Why ThreatMark
Solutions
Solutions
- Scams & Social Engineering
  Intercept deceptive schemes and protect customers from scams.
- Phishing Detection & Mitigation
  Mitigate financial fraud with an proactive defense against phishing attacks.
  - Credential Theft
- Account Takeover
  Prevent unauthorized access and safeguard customer accounts.
- Money Mules
  Identify money mule accounts before fraudster can cover their tracks.
- New Account Fraud
  Detect new account fraud with advanced behavioral biometrics.
- Transaction Risk Analysis
  Balance security and UX with the application of stringent security measures.
- Department
  ThreatMark supports the unspoken heroes in the fight against fraud.
ThreatMark Platform
ThreatMark Platform
- Behavioral Intelligence Platform
  Bolster fraud prevention with constant monitoring of the now.
- Smart Insights
  Gain expert insight for accurate detections and fewer false positives.
- Cyber Fraud Fusion Center
  Cyber Fraud Fusion Center stands at the forefront of fighting cyber threats.
Modern fraud demands a modern solution.

In this world of constantly increasing fraud threats, we’ve reimagined protection. Combining transaction risk analysis, threat detection, and user behavior profiling capabilities in one integrated platform.
Resources
Resources
- Resources
- Insights
Bringing trust to the digital world

The landscape of cyber threats is constantly evolving; stay ahead of the curve with ThreatMark.
Company
Company
Built to disrupt the fraud infrastructure.

Fraudsters don’t stand still, so neither do we.

Talk to a fraud fighter

Home Insights BDDK Regulation – Compliance Made Easy With ThreatMark

BDDK Regulation – Compliance Made Easy With ThreatMark

August 4, 2020

The Turkish banking regulator announced a new regulation with one audacious goal: to create a robust protection measure to prevent fraud in the online world with a strong accent on innovation in the area of unauthorized and fraudulent transactions.

Similarities with PSD2 Legislation

A new regulation published by Banking Regulation And Supervision Agency (BDDK) is called The Regulation on Information Systems of Banks and Electronic Banking Services as a part of Official Gazette published on March 15th, 2020. This modified, updated regulation went into force on July 1st, 2020. The paper is based on its predecessor called Communiqué on the Principles to be Based on Information Systems Management in Banks from November 2019, with an effective date of January 1^st, 2020.

It is no secret that this regulation resembles PSD2 regulation in many points since Turkey closely followed the EU legislation. The principal exemption between Turkish and EU adoption of the new legislation is that Turkey, seeing at the time the technical and compliance struggles of the EU banks and regulators, chose not to enforce the concept of Strong Customer Authentication (SCA).

This is now changing. From now on, banking customers in Turkey must use the 2^nd factor of authentication for all their actions. Regardless if they’re sending money, changing passwords, or checking their balance – an additional authentication challenge has to be initiated. Let’s have a closer look at some regulation’s specifics and what might be the role of ThreatMark in helping Turkish banks to adopt this regulation.

Exemption for Mobile Apps

Despite what has been written above, there is an exemption from this rule concerning mobile apps. Similar to the PSD2, when banking customer uses a mobile app (and doesn’t want to send money and he authenticated himself not longer than 90 days before), there is no need for escalation of authentication elements.

Compliance Delivered Promptly

Developed by security practitioners with extensive knowledge of online banking, ThreatMark’s Anti-Fraud Suite (AFS) already ensures PSD2 compliance. Therefore, ThreatMark AFS is perfectly capable of tackling points stipulated in the BDDK’s Article 36, namely:

known fraudulent methods,
unusual behavioral patterns,
location information,
authentication element has been stolen,
signs of malware infection,
transaction monitoring in real-time,
amount of fund being sent.

Apart from the capabilities mentioned above, ThreatMark AFS also reduces friction put on the end-user during authentication. Similarly, like European Banking Authority (EBA), the Turkish regulator in Article 3 of BDDK accepts behavioral biometrics (specific way you move your mouse, the way you type on your keyboard or navigate throughout the banking app) as an independent authentication element. This way, with ThreatMark, banks can authenticate end-users seamlessly and without adding friction.

Since the banks are prohibited from using SMS OTP (or any other device operating with SIM technology), the ThreatMark’s behavioral biometrics authentication is a better & safer replacement. Moreover, behavioral biometrics cannot be mimicked or stolen by fraudsters. Unlike SMS and behavioral patterns (usual date/time you log in to the app, amount of money you send, typical beneficiary number, …) that can be stolen or faked, complex behavioral biometrics cannot, as it is unique for each user. This brings trust into the identity proofing and makes bank and its customers more secure.

ThreatMark provides contextual views of each situation, weighting not just the behavior of a user but also their session info, their device, the payment, and the behavior of the entire session. Each of these entities has it’s own risk score generated in real-time. This risk can then work as reasoning for the decision whether to step up or step down with the authentication challenge (Risk-based Strong Customer Authentication). In other words – there is no reason to bother the user with authentication when there is a clear and strong evidence for their identity.

Concept of Risk-Based Adaptive Authentication

Flexible Deployment

ThreatMark’s solution is perfectly aligned with a BDDK’s deployment requirement. ThreatMark AFS can be deployed to any private cloud located in any country, but more importantly, it can be deployed on the premise of the bank. Deployed on-premise, the bank has the certainty that no data ever leave the bank’s premises.

Contact our team and arrange a workshop related to BDDK legislation. We can deep dive into the regulation and discuss how to address it with the ThreatMark AFS solution.