Talk to a fraud fighter

BDDK Regulation – Compliance Made Easy With ThreatMark

August 4, 2020

The Turkish banking regulator announced a new regulation with one audacious goal: to create a robust protection measure to prevent fraud in the online world with a strong accent on innovation in the area of unauthorized and fraudulent transactions.


Similarities with PSD2 Legislation

A new regulation published by Banking Regulation And Supervision Agency (BDDK) is called The Regulation on Information Systems of Banks and Electronic Banking Services as a part of Official Gazette published on March 15th, 2020. This modified, updated regulation went into force on July 1st, 2020. The paper is based on its predecessor called Communiqué on the Principles to be Based on Information Systems Management in Banks from November 2019, with an effective date of January 1st, 2020.

It is no secret that this regulation resembles PSD2 regulation in many points since Turkey closely followed the EU legislation. The principal exemption between Turkish and EU adoption of the new legislation is that Turkey, seeing at the time the technical and compliance struggles of the EU banks and regulators, chose not to enforce the concept of Strong Customer Authentication (SCA).

This is now changing. From now on, banking customers in Turkey must use the 2nd factor of authentication for all their actions. Regardless if they’re sending money, changing passwords, or checking their balance – an additional authentication challenge has to be initiated. Let’s have a closer look at some regulation’s specifics and what might be the role of ThreatMark in helping Turkish banks to adopt this regulation.


Exemption for Mobile Apps

Despite what has been written above, there is an exemption from this rule concerning mobile apps. Similar to the PSD2, when banking customer uses a mobile app (and doesn’t want to send money and he authenticated himself not longer than 90 days before), there is no need for escalation of authentication elements.

Compliance Delivered Promptly

Developed by security practitioners with extensive knowledge of online banking, ThreatMark’s Anti-Fraud Suite (AFS) already ensures PSD2 compliance. Therefore, ThreatMark AFS is perfectly capable of tackling points stipulated in the BDDK’s Article 36, namely:

  • known fraudulent methods,
  • unusual behavioral patterns,
  • location information,
  • authentication element has been stolen,
  • signs of malware infection,
  • transaction monitoring in real-time,
  • amount of fund being sent.

Apart from the capabilities mentioned above, ThreatMark AFS also reduces friction put on the end-user during authentication. Similarly, like European Banking Authority (EBA), the Turkish regulator in Article 3 of BDDK accepts behavioral biometrics (specific way you move your mouse, the way you type on your keyboard or navigate throughout the banking app) as an independent authentication element. This way, with ThreatMark, banks can authenticate end-users seamlessly and without adding friction.

Since the banks are prohibited from using SMS OTP (or any other device operating with SIM technology), the ThreatMark’s behavioral biometrics authentication is a better & safer replacement. Moreover, behavioral biometrics cannot be mimicked or stolen by fraudsters. Unlike SMS and behavioral patterns (usual date/time you log in to the app, amount of money you send, typical beneficiary number, …) that can be stolen or faked, complex behavioral biometrics cannot, as it is unique for each user. This brings trust into the identity proofing and makes bank and its customers more secure.

ThreatMark provides contextual views of each situation, weighting not just the behavior of a user but also their session info, their device, the payment, and the behavior of the entire session. Each of these entities has it’s own risk score generated in real-time. This risk can then work as reasoning for the decision whether to step up or step down with the authentication challenge (Risk-based Strong Customer Authentication). In other words – there is no reason to bother the user with authentication when there is a clear and strong evidence for their identity.

Concept of Risk-Based Adaptive Authentication


Flexible Deployment

ThreatMark’s solution is perfectly aligned with a BDDK’s deployment requirement. ThreatMark AFS can be deployed to any private cloud located in any country, but more importantly, it can be deployed on the premise of the bank. Deployed on-premise, the bank has the certainty that no data ever leave the bank’s premises.

Contact our team and arrange a workshop related to BDDK legislation. We can deep dive into the regulation and discuss how to address it with the ThreatMark AFS solution.