Turkey - regulation and blockages

(Section: "Markets and Jurisdictions")

1) Market picture and fundamentals

• Lotteries - under the Milli Piyango brand.
• Sports betting - through Spor Toto/ İddaa (operator under a state contract).
• Horse racing and parimatch - through an authorized sweepstakes system.
• All other B2C activities (including offshore sites and applications) are classified as illegal. The mode is accompanied by active domain locks and overlapping payment routes.

2) Organs and roles

Ministry of Finance/Related Agencies - Policy and Fiscal Control.
Milli Piyango - state lotteries.
Spor Toto Organization (İddaa) - sports betting in a permitted format.
MASAK = National AML/AML/TF Coordination (Identification, STR/SAR, Training).
BDDK (banking supervision) - control of payment infrastructure and suppression of transfers to illegal operators.
BTK (communication/Internet supervision) - instructions for blocking sites, IP/DNS/URL filtering, removing content and mirrors.
Police/Prosecution/Cyber Units - Enforcement, Raids, Criminal/Administrative Cases.

3) What is allowed and what is forbidden

It is authorized

Milli Piyango lottery products sale.
Acceptance of bets through the licensed Spor Toto/İddaa circuit (ground points and official online channel).
Betting on races in the authorized system.

Forbidden

Private online casinos/slots/poker and offline casinos.
Any "mirrors," offshore sites, telegram bots and applications aimed at players from Turkey outside the state mandate.
Advertising/affiliate promotion of unlicensed brands for Turkish audiences.

4) Block mode: domains, networks, applications

BTK issues orders to block domain names, IP addresses and individual URLs; communication providers must execute immediately.
Dynamic lists are used: when mirrors/redirects appear, they are quickly added to block lists.
App stores and hosting sites receive requests to remove illegal content.
For evasion (CDN bypasses, fast rotational mirroring, proxy chains), increased responsibility is provided.

5) Payments and financial constraints

BDDK and banks/PSP block the transfer of funds to accounts related to unlicensed gambling activities; cards/virtual wallets and alternative payment channels are monitored.
Payment service providers are required to implement KYC/AML triggers and game MCC/route detection scenarios; attempts to mask payment traffic are treated as a violation.
Chargers and "pseudo-merchants" fall into the zone of law enforcement interest.

6) Taxes and fees (high level)

Fiscal rules apply to authorized operators and their counterparties: special fees from the rate (handle) and/or GGR, distribution of funds to the budget/trust funds.
Corporate tax and VAT are applied according to general standards to related services (IT, hosting, marketing, consulting).
Reporting - monthly/quarterly forms and annual audit with separate accounting by products and channels.

7) AML/KYC и RG

KYC/KYB: identification of identity/age, ultimate beneficiaries, sanctions/PEP; proof of ownership of the payment means.
Monitoring: limits, behavioral anomalies, connectivity of accounts/cards/devices; STR/SAR в MASAK.
Data storage: retention of CUS/logs, protection of personal data; access supervision on request.
Responsible Gaming: age filters, self-limiting (deposit/time limits), timeouts/" cooling, "risk communication.

8) Advertising, promo and affiliates

Advertising of only authorized brands is allowed within the framework of strict guidelines: RG labeling, lack of aggressive inductions ("no risk," "guaranteed gain"), prohibition of targeting minors/vulnerable.
Affiliates are jointly and severally liable: the promotion of unlicensed sites entails blocking sites/payments and fines.
Keep a compliance log (screenshots/URL/dates/geo, audience target), have an instant creative recall process.

9) IT loop for authorized operators/contractors

Platform, RNG/simulation module certification; version control and secure SDLC.
WORM logs along the chain "rate → calculation → payment → adjustment," time synchronization.
Interfaces for supervision: secure uploads/APIs, test accounts, SLAs for responses.
Reliability/information security: DR/BCP (target RPO/RTO), encryption at rest/in transit, RBAC/SoD, pentests/scans.

10) Enforcement and liability

Desk checks: comparison of reporting and payments, search for GGR/NGR anomalies, marketing/affiliate audits.
Field/cyber events: identification of back offices, hosting, domain/mirror chains, payment routes.
Sanctions: fines, blocking domains and applications, suppression of payment channels, criminal and administrative liability for organizers; administrative fines and/or other measures for players.
Mitigation: voluntary termination of violations, corrective plans, cooperation with authorities.

11) Roadmap: What Business Can Really Do

1. Define the role: content studio, risk management, platform, anti-fraud, payments, RG tools.
2. Check compatibility: security/certification requirements, reporting formats, integration with MASAK/KYC providers.
3. Contractual framework: SLA, data protection, content rights, escrow/code deposit, continuity plan.
4. Marketing: complete refusal to promote unlicensed brands to the audience of Turkey; white list of creatives, compliance magazine.
5. UAT/pilot: test cases of calculations, limits, RG/AML scenarios, resistance to block events (including CDN/IP rotation in the legal perimeter).

12) Compliance checklists

Legal regime

• Confirmed: work only in permitted verticals/through the state mandate
• AML/RG/IS responsible assigned, trained and certified
• BTK/BDDK response procedures

Tax & Reporting

• Separate accounting by products/channels; transparent accounting of bonuses/void/cashout
• Declaration/payment calendar; otchetnost↔billing reconciliation <0.5%
• Annual audit; storage of primary and logs

AML/KYC & RG

• KYC/KYB policies, sanctions/PEP, SoF triggers; STR/SAR log
• Deposit/time limits; timeouts; self-exclusion register
• Anomaly and escalation management

IT and Security

• RNG Certificates/Platforms; WORM logs; time synchronization
• Encryption, RBAC/SoD, secret management, penetration tests/scans
• DR/BCP Tests and Recovery Plan

Marketing & Affiliates

• Authorized brands only; RG-marking; without "dark patterns"
• Compliance log (screenshots/URL/dates/geo); quick feedback
• Strictly ban promo unlicensed sites/mirrors

13) First year KPI

Fiscal: timely filing ≥99%; discrepancy otchetnost↔billing <0.5%.
AML/KYC: average verification time; share of false positives; SLA STR/SAR.
RG: proportion of players with active limits; Self-exclusion lock TTR <1 min.
Information security/reliability: MTTR incidents; execution of DR tests; closing critical vulnerabilities.
Marketing: 0 cases of unlicensed brand promos; 100% compliance with guidelines.

14) FAQ

Can a private online casino be launched?
No, it isn't. Private B2C activities in casino/slots/poker are prohibited; only activities through state mandates (lotteries, rates) are legal.

What threatens the affiliate for promo offshore sites?
Blocking of domains/payments, fines and other measures; sites and accounts can be deleted/blocked.

How is blocking bypassed by law enforcement officers?
As an aggravating circumstance: mirrors, proxy chains, "pseudo-merchants" strengthen sanctions and the risks of criminal/administrative responsibility.

Is there a legal route to market?
Yes, in the form of a B2B partnership with authorized entities (content/platform/risk/payments) with strict adherence to security, data and AML/RG requirements.

Note

Turkish practice is actively updated (public tenders, advertising rules, blocking mechanisms, reporting formats). Before legally significant steps, check the current texts of laws/regulations and public conditions of authorized operators.