Founder
August 10, 2025
Global financial markets are at the heart of a profound transformation driven by the innovations of blockchain technology. Central to this shift is "Real-World Asset (RWA) Tokenization," the process of creating digital representations of traditional financial assets such as real estate, private equity funds, debt instruments, and company shares. By fractionalizing these traditionally illiquid assets, tokenization holds the potential to unlock trillions of dollars in value, facilitating access for a global investor base and significantly reducing intermediation costs. This process enhances efficiency and expands market depth by enabling instant settlement (T+0) in asset transfers.
However, the primary obstacle facing this technological revolution is regulatory compliance. Unlike permissionless cryptocurrencies such as Bitcoin, RWAs are inherently tied to existing laws governing property, debt, and securities. A token representing ownership of real estate or a company share must be subject to the legal framework of the relevant jurisdiction. This raises fundamental concerns for regulatory bodies: investor protection, Anti-Money Laundering (AML), Combating the Financing of Terrorism (CTF), and ensuring market integrity. Therefore, the widespread adoption of RWA tokenization depends on solutions that place legal requirements at the core of the technological infrastructure.
This is where the ERC-3643 standard, developed on the Ethereum blockchain, emerges as a regulation-focused solution. Formerly known as the T-REX (Token for Regulated Exchanges) protocol, ERC-3643 offers a "permissioned" token infrastructure that prevents unauthorized and anonymous transfers. Instead, it allows only pre-verified and eligible participants to transact. With features like on-chain identity management, issuer control mechanisms, and programmable compliance rules, ERC-3643 provides a technical framework specifically designed for the digitalization of securities and other regulated assets.
ERC-3643 is more than a simple token standard; it is a multi-layered and modular suite of smart contracts designed to manage the lifecycle of regulated financial assets. The most critical feature underpinning its legal analysis is its "Compliance by Design" philosophy, which embeds compliance into the system's core rather than treating it as a post-facto audit mechanism.
The most significant distinction that forms the foundation of ERC-3643, setting it apart from standards like ERC-20, is its "permissioned" structure. The ERC-20 standard assumes a "permissionless" environment where any wallet address can send and receive tokens without restriction. While this forms the basis of decentralization, it presents unacceptable risks for regulated assets like securities, as there is no technical barrier to prevent unidentified or legally ineligible individuals (e.g., a sanctioned individual or a non-accredited investor) from holding the security.
ERC-3643 addresses this problem at its root. The protocol conditions every token transfer on validation against a predefined set of rules. In practice, this means that only wallet addresses included in a "whitelist" created by the issuer can hold, receive, or send the tokens. When a transfer is initiated, the token's smart contract automatically checks whether both the sender and the receiver are on this whitelist and whether the transfer violates any other compliance rules. If the conditions are not met, the transaction is rejected before it can be recorded on the blockchain.
This permissioned model elevates the token from a simple bearer instrument to a regulated object whose lifecycle can be managed and audited at every step. This architecture offers a direct technological answer to the fundamental concerns of regulatory bodies regarding anonymous and illicit transactions. It provides an infrastructure that executes investor eligibility checks—traditionally performed manually by transfer agents, custodians, and compliance officers in the traditional financial world—autonomously and immutably on the blockchain.
The compliance philosophy of ERC-3643 is built on a modular smart contract architecture. This architecture separates identity management, compliance rules, and token logic into distinct yet integrated components. At the heart of this system lies a "decentralized validator" mechanism that serves to verify each participant's identity and eligibility on-chain.
The fundamental building block of the protocol is a digital identity smart contract called ONCHAINID, created by each participant (e.g., investor, issuer, intermediary). Based on the ERC-734 and ERC-735 standards, this identity contract creates a persistent and manageable identity layer independent of the user's wallet address. This contract stores verifiable claims and management keys associated with the user's identity.
The power of ONCHAINID comes from verifiable identity information called "claims." A claim is a digitally signed statement about a specific identity made by a trusted third party. For instance, a financial institution can issue a "KYC_Approved" claim confirming that an investor has successfully completed Know Your Customer (KYC) and Anti-Money Laundering (AML) processes. This claim is then added to the investor's ONCHAINID contract. One of the most significant advantages of this system is that it prevents personal data (name, address, ID number, etc.) from being published on the blockchain. What is stored on-chain is not the data itself, but a cryptographic proof (a verifiable credential) that it has been verified by a trusted entity.
This structure strikes a balance between compliance and data privacy (in the context of regulations like KVKK, Turkey's Personal Data Protection Law). The institutions that issue claims are called "Trusted Issuers," and the issuer of each security defines which institutions are considered trusted in a dedicated smart contract registry (the Trusted Issuers Registry).
Two contracts, the Identity Registry and the Compliance Contract, form the brain of the protocol's "decentralized validator" mechanism.
The Identity Registry maintains a list of all ONCHAINIDs authorized to hold a token. Before a transfer occurs, the token contract calls the isVerified() function in the Identity Registry to check the receiver's eligibility. This function verifies whether the receiver's ONCHAINID possesses all the necessary claims for the issuance (e.g., a valid KYC claim, a claim of residency in a specific jurisdiction, etc.). This check works in an integrated manner with the Trusted Issuers Registry and the Claim Topics Registry, which lists the required claim topics.
The Compliance Contract enforces the general rules of the issuance rather than checking the investor's identity. For example, rules such as "there can be a maximum of 100 investors in a country" or "a single investor cannot hold more than 5% of the total supply" are coded into this contract. After passing the isVerified() check, the token contract calls the canTransfer() function in the Compliance Contract to verify that the transfer does not violate these general rules.
This two-phase verification process (first individual eligibility, then general rule compliance) guarantees that a transfer can occur only if it meets all legal and issuance conditions. This structure reduces the complex compliance process of traditional finance, which involves multiple intermediaries (transfer agents, compliance departments, legal advisors), into a single, atomic, and autonomous transaction. Consequently, the ERC-3643 protocol is not just a token creation tool but also an on-chain governance and compliance framework.
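The two-phase check described above can be modelled off-chain to see which rule rejects which transfer. This is an added example, not code from the original article or from the ERC-3643 project: the class names, the claim topic, the issuer labels, the wallets and the limits (one holder per country, 5% of supply) are constructed, and claim signature verification is reduced to "issued by an issuer trusted for that topic".

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Claim:
    topic: str   # e.g. "KYC_APPROVED" (constructed topic name)
    issuer: str  # who signed the claim; signature checking is abstracted away


@dataclass
class OnchainId:
    country: str
    claims: list = field(default_factory=list)


class IdentityRegistry:
    """Phase 1: does the wallet map to an identity holding every required claim?"""

    def __init__(self, required_topics, trusted_issuers):
        self.required_topics = set(required_topics)  # Claim Topics Registry
        self.trusted_issuers = trusted_issuers       # issuer -> topics it may attest
        self.identities = {}                         # wallet -> OnchainId

    def is_verified(self, wallet):
        identity = self.identities.get(wallet)
        if identity is None:
            return False
        # Each required topic needs a claim from an issuer trusted for that topic.
        return all(
            any(c.topic == topic and topic in self.trusted_issuers.get(c.issuer, ())
                for c in identity.claims)
            for topic in self.required_topics
        )


class Compliance:
    """Phase 2: offering-wide rules, evaluated on the state after the transfer."""

    def __init__(self, registry, max_holders_per_country, max_percent_per_holder):
        self.registry = registry
        self.max_holders_per_country = max_holders_per_country
        self.max_percent_per_holder = max_percent_per_holder

    def can_transfer(self, balances, total_supply, sender, receiver, amount):
        after = dict(balances)
        after[sender] = after.get(sender, 0) - amount
        after[receiver] = after.get(receiver, 0) + amount
        # Integer arithmetic keeps the boundary case (exactly 5%) exact.
        if after[receiver] * 100 > self.max_percent_per_holder * total_supply:
            return False
        ids = self.registry.identities
        country = ids[receiver].country
        holders = sum(1 for w, b in after.items()
                      if b > 0 and w in ids and ids[w].country == country)
        return holders <= self.max_holders_per_country


class Token:
    def __init__(self, registry, compliance, treasury, total_supply):
        self.registry = registry
        self.compliance = compliance
        self.total_supply = total_supply
        self.balances = {treasury: total_supply}

    def transfer(self, sender, receiver, amount):
        """Return (accepted, reason); state changes only if both phases pass."""
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            return (False, "insufficient balance")
        if not self.registry.is_verified(receiver):
            return (False, "receiver not verified")
        if not self.compliance.can_transfer(
                self.balances, self.total_supply, sender, receiver, amount):
            return (False, "compliance rule violated")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        return (True, "ok")


def run_demo():
    registry = IdentityRegistry({"KYC_APPROVED"}, {"bank-A": {"KYC_APPROVED"}})
    kyc = Claim("KYC_APPROVED", "bank-A")
    registry.identities.update({
        "alice": OnchainId("TR", [kyc]),
        "bob": OnchainId("TR", [Claim("KYC_APPROVED", "unlisted-issuer")]),
        "carol": OnchainId("DE", [kyc]),
        "dave": OnchainId("DE", [kyc]),
    })
    token = Token(registry, Compliance(registry, 1, 5), "treasury", 1000)
    attempts = [
        ("treasury", "alice", 50),  # exactly 5% of supply: allowed
        ("treasury", "alice", 1),   # would push alice above 5%
        ("treasury", "bob", 10),    # claim comes from an untrusted issuer
        ("treasury", "carol", 10),  # first DE holder
        ("treasury", "dave", 10),   # second DE holder, cap is 1
        ("carol", "dave", 10),      # carol exits, DE still has 1 holder
    ]
    return [token.transfer(*a) for a in attempts], token.balances


if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```

The last attempt succeeds because the country cap is evaluated on the post-transfer holder set, which is the detail a code audit of a real compliance module should confirm against the prospectus wording.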
ERC-3643 acknowledges that, due to the nature of regulated assets, issuers or their authorized agents must have specific control mechanisms. These functions are critical for managing legal obligations and exceptional circumstances and are what set the protocol apart from fully decentralized structures.
The forcedTransfer function grants the issuer or an authorized agent the power to forcibly transfer tokens from one wallet to another without the wallet owner's consent or private key. From a legal perspective, this is one of the protocol's most powerful and essential features. This mechanism enables the technical enforcement of court orders (e.g., a seizure order or inheritance transfer) or regulatory sanctions on the blockchain. While such actions are performed manually by institutions like the Central Securities Depository of Turkey (MKK) or intermediaries in a traditional system, forcedTransfer embeds this enforcement capability directly into the asset's code.
The freezing functions provide the ability to temporarily or permanently block a specific wallet address from making token transfers. This serves as a powerful AML/CTF compliance tool to instantly halt the movement of funds upon detection of suspicious activity (e.g., suspected money laundering) or in the event of a security breach. Freezing an account ensures the protection of assets during a legal investigation and is fully compliant with the expectations of regulatory bodies.
One of the biggest risks in digital asset ownership is the loss of the private keys that provide access to a user's wallet. In traditional crypto-assets, this results in the permanent loss of the assets. ERC-3643 mitigates this risk by offering a recovery mechanism. By proving their identity to the issuer (through off-chain methods), an investor can request that the tokens from a lost wallet be transferred to a new, secure wallet using the forcedTransfer mechanism. This feature directly aligns with the principle of investor protection and can be considered a fundamental requirement for a regulated financial product.
These control mechanisms transform an ERC-3643 security from a passive legal structure into a self-enforcing regulatory tool that actively audits its own compliance before every transaction. Unlike traditional audits, the primary point of enforcement here shifts from post-transaction sanctions to the pre-transaction stage, where a non-compliant transfer is programmatically rejected. This represents a paradigm shift for financial regulation.
Financial regulations and market conditions are dynamic. Therefore, it is critically important that the smart contracts representing a security can adapt to these changing conditions over time. ERC-3643 meets this need with its "upgradability" feature.
The protocol uses a proxy architecture based on the Universal Upgradeable Proxy Standard (UUPS) proposed in ERC-1822. In this architecture, the token contract that users interact with (the proxy contract) actually only stores the data. The main contract containing the token's business logic (the implementation contract) resides at a separate address. When regulations change or the issuer wants to add a new feature, they can deploy a new business logic contract and point the proxy contract to this new address. This allows the underlying rules and functions to be updated without changing the token's address or its asset records. This feature enables the issuer to dynamically adapt to evolving legal frameworks without undergoing the costly and complex process of re-issuing the entire asset class.
In terms of interoperability, ERC-3643 is compatible with the ERC-20 standard in its basic functions. This allows ERC-3643 tokens to integrate with the existing Ethereum ecosystem infrastructure, such as wallets, exchanges, and Decentralized Finance (DeFi) protocols that support ERC-20. However, this integration is controlled by ERC-3643's permissioned nature. This means that even if an ERC-3643 token is listed on a DeFi protocol, only whitelisted wallet addresses interacting with that protocol can transact. This serves as a "bridge," allowing regulated assets to benefit from the liquidity and innovation of DeFi without compromising on compliance standards.
Before analyzing the applicability of the ERC-3643 protocol in Turkey, it is essential to understand the Turkish legal system's approach to digital assets, particularly tokens that qualify as securities.
The first regulatory steps towards crypto-assets in Turkey were taken with the "Regulation on the Disuse of Crypto-Assets in Payments," issued by the Central Bank of the Republic of Turkey (TCMB) in 2021. This regulation defined crypto-assets as "intangible assets that are not qualified as money, scriptural money, electronic money, payment instrument, security, or other capital market instrument," thereby assigning them a negative legal status and prohibiting their use in payments.
However, the real turning point came with the law that entered into force on July 2, 2024, which introduced comprehensive amendments to the Capital Markets Law No. 6362. This law positioned the Capital Markets Board (SPK) as the primary regulator of the crypto-asset market.
The new law added the definition of "crypto-asset" to the Capital Markets Law: "intangible assets that can be created and stored electronically using distributed ledger technology or a similar technology, are distributed over digital networks, and are capable of expressing a value or a right." This definition is technology-neutral and broad, designed to encompass new types of digital assets that may emerge in the future.
The law created a new category of licensed institutions called "Crypto-Asset Service Providers" (KVHS). KVHSs are legal entities that include crypto-asset trading platforms, custody service providers, and other related services. These entities are required to obtain a license from the SPK to operate. With its secondary regulations (communiqués No. III-35/B.1 and III-35/B.2) published on March 13, 2025, the SPK has detailed the establishment conditions, minimum capital requirements (150 million TL for platforms, 500 million TL for custodians), organizational structures, internal control and risk management systems, technological infrastructure requirements, and operating principles for KVHSs. These regulations aim to institutionalize the market and protect investors.
The most sophisticated aspect of the Turkish legal system's new approach is that instead of treating all crypto-assets as a monolith, it segregates those that qualify as "securities." This distinction is vital as it fundamentally changes the legal regime applicable to a token.
Article 3(o) of the Capital Markets Law defines securities, "excluding money, checks, policies, and notes," as:
Shares, other equity-like instruments, and depository receipts related to such shares.
Debt instruments or debt instruments based on securitized assets and revenues, and depository receipts related to such instruments.
Elements from legal doctrine and previous SPK regulations also remain important in interpreting this definition. For an asset to be considered a security, it is generally expected to have the following characteristics:
Providing Partnership or Creditorship Rights: The asset grants its owner partnership rights in a company (e.g., shareholding, dividends, voting rights) or a right of credit from an issuer (e.g., interest, principal repayment).
Being an Investment Instrument: The asset is acquired as an investment vehicle with the expectation of appreciation or income, rather than for accessing a service or product.
Being Fungible and Issued in Series: It is issued in fungible units that grant identical rights and is offered to the public.
In light of these criteria, tokens can be divided into three main categories:
Utility Tokens: These tokens provide access to a service or product on a specific platform. They are generally not considered securities as they do not offer an expectation of profit.
Payment Tokens: These are assets like Bitcoin, designed as a medium of exchange. Under the TCMB Regulation, they cannot be used as payment instruments in Turkey and do not qualify as securities.
Security Tokens: These are tokens that represent a company's share (equity token) or a debt instrument (debt token) and provide their owner with financial rights such as dividends, interest, or voting rights. These tokens clearly meet all the elements of the security definition in the Capital Markets Law.
Turkey's approach is based on the "substance over form" principle, similar to the U.S. Securities and Exchange Commission's (SEC) "Howey Test." In other words, the name of an asset being a "token" does not change its legal nature; what matters is its economic function and the rights it offers to investors. The SPK had already signaled this approach in a 2018 announcement, stating that whether token sales fall within the Board's regulatory scope would be evaluated on a "case-by-case basis."
The most revolutionary provision of the new crypto-asset law is the clause added to Article 13 of the Capital Markets Law (CML). This clause grants the SPK the following authority:
"The Board may establish the principles for capital market instruments to be issued as crypto-assets and monitored on the electronic platforms provided by crypto-asset service providers where they are created and stored, instead of being issued dematerially and monitored by the MKK in accordance with the provisions of this article."
This provision is the legal bridge that allows a token to be simultaneously a "crypto-asset" technologically and a "capital market instrument" legally. It clearly establishes that such security tokens will be subject not to the general crypto-asset regime, but to the entire body of the SPK's capital markets legislation (including obligations such as prospectus preparation, public disclosure, and investor protection).
The law establishes a dual-track system: while creating a licensed KVHS regime under SPK supervision for general-purpose crypto-assets, it activates the full safeguards of capital markets law for security tokens, which carry the highest risk and where investor protection is most critical. This structure strategically diverges from the European Union's MiCA (Markets in Crypto-Assets) regulation, which excludes securities from its scope, and thus offers a more holistic and clear legal foundation for security tokenization.
Implementing a protocol like ERC-3643 in Turkey requires a complex interaction involving the jurisdictions of multiple regulatory bodies.
The SPK is the primary regulator of security tokens. It is authorized to permit issuances, approve prospectuses, license and supervise KVHSs, set market rules, and take measures to protect investors.
MASAK is the institution responsible for combating money laundering and the financing of terrorism. All KVHSs are considered "obliged entities" under Law No. 5549. They are required to comply with strict obligations such as Know Your Customer (KYC), Suspicious Transaction Reporting (STR), identification of the ultimate beneficial owner, and FATF's "Travel Rule."
The MKK is the central custody and registry institution for securities in the traditional dematerialized (book-entry) system. The new clause added to Article 13 of the CML states that the SPK "may require integration to be established between the records on the electronic platform and the MKK system." This suggests the establishment of a hybrid model between a blockchain-based registry and a centralized layer of supervision and finality. This approach can be seen as a technological reflection of the "Trust but Verify" principle: the system relies on the efficiency and transparency of the blockchain while retaining a verification layer through the MKK for ultimate legal certainty and supervision.
The BDDK regulates and supervises not the assets themselves, but the banking services related to crypto-assets (e.g., the bank accounts where KVHSs hold customer cash, or custody services offered by banks).
This division of responsibilities among institutions clearly indicates that an ERC-3643-based security issuance must comply not only with SPK regulations but also with MASAK's AML/CTF rules and any technical integration requirements from the MKK.
In this section, we will build a direct bridge between the technical capabilities of the ERC-3643 protocol and the regulatory requirements of the Turkish legal system. We will demonstrate how each core feature of the protocol can be used as a tool to meet the specific provisions of legislation such as the Capital Markets Law (governed by the SPK), MASAK regulations, and the Turkish Commercial Code (TCC).
The following comparison summarizes the basic framework of this integration. By systematically matching the compliance features of ERC-3643 with their counterparts in Turkish legislation, it provides a summary of the analysis that will be detailed in the subsequent parts of the report. This is not just a summary, but a new analytical framework created to demonstrate the protocol's legal compliance.
Allows only whitelisted wallets to hold/transfer tokens.
Relevant Turkish Legal Requirement: Capital Markets Law (CML) Principle of Investor Protection (Art. 1), Prevention of unauthorized public offerings (CML Art. 109), Restrictions on sales to qualified investors.
Legal Analysis and Implications: The protocol technologically guarantees that a security is distributed only to investors who are eligible under SPK regulations (e.g., qualified investors) and that these restrictions are maintained in secondary market transactions. This fundamentally prevents the risk of an unauthorized public offering and sales to ineligible persons.
Creates an on-chain identity for each participant and manages verifiable claims received from trusted issuers.
Relevant Turkish Legal Requirement: Financial Crimes Investigation Board (MASAK) Obligations (Know Your Customer - KYC, Identification of the Ultimate Beneficial Owner), SPK Crypto-Asset Service Provider (KVHS) Communiqués (No. III-35/B.1, III-35/B.2) on customer identification and account opening rules.
Legal Analysis and Implications: It offers an automated, auditable, and programmatic method to meet the KYC obligations mandated by MASAK. By using verifiable credentials instead of disclosing personal data on-chain, it enhances compliance with the Personal Data Protection Law (KVKK).
Enforces issuance-specific rules (e.g., number of investors, geographical restrictions, maximum investment amount).
Relevant Turkish Legal Requirement: CML Prospectus and Issuance Document conditions (Art. 4, Art. 10), Restrictions on sales to foreign investors (Law on the Protection of the Value of Turkish Currency).
Legal Analysis and Implications: It ensures the automatic enforcement, at the smart contract level, of the sales conditions specified in the prospectus and approved by the SPK (e.g., "can only be sold to investors residing in Turkey"). This reduces the issuer's legal liability and operational risk.
Allows the issuer to move tokens from one wallet to another without the owner's intervention.
Relevant Turkish Legal Requirement: Enforcement of court orders (Enforcement and Bankruptcy Law), Inheritance transfer (Civil Code), Measures to be implemented by the SPK (CML Art. 94).
Legal Analysis and Implications: It enables the technical execution of judicial and administrative proceedings, such as seizures and inheritance transfers, on Distributed Ledger Technology (DLT), which are traditionally handled by the Central Securities Depository (MKK) or intermediaries. It provides a concrete mechanism for the technical enforcement of a legal decision.
Prevents a specific wallet from transacting (sending/receiving).
Relevant Turkish Legal Requirement: MASAK Suspicious Transaction Reporting (STR) and related measures (Law No. 5549, Art. 4), Measures the SPK can take against market-disruptive actions.
Legal Analysis and Implications: It is a powerful tool to instantly and irreversibly halt the movement of funds when a suspicious account reported to MASAK or illegal activity is detected. It is fully compliant with MASAK's expectations for preemptive measures.
Allows an investor who proves their identity to have tokens from a lost wallet moved to a new one.
Relevant Turkish Legal Requirement: Principle of Investor Protection (CML Art. 1), Protection of property rights (Turkish Civil Code).
Legal Analysis and Implications: It eliminates one of the biggest risks of digital asset ownership (the permanent loss of access to assets due to private key loss). This feature can be viewed by regulators as an investor-friendly practice, thereby increasing trust in security tokens.
The analysis presented above shows that a token issued in Turkey using the ERC-3643 standard, which offers financial rights such as partnership or creditorship to its investor, would, beyond any doubt, be classified as a "capital market instrument" in terms of its legal nature. These tokens function as an investment contract rather than providing a "utility."
The most significant consequence of this classification is that the issuance and trading of these tokens are subject not to the general crypto-asset regime, but to the entire body of the SPK's regulations. This means issuers are obligated to submit a prospectus to the SPK for approval in the case of a public offering, or to prepare an issuance document for sales to qualified investors without a public offering. Furthermore, all requirements of capital markets legislation, such as public disclosure, financial reporting, corporate governance, and investor protection, will also apply to these tokens. ERC-3643 itself does not eliminate these obligations; on the contrary, it provides the technological infrastructure to ensure compliance with them.
Under MASAK legislation, KVHSs are "obliged entities" and are therefore required to implement strict AML/CTF measures. The identity infrastructure of ERC-3643 offers significant advantages in meeting these legal obligations.
MASAK requires KVHSs to perform identity verification when establishing an ongoing business relationship with customers or for transactions exceeding certain thresholds. In the ERC-3643 model, the role of "Trusted Issuer" could be assumed by identity verification service providers or banks authorized by the SPK and MASAK. After these entities complete an investor's identity verification in accordance with their own legal processes (off-chain), they can add an on-chain "KYC_Completed" claim to the investor's ONCHAINID. This claim acts as cryptographic proof that the investor's identity has been verified. Through this, the isVerified() check performed before a token transfer also becomes a programmatic check of whether MASAK's KYC requirement has been fulfilled.
The protocol, by its nature, does not detect or report suspicious transactions. This obligation must be fulfilled by the KVHS's own internal control and monitoring systems. However, the blockchain technology used by ERC-3643 ensures that all transactions are kept in a time-stamped, immutable, and public (or accessible to auditors on permissioned networks) ledger. This transparent and auditable structure provides a rich and reliable data source for the KVHS's monitoring systems to detect suspicious transaction patterns (e.g., numerous small transfers in a short period, interactions with known high-risk addresses, etc.). This data facilitates the substantiation of evidence for STRs to be filed with MASAK.
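The two patterns named above (numerous small transfers in a short period, and interactions with known high-risk addresses) can be screened for in a KVHS monitoring job that reads transfer records from the ledger. This is an added example, not part of the original article: the record layout, wallet labels, watchlist entry and thresholds are constructed assumptions, and a real deployment would take its thresholds from the institution's own risk policy.

```python
from collections import defaultdict, deque

# Constructed sample ledger extract: (unix_time, sender, receiver, amount)
TRANSFERS = [
    (0, "w1", "a1", 90),
    (0, "w2", "a2", 50),
    (300, "w4", "a9", 7000),
    (600, "w1", "a3", 80),
    (900, "w4", "a9", 8000),
    (1200, "w1", "a4", 95),
    (1500, "w4", "a9", 9000),
    (1800, "w1", "a5", 85),
    (2000, "w3", "risk-1", 5000),
    (2100, "w4", "a9", 6000),
    (5000, "w2", "a2", 50),
    (10000, "w2", "a2", 50),
    (15000, "w2", "a2", 50),
]

HIGH_RISK = {"risk-1"}  # constructed watchlist entry


def find_alerts(transfers, high_risk=HIGH_RISK, small_amount=100,
                burst_count=4, window_seconds=3600):
    """Return (rule, wallet, time) tuples for review by a compliance officer.

    Rule "small_transfer_burst": a sender makes `burst_count` transfers, each
    below `small_amount`, within `window_seconds`.
    Rule "high_risk_counterparty": a transfer has a watchlisted address on the
    other side; the alert names the customer wallet, not the listed address.
    """
    alerts = []
    recent_small = defaultdict(deque)  # sender -> timestamps of small transfers

    for ts, sender, receiver, amount in sorted(transfers):
        if receiver in high_risk:
            alerts.append(("high_risk_counterparty", sender, ts))
        elif sender in high_risk:
            alerts.append(("high_risk_counterparty", receiver, ts))

        if amount < small_amount:
            window = recent_small[sender]
            window.append(ts)
            # Drop small transfers that have aged out of the sliding window.
            while ts - window[0] > window_seconds:
                window.popleft()
            if len(window) >= burst_count:
                alerts.append(("small_transfer_burst", sender, ts))
                window.clear()  # a new burst must accumulate before re-alerting

    return alerts


if __name__ == "__main__":
    for alert in find_alerts(TRANSFERS):
        print(alert)
```

In the sample, w2 (small but widely spaced transfers) and w4 (frequent but large transfers) raise no alert, which shows why both the amount and the time window have to be part of the rule.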
At first glance, the powerful authorities granted to the issuer by ERC-3643, such as forcedTransfer and freezeAddress, may seem to create a tension with the right of property regulated in the Turkish Civil Code and the principle of freedom of contract in the Code of Obligations. However, a deeper analysis reveals that these functions are not an arbitrary use of power but rather a technological enforcement tool for legal processes.
When an investor purchases an ERC-3643-based security token, they accept not only the rights in the underlying asset but also the rules of the technological platform on which these rights operate. The issuer must clearly state in the SPK-approved prospectus or issuance document the circumstances under which the forcedTransfer or freezeAddress functions can be used (e.g., court order, legal requirement, loss of key, etc.). The investor's purchase of the token, with full knowledge and acceptance of these terms, forms the necessary contractual basis for the application of these control mechanisms. This is valid within the framework of the "freedom of contract" principle of the Code of Obligations, as parties are free to determine the content of a contract, provided it does not contradict the mandatory provisions of the law. Therefore, the use of these functions is not an arbitrary interference with property rights, but the execution of pre-accepted contractual terms or a court order.
These functions offer a concrete solution for how a legal decision can be enforced in the digital world. For example, when a court orders the seizure of tokenized shares owned by a debtor, the bailiff's office serves this decision to the issuer. The issuer can then use the forcedTransfer function to transfer these tokens to a wallet designated by the bailiff's office. This is the technological equivalent of a dematerialized (book-entry) block or transfer order in traditional systems.
Where and how the ownership of a security is recorded is the most fundamental question from a legal validity perspective. While ERC-3643 offers a decentralized answer to this question, Turkish law has traditionally relied on centralized registries.
Law No. 6102, the Turkish Commercial Code (TCC), requires joint-stock companies to record their registered shareholders and transfers in a "share ledger." This ledger is necessary for the transfer to be valid against the company. The blockchain, with its inherently immutable, chronological, and transparent nature, can serve as a technologically superior, more secure, and more auditable version of the share ledger required by the TCC. In a legal dispute, the records on the blockchain would constitute strong evidence for proving share ownership.
The securities of publicly-held companies, on the other hand, are monitored not physically but on a "dematerialized" (book-entry) basis within the MKK. The new Article 13 of the CML envisions a hybrid model for this scenario. The SPK may mandate integration between blockchain-based records and the MKK system. In practice, this integration would likely function as follows:
Token transfers, trading activities, and instantaneous ownership changes would occur in real-time on the blockchain. The blockchain would be the "source of truth" for the markets.
KVHSs would report the final ownership status from the blockchain to the MKK system at specific intervals (e.g., at the end of each day). The MKK would record this data in its system, creating a centralized audit point for regulatory bodies and providing ultimate legal finality. This model combines the speed and efficiency of the blockchain with the legal certainty of a centralized registry.
This new approach creates a new obligation for lawyers and regulators: legal-technical due diligence. It will no longer be sufficient to merely review a prospectus. To fully understand the legal risks of a security token, the code of the smart contracts governing that token must also be audited to ensure that the code correctly and securely implements the legal rules specified in the prospectus. This signals the birth of a new field of expertise at the intersection of the legal and information technology disciplines.
In light of the analysis above, the steps that an institution wishing to conduct a Security Token Offering (STO) in Turkey using the ERC-3643 standard should follow can be summarized as follows:
The first step is to clarify the legal nature of the underlying asset to be tokenized (e.g., share, debt instrument) and to clearly define the rights to be granted to token holders (e.g., dividends, voting rights, interest). At this stage, it may be necessary to make relevant amendments to the company's articles of association.
Since the token to be issued qualifies as a security, an application to the SPK is mandatory. A comprehensive prospectus must be prepared for a public offering, or an issuance document for a sale only to qualified investors. These documents must disclose not only traditional information but also transparently explain the technical workings of the ERC-3643 protocol, its control mechanisms like forcedTransfer, risks related to private key management, and other risks specific to blockchain technology.
The platform conducting the issuance, or the issuer itself, must have obtained the relevant KVHS license(s) from the SPK. This involves meeting numerous requirements such as minimum capital, technological infrastructure, internal control systems, and personnel competency.
After receiving SPK approval, the ERC-3643 smart contracts (Identity Registry, Compliance Contract, etc.) are configured to perfectly match the rules specified in the prospectus. For example, if the prospectus states that "only citizens of the Republic of Turkey can invest," the Identity Registry is programmed to accept only ONCHAINIDs that hold a claim related to Turkish citizenship.
The platform's technical integration with the MKK is established within the framework of procedures and principles to be determined by the SPK. This includes regular data reporting and ensuring interoperability between systems.
The KVHS must establish an internal policy for full compliance with MASAK obligations, appoint a compliance officer, and provide regular training to its staff. Customer acceptance processes and transaction monitoring systems must be designed to meet MASAK's expectations.
These steps show that ERC-3643, like similar or successor protocols created within this scope, represents not just a technology but a legal-technical system that must be integrated into Turkey's complex financial regulatory environment.
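The smart contract configuration step above, and the legal-technical due diligence it calls for, can be illustrated with a short Python model that compares the rules stated in a prospectus with the deployed registry settings. This is an added example, not code from the ERC-3643 project or from this article; the topic numbers, issuer names and the functions is_verified and audit_config are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed claim-topic ids (assumption); a real issuance picks its own uint256 values.
TOPIC_KYC, TOPIC_TR_CITIZEN = 1, 1001

@dataclass(frozen=True)
class Claim:
    topic: int
    issuer: str           # claim issuer named in the ONCHAINID claim
    revoked: bool = False

def is_verified(claims, required_topics, trusted_issuers):
    """Simplified model of the eligibility check: each required topic needs an
    unrevoked claim from an issuer that is trusted for that same topic."""
    # An empty required_topics set verifies everyone here, so audit_config flags it.
    return all(
        any(c.topic == t and not c.revoked
            and t in trusted_issuers.get(c.issuer, set()) for c in claims)
        for t in required_topics
    )

def audit_config(prospectus_topics, approved_issuers, onchain_topics, onchain_issuers):
    """Compare the rules in the prospectus with the deployed registry settings."""
    findings = []
    if not onchain_topics:
        findings.append("no claim topics enforced on-chain")
    for t in sorted(prospectus_topics - onchain_topics):
        findings.append(f"topic {t} required by prospectus but not enforced on-chain")
    for t in sorted(onchain_topics - prospectus_topics):
        findings.append(f"topic {t} enforced on-chain but absent from prospectus")
    for issuer in sorted(onchain_issuers):
        for t in sorted(onchain_issuers[issuer] - approved_issuers.get(issuer, set())):
            findings.append(f"issuer {issuer} trusted for topic {t} without approval")
    return findings

# Constructed sample data: what the prospectus says versus what was deployed.
PROSPECTUS_TOPICS = {TOPIC_KYC, TOPIC_TR_CITIZEN}
APPROVED_ISSUERS = {"issuer-A": {TOPIC_KYC, TOPIC_TR_CITIZEN}}
DEPLOYED_TOPICS = {TOPIC_KYC}                      # citizenship topic was never added
DEPLOYED_ISSUERS = {"issuer-A": {TOPIC_KYC, TOPIC_TR_CITIZEN}, "issuer-B": {TOPIC_KYC}}

if __name__ == "__main__":
    for finding in audit_config(PROSPECTUS_TOPICS, APPROVED_ISSUERS,
                                DEPLOYED_TOPICS, DEPLOYED_ISSUERS):
        print("FINDING:", finding)
    kyc_only = [Claim(TOPIC_KYC, "issuer-A")]      # investor without a citizenship claim
    print("admitted by deployed config:", is_verified(kyc_only, DEPLOYED_TOPICS, DEPLOYED_ISSUERS))
    print("admitted by prospectus rules:", is_verified(kyc_only, PROSPECTUS_TOPICS, APPROVED_ISSUERS))
```

With the constructed data, the audit reports the missing citizenship topic and the unapproved issuer, and the same investor is admitted by the deployed settings but rejected under the prospectus rules.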
To fully understand the place of ERC-3643 within the Turkish legal system, it is illuminating to compare Turkey's adopted regulatory approach with the approaches of other leading jurisdictions in this field, namely the United States and the European Union.
The U.S. Securities and Exchange Commission (SEC) has largely based its approach to digital assets on the "Howey Test," derived from a 1946 Supreme Court decision. This test examines whether a transaction involves an "investment of money in a common enterprise with an expectation of profits to be derived from the efforts of others." If these criteria are met, the asset in question is considered a "security," regardless of its technological form, and becomes subject to federal securities laws.
Turkey's new legal framework shows a significant parallel with the SEC's approach in terms of the "substance over form" principle. When determining whether a token is a security, the SPK focuses not on its technological name but on the economic rights it offers to investors (partnership, creditorship, expectation of profit). Any token that fits the SPK's definition of a security falls under the full supervisory and regulatory authority of the SPK.
The European Union's Markets in Crypto-Assets (MiCA) Regulation offers one of the most comprehensive regulatory frameworks in this area. However, one of MiCA's most distinct features is the critical distinction it makes regarding its scope. While MiCA regulates crypto-assets such as utility tokens, e-money tokens, and asset-referenced tokens (stablecoins), it expressly excludes crypto-assets that qualify as "financial instruments" under the existing Markets in Financial Instruments Directive (MiFID II)—that is, security tokens.
This is where Turkey's approach shows a strategic difference. Where MiCA leaves a gap for securities, requiring them to be subject to the traditional and non-crypto-native MiFID II regime, Turkey's new law grants the SPK the authority to create a special, integrated framework for the issuance of these assets on the blockchain. This means an STO project in Turkey will engage with a single point of contact—the capital markets authority, the SPK—rather than navigating two different and not fully integrated legal regimes as is the case in the EU.
Alongside the problems it solves, the adoption of technologies like ERC-3643 also raises new legal questions.
If a code error (bug) in a smart contract governing a security token leads to financial loss for investors or a regulatory breach (e.g., an accidental transfer to an ineligible investor), who will be liable? The issuer? The software developer who wrote the smart contract? The audit firm that reviewed the code? How will the provisions on tort and breach of contract in the Turkish Code of Obligations apply to this new situation? This is a gray area where case law has not yet been established. It is likely that the issuer will be considered to have a duty of care to ensure the technology used is secure and compliant with the law, and this liability will likely be managed through insurance policies and service agreements.
Although ERC-3643 enhances privacy by not writing personal data directly onto the chain, its compliance mechanism relies on off-chain processes. "Trusted Issuers" and KVHSs must process and store investors' KYC information in their own systems. These processes are fully subject to Law No. 6698, the Personal Data Protection Law (KVKK). The collection, processing, storage, and especially the international transfer of investor data (if a Trusted Issuer is located abroad) must comply with the strict rules of KVKK. Ensuring the compliance of data processing activities with KVKK is a critical step for STO projects.
The borderless nature of blockchain technology complicates the issue of which country's courts will have jurisdiction in legal disputes. If a dispute arises between an issuer in Turkey and a Japanese investor who bought the token, where will the lawsuit be heard? To reduce this uncertainty, it is crucial to include clear provisions in the framework agreements with investors and in the token's prospectus, designating a specific court (e.g., the Istanbul Courts) or an arbitration center as the competent authority for dispute resolution. Innovative solutions, such as arbitration clauses embedded in smart contracts, may also play a role in this area in the future.
The comprehensive technical and legal analysis conducted throughout this report leads to the conclusion that the ERC-3643 permissioned token standard is not only compatible with Turkey's crypto-asset regulatory framework but also offers an ideal technological infrastructure to meet the strict compliance demands of this framework. The protocol's "Compliance by Design" philosophy directly aligns with the SPK's investor protection mission and MASAK's objectives in combating financial crimes.
ERC-3643's permissioned architecture—with its on-chain identity management, programmable compliance rules, and issuer control mechanisms—provides concrete tools for fulfilling many obligations required by Turkish law, such as Know Your Customer (KYC), sales restrictions, and the enforcement of legal measures, in an automated, transparent, and immutable manner. This technology enables legal principles to be embedded directly into the asset's code, increasing efficiency in compliance processes while reducing the risk of human error and abuse.
Turkey's proactive and holistic approach—choosing to create a special legal pathway within the SPK's jurisdiction for security tokens rather than excluding them as regulations like MiCA do—holds the potential to position the country as a global hub for RWA tokenization. When this progressive legal framework is combined with compliance-focused technological standards like ERC-3643, it can create a secure and effective foundation for bringing trillions of dollars of traditionally illiquid assets into the capital markets.
Realizing this potential will require strategic steps from both market participants and regulatory bodies. Issuers must structure their projects with a holistic approach that combines legal and technical expertise, while regulators should provide greater clarity to the market through secondary regulations on topics such as smart contract auditing and MKK integration.
The success of this process will depend on the extent to which regulations recognize and encourage the automated compliance and transparency capabilities offered by technologies like ERC-3643. If regulators develop a "safe harbor" approach that simplifies approval processes or reduces capital requirements for issuers who adopt such high technical standards, it would create a strong incentive for the entire market to adopt the best technologies, enhancing the overall health and integrity of the ecosystem.
In this complex field at the intersection of capital markets and blockchain technologies, you can contact our law firm for expert consultancy and support on your ERC-3643-based Security Token Offering (STO) projects and related legal processes.