Türkiye’s Travel Rule: What CASPs Need to Know
Türkiye’s Travel Rule introduces a comprehensive and enforceable compliance framework for crypto asset service providers (CASPs), embedding Travel Rule obligations into the country’s broader AML/CFT and data protection regime.
TL;DR
- The Travel Rule applies to all crypto transfers in Türkiye, regardless of value.
- CASPs must collect and, where required, verify specific originator and beneficiary information, including wallet details and identifying data.
- The rules also extend to self-hosted wallets, requiring customer declarations.
- CASPs must be authorised by the CMB and comply with MASAK reporting obligations.
- Robust KYC, transaction monitoring, and suspicious activity reporting are mandatory.
- Beneficiary CASPs must request missing information and may halt or terminate high-risk transactions.
- Strict system localisation rules require primary and secondary systems to be stored in Türkiye.
- Cross-border data transfers are subject to KVKK requirements, including consent or approved safeguards.
In short, compliance in Türkiye goes beyond simple data exchange. CASPs must align their Travel Rule processes, IT infrastructure, and counterparties with both AML and data protection obligations.
Understanding the Regulatory Obligations for CASPs
Scope of the Travel Rule in Türkiye
Per Law No. 7518, Türkiye’s Travel Rule applies to all CASPs. The term CASP refers to: “platforms, crypto asset custody service providers, and other organizations designated for provision of other services regarding crypto assets, also including the initial sales or distribution of crypto assets, under regulations to be published in reliance upon this Law [Capital Markets Law].”
Required Travel Rule Data
In Türkiye, the Travel Rule applies to all crypto transactions, regardless of value.
However, the verification of Travel Rule data is not required for transactions below 15,000 TL (approximately EUR 425); moreover, the originator does not need to provide their address, date and place of birth, customer number, tax identification number, ID number or passport number.
For transactions equal to or exceeding 15,000 TL, MASAK (the Financial Crimes Investigation Board) requires the exchange and verification of the following information:
- originator’s full name;
- originator’s wallet address, or transaction reference number;
- at least one of the following identifiers: address, date and place of birth, customer number, tax identification number, ID number or passport number;
- beneficiary’s full name;
- beneficiary’s wallet address, or transaction reference number.
If either the originator or beneficiary is a legal entity, the title of the legal entity as registered in the trade registry must be provided; for other legal entities or entities without legal personality, the full name must be provided.
Obligations of Originator and Beneficiary CASPs
Per Article 35/B of the Capital Markets Law, CASPs must:
- Obtain permission from the Capital Markets Board of Türkiye (CMB) before offering services and only carry out activities explicitly permitted by the CMB.
- Implement robust KYC procedures to monitor transactions for suspicious activity. If suspicious activity is detected, this must be reported to MASAK.
- Implement internal controls to manage operational and system risks and ensure IT systems and infrastructure comply with TÜBİTAK’s requirements.
- Complete KYC processes before entering into a contract or executing a transaction. This data must be verified and retained for 8 years.
How Beneficiary CASPs Must Handle Missing Travel Rule Information
If the required data is not provided, CASPs shall request the missing data and return the funds. If the required data is not provided or is incomplete, CASPs have the authority to deem the transaction risky and halt it, or to terminate business relations.
Self-Hosted Wallets
Self-hosted wallets fall within the scope of the Turkish Travel Rule. Customers are required to provide a “declaration” for self-hosted wallet transactions. A declaration includes one of the following data points:
- name and surname of the originator or beneficiary;
- trade name, if the originator or beneficiary is a legal entity;
- address;
- date or place of birth;
- customer number;
- tax identification number; or
- ID number or passport number.
System Localisation and Data Management Regulations
Türkiye’s system localisation and data management regulations require CASPs to store their primary and secondary systems domestically. The CMB is the main regulator overseeing CASPs and, under its existing Communiqué on Management of Information Systems, mandates that systems remain in Türkiye [Article 26(1)].
Banks and their affiliates operating as crypto custodians are also classified as CASPs and must comply with the localisation requirements set by the CMB and the Banking Regulation and Supervision Agency (BRSA).
In addition, CASPs remain subject to personal data protection and sector-specific data rules, including cross-border transfer restrictions and technical and organisational safeguards. As a result, CASPs must carefully assess Travel Rule service providers to ensure compliance with both system localisation and data protection obligations.
Cross-border Data Transfers under the KVKK
Türkiye regulates personal data protection under Personal Data Protection Law No. 6698 (KVKK, Kişisel Verileri Koruma Kanunu).
The KVKK applies to all natural or legal persons that process or handle the personal data of Turkish citizens, regardless of whether the processing entity is located inside or outside Türkiye.
Under the KVKK, personal data may only be transferred abroad if one of the legal grounds for processing exists and additional transfer-specific requirements are met. These requirements include:
- Explicit consent of the data subject has been obtained; or
- The transfer is mandated by law or falls under another limited exemption, and the receiving country provides adequate protection, as determined by the Turkish Data Protection Authority (KVKK Board); or
- Both parties commit in writing to providing adequate protection, and this commitment is approved by the KVKK Board.
Read more about cross-border transactions: Cross-border Transfers: The GDPR and KVKK Compared.
Cross-border Data Transfers with Counterparties That Are Not Travel Rule Ready
In cross-border transactions where the foreign CASP does not require the exchange of personal information, the Turkish-based CASP must still obtain at least one piece of identifying data from the counterparty. This includes:
- name and surname of the originator or beneficiary;
- trade name, if the originator or beneficiary is a legal entity;
- address;
- date or place of birth;
- customer number;
- tax identification number; or
- ID number or passport number.
In Conclusion
Türkiye’s Travel Rule regime sets out a clear, comprehensive, and enforceable framework for CASPs, embedding Travel Rule obligations firmly within the country’s broader AML/CFT and data protection landscape.
By applying the Travel Rule to all crypto transactions and extending its requirements to self-hosted wallets, the Turkish approach assigns well-defined responsibilities to both originator and beneficiary CASPs throughout the transaction flow.
At the same time, the combination of system localisation rules, strict data retention obligations, and the KVKK’s cross-border transfer requirements means that compliance in Türkiye goes beyond simple data exchange. CASPs must ensure that Travel Rule processes are supported by secure, locally compliant IT systems and by carefully selected counterparties and service providers.
21 Travel Rule and Türkiye’s Travel Rule
Under Türkiye’s Travel Rule, CASPs must complete KYC processes before entering into a contractual relationship or executing a transaction. The collected data must be verified and retained for eight years.
21 Analytics’ solution has a built-in audit log, allowing all transactions to be downloaded when required. As the solution is deployed on-premises, CASPs retain complete control over their data and can ensure it is stored for the mandatory 8-year period. They can securely delete data once contractual relationships have ended and the retention period has expired, supporting both compliance and data minimisation obligations.
In the event of missing or incomplete Travel Rule information, the Turkish Travel Rule requires CASPs to request the outstanding information and return the funds where necessary. Where data remains incomplete or raises concerns, CASPs may classify the transaction as high risk, halt it, or terminate the business relationship.
With 21 Analytics’ solution, CASPs can identify where crypto assets are being sent and verify whether the beneficiary CASP has undergone appropriate Know-Your-VASP procedures, including sanctions and PEP checks. This allows them to confirm that their counterparty is not subject to sanctions before disclosing additional information.
An additional safeguard is the ability to accept or reject transactions before any on-chain activity occurs. This pre-transaction screening enhances security by enabling CASPs to identify the originating country of a transaction and immediately decline transfers from sanctioned jurisdictions.
They can also verify the sender’s identity and reject transactions involving individuals on sanctions or watchlists. This process not only reduces operational risk but also supports enhanced due diligence, as CASPs can review key transaction details, such as names and physical addresses, before proceeding.
Furthermore, the payment address is disclosed only after the transaction has been accepted, reducing the likelihood of errors and preventing unwanted transfers.
Türkiye’s system localisation and data management framework requires CASPs to store their primary and secondary systems domestically. As 21 Analytics’ solution is deployed on-premises, all data remains under the CASP's control and is stored on their own servers, supporting compliance with localisation requirements.
These are but a few ways in which 21 Analytics can support Turkish CASPs in their compliance journey. Find out more by requesting a demo.
Further Reading
Law No. 7518 Amending the Capital Markets Law Regarding Crypto Assets
The EU’s GDPR and Türkiye’s KVKK Compared
Disclaimer
This material is provided for educational and informational purposes only and is not intended to be a substitute for professional advice or detailed research.
