
AI Interactive Tools

Banking AI Risk Score

BDDK + KVKK + MASAK + SPK + EU AI Act compliance — 6 dimensions, 36 questions risk assessment.

Definition
Banking & Finance AI Compliance
A financial institution (bank, payment/e-money institution, insurer, financing/fintech lender) operating AI systems in line with regulatory obligations under the BDDK IT Systems Regulation, KVKK 6698, MASAK Law 5549, the TCMB Payment Services Regulation, SEDDK rules, IFRS 9 / TFRS 9 and the EU AI Act.
Also known as: BDDK AI, banking AI compliance, MASAK AI, IFRS 9 ECL, TCMB payments, SEDDK, model risk SR 11-7, EU AI Act Annex III

Institution Type

9 dimensions · 70 questions apply to this institution type.

BDDK IT Compliance (8 questions)

BS Regulation + Cloud Guide + outsourcing + operational resilience.

  1. Q1. Are AI workloads running in a data centre located in Türkiye?

    BDDK BSY m.4 · weight 5/5

  2. Q2. Are primary, secondary and backup systems all kept in Türkiye?

    BDDK BSY m.7 · weight 4/5

  3. Q3. Has AI vendor outsourcing risk analysis been done and notified to BDDK?

    BDDK Outsourcing Communiqué · weight 4/5

  4. Q4. Does the AI vendor contract grant BDDK audit access?

    BDDK BSY m.9 · weight 4/5

  5. Q5. Is there an exit strategy and data portability plan for the AI vendor?

    BDDK Cloud Guide · weight 3/5

  6. Q6. Are rollback and disaster recovery (DR) procedures tested for AI systems?

    BDDK BSY m.16 · weight 4/5

  7. Q7. Is there segregation of duties + privileged access management for AI systems?

    BDDK BSY m.11 · weight 3/5

  8. Q8. Do AI model updates go through a formal change management process?

    BDDK BSY m.14 · weight 3/5

KVKK Compliance (8 questions)

Personal data processing + lawful basis + cross-border transfer + data subject rights.

  1. Q1. Is AI use and its logic explicitly disclosed in the privacy notice?

    KVKK m.10 · weight 4/5

  2. Q2. Is a lawful basis (consent/contract/legitimate interest) defined for each AI processing activity?

    KVKK m.5-6 · weight 4/5

  3. Q3. Is there an objection + human-review mechanism for automated decisions?

    KVKK m.11/g · weight 5/5

  4. Q4. Is data minimisation + purpose limitation ensured in training/inference?

    KVKK m.4 · weight 3/5

  5. Q5. Is a KVKK Art. 9 appropriate safeguard (undertaking/SCC) in place for public LLM transfers?

    KVKK m.9 · weight 5/5

  6. Q6. Are AI processing activities current in the VERBİS registry?

    VERBİS · weight 3/5

  7. Q7. Is a retention + destruction policy defined for AI outputs and training data?

    KVKK m.7 + Regulation · weight 3/5

  8. Q8. Has a data protection impact assessment (DPIA) been done for high-risk AI processing?

    KVKK Board + GDPR m.35 · weight 4/5

MASAK / AML Compliance (7 questions)

AML risk scoring + sanctions screening + obligor duties + log retention.

  1. Q1. Are explainability (XAI) reports produced for AI-based AML risk scores?

    MASAK Guide · weight 5/5

  2. Q2. Are AI-generated AML decisions logged with model version for 8 years?

    5549 SK m.7 · weight 4/5

  3. Q3. Is sanctions + PEP screening done with current lists (UN, OFAC, EU), AI-assisted?

    MASAK + UN/OFAC · weight 5/5

  4. Q4. Is the false-positive rate monitored periodically + thresholds recalibrated?

    MASAK Guide · weight 3/5

  5. Q5. Is the model updated to cover new fraud typologies (AI-assisted fraud)?

    MASAK Guide · weight 4/5

  6. Q6. Are AI-flagged transactions reviewed by a compliance officer (no auto-SAR)?

    5549 SK · weight 4/5

  7. Q7. Is the AML model validated by a function independent of its developers?

    MASAK + SR 11-7 · weight 3/5

EU AI Act Compliance (8 questions)

Credit & insurance pricing are high-risk (Annex III §5); QMS + oversight + FRIA.

  1. Q1. Has the EU AI Act risk class been formally determined for the AI system(s)?

    Annex III §5(b)/(c) · weight 5/5

  2. Q2. Is Annex IV technical documentation complete for high-risk systems?

    Annex IV · weight 4/5

  3. Q3. Has an AI Quality Management System (QMS) been established?

    Art. 17 · weight 4/5

  4. Q4. Has human oversight been designed for high-risk AI decisions?

    Art. 14 · weight 5/5

  5. Q5. Has a fundamental rights impact assessment (FRIA) been performed?

    Art. 27 · weight 4/5

  6. Q6. Does the system keep automatic event logs ensuring traceability?

    Art. 12 · weight 3/5

  7. Q7. Are accuracy, robustness and cybersecurity levels defined and tested?

    Art. 15 · weight 4/5

  8. Q8. Are users transparently informed that they interact with AI and of its limitations?

    Art. 13/50 · weight 3/5

Model Risk Management (8 questions)

SR 11-7 + BCBS 239: inventory, independent validation, backtesting, monitoring.

  1. Q1. Are all AI/ML models recorded in an inventory with ownership and risk tier?

    SR 11-7 · weight 4/5

  2. Q2. Are models validated by a function independent of developers?

    SR 11-7 · weight 5/5

  3. Q3. Is periodic backtesting and benchmark comparison performed?

    SR 11-7 · weight 4/5

  4. Q4. Are models tiered by risk with control intensity set accordingly?

    SR 11-7 · weight 3/5

  5. Q5. Are drift / performance monitoring + threshold alerts in place in production?

    SR 11-7 · weight 4/5

  6. Q6. Are model development, assumptions and limitations fully documented?

    SR 11-7 · weight 3/5

  7. Q7. Is champion-challenger model comparison performed?

    Internal MRM · weight 3/5

  8. Q8. Has the board approved model risk appetite and does it receive regular reporting?

    SR 11-7 + BCBS 239 · weight 4/5

Credit Scoring & IFRS 9 / ECL (8 questions)

TFRS 9 expected credit loss (ECL) + PD/LGD/EAD + staging + explainability.

  1. Q1. Is the IFRS 9 expected credit loss (ECL) model under formal governance?

    TFRS 9 + BDDK Provisions Regulation · weight 5/5

  2. Q2. If PD/LGD/EAD are AI-estimated, are they each separately validated?

    TFRS 9 / Basel · weight 4/5

  3. Q3. Are Stage 1/2/3 and significant increase in credit risk (SICR) criteria clearly defined?

    TFRS 9 · weight 4/5

  4. Q4. Are forward-looking macroeconomic scenarios (TCMB) incorporated?

    TFRS 9 · weight 4/5

  5. Q5. Are the top factors of the credit score disclosed to the customer as reasons?

    EU AI Act Annex III §5(b) + KVKK m.11 · weight 5/5

  6. Q6. Is the manual override rate monitored and justified?

    Internal credit policy · weight 3/5

  7. Q7. Are data quality controls applied to ECL/credit model inputs?

    BCBS 239 · weight 4/5

  8. Q8. Is the credit/ECL model subject to stress testing and sensitivity analysis?

    BDDK + ICAAP · weight 3/5

TCMB Payments & Open Banking (7 questions)

Law 6493 + real-time fraud + SCA + open banking consent.

  1. Q1. Is real-time payment fraud scoring in place?

    TCMB Payment Regulation · weight 5/5

  2. Q2. Is risk-based SCA exemption governance (AI risk score) compliant?

    TCMB + strong customer authentication · weight 4/5

  3. Q3. Is customer consent management (scope + duration) enforced in open banking APIs?

    TCMB Open Banking · weight 4/5

  4. Q4. Is payment data stored in Türkiye per TCMB regulation?

    6493 SK + TCMB Regulation · weight 5/5

  5. Q5. Is there explainability + a customer objection channel for blocked transactions?

    KVKK m.11 + TCMB · weight 4/5

  6. Q6. Does transaction monitoring balance false positives against customer friction?

    TCMB + MASAK · weight 3/5

  7. Q7. Are payment AI incidents reported to TCMB within the defined window?

    TCMB Incident Notification · weight 4/5

Security (OWASP LLM Top 10) (8 questions)

Prompt injection, sensitive disclosure, excessive agency, RAG poisoning, supply chain.

  1. Q1. Is PII redaction applied before customer data enters LLM context?

    OWASP LLM02 · weight 4/5

  2. Q2. Is annual penetration / red-team testing performed for prompt injection?

    OWASP LLM01 · weight 4/5

  3. Q3. Is LLM output validated by schema/business rules before downstream use?

    OWASP LLM05 · weight 4/5

  4. Q4. Are agent tool permissions least-privilege + approval-gated for critical actions?

    OWASP LLM06 · weight 4/5

  5. Q5. Is source validation done against RAG / knowledge base poisoning?

    OWASP LLM08 · weight 3/5

  6. Q6. Is the model & dependency supply chain (origin, license, CVE) verified?

    OWASP LLM03 · weight 3/5

  7. Q7. Are AI vendor API keys rotated every 90 days?

    OWASP LLM07 · weight 3/5

  8. Q8. Are rate limits + budget caps in place against model DoS / unbounded consumption?

    OWASP LLM10 · weight 3/5
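Two of the controls this section asks about, PII redaction before customer data enters the LLM context (Q1, LLM02) and schema / business-rule validation of the model's output before anything downstream acts on it (Q3, LLM05), shown as an added Python illustration. This is not code from the tool or from the page; the support ticket, the identifier patterns, the model replies, the field allow-list and the action allow-list are all constructed assumptions chosen for the example.

```python
"""Added example: minimise + redact what reaches the model, then gate what comes back."""
from __future__ import annotations

import json
import re

# Constructed sample ticket; every identifier in it is made up for this example.
SAMPLE_TICKET = {
    "customer_name": "Ayşe Yılmaz",
    "national_id": "10000000146",
    "iban": "TR330006100519786457841326",
    "phone": "+90 532 000 00 00",
    "message": ("My card ending 1234 was blocked yesterday, "
                "IBAN TR330006100519786457841326, call me on +90 532 000 00 00"),
}

# Only fields on this allow-list are ever placed in the prompt (data minimisation);
# everything else stays in the bank's own systems.
CONTEXT_ALLOWLIST = ("message",)

# Identifier patterns a Turkish bank commonly handles (IBAN first, so its digit run
# can never be mistaken for an 11-digit national ID afterwards).
PII_PATTERNS = {
    "IBAN": re.compile(r"\bTR\d{2}(?:\s?\d{4}){5}\s?\d{2}\b"),
    "PHONE": re.compile(r"\+90[\s-]?\d{3}[\s-]?\d{3}[\s-]?\d{2}[\s-]?\d{2}\b"),
    "NATIONAL_ID": re.compile(r"\b\d{11}\b"),
}

# Assumed allow-lists for the triage assistant's structured answer.
ALLOWED_ACTIONS = {"route_to_card_ops", "route_to_fraud", "request_more_info"}
ALLOWED_PRIORITIES = {"low", "medium", "high"}
EXPECTED_KEYS = {"action", "priority", "summary"}


def redact_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace each identifier with a typed placeholder; return text + per-type counts
    so the redaction event can be logged without logging the values themselves."""
    counts: dict[str, int] = {}
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def build_llm_context(ticket: dict) -> tuple[dict, dict[str, int]]:
    """Apply the field allow-list, then redact free text that may still carry PII."""
    context = {k: ticket[k] for k in CONTEXT_ALLOWLIST if k in ticket}
    context["message"], counts = redact_text(context.get("message", ""))
    return context, counts


def validate_llm_output(raw: str) -> dict:
    """Parse the model's reply and enforce schema + business rules.
    Downstream code acts only on the dict returned here, never on the raw string."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model output is not JSON: {exc}") from exc
    if not isinstance(data, dict) or set(data) != EXPECTED_KEYS:
        raise ValueError("unexpected keys in model output")
    if data["action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"action not in allow-list: {data['action']!r}")
    if data["priority"] not in ALLOWED_PRIORITIES:
        raise ValueError(f"priority not in allow-list: {data['priority']!r}")
    if not isinstance(data["summary"], str) or len(data["summary"]) > 300:
        raise ValueError("summary must be a string of at most 300 characters")
    # The model only ever saw redacted text, so an identifier in its reply means
    # it was hallucinated or smuggled in; either way it must not propagate.
    _, leaked = redact_text(data["summary"])
    if leaked:
        raise ValueError(f"model output contains identifiers: {sorted(leaked)}")
    # Business rule: fraud routing is never auto-actioned; a person reviews first.
    data["requires_human_review"] = data["action"] == "route_to_fraud"
    return data


def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True if the reply passes validation, False otherwise."""
    try:
        validate_llm_output(raw)
        return True
    except ValueError:
        return False


# Constructed model replies: one well-formed, one trying an action outside the allow-list.
GOOD_REPLY = '{"action": "route_to_card_ops", "priority": "medium", "summary": "Customer reports a blocked card."}'
BAD_REPLY = '{"action": "unblock_card", "priority": "high", "summary": "Unblocking the card now."}'

if __name__ == "__main__":
    ctx, log = build_llm_context(SAMPLE_TICKET)
    print("context sent to model:", json.dumps(ctx, ensure_ascii=False))
    print("redaction log:", log)
    print("accepted:", validate_llm_output(GOOD_REPLY))
    print("rejected:", is_accepted(BAD_REPLY))
```

The two halves are deliberately symmetric: the allow-list plus regex redaction bounds what the model can disclose, and the key/value allow-lists plus the leak check bound what the model can make the bank do. An auditor answering Q1 and Q3 would want to see exactly this pair, along with the redaction counts landing in an event log that records the model version (which ties back to the logging questions under MASAK and the EU AI Act).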

Fairness and Explainability (8 questions)

Protected-attribute proxies + bias audit + adverse action + counterfactual.

  1. Q1. Are periodic bias audits performed (gender, age, geography)?

    EU AI Act Art. 10 + KVKK m.6 · weight 5/5

  2. Q2. Are proxies of protected attributes (e.g. district → ethnicity) detected?

    KVKK m.6 + EU AI Act · weight 4/5

  3. Q3. Are decision reasons explained to the customer in plain language?

    KVKK m.11/g + Consumer Law · weight 4/5

  4. Q4. Are specific reasons provided in the adverse action (denial) notice?

    Consumer Law + ECOA-like · weight 4/5

  5. Q5. Can a counterfactual ('what would have led to approval') be offered to the customer?

    XAI best practice · weight 3/5

  6. Q6. Is there a defined SLA and human-review process for appeals?

    KVKK m.13 + internal policy · weight 3/5

  7. Q7. Is reject-inference bias managed for declined applications?

    Credit modeling · weight 3/5

  8. Q8. Is the model's TR sectoral benchmark + fairness performance measured annually?

    Internal standard · weight 3/5

Banking & Finance AI Risk Score

Answer all questions to compute the score.

Frequently Asked Questions

  • It filters the applicable dimensions: banks get IFRS 9 + TCMB payments + BDDK IT; insurers get SEDDK underwriting + health data; payment institutions get TCMB payments; fintech lenders get credit + payments.
