, as well as entities without legal personality, are required to provide all kinds of information, documents, and records in any medium requested by the Presidency and inspection staff. They must provide all necessary information and passwords to access these records or make them readable accurately and completely.

  • Obligation to Preserve and Produce:

Obligated parties must preserve and produce all documents related to the obligations and transactions imposed by these laws for eight years starting from the date of document issuance, the last entry date for books and records, or the last transaction date for identity verification documents when requested by the authorities.

  • Court Decisions Related to Cryptocurrency 
  • Antalya Regional Court of Justice, 6th Civil Division, Case No: 2020/1149, Decision No: 2020/905

‘‘…Within the framework of the quoted Court of Cassation decision, it is evident that the decision to dismiss the request was made without conducting any investigation in the current case. However, it is clear that there is a specific situation in this case. The claimant has also requested the determination that the ‘Apple iCloud’ identity is included in the estate’s assets.

It is a well-known fact that while evolving technologies make human life more convenient, they also give rise to new concepts and legal issues. The transformation of the concept of property can be cited as the primary example of this. Until recently, the concept of property was centered around movable and immovable property, as well as certain limited real rights. However, in recent times, with the development of the concept of intellectual property, “Intellectual and Artistic Works” have been protected within the framework of property law, and various legal regulations have been made in this regard.

Yet, it can be observed that there is no legal regulation regarding digital property in the face of the inevitable digitization of our contemporary lifestyle. Until recently, email accounts, social media accounts, and similar digital applications were only for personal use and did not carry any financial value. However, in today’s world, these accounts have evolved into assets with monetary value generated through advertising revenue. Additionally, it is now evident that social media accounts and digital wallets, as well as the email accounts they are linked to, have gone beyond personal use and have become part of digital property with commercial value.

In this regard, citations have been made for the purpose of emphasizing some of the observations made during our participation, based on the article published by Yasemin Maraşlı DİNÇ, a Research Assistant in the Department of Civil Law at Tokat Gaziosmanpaşa University Faculty of Law, at the address

The use of social media has become an integral part of our lives as a result of the significant advancements in technology and the internet. Some individuals have even started to earn a living through social media platforms. In recent times, the number of people referred to as “YouTubers” has been increasing day by day. Moreover, selling products through “Facebook” or “Instagram” accounts or generating income by advertising on personal pages, especially those with a high number of followers, has become commonplace.

As a result of all these developments, the concepts of digital property or digital inheritance are not widely used within our legal system in Turkey. There are no legal regulations on this matter in Turkish law yet. In addition, this issue has not been adequately examined in Turkish legal doctrine and practice, possibly because it has not posed a problem in practice.

The concept of digital property refers to electronically stored assets such as videos, photos, emails, personal social media accounts, and other assets that exist solely in digital form. However, due to the constant evolution of the digital world, it is not possible to clearly define what constitutes digital property.

“Digital inheritance, on the other hand, is the transfer of such abstract assets to the heirs, making them part of the inheritance.”

As mentioned in the same article, the principles of inheritance, as embodied in Article 599/2 of the Turkish Civil Code (TCC), state: ‘’Assigned heirs win with the legacy of the inheritance. The legal heirs are obliged to hand over the inherited legacy to the assigned heirs in accordance with the provisions of their possession.’’

In today’s world, it is an undeniable and unignorable reality that digital assets exist. There are digital systems, known as cryptocurrencies, that are used even in international payments. Additionally, social media accounts that generate astronomical advertising revenues are increasing day by day. Similarly, channels are being established on digital platforms like YouTube and others, offering services based on advertising revenue and even subscription systems. In such an environment, it has been assessed that there is no legal regulation regarding digital property and digital inheritance and that there is a legal void in this regard.

According to Article 1 of Law No. 4721 of the Turkish Civil Code, ‘‘The law shall apply to all matters referred to by the word and its essence.

If there is no applicable provision in the law, the judge decides according to the customary law, otherwise whatever rule he would have made if he were a legislator.’’. 

It has been concluded that the determination of digital assets with financial value, including the deceased’s email account, associated social media accounts, digital wallet accounts, and other assets falling within the scope of Article 599 of the Turkish Civil Code, which should be included in the inheritance and transferred to the heirs, will be necessary.

When examined in the context of the file, the claimant specifically requests the determination that the ‘********’ account belongs to the deceased, in other words, the owner of the accounts associated with the deceased’s Apple ID, and that the client is the representative of the deceased. The claimant also seeks the establishment of the powers to be granted by the court as ‘legal consent’ in the manner used in the Electronic Communications Privacy Act.

As a result, considering that all of the deceased’s active and passive assets as of the date of the deceased’s death need to be determined as part of the request for determination by the court and that the digital assets should be included in the estate, a decision should have been made after the determination of the digital estate following the research and examination. However, by considering the deceased person’s email account within the scope of the privacy of private life, the decision to reject the request was erroneous.

In light of the reasons provided, it is considered that the appellant’s request for appeal should be accepted, the decision of the first-instance court should be annulled in accordance with Article 353/1-a.6 of the HMK, and the following judgment should be made.’’

III. Central Bank Digital Currency (CBDC)

  • In General, Digital Currency

Although the terms digital currency, cryptocurrency, electronic money, and similar-sounding concepts are often confused, they contain important characteristic differences.

Digital currency is also referred to as “Central Bank Digital Currency” (CBDC) and can be used in the form of CBDC or by adding the word “digital” to the country’s currency (e.g., digital euro, digital Turkish lira).

According to the European Central Bank’s definition,

“The digital euro will be digital, but, like euro banknotes, it will not replace cash; it will complement it. A digital euro will offer people an additional choice on how to pay and make it easier, contributing to accessibility and inclusivity.”

The frequently asked questions document released by the European Central Bank outlines the framework for this topic:

Why does Europe need a digital euro?

Digitalization is changing the way we pay. The use of cash is decreasing, and the COVID-19 pandemic has accelerated the trend towards online shopping and digital payments. A digital euro will be an electronic form of cash in the digital world. It will offer consumers the option to use central bank money in a digital format, complementing banknotes and coins.

A digital euro will make people’s lives easier and provide something that is not currently available: a universally accepted digital payment instrument for payments in stores, online, or peer-to-peer throughout the euro area. Like cash, the digital euro will be risk-free, widely accessible, user-friendly, and free for basic use.

Furthermore, a digital euro will strengthen Europe’s strategic independence and monetary sovereignty and contribute to the efficiency of the European payment ecosystem by promoting innovation and enhancing resilience against potential cyberattacks or technical interruptions, such as energy outages.

Does the digital euro replace cash?

No, the digital euro complements cash; it does not replace it. The digital euro will coexist with cash to meet the growing trend of people making digital payments quickly and securely. Cash will continue to be available in the Euro area, just as the currently used private electronic payment instruments will persist.

Will the e digital euro be an alternative currency within the Eurosystem?

No, a digital euro is not an alternative currency within the Eurosystem. It is a form of the euro, which is the single currency of Europe. A digital euro will be exchangeable one-to-one with banknotes. It will emerge in response to the growing trend of people and businesses making digital payments quickly and securely.

Where does the project stand now, and how are European legislative bodies getting involved?

In June 2023, the European Commission proposed a bill for a potential digital euro. This legal regulation aims to provide a widely accepted, affordable, secure, and resilient public currency for use throughout the euro area in the future.

Who will be able to use the digital euro?

As per the bill proposed by the European Commission and in compliance with the European Economic Area Agreement, the digital euro will be made available to individuals residing in or established in the euro area. Individuals residing in or established in a euro area country can, in principle, access a digital euro account.


Merchants outside the euro area can also accept digital euro payments if they have a euro area payment service provider.

Further down the line, depending on legal developments, consumers and merchants in the European Economic Area and/or selected third countries may also have access to the digital euro.

Why might people want to use a digital euro?

A digital euro will be a payment solution that can be used universally and at all times throughout the euro area. Consumers will have access to a universally accepted digital payment instrument that they can use for free in stores, online, or for peer-to-peer transactions. People will have the option to use digital payments when using a public payment instrument.

A digital euro will preserve cash-like features in the digital age and offer characteristics such as a high level of privacy and ease of use. Additionally, it will provide the highest level of privacy for digital payments: the Eurosystem will not have access to or store users’ personal data. Moreover, higher privacy options for offline digital euro payments will mean that only the payer and the payee are aware of the payment.

A digital euro aims to be secure and easy to use and is designed to promote digital financial inclusion for those who do not have digital or financial skills or access to bank accounts or digital devices. To make the digital euro available and accessible throughout the euro area, the bill proposed by the European Commission foresees mandatory acceptance by merchants and mandatory distribution by regulated intermediaries.

How does a digital euro work?

A digital euro allows individuals to make secure instant payments in both physical and online stores and between individuals, regardless of their location within the euro area or their payment service provider. The ECB is exploring how this could work in practice.

For example, the Eurosystem could develop a dedicated digital euro app that everyone can access. Alternatively, intermediaries, including banks, can integrate digital euro services into their existing apps that their customers are already familiar with. In any case, individuals who do not have access to bank accounts or digital devices can make payments with a physical card through public intermediaries like post offices.


In any case, a digital euro provides functionality for both online and offline scenarios, anticipating limited connectivity situations. When digital euro payments are made offline, they provide the highest level of privacy because payment information is only known to the payer and the payee.

How will privacy work in a digital euro?

Privacy is one of the key design features of a digital euro. The Eurosystem has no commercial interest in individuals’ personal payment data and does not wish to see or store such data. As a result, the Eurosystem does not want to share user’s personal information with third parties, except for what is required to prevent illegal activities in compliance with European regulations.

A digital euro allows individuals to make payments without sharing their payment data with third parties beyond what is necessary to prevent illegal activities in compliance with European regulations.

Furthermore, the offline functionality of a digital euro offers a higher level of privacy since payment information is known only to the payer and payee.

Will a digital euro be based on distributed ledger technologies like blockchain?

The Eurosystem is exploring various approaches and technologies, including both centralized and distributed ledger approaches, in the development of a digital euro. However, no final decision has been made yet.

Does the introduction of a digital euro make payments in Europe more vulnerable to cyberattacks?

Like other digital infrastructures, the  digital euro could become a target for cyberattacks. To mitigate this risk, the design of a digital euro will be based on the latest technologies to provide a resilient and future-proof environment against cyberattacks.

How will a digital euro be different from stablecoins and cryptocurrencies?

A digital euro is a digital currency backed by a central bank and designed to meet the needs of its users. It carries no risk and respects privacy and data protection. Central banks have a mandate to maintain the value of money, whether in physical or digital form.


The stability and reliability of stablecoins ultimately depend on the credibility of the issuer and their commitment to preserving the value of the currency over time. Private issuers may use personal data for commercial purposes

  • Use Cases of Digital Currency


Person-to-person (P2P) – Payments made between two individuals.

Consumer-to-business (C2B) – Payments for goods or services purchased in physical stores (point-of-sale payments) or online through e-commerce.

Business-initiated payments – Payments made from one business to another (B2B payments).

X2G-G2X payments – Payments to the government (e.g., taxes) and payments from the government (grants and subsidies).

Machine-initiated payments – Fully automated payments initiated by a device and/or software based on predefined conditions.

  • Functioning of the Digital Currency System
  • Structuring Digital Currency Ledge

Account-Based: Used to digitize the cash deposit accounts in the central bank’s ledgers. An account-based system records the state of the ledger as a list of accounts, each having a corresponding balance. When a transaction occurs, the system typically updates the records by increasing and decreasing the balances of the paying and receiving accounts. An example of this type is Ethereum DLT, where the state of the ledger consists of objects called “accounts” with associated balances. (source)

Token-Based: Designed as a digital token without an account relationship between the central bank and the owner. In a token-based system, the ledger’s state is recorded as a list of individual objects, namely tokens, each with a corresponding value (e.g., 10€). While different tokens can be recorded in the same ledger, each has a specific value, which can also be a decimal number (e.g., 10.55€), but it remains unchanged throughout the token’s lifetime. An example of this type is Bitcoin DLT. For each payment, the unspent token set owned by the payer is destroyed, and (usually) two tokens of equal total value are simultaneously created: one goes to the payee as payment, and the other returns to the payer as change. (source)

  • Usage Model

Wholesale: The use of the reserve through banks and financial institutions. The form of money issued by the central bank (in addition to deposits in central bank accounts) offers new functionalities to existing business partners of the central bank (such as commercial banks) for financial market transactions, for example. (source)

Retail: The direct use of the reserve by individuals. A form of money issued by the central bank (in addition to cash) that can be used for digital payment of goods or services to non-bank individuals (individuals and, if applicable, companies). (source)

  • Launch Method

Direct: The central bank introduces and manages circulation itself. In this scenario, individuals and businesses hold CBDCs through special accounts with a central bank, thus eliminating intermediaries. This situation may impact the structure of the current financial system, enhancing the role and responsibilities of the central bank. (source)

Indirect: Transactions are carried out through banks and financial institutions. In the indirect retail CBDC scenario, financial institutions responsible for supporting the issuance of the digital currency are responsible for providing money directly to individuals and businesses. They are also responsible for sending payment messages to other financial institutions and transmitting payment instructions to the central bank for payment settlement. (source)

  • Countries Using Digital Currency
  • Bahamas Sand Dollar

The Sand Dollar was issued by the Central Bank of the Bahamas in October 2020. The Sand Dollar holds the distinction of being the first CBDC (Central Bank Digital Currency) issued nationwide in the world.

In the Bahamas, due to the country’s geography, which is divided into many different islands, it is not possible for commercial actors to operate in every area, and a portion of the population lacks access to financial services. The Sand Dollar is expected to improve financial inclusion and enhance security against money laundering and illegal economic activities in The Bahamas, where it is estimated that 20% of the population does not have a bank account.

The Sand Dollar is available for both wholesale and retail applications. The wholesale application is used for interbank payment settlements, similar to clearinghouse transactions.

The retail application enables the general public to make and receive digital payments. Each holder can legally possess equivalent accounts with the Central Bank by directly asserting claims against the Central Bank. (Source)

  • Caribbean D-Cash

Countries in the Eastern Caribbean Union have created their own digital currency formats to expedite transactions and serve individuals without bank accounts. The seven participating countries are Antigua and Barbuda, Dominica, Grenada, Montserrat, St. Kitts and Nevis, Saint Lucia, and St. Vincent and the Grenadines.

The Eastern Caribbean Central Bank claims that “DCash” is the world’s first blockchain-based currency issued by any currency union, even though individual nations have similar existing systems.

The system allows users to download an app on a smartphone and make payments using a QR code, even if they do not have a bank account. There is no minimum CBDC balance or minimum spending requirement to reach financially underserved segments of the population. (Source)

  • Digital Currency and Privacy

The European Union central bank is working on different models regarding privacy. According to their report, digital currency inherently provides privacy by design and purpose of use, giving individuals control over their personal data and money. The central bank will not have access to personal data (it won’t be able to see people’s assets, transaction histories, or payment patterns), but intermediary institutions will be able to access personal and transaction data to ensure compliance with legal requirements.

Offline use of digital euros is expected to provide a degree of privacy close to cash usage, potentially meeting the highest privacy requirements, subject to political decisions.

A risk-based classification approach could open the way for greater privacy when less risky or low-value transactions are involved.

The design of digital currency will ultimately have to comply with conditions set by legislators. (Source)

  • The Legal Framework for Digital Currency

In a report published by the IMF Working Group in 2020, several considerations for legislative efforts regarding digital currency were recommended:

  • There should be strong legal foundations.
  • Digital currency should be regulated in legislation as “money.”
  • Banking regulations and monetary laws should be amended to encompass digital currency.
  • Legislation work is required in areas such as tax law, private law (including property law), contract law, payment systems, personal data protection law, and international private law.
  • The legal framework should grant the central bank the authority to issue digital currency, either “account-based” or “digital token-based,” with provisions ensuring cybersecurity.
  • Digital Turkish Lira Initiatives

The 2023 Presidential Annual Program, published in the Official Gazette on October 25, 2022, announced that the testing phase for a blockchain-based digital Turkish Lira had been reached. Following the second-phase pilot findings of the Central Bank’s Digital Turkish Lira Research and Development Project, it was shared that the digital Turkish Lira could be used for payments starting in the following year.

Banks will actively participate in this process and collaborate on research, development, and testing. According to the program, integration work for the Digital Turkish Lira systems with digital identity and FAST systems will be completed as part of research and development.

In an announcement released on December 29, 2022, it was stated that, within the scope of the first-phase work of the Digital Turkish Lira Project, the first payment transactions on the Digital Turkish Lira Network had been successfully completed under the leadership of the Central Bank of the Republic of Turkey (TCMB). According to the announcement, the TCMB, along with technology stakeholders, will continue limited-scale and closed-circuit pilot application tests in the first quarter of 2023. The findings from these tests will be shared with the public in a comprehensive evaluation report.

  • Differences in Virtual Currency Terminology


Electronic Money


Digital Currency (CBDC)

Authority and Control

Central Bank-Licensed Institutions


Central Bank


Regulated by Laws

is partially regulated by Laws

Regulated by Laws

Receipt of funds

Has receipt of funds

No Physical fund

No Physical fund


Identity Verification (Excluding Anonymous Prepaid Instruments)




Physical, Administrative, and Technical Security



Payment Instrument?

Payment Instrument

Forbidden for Payments

Payment Instrument


Transfer of Equivalent Value to the Protection Account


Direct Issuance by Central Bank 

To download the Turkish-English bilingual version, click here


The copyrights pertaining to these lecture notes and all of their content, including the rights to reproduce, distribute, duplicate, represent, transmit via signals, and publicly communicate through any means of text, sound, and/or visual presentation, are protected by the Turkish Intellectual and Artistic Works Law and related legislation.All these intellectual and moral rights belong to Attorney and Lecturer Ozge EVCI ERALP. These lecture notes cannot be duplicated, published, or used without permission, and they cannot be published on internet websites without obtaining the necessary permissions. Ozge Evci ERALP 2023-2024