Artificial Intelligence · 38 min · May 27, 2026

AI in Turkish Banking: BDDK's AI Sandbox, KKB's Shared Testing Infrastructure, and a Compliance Guide for Credit Scoring & Fraud Detection

A complete compliance playbook for Turkish banks: BDDK's AI Safe Testing and Validation Environment (AI Sandbox) launched February 2026 with ~30 banks and 100 CIOs, KKB's shared testing infrastructure, the EU AI Act's high-risk classification of credit scoring, and real-world use cases in credit scoring, fraud detection, AML and call center — with documented case studies.

Şükrü Yusuf KAYA
AI Expert · Enterprise AI Consultant

1. Introduction: Turkish Banking on the Regulatory Threshold of AI

The Turkish banking sector entered 2026 on a very specific regulatory threshold that frames the transition of AI applications from POC to production. In February 2026, BDDK (Banking Regulation and Supervision Agency) and KKB (Credit Bureau of Turkey) held a workshop with ~30 banks and 100 CIOs/CTOs, unveiling two pieces of infrastructure that redefine algorithmic supervision in banking:

  1. AI Safe Testing and Validation Environment (AI Sandbox) — a regulatory sandbox under BDDK supervision in which banks can validate AI models before production.
  2. KKB Shared Testing Infrastructure — a sector-reference data layer for benchmarking credit scoring and fraud detection models against a shared dataset.

In parallel, the EU AI Act has entered into force across 2025-2026, classifying credit scoring as high-risk and raising the compliance cost for any Turkish bank with EU operations or EU customers.

Definition
AI Sandbox (AI Safe Testing and Validation Environment)
A supervised, isolated regulatory testing environment introduced by BDDK in 2026 in which Turkish banks validate AI models with synthetic or anonymized real data before production. Performance, fairness, robustness, explainability, and privacy tests are conducted under BDDK BSD oversight; production deployment requires sandbox approval.
Also known as: Regulatory Sandbox
Wikidata: Q102269923

In this guide, I provide an end-to-end compliance playbook for Turkish banks across the BDDK AI Sandbox + KKB shared infrastructure + EU AI Act triangle, covering credit scoring, fraud detection, AML/KYC, call center, and marketing use cases — distilled from three years of anonymized work with Turkish banks (3 national banks, 1 participation bank, 2 fintechs).

2. Sector Anatomy: Turkish Banking's AI Position

2.1. AI Maturity in Turkish Banking (2026)

Turkish banks rank upper-mid globally on AI maturity. McKinsey's 2025 report puts Turkey fourth in Europe by AI project count, after Germany, France, and the UK. Garanti BBVA, İş Bankası, Akbank, Yapı Kredi, Ziraat, and participation banks (Albaraka, Kuveyt Türk) have collectively raised cumulative AI/data infrastructure spending to ~12 billion TL over the last three years.

2.2. BDDK BSD and the AI Committee

BDDK's Information Systems and Audit (BSD) unit established an AI Committee in mid-2025 to oversee AI in banks. Its mandate:

  1. Model inventory: Every production AI model is registered (name, purpose, training data, performance, owner).
  2. Risk classification: Each model lands on a BDDK risk matrix (low/medium/high/critical).
  3. Explainability (XAI) audit: Required documentation of why a model decided as it did, especially in credit denials.
  4. Algorithmic fairness: Discrimination risks (by gender, age, location) measured and reported.
  5. Emergency response: Protocol for halting models when hallucination, drift, or discrimination is detected in production.

2.3. KKB Shared Testing Infrastructure

KKB (Credit Bureau of Turkey) launched a shared platform for Turkish banks to benchmark credit scoring models. Three components:

  • Synthetic test dataset: Anonymized, KVKK-compliant data derived from real credit applications.
  • Performance benchmarking: Banks measure their model against the KKB reference (AUC, Gini, KS).
  • Fairness tests: Automated test suite measuring discrimination via standard metrics (Disparate Impact, Equal Opportunity Difference).

2.4. EU AI Act Impact

The EU AI Act came into force on 13 March 2024, with phased applicability through 2025-2026. Turkish banks fall directly within its scope in three cases:

  1. EU service delivery: if the Turkish bank operates branches or subsidiaries in the EU.
  2. EU customers: if the Turkish bank serves EU residents with credit/financial services.
  3. EU supplier: if the AI model vendor is EU-based (in most cases).

Credit scoring models fall under Annex III high-risk. Obligations include conformity assessment, risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy & robustness. Fines reach 35M EUR or 7% of global turnover (whichever is higher).

3. Use-Case Map: 5 Winning AI Domains in Turkish Banks

Turkish Banking AI Use-Case Maturity Matrix (2026)

| Use Case | Maturity | Typical ROI | Regulatory Risk | BDDK Sandbox Priority |
|---|---|---|---|---|
| Credit Scoring (XAI) | High | 15-25% default reduction | High (EU AI Act + KKB) | Very high |
| Fraud Detection (real-time) | High | 2-5x ROI (loss reduction) | Medium-high (KVKK + audit) | High |
| AML/KYC | Medium-high | 40-60% false positive reduction | High (MASAK + FATF) | High |
| Call Center (RAG + voice) | Medium | 50% first-call resolution lift | Medium (KVKK) | Medium |
| Marketing Recommendations | High | 15-30% cross-sell lift | Medium (KVKK + ePrivacy) | Low-medium |
| Treasury & Risk Management | Low-medium | Capacity multiplier | Medium | Low |

3.1. Credit Scoring (XAI Mandatory)

Highest ROI, heaviest regulatory weight. Gradient boosting (XGBoost, LightGBM) and tabular deep learning (TabNet, FT-Transformer) have replaced legacy logistic regression. Critical design decisions: explainability (SHAP/LIME), fairness (Disparate Impact, Equal Opportunity Difference), drift detection, champion-challenger A/B, KKB feature integration.

3.2. Fraud Detection (Real-Time)

The most visible ROI engine. Modern ML pipelines (graph neural networks + gradient boosting) reach 92%+ accuracy at <30ms latency, versus 75-80% for rule engines. Typical stack: edge feature engineering (200-400 features), graph features, multi-model ensemble, real-time inference on Apache Flink, 6-hour feedback loop.

3.3. AML / KYC (Transaction Monitoring)

MASAK + FATF compliance. Classic rule-based systems carry 96-98% false positives. ML-based unsupervised anomaly detection, network analysis, and case prioritization cut false positives by 40-60%, saving millions in operational cost.

3.4. Call Center (RAG + Voice Agent)

Fastest-growing use case. RAG assistants help 8,000-12,000 agents respond to product/regulatory questions instantly. Voice agents handle balance and transaction queries in self-service.

3.5. Marketing (Recommendations)

Cross-sell and up-sell models drive 15-30% conversion lift. Transformer-based sequence models (BERT4Rec, SASRec) on top of customer transaction sequences. KVKK + ePrivacy compliance is critical — no model output without explicit marketing consent.

4. Practical Implementation: From BDDK AI Sandbox to Production

4.1. Sandbox Application Flow

  1. Intent declaration — use case, model type, dataset, expected customer impact.
  2. Use case sheet — design documentation including feature list, training data sources, performance targets, fairness tests.
  3. Sandbox testing — bank uploads model into the sandbox; under BDDK BSD supervision, the following tests are conducted:
    • Performance (AUC, Gini, KS)
    • Fairness (Disparate Impact, Equal Opportunity)
    • Robustness (adversarial test, distribution shift simulation)
    • Explainability (SHAP report, sample cases)
    • Privacy (k-anonymity tests, KKB data compliance)
  4. Sandbox report — BDDK BSD issues risk score + remediation recommendations.
  5. Production approval — bank applies fixes, BDDK signs off for production.
  6. Continuous monitoring — KKB shared infrastructure periodically benchmarks the production model.
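
The performance and fairness metrics named in the KKB benchmarking components (section 2.3) and in the sandbox testing step above can be computed as in the following added example, which is not code from BDDK, KKB, or any bank. The applicant rows, the groups "A"/"B", the 0.40 approval cutoff, and the 0.8 disparate-impact floor are assumptions made for illustration; "equal opportunity" is taken here as the approval rate among applicants who did not default.

```python
from itertools import product

# Constructed sample: (predicted default probability, defaulted?, group).
# Groups "A"/"B" stand in for a protected attribute; all values are illustrative.
APPLICANTS = [
    (0.05, 0, "A"), (0.10, 0, "A"), (0.20, 0, "A"), (0.30, 0, "A"),
    (0.35, 1, "A"), (0.60, 1, "A"),
    (0.08, 0, "B"), (0.25, 0, "B"), (0.40, 0, "B"), (0.45, 0, "B"),
    (0.55, 1, "B"), (0.70, 1, "B"),
]

def _split(rows):
    """Scores of defaulters (positives) and non-defaulters (negatives)."""
    return [s for s, y, _ in rows if y == 1], [s for s, y, _ in rows if y == 0]

def auc(rows):
    """Probability that a random defaulter scores above a random non-defaulter."""
    pos, neg = _split(rows)
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p, n in product(pos, neg))
    return wins / (len(pos) * len(neg))

def gini(rows):
    return 2 * auc(rows) - 1

def ks(rows):
    """Largest gap between the two classes' score distributions."""
    pos, neg = _split(rows)
    return max(abs(sum(s >= t for s in pos) / len(pos) - sum(s >= t for s in neg) / len(neg))
               for t in {s for s, _, _ in rows})

def approval_rate(rows, group, cutoff, good_only=False):
    """Share of a group approved (score below cutoff); optionally only good payers."""
    sel = [s for s, y, g in rows if g == group and (y == 0 or not good_only)]
    return sum(s < cutoff for s in sel) / len(sel)

def disparate_impact(rows, protected, reference, cutoff):
    return approval_rate(rows, protected, cutoff) / approval_rate(rows, reference, cutoff)

def equal_opportunity_difference(rows, protected, reference, cutoff):
    return (approval_rate(rows, protected, cutoff, True)
            - approval_rate(rows, reference, cutoff, True))

def sandbox_report(rows, cutoff=0.40, di_floor=0.8):
    """di_floor=0.8 is the common four-fifths convention, assumed here."""
    di = disparate_impact(rows, "B", "A", cutoff)
    return {"auc": auc(rows), "gini": gini(rows), "ks": ks(rows), "di": di,
            "eod": equal_opportunity_difference(rows, "B", "A", cutoff),
            "fairness_flag": di < di_floor}

if __name__ == "__main__":
    print(sandbox_report(APPLICANTS))
```

On this sample the model ranks well (high AUC, Gini, and KS) while still failing the fairness check, which is why the two test families are reported separately.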

4.2. Production Architecture — Credit Scoring

A typical production credit scoring architecture pulls features from Feast/Tecton feature store (combining KKB data, internal data lake, behavioral signals), runs champion and challenger models in parallel via A/B routing, layers SHAP/LIME on top for XAI, surfaces decisions to the customer UI in plain language, and writes the full decision chain to an audit log for BDDK supervision.

4.3. Self-Host vs Cloud

BDDK BSD's dominant view as of 2026:

  • Tier-1 (credit scoring, fraud, AML): Self-host or EU-resident cloud (BDDK-approved list) preferred. US clouds (AWS US, GCP US, Azure US) are typically not accepted.
  • Tier-2 (call center RAG, marketing): Cloud acceptable with data residency guarantees (Turkey or EU).
  • Tier-3 (internal productivity, IT ops): Cloud choice free.

Banks that must use US-cloud APIs (OpenAI, Anthropic) need an anonymization layer + contractual guarantees (SCC, DPA) + data residency proof.
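
One building block of such an anonymization layer is sketched below as an added example, not code from the article's author or any bank: keyed pseudonymization of Turkish national ID numbers (TCKN) and TR IBANs before a prompt leaves the bank, with the token vault kept on-premises. The `Pseudonymizer` class, the key, and the sample prompt are hypothetical, and names, addresses, and other free-text identifiers are outside its scope.

```python
import hashlib
import hmac
import re

IBAN_RE = re.compile(r"\bTR\d{2}(?: ?\d{4}){5} ?\d{2}\b")
TCKN_RE = re.compile(r"\b[1-9]\d{10}\b")

def tckn_valid(s):
    """Turkish national ID: digits 10 and 11 are checksums over the earlier digits."""
    d = [int(c) for c in s]
    d10 = (7 * sum(d[0:9:2]) - sum(d[1:8:2])) % 10
    return d[9] == d10 and d[10] == sum(d[:10]) % 10

def iban_valid(s):
    """ISO 13616 mod-97 check on a 26-character TR IBAN."""
    s = s.replace(" ", "")
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return len(s) == 26 and int(digits) % 97 == 1

class Pseudonymizer:
    """Hypothetical gateway component; key and vault never leave the bank."""
    def __init__(self, key):
        self._key = key
        self.vault = {}  # token -> original value, for re-identifying replies

    def _token(self, kind, value):
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:12]
        token = f"<{kind}_{mac}>"
        self.vault[token] = value
        return token

    def _swap(self, kind, check):
        # Replace only checksum-valid hits; a stricter policy would redact all.
        return lambda m: self._token(kind, m[0].replace(" ", "")) if check(m[0]) else m[0]

    def outbound(self, text):
        text = IBAN_RE.sub(self._swap("IBAN", iban_valid), text)
        return TCKN_RE.sub(self._swap("TCKN", tckn_valid), text)

    def inbound(self, text):
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text

# Constructed prompt with sample identifiers (checksum-valid test values).
SAMPLE_PROMPT = ("Customer 10000000146 disputes a transfer to "
                 "TR33 0006 1005 1978 6457 8413 26, ticket 12345678901.")

if __name__ == "__main__":
    gw = Pseudonymizer(b"constructed-demo-key")
    print(gw.outbound(SAMPLE_PROMPT))
```

Because the tokens are keyed HMACs, the same customer maps to the same token across prompts without the external provider being able to reverse it; this is pseudonymization, so the vault and key remain personal data under KVKK.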

5. ROI and Performance: Real Numbers from Turkish Banks

  • Fraud detection: rule engine 75-80% accuracy, 4-6% false positive, 200ms+ latency → ML pipeline 92%+ accuracy, 1-1.5% false positive, <30ms p99. Tier-1 bank: 80-200M TL annual fraud-loss reduction.
  • AML/KYC: rule engine 96-98% false positives, 200-400 operations FTE → ML 40-60% false-positive reduction, 80-150 FTE. 30-60M TL annual savings.
  • Call center: RAG assistant lifts first-call resolution by 50%, shaves 25-35% off average call time.
  • Marketing: Cross-sell conversion 15-30% lift, 800-1,500 TL incremental annual revenue per customer.

6. Turkey-Specific Angle: Triple Compliance Matrix

A Turkish bank deploying AI to production simultaneously manages three regulatory frameworks:

BDDK + KVKK + EU AI Act Triple Compliance Matrix

| Topic | BDDK | KVKK | EU AI Act |
|---|---|---|---|
| Explainability | Mandatory (BSD guidance) | Mandatory (automated decisions) | Mandatory (high-risk) |
| Audit log | Mandatory | Mandatory | Mandatory |
| Data residency | Turkey/EU preferred | Consent + contract | EU-resident |
| Discrimination test | Mandatory (BSD) | Recommended | Mandatory (high-risk) |
| Human oversight | Mandatory | Mandatory | Mandatory (high-risk) |
| Conformity assessment | Sandbox approval | No | Mandatory (high-risk) |
| Max fine | Admin fine + activity limits | 20M TL or 4% turnover | 35M EUR or 7% turnover |

State banks (Ziraat, Halkbank, VakıfBank) face an additional Sayıştay (Court of Accounts) audit overlay focused on data quality, vendor concentration, and personnel capability gaps in AI risk management.

7. Turkish Bank Case Studies (Anonymized)

Case 1 — Tier-1 Commercial Bank: SME Credit Scoring

A top-3 Turkish commercial bank moved SME credit application review time from 36 hours to 4.5 hours with a LightGBM model on 480 features (220 financial, 140 behavioral, 80 KKB, 40 sectoral) plus SHAP for explainability. Default rate dropped 18%, SME credit volume rose 22%, customer appeals fell 35%. Passed BDDK AI Sandbox in 6 months with full KVKK and EU AI Act high-risk documentation.

Case 2 — Tier-1 Participation Bank: Fraud Detection

XGBoost + LightGBM + simple GNN ensemble on Apache Flink (22ms p99). Fraud accuracy 78% → 93%, false positives 5.2% → 1.4%, annual fraud loss 90M TL → 31M TL. Customer NPS +18 (fewer legitimate transactions blocked).

Case 3 — Tier-2 Bank Call Center RAG

Hybrid RAG (BGE-M3 + Qdrant on-prem + BM25) over 12,000 pages of product docs, 4,000 pages of regulatory circulars, 80,000 FAQ chunks. Re-ranker bge-reranker-v2-m3, LLM Claude Opus 4.7 (EU instance with anonymization). First-call resolution 62% → 91%, average call time 8m20s → 5m10s, ROI 4.1x.

Case 4 — Fintech Marketing Recommendations

3.2M-customer Turkish fintech (payments + cards). Transformer sequence model (SASRec) on tokenized 90-day transaction history, predicting next financial action. Cross-sell conversion 4.8% → 7.3%, fully KVKK-compliant. 28M TL annual incremental revenue.

8. Risks and Compliance

Compliance Checklist (BDDK + KVKK + EU AI Act)

Model inventory; use case sheet; data lineage; fairness reports; XAI documentation; drift detection and retraining triggers; A/B test protocol; audit log retention (7 years minimum per BDDK); KVKK consent updates and VERBIS registration; EU AI Act conformity assessment; emergency protocol (72-hour BDDK notification); vendor contracts (DPA + SCC + IP); staff training.

9. Frequently Asked Questions

10. Next Steps

To clarify your bank's AI compliance roadmap:

  1. AI Sandbox readiness workshop — model inventory + use case map + BDDK Sandbox application documentation in a 6-hour session. Output: 12-week sandbox readiness plan.
  2. Triple compliance gap analysis — BDDK BSD + KVKK + EU AI Act gap analysis of your current AI portfolio. Output: prioritized gap report + remediation roadmap.
  3. Champion-Challenger production audit — 360° audit of your production credit scoring or fraud model: performance, fairness, drift, explainability, audit log.

Reach out via the contact form on the site.

This is a living document; BDDK guidance, KKB infrastructure updates, and EU AI Act implementation notes shift continuously, so it is updated quarterly.
