Founder
March 9, 2026
16 min read
SPK 99/A is the fundamental provision under which Turkey-facing activities of crypto asset actors residing abroad can, under certain conditions, be deemed as unauthorized crypto asset service provision. The critical threshold under SPK 99/A is not solely whether trading or custody services are actively provided; maintaining a Turkish website, engaging in promotional and marketing activities directed at Turkey, or conducting user acquisition activities through individuals and institutions residing in Turkey can create a direct presumption of targeting.
However, the SPK 99/A analysis is not one-dimensional. The text of SPK 99/A is rigorous; yet in practice, models involving centralized exchanges, custody, trading, fiat on-ramps, or explicit calls for investment are not evaluated with the same intensity as pure protocol-layer visibility, developer training, hackathons, general ecosystem events, and non-solicitative community activities. According to Genesis Hukuk's assessment, a sound legal analysis requires reading the literal text, secondary regulations, access ban practices, and concrete product functions together.
SPK 99/A is not merely a license application regime for crypto asset regulation in Turkey; it is also a boundary provision determining how, to what extent, and in what tone foreign brands can interact with the Turkish market.
Article 99/A, added to the Capital Markets Law No. 6362 by Law No. 7518, establishes a mechanism that can deem the Turkey-facing activities of platforms located abroad as unauthorized crypto asset service provision. The article is based not only on the actual provision of services but also on specific indicators of targeting. Three indicators particularly stand out in the text of the law:
Opening a workplace in Turkey
Creating a Turkish website
Engaging in promotional and marketing activities regarding the offered crypto asset services, either directly or through individuals or institutions residing in Turkey
The strictness of the SPK 99/A provision emerges precisely here. The targeting assessment is not left simply at "users are coming from Turkey"; the law directly ties certain behaviors to a legal presumption.
Following Law No. 7518, the main question in crypto asset regulation is no longer "are you related to crypto?" but rather, "are you fulfilling the functions of a platform or other regulated service provider?"
With Law No. 7518, definitions for "platform" and "crypto asset service provider" were added to Article 3 of Law No. 6362. The definition of a platform relies on a broad functional set including trading, initial sale or distribution, clearing, transfer, and the requisite custody for these. Therefore, the legal debate proceeds on two levels:
Is the relevant actor truly a platform or a regulated service provider?
Is the relevant activity directed at Turkey?
The SPK 99/A risk most often arises at the intersection of these two questions. As an entity approaches the nature of a platform, the legal weight of its targeting indicators increases. For the same reason, even an entity claiming to be a mere technology provider can cross this line through its actual de facto functions.
The concept of a "Turkey-facing activity" refers not merely to being accessible from Turkey, but to objective indicators showing an intent to generate business, users, or demand directed at the Turkish market.
When read together, SPK 99/A and subsequent secondary regulations evaluate "Turkey-facing activity" based on concrete signals reflected in the external world rather than declarations of intent. The following elements stand out among these signals:
Turkish web or mobile interface
Advertising and campaigns specific to Turkey
Local community structures
Influencer, ambassador, or referral mechanics
Turkey-focused customer acquisition
Promotion via individuals or institutions residing in Turkey
The systematic approach of SPK regulations establishes a distinction between passive access and active targeting. Turkish users reaching a foreign entity entirely on their own initiative is not the same as a foreign brand designing visibility, trust, and user flow specifically for Turkey.
The logic of reverse solicitation can be protective in certain situations; however, the moment a Turkish interface, Turkey-targeted advertisement, or local marketing channel is produced, this protective zone rapidly diminishes.
Communique No. III-35/B.2 carries a rationale that can exclude services received by users on their own initiative, provided that institutions residing abroad do not engage in promotion, advertisement, and marketing to persons residing in Turkey. In market parlance, this logic is often referred to as reverse solicitation.
The reverse solicitation protection is limited for the following reason: the same communique states that in the presence of any of the following—a workplace in Turkey, a Turkish website, or promotional-marketing activities—the activity will be deemed Turkey-facing. Therefore, the passive access defense cannot be sustained simultaneously with active growth operations.
The SPK 99/A risk is not just a theoretical licensing debate. SPK 99/A can trigger a chain of risks including content removal, access bans, administrative sanctions, and in some scenarios, criminal law consequences.
The potential outcomes in the context of SPK 99/A include:
Website or content-based access ban processes
Risk of administrative sanctions due to the determination of unauthorized activity
Suspension of promotional and announcement activities
Risk of heavier scrutiny and investigation regarding regulated functions
Discussion of criminal law consequences within the axis of Article 109/A, depending on the concrete case
The most common mistake in assessing risks directed at the Turkish market is operating solely on the logic that "no action has been taken against me so far." The SPK 99/A regime becomes more visible specifically for entities with increasing market visibility, user complaints, and growing volume in local media and social networks.
GRC (Governance, Risk and Compliance) for TokenizationServicesJuly 12, 2025👤Genesis Hukuk
Under SPK 99/A, not all indicators are equal. A Turkish interface, Turkey-focused campaigns, and local marketing channels constitute the highest risk areas.
Under SPK 99/A, not all activities produce a "targeting" signal to the same degree. Depending on the nature of the activities, the risk map is as follows:
Turkish Website or Application: It is the most fundamental presumption of targeting explicitly listed in the law.
Turkey-Focused Digital Advertising: It is the most visible and active form of the promotion and marketing element.
Local Community Manager / Ambassador: Marketing activities conducted through individuals residing in Turkey directly spawn risk.
Influencer / Referral Program: It is considered evidence of targeting as it transforms user acquisition into a systematic marketing activity.
Custom Landing Page for Turkish Users: It gives a clear commercial "targeting" signal aimed at a specific geography.
Hackathon / Event in Turkey: It is not a violation on its own; however, it is evaluated (Medium Risk) based on the "call-to-action" tone in its content and the rewards offered.
English Global Technical Content: As long as it is not localized, it may not be considered a Turkey-facing activity on its own (Low-Medium Risk).
Participation in General Industry Conferences: It is addressed (Low-Medium Risk) depending on the content and the intensity of branded guidance.
Real World Asset (RWA) Tokenization involves complex legal and compliance challenges, especially regarding targeting. Get specialized legal services to ensure your RWA projects in Turkey comply with all regulations.
The weight of the legal risk under SPK 99/A varies depending on whether the product offers pure technology or a de facto service. The same marketing behavior could be a red line for a centralized exchange, while acting as a gray area for a pure protocol.
The fundamental issue in Turkey is that structures such as protocol-layer, non-custodial wallets, and utility token issuers do not always perfectly fit the classic platform definition. The crucial distinction in practice emerges through these questions:
Are user orders being received?
Is a trading, clearing, transfer, or custody relationship being established?
Is the foreign actor the party directly interfacing with the customer?
Does the token or network narrative de facto transform into a call for investment?
Is it conveying technical education?
Or is it highlighting token value, yield, airdrops, or exchange listings?
According to Genesis Hukuk's recent assessments, pure protocol-layer visibility and regulated-function marketing should not be treated the same way. A Layer 1 network providing developer training, organizing a hackathon, publishing a research report, or being visible in general blockchain events should not be read with the same legal intensity as a centralized exchange offering a Turkish trading interface. However, if that same Layer 1 network utilizes language focusing on token price, staking yield, referrals, airdrops, or Turkey-specific customer acquisition, the risk axis shifts rapidly.
Market practice does not validate an absolute invisibility model, especially for Layer 1 and ecosystem projects; however, this flexibility in practice does not imply legally free maneuvering space.
There is an intensive event practice aimed at the blockchain ecosystem in Turkey, particularly in Istanbul. It is well-known that various networks and ecosystems maintain visibility at the level of hackathons, builder events, conferences, workshops, ecosystem days, or community meet-ups. Market practice de facto produces the following distinction:
Structures that are exchange-type, fiat-facing, custody-linked, or containing direct calls to investors are scrutinized more harshly.
Protocol-layer, developer ecosystem, and non-solicitative visibility are evaluated more nuancedly.
According to Genesis Hukuk's approach, this phenomenon must also be reflected in the language of reporting and consulting. The sound articulation should be this: not all types of visibility are prohibited in Turkey; however, if visibility transforms into commercial solicitation, Turkish customer acquisition, and branded calls linked with regulated functions, the SPK 99/A risk sharpens.
Be the first to be informed about our new articles, opinions and case studies in the field of Blockchain.
A Turkish website or Turkish interface creates a severe textual risk on its own. The nuance in practice does not always eliminate the impact of this indicator; it solely necessitates re-weighing it within the specific concrete context.
The statutory text and secondary legislation explicitly list a Turkish website as a presumption of targeting. Therefore, on a theoretical level, the answer is clear: yes, a Turkish site is a serious risk factor.
In practice, however, the assessment does not always end merely with the language element. The difference between the following two examples is critical:
Turkish interface + Turkey advertisement + user registration + token incentive + buy/sell link
English core structure + limited technical Turkish documentation + general educational content + no call for trading + no customer acquisition flow
A Turkish website is still a strong risk signal. Yet, the legal analysis concentrates on what the Turkish content narrates and which product it serves.
Local community and ambassador structures, especially when utilized on behalf of a foreign brand, can directly morph into a marketing channel in terms of SPK 99/A.
The line between community management and commercial user acquisition is remarkably thin, particularly in the crypto ecosystem. The following activities conducted through persons residing in Turkey engender legal risk:
Appointing a salaried community manager
Establishing a local ambassador program
Driving growth through referral codes
Attracting users via influencer content
Orchestrating a Turkey-specific Telegram, Discord, X, or Instagram growth setup
It cannot be said that local communities are prohibited in all circumstances. However, when systematic demand generation is performed on behalf of a foreign brand, the activity crosses the community boundary and enters the realm of marketing and user acquisition.
A licensed local partner can be critical on the regulated function side; yet it does not single-handedly eliminate the targeting risk of the foreign brand.
One of the most common arguments in the market is: "We are merely explaining the technology; the trading, liquidity, or fiat side resides with the licensed local partner." Regarding SPK 99/A, this defense bears value only under limited conditions.
If the local partner offers a Turkey-facing regulated interface under its own name
If the customer relationship, contract, onboarding, and documentation reside with the partner
If the foreign brand does not engage in direct solicitation in Turkey
If the Turkish interface, advertising, and customer acquisition are not managed by the foreign brand
If the Turkish user encounters the foreign brand
If the interface runs under the umbrella of the foreign brand
If the Turkish landing page, campaign, or CTA is orchestrated by the foreign brand
If the local partner merely remains in the background as a liquidity or compliance layer
Under the SPK 99/A rationale, the critical question is not just "who executes the transaction in the background?" but equally "who appears at the forefront to the Turkish user?"
Not every entity bears the same risk. The technical architecture of the product must be read together with its marketing architecture.
The most defensible area for Layer 1 networks constitutes technical infrastructure, validator architecture, developer ecosystem, SDKs, documentation, and general industry visibility. For Layer 1 networks, the risk inflates with token sales language, listing incentives, yield narratives, and Turkey-facing community-led acquisition.
Non-custodial wallet architecture can soften the custody analysis; however, being non-custodial does not zero out the targeting risk. A Turkish interface, transfer-swap-bridge routing, and Turkey-specific onboarding campaigns can elevate the SPK 99/A risk.
The boundary between pure utility token narrative and an investment call is paramount. Elaborating the technical function of the token is not the same as disseminating messages that the token will appreciate in value, be listed, generate yield, or provide an airdrop.
Understand the 2026 legal framework for DAOs, including SPK compliance and liability risks for decentralized autonomous organizations in Turkey.
The most accurate approach is not a dichotomy of "total freedom" or "total prohibition". The accurate approach involves distinguishing red lines from the manageable zone.
Turkish exchange interface
Turkey-specific buy/sell campaigns
Turkey advertisement + user registration + token incentive
Foreign brand engaging in direct solicitation in Turkey (e.g., Meta Earth-like approach)
Customer acquisition via referrals, airdrops, or bonuses
Conversion-oriented growth through a local influencer network
Prominently featuring fiat on-ramp or swap functions in a branded manner
Participation in general industry conferences
Technical workshops or developer education
Hackathon sponsorship or hackathon participation
English, global, non-localized technical content
Articulating protocol architecture without conveying calls for trading
Rendering ecosystem visibility without establishing links to regulated functions
A manageable area is not an automatically safe haven. To preserve the manageable area, the content tone, CTA design, language selection, landing page architecture, and user flows must be meticulously crafted.
SPK 99/A risk arises not so much upon product launch but much earlier, within the design of content, growth, and interfaces.
A foreign crypto actor planning to enter Turkey should ask the following questions before the product goes live:
Is there a Turkey-specific landing page, social media account, or advertising plan?
Is a Turkish interface or Turkish onboarding flow being designed?
Is a local community, ambassador, or influencer mechanism being established?
Are messages surrounding tokens, yield, airdrops, or listings utilized with a Turkey-focus?
Which brand establishes the contractual relationship with the user?
If there is a licensed local partner, is the partner truly the apparent party at the forefront?
Do the offered functions approach regulated functions such as transfer, clearing, custody, or fiat conversion?
Is the visibility activity constituting technical education, or conversion-oriented growth?
Genesis Hukuk approaches the SPK 99/A analysis not merely as statutory interpretation, but as a triad of product architecture + compliance by design + go-to-market strategy.
The distinction of Genesis Hukuk is not remaining confined to a pure "prohibited / permitted" dichotomy. Genesis Hukuk embraces a Law + Tech Studio approach that engineers the legal architecture synchronously with the technical architecture in blockchain and digital asset projects. Therefore, in provisions like SPK 99/A, the analysis is built not only from the statutory text but from the following triad:
Product functions
Marketing and access architecture
Brand relationship reflected to the user
For a crypto exchange, Layer 1 network, wallet project, token issuer, or Web3 startup planning to expand into Turkey, the SPK 99/A risk cannot be managed solely by reading the legislative text. Genesis Hukuk establishes a defensible Turkey strategy by holistically addressing product functions, interface design, marketing tone, user acquisition setups, and local partner models.
You can receive support from Genesis Hukuk on the following topics:
SPK 99/A and targeting risk analysis
Go-to-Turkey strategy and pre-launch legal check
Review of Turkish interface, landing page, and CTA language
Regulatory analysis of Layer 1, non-custodial wallet, and utility token architectures
Structuring licensed local partners, white-labels, and brokerages
Review of whitepapers, user agreements, and marketing materials
SPK 99/A is a provision regulating that the activities of platforms established abroad directed at persons residing in Turkey may, under certain conditions, be deemed unauthorized crypto asset service provision.
A Turkish website is one of the targeting presumptions explicitly listed in the law and secondary regulations. All features of the concrete case hold further importance; however, it alone generates a serious risk signal.
Organizing a hackathon in Turkey should not automatically be considered a violation. Content, CTA language, token incentives, customer acquisition intentions, and connections to regulated functions serve as the determinants.
Layer 1 networks often significantly depart from classic platform models as they generally do not offer direct trading, custody, or fiat on-ramps. Nonetheless, the area of risk can expand through token incentives, Turkish targeting, and user acquisition.
While a non-custodial wallet architecture can provide a critical advantage in custody analysis, it does not unilaterally abrogate targeting, marketing, and user acquisition risks.
Using a licensed local partner can be crucial concerning certain regulated functions. However, if the foreign brand directly undertakes solicitation and marketing in Turkey, relying on a partner does not offer adequate protection on its own.
If community and ambassador structures generate user acquisition and brand visibility specifically through individuals residing in Turkey, they can be evaluated as evidence of promotional and marketing activities.
The reverse solicitation logic finds correspondense to some extent in secondary regulations. Yet, the reverse solicitation defense profoundly weakens when active targeting indicators are produced.
A utility token narrative focuses on technical functions, network utilization, gas, governance, and protocol architecture. A call for investment, conversely, highlights economic expectations such as yield, capital appreciation, listings, and bonuses.
The safest communication strategy entails eschewing Turkey targeting behaviors coupled with regulated functions, and establishing an independent framework of visibility that is technical, general, non-solicitative, and not strictly conversion-oriented.
SPK 99/A is not merely a licensing provision for crypto actors in Turkey; it is coincidently a boundary regime defining how a product will be presented to Turkey. The correct question under SPK 99/A is not, "Can I be visible in Turkey?" but rather, "Does my visibility in Turkey dovetail with regulated functions to transmute into a targeting and solicitation risk?"
Genesis Hukuk's drawn conclusion is unequivocal: The text of SPK 99/A is rigorous; its implementation, particularly regarding Layer 1, protocol-layer, and non-solicitative ecosystem visibility, is more nuanced. The most defensible strategy is not to find a middle ground between complete invisibility and aggressive growth; but to cautiously engineer technical and ecosystem-level visibility while strictly protecting red lines on the side of regulated functions.
Capital Markets Law No. 6362
Crypto asset amendments introduced by Law No. 7518
SPK, Announcement Regarding Crypto Asset Service Providers, 02.07.2024
SPK, Two Communiques Published Regarding Crypto Asset Service Providers, 13.03.2025
Communique No. III-35/B.1
Communique No. III-35/B.2
MASAK AML obligations concerning crypto asset service providers
CBRT, Regulation on the Disuse of Crypto Assets in Payments
Genesis Hukuk, Crypto Asset Regulation and Compliance Guide in Turkey
Genesis Hukuk has formulated the assessments contained in this article by collectively reading blockchain architecture, token economics, product design, and marketing strategy. Because the SPK 99/A risk can vary structurally depending on the concrete product architecture, target market, interface, contractual architecture, and communication tone, separate legal evaluations must be conducted on a specific project basis.
