How to Set Up an Electronic Money Institution (EMI) in Turkey

This guide covers BDDK requirements for EMI licensing: capital, compliance (KYC/AML), PCI-DSS/3DS, secure architecture, and the application dossier. It’s structured as a hub with spoke links to long-tail topics (capital, PCI-DSS, DR/BCP, KYC/AML).

Last updated

  • Published: 2025-02-07
  • Updated: 2025-12-15 (regulatory/capital check)

1) Legal and corporate framework

  • Regulator: BDDK (Law 6493 + secondary regs)
  • Entity: Joint Stock Company (A.Ş.) in Turkey
  • Governance: Internal control, risk, internal audit, compliance
  • Data protection: KVKK alignment, retention/erasure, anonymization
  • Reporting: Periodic BDDK filings, IT audits, independent audit

2) Capital and financials

  • Higher paid-in capital threshold for EMI (check latest BDDK circulars; e.g., 10 mn TL+).
  • Own funds/liquidity ratios; provisioning and treasury policies.
  • 3–5 year projections: users, volumes, OPEX/CAPEX, revenue streams.

3) Architecture and security

  • PCI-DSS, 3DS, tokenization; card data segmentation.
  • DDoS/WAF, IPS/IDS, SIEM, backups, DR/BCP.
  • Dual DC (HA), RPO/RTO targets; observability/alerting.
  • Secure SDLC: SAST/DAST, code review, OWASP.
  • Immutable logging, access matrix, least privilege.

4) Compliance and operations

  • KYC/AML: e-ID/face match, watchlists, STR flow, retention.
  • Customer support SLAs, disputes/chargebacks, call recording.
  • Business continuity: Tested BCP/DRP, regular drills.

5) Application dossier (core)

  • Articles, shareholding, BoD/management CVs.
  • Policies: internal control, risk, compliance, ISMS, BCP/DRP, security.
  • Technical architecture: network diagrams, access matrix, redundancy/security controls.
  • Business plan and financials; capital proof; audit plan.

6) Indicative timeline

  1. Preparation (policies, architecture, docs): 6–10 weeks
  2. Filing + pre-reads: 2–4 weeks
  3. BDDK review & clarifications: 8–16 weeks
  4. License + go-live: 4–8 months total (readiness-dependent)

7) Checklist

  • [ ] A.Ş. established, paid-in capital ready
  • [ ] Control/risk/compliance/ISMS/BCP/DRP policies complete
  • [ ] PCI-DSS/3DS design in place
  • [ ] KYC/AML flows defined (e-ID, face match, watchlist)
  • [ ] DR/BCP tested; backups verified
  • [ ] Business plan and projections ready
  • [ ] Application pack compiled (security/architecture/process)

8) Hub-spoke and links

FAQ

What is the minimum capital for an EMI?

BDDK sets a higher threshold than payment institutions; check latest BDDK releases for exact numbers.

Which technical documents are required?

Network/system architecture, access matrix, HA/DR design, security controls (WAF/DDoS/IPS), PCI-DSS/3DS design, logging/audit policies.

What KYC/AML controls are expected?

e-ID/face match, watchlist screening, STR scenarios, retention per KVKK.

How long does licensing take?

Typically 4–8 months depending on dossier completeness and technical readiness.

Is PCI-DSS mandatory?

If you process/handle card data, yes; even with tokenization, segmentation and controls are reviewed.

Why is DR/BCP critical?

Regulatory expectations and uptime targets require proven RPO/RTO, redundancy, and tested drills.

Conclusion

EMI licensing demands strong compliance, secure architecture, resilient ops, and robust financial planning. Hub-spoke content plus a complete technical dossier accelerates approvals.

Need expert help?

  • 📧 iletisim@cesayazilim.com
  • 📞 +90 850 225 53 34
  • 💬 WhatsApp: EMI License Desk

Author

Cesa Software
