How to Obtain a Payment Institution License in Turkey (2025/2026)
Step-by-step guide to getting a payment institution license in Turkey: capital requirements, BDDK application, compliance, security, and operational readiness.
This guide covers the BDDK payment institution license process with capital, compliance, security, and operational requirements. Built as a hub page with spoke links to detailed long-tail topics (PCI-DSS, KYC/AML, DR/BCP, capital planning).
Last updated
- Published: 2025-02-06
- Updated: 2025-12-15 (regulatory and capital checks)
1) Legal and corporate framework
- Regulator: BDDK (Law 6493 and related secondary regulations)
- Entity: Joint Stock Company (A.Ş.) incorporated in Turkey
- Governance: Independent internal audit, risk management, and compliance functions
- Compliance: AML/KYC, KVKK (data protection), logging and retention policies
- Reporting: Periodic BDDK filings, IT audits, independent audit
2) Capital and financial adequacy
- Paid-in capital: Minimum threshold set by regulation (check the latest BDDK circulars).
- Higher capital for e-money institutions (EMI).
- Liquidity/own funds ratios; provisioning and treasury controls.
- 3–5 year financial projections: volumes, users, OPEX/CAPEX, revenue model.
3) Technical and security requirements
- PCI-DSS, 3DS, tokenization; network segmentation.
- DDoS/WAF, IPS/IDS, SIEM, backups and DRP.
- Dual-site HA (active/active or active/passive), high availability targets.
- Secure SDLC: code reviews, SAST/DAST, OWASP controls.
- Immutable logging for critical events; access control and least privilege.
4) Compliance and operations
- KYC/AML: Identity verification (e-ID), watchlist checks, STR flows.
- KVKK: Consent, data retention/erasure, anonymization.
- Customer support SLAs, dispute/chargeback handling, call recording.
- Business continuity: RPO/RTO targets, regular drills.
5) Application dossier (core docs)
- Articles of association, shareholding, BoD/management CVs.
- Policies: internal control, risk, compliance, ISMS, BCP/DRP.
- Technical architecture: network diagrams, access matrix, redundancy and security controls.
- Business plan: products, transaction types, fee/commission model.
- Financials: capital proof, projections, independent audit plan.
6) Illustrative timeline (may vary)
- Preparation (policies, architecture, docs): 6–10 weeks
- Filing and pre-discussions: 2–4 weeks
- BDDK review & clarifications: 8–16 weeks
- License & go-live permit: total 4–8 months depending on readiness
7) Checklist
- [ ] A.Ş. established and paid-in capital ready
- [ ] Internal control, risk, compliance, ISMS, BCP policies finished
- [ ] PCI-DSS/3DS design in place
- [ ] KYC/AML flows defined (e-ID, face match, watchlist)
- [ ] DR/BCP tested, backups verified
- [ ] Business plan and financials complete
- [ ] Application pack compiled (security, architecture, processes)
8) Hub-spoke and internal links
- Hub: This guide.
- Spokes (long-tail): capital adequacy, PCI-DSS, KYC/AML, DR/BCP, fee model, reporting, fraud controls.
- Related services:
/en/fintech, /en/e-commerce, /en/seo-services, /en/blockchain.
FAQ
What is the minimum paid-in capital?
BDDK sets the minimum paid-in capital for payment institutions; EMIs require a higher threshold. Check the latest BDDK publications for exact amounts.
Which technical documents are mandatory?
Network/system architecture, access matrix, HA/DR design, security controls (WAF/DDoS/IPS), PCI-DSS/3DS design, logging/audit policies.
Which KYC/AML steps are expected?
Electronic ID verification, watchlist screening, suspicious transaction scenarios, STR filing, data retention aligned with KVKK.
How long does it take?
The typical cycle is 4–8 months, depending on dossier completeness and technical readiness.
Is PCI-DSS required?
If you process/handle card data, PCI-DSS is expected. Even with tokenized models, segmentation and controls are reviewed.
Why is DR/BCP important?
Continuous service and regulatory expectations demand proven RPO/RTO targets, redundant infrastructure, and tested drills.
Conclusion
Licensing requires strong compliance, secure architecture, resilient ops, and solid financial planning. A hub-spoke content approach plus a complete technical dossier accelerates approvals.
Need expert help?
- 📧 iletisim@cesayazilim.com
- 📞 +90 850 225 53 34
- 💬 WhatsApp: Payment License Desk