I. Introduction
It has been nearly 12 years since the establishment of the first crypto asset service provider in Turkey in November 2013. Today, many crypto asset service providers (“CASPs”) with millions of active users continue to operate actively. Although we speak of a 12-year period specific to Turkey, the existence of crypto asset service providers dates even further back. The publication of the Bitcoin Whitepaper on October 31, 2008—which made a global impact and was described by some as the beginning of a new era—and the establishment of Bitcoin Market, the first example of what we now call a crypto asset service provider, two years later, marked the integration of crypto assets into the financial system that we, and regulators alike, have long seen, heard of, and, in many cases, actively used.
Although regulators and traditional financial institutions have shown significant resistance to crypto assets and the new institutions they have formed over the past decade, we now see that many countries, rather than resisting innovation, have turned towards regulation. Europe has taken the lead in this regard by publishing, adopting, and enacting the most comprehensive regulatory framework to date, namely the Markets in Crypto-Assets (MiCA) regulation. MiCA has served as a crucial guide for many countries in their regulatory efforts and has also introduced new definitions for us.
In Turkey, after a long period of 11 years, significant legislative steps regarding crypto assets were finalized, and on July 2, 2024, Law No. 7518 Amending the Capital Markets Law (“Law No. 7518”) was published and entered into force. Much like MiCA, Law No. 7518 has introduced new concepts and imposed significant obligations on institutions that provide services related to crypto assets. The regulation of crypto assets in Turkey is ongoing, and the Capital Markets Board (“CMB”) and the Financial Crimes Investigation Board (“MASAK”) have issued secondary regulations, resulting in a comprehensive regulatory framework for the crypto asset sector, which continues to evolve. In this process, the Scientific and Technological Research Council of Turkey (“TÜBİTAK”) has also made notable announcements, serving as a harbinger of important upcoming technical regulations.
In this article, we will examine one of the key concepts introduced by the regulations and mentioned at the beginning of this text: the concept of a Crypto Asset Custody Institution. Before diving into the analysis of these institutions, we believe it is beneficial to first assess what crypto asset custody service means and how it is defined under Law No. 7518. Therefore, we will briefly touch on this concept at the outset.
II. Crypto Asset Custody Service
In fact, the concept of custody service is a long-established one that has appeared in various forms and under different names for centuries. A custody service is a financial institution that protects an asset from potential harm and loss and provides professional asset management services. Crypto asset custody services show considerable similarities to the custodians we know from traditional finance. While traditional custodians maintain physical records of assets and safeguard them in a way that allows us to manage them easily, institutions providing crypto asset custody services aim to securely store and manage the keys that provide access to our crypto assets.
Due to the nature of crypto assets, security risks and technical challenges are inherently more complex. For example, issues such as the irretrievability of assets if private keys are lost or stolen underscore the importance of crypto custody services. Therefore, custody institutions aim to protect users’ assets using innovative security measures such as multi-signature solutions, cold wallet technology, and advanced encryption methods.
Crypto asset custody services are increasingly offering more professional and comprehensive solutions to ensure compliance with financial regulations and to meet the expectations of institutional investors. These services have expanded beyond individual investors and now also cater to crypto exchanges, fund management companies, and large institutional players.
III. Examination of Crypto Asset Custody Institutions within the Scope of the Capital Markets Board (CMB)
Law No. 7518 has primarily served as a regulatory framework governing CASPs and the activities of CASPs. In its first article, the law proceeds to define crypto asset custody services and CASPs. In this article, platforms, institutions providing crypto asset custody services, and other entities designated to provide services related to crypto assets—including their initial issuance or distribution—under the regulations to be issued based on Law No. 7518 are broadly categorized under the definition of CASP, and institutions offering crypto asset custody services are also included within this definition.
The same article further defines custody services as the safekeeping and management of platform customers’ crypto assets or the private keys that provide the right to transfer from the relevant wallet, or other custody services as determined by the CMB.
One particular point we wish to emphasize here is that while institutions providing custody services are defined as CASPs, Law No. 7518 explicitly stipulates that crypto asset custody services shall be provided by banks authorized by the CMB and the Banking Regulation and Supervision Agency (BRSA), and by other institutions authorized by the CMB. Although the relevant article of the law currently defines custody services specifically in relation to platform customers, it is also stated that the CMB may define other custody services. Therefore, it may be considered that, in future regulations, custody services may be offered not only to CASPs but also to individual customers. This anticipated expansion of custody services in terms of service providers suggests that secondary legislation will likely detail how, where, and under what conditions the crypto assets of individual clients must be held by custody institutions.
It is especially foreseeable that TÜBİTAK may play a critical role in the coming days, particularly in determining the technical requirements and qualifications for the safekeeping of crypto assets.
While crypto assets are categorized into various classes based on their inherent characteristics, the custody services related to these assets may also vary accordingly. Therefore, custody institutions may need to establish differentiated custody strategies for various types of crypto assets. In the sixth paragraph of Article 4 of Law No. 7518, it is stated that the Capital Markets Board (CMB) is authorized to determine separate principles regarding custody based on each crypto asset’s technological features or their qualitative and quantitative attributes. Hence, it will be important for institutions planning to engage in custody services to begin strategizing on this matter now.
Although Law No. 7518 and the principle decisions published by the CMB on August 8, August 23, and September 9, 2024, detail the establishment and operational requirements of CASPs and include crypto asset custody institutions under the definition of CASP, it should not be overlooked that custody institutions may be subject to different requirements due to the significantly higher risk factors they entail compared to other CASPs such as crypto asset trading platforms. In particular, it should be noted that the minimum capital and equity requirement of TRY 50 million envisaged in the CMB’s principle decision dated August 8, 2024, for CASPs may be set at higher levels for custody institutions. The possibility that the TRY 50 million capital and equity threshold stipulated in the August 8, 2024 principle decision may be applied at higher levels for custody institutions highlights the importance of risk factors and security requirements in this field. Accordingly, the financial strength and equity structure of these institutions will be considered a critical element in ensuring sectoral security.
Another important issue is where the assets will be held. Past scandals such as FTX and Thodex have provided both us and regulators with significant guidance concerning the custody of crypto assets. The regulator may mandate that individuals’ private keys be stored on servers located within Turkey, under the highest possible security measures. If the regulator imposes a domestic server storage requirement for custody institutions, it would facilitate audit processes and enable rapid intervention during crises. Especially in the wake of global trust crises, the development and reinforcement of local custody infrastructures emerges as a critical requirement for ensuring stability in the crypto asset ecosystem.
We believe that a major cause behind many of the past scandals has been the lack of reporting and accountability. Therefore, we anticipate that the CMB will impose much stricter reporting obligations on custody institutions than on crypto asset trading platforms in future regulations. Furthermore, we believe these reporting obligations will not be limited to regular financial reporting but will also cover security procedures, the status of user assets, and audit processes related to custody services. It is also anticipated that the CMB may mandate independent audit procedures to ensure transparent monitoring of user assets and to prevent potential abuses.
In addition, future regulations are likely to be expanded to define technological infrastructure standards aimed at minimizing the operational risks of custody institutions and to ensure compliance with these standards through monitoring.
IV. Conclusion
Blockchain technology, which has long been a part of our lives, and the crypto assets it has enabled, have been embraced by traditional finance and have become a significant component of today’s financial system. As regulations continue to evolve rapidly both globally and in Turkey, all service providers that incorporate crypto assets into their business processes must navigate this fast-developing regulatory landscape with steady and confident steps. One key factor that will strengthen each step taken by such institutions is compliance with regulations. In this context, it is crucial for CASPs to raise awareness within their organizations and to develop compliance strategies that enable them to act in accordance with the regulations and take prepared steps toward the future. These compliance strategies will not only ensure regulatory conformity but also reduce operational risks and enhance institutional credibility in the sector.
In particular, for institutions operating in sensitive areas such as crypto asset custody services, compliance with the regulatory framework is vital to bolster investor trust and ensure long-term sustainability. Accordingly, it becomes a critical requirement for CASPs to be subject to regular audit processes, to adhere to transparency principles, and to invest in technological infrastructures that prioritize the security of user assets. Moreover, closely following global regulatory trends and adopting a business model aligned with international standards will provide a competitive edge not only in the local market but also on a global scale.
MiCA offers a comprehensive framework for the crypto asset markets and introduces key standards specifically regarding custody services. The safekeeping and management of crypto assets on behalf of clients is explicitly defined under MiCA as a crypto asset service.
In this regard, MiCA imposes a minimum capital requirement of EUR 125,000 for custody institutions and additionally requires these entities to establish a custody policy to ensure the safety and segregation of client assets. It also mandates that the scope of the custody service, security systems, and fee structures be clearly outlined in the contracts signed with clients. Especially for custody institutions planning to operate on a global scale, MiCA serves as an important and indispensable regulatory guide.
In conclusion, compliance with regulations should not be viewed merely as an obligation, but rather as a fundamental pillar in building trust and reputation within the industry. By acting with this awareness, CASPs will not only meet regulatory expectations but also position themselves strongly in the financial world of the future.
