# AI in Turkish Banking: BDDK's AI Sandbox, KKB's Shared Testing Infrastructure, and a Compliance Guide for Credit Scoring & Fraud Detection > Source: https://sukruyusufkaya.com/en/blog/turkiye-bankaciligi-yapay-zeka-bddk-ai-sandbox-kkb-2026 > Updated: 2026-05-27T18:16:02.895Z > Type: blog > Category: yapay-zeka **TLDR:** A complete compliance playbook for Turkish banks: BDDK's AI Safe Testing and Validation Environment (AI Sandbox) launched February 2026 with ~30 banks and 100 CIOs, KKB's shared testing infrastructure, the EU AI Act's high-risk classification of credit scoring, and real-world use cases in credit scoring, fraud detection, AML and call center — with documented case studies. ## 1. Introduction: Turkish Banking on the Regulatory Threshold of AI The Turkish banking sector entered 2026 on a very specific regulatory threshold that frames the transition of AI applications from POC to production. In February 2026, BDDK (Banking Regulation and Supervision Agency) and KKB (Credit Bureau of Turkey) held a workshop with ~30 banks and 100 CIOs/CTOs, unveiling two pieces of infrastructure that redefine algorithmic supervision in banking: 1. **AI Safe Testing and Validation Environment (AI Sandbox)** — a regulatory sandbox under BDDK supervision in which banks can validate AI models before production. 2. **KKB Shared Testing Infrastructure** — a sector-reference data layer for benchmarking credit scoring and fraud detection models against a shared dataset. In parallel, the EU AI Act has entered force across 2025-2026, classifying credit scoring as **high-risk** and raising the compliance cost for any Turkish bank with EU operations or EU customers. In this guide, I provide an end-to-end compliance playbook for Turkish banks across the BDDK AI Sandbox + KKB shared infrastructure + EU AI Act triangle, covering credit scoring, fraud detection, AML/KYC, call center, and marketing use cases — distilled from three years of anonymized work with Turkish banks (3 national banks, 1 participation bank, 2 fintechs). ## 2. Sector Anatomy: Turkish Banking's AI Position ### 2.1. AI Maturity in Turkish Banking (2026) Turkish banks rank upper-mid globally on AI maturity. McKinsey's 2025 report puts Turkey fourth in Europe by AI project count, after Germany, France, and the UK. Garanti BBVA, İş Bankası, Akbank, Yapı Kredi, Ziraat, and participation banks (Albaraka, Kuveyt Türk) have collectively raised cumulative AI/data infrastructure spending to ~12 billion TL over the last three years. ### 2.2. BDDK BSD and the AI Committee BDDK's **Information Systems and Audit (BSD)** unit established an **AI Committee** in mid-2025 to oversee AI in banks. Its mandate: 1. **Model inventory:** Every production AI model is registered (name, purpose, training data, performance, owner). 2. **Risk classification:** Each model lands on a BDDK risk matrix (low/medium/high/critical). 3. **Explainability (XAI) audit:** Required documentation of why a model decided as it did, especially in credit denials. 4. **Algorithmic fairness:** Discrimination risks (by gender, age, location) measured and reported. 5. **Emergency response:** Protocol for halting models when hallucination, drift, or discrimination is detected in production. ### 2.3. KKB Shared Testing Infrastructure KKB (Credit Bureau of Turkey) launched a shared platform for Turkish banks to benchmark credit scoring models. Three components: - **Synthetic test dataset:** Anonymized, KVKK-compliant data derived from real credit applications. - **Performance benchmarking:** Banks measure their model against the KKB reference (AUC, Gini, KS). - **Fairness tests:** Automated test suite measuring discrimination via standard metrics (Disparate Impact, Equal Opportunity Difference). ### 2.4. EU AI Act Impact The EU AI Act came into force on 13 March 2024, with phased applicability through 2025-2026. **Direct scope** for Turkish banks engages in three cases: 1. **EU service delivery:** if the Turkish bank operates branches or subsidiaries in the EU. 2. **EU customers:** if the Turkish bank serves EU residents with credit/financial services. 3. **EU supplier:** if the AI model vendor is EU-based (in most cases). Credit scoring models fall under **Annex III high-risk**. Obligations include conformity assessment, risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy & robustness. **Fines reach 35M EUR or 7% of global turnover** (whichever is higher). ## 3. Use-Case Map: 5 Winning AI Domains in Turkish Banks ### 3.1. Credit Scoring (XAI Mandatory) Highest ROI, heaviest regulatory weight. Gradient boosting (XGBoost, LightGBM) and tabular deep learning (TabNet, FT-Transformer) have replaced legacy logistic regression. Critical design decisions: explainability (SHAP/LIME), fairness (Disparate Impact, Equal Opportunity Difference), drift detection, champion-challenger A/B, KKB feature integration. ### 3.2. Fraud Detection (Real-Time) The most visible ROI engine. Modern ML pipelines (graph neural networks + gradient boosting) reach **92%+ accuracy at <30ms latency**, versus 75-80% for rule engines. Typical stack: edge feature engineering (200-400 features), graph features, multi-model ensemble, real-time inference on Apache Flink, 6-hour feedback loop. ### 3.3. AML / KYC (Transaction Monitoring) MASAK + FATF compliance. Classic rule-based systems carry **96-98% false positives**. ML-based unsupervised anomaly detection, network analysis, and case prioritization cut false positives by 40-60%, saving millions in operational cost. ### 3.4. Call Center (RAG + Voice Agent) Fastest-growing use case. RAG assistants help 8,000-12,000 agents respond to product/regulatory questions instantly. Voice agents handle balance and transaction queries in self-service. ### 3.5. Marketing (Recommendations) Cross-sell and up-sell models drive 15-30% conversion lift. Transformer-based sequence models (BERT4Rec, SASRec) on top of customer transaction sequences. KVKK + ePrivacy compliance is critical — no model output without explicit marketing consent. ## 4. Practical Implementation: From BDDK AI Sandbox to Production ### 4.1. Sandbox Application Flow 1. **Intent declaration** — use case, model type, dataset, expected customer impact. 2. **Use case sheet** — design documentation including feature list, training data sources, performance targets, fairness tests. 3. **Sandbox testing** — bank uploads model into the sandbox; under BDDK BSD supervision, the following tests are conducted: - Performance (AUC, Gini, KS) - Fairness (Disparate Impact, Equal Opportunity) - Robustness (adversarial test, distribution shift simulation) - Explainability (SHAP report, sample cases) - Privacy (k-anonymity tests, KKB data compliance) 4. **Sandbox report** — BDDK BSD issues risk score + remediation recommendations. 5. **Production approval** — bank applies fixes, BDDK signs off for production. 6. **Continuous monitoring** — KKB shared infrastructure periodically benchmarks the production model. ### 4.2. Production Architecture — Credit Scoring A typical production credit scoring architecture pulls features from Feast/Tecton feature store (combining KKB data, internal data lake, behavioral signals), runs champion and challenger models in parallel via A/B routing, layers SHAP/LIME on top for XAI, surfaces decisions to the customer UI in plain language, and writes the full decision chain to an audit log for BDDK supervision. ### 4.3. Self-Host vs Cloud BDDK BSD's dominant view as of 2026: - **Tier-1 (credit scoring, fraud, AML):** Self-host or **EU-resident cloud** (BDDK-approved list) preferred. US clouds (AWS US, GCP US, Azure US) are typically not accepted. - **Tier-2 (call center RAG, marketing):** Cloud acceptable with data residency guarantees (Turkey or EU). - **Tier-3 (internal productivity, IT ops):** Cloud choice free. Banks who must use US-cloud APIs (OpenAI, Anthropic) need an anonymization layer + contractual guarantees (SCC, DPA) + data residency proof. ## 5. ROI and Performance: Real Numbers from Turkish Banks - **Fraud detection:** rule engine 75-80% accuracy, 4-6% false positive, 200ms+ latency → ML pipeline 92%+ accuracy, 1-1.5% false positive, <30ms p99. Tier-1 bank: 80-200M TL annual fraud-loss reduction. - **AML/KYC:** rule engine 96-98% false positives, 200-400 operations FTE → ML 40-60% false-positive reduction, 80-150 FTE. 30-60M TL annual savings. - **Call center:** RAG assistant lifts first-call resolution by 50%, shaves 25-35% off average call time. - **Marketing:** Cross-sell conversion 15-30% lift, 800-1,500 TL incremental annual revenue per customer. ## 6. Turkey-Specific Angle: Triple Compliance Matrix A Turkish bank deploying AI to production simultaneously manages three regulatory frameworks: State banks (Ziraat, Halkbank, VakıfBank) face an additional **Sayıştay (Court of Accounts)** audit overlay focused on data quality, vendor concentration, and personnel capability gaps in AI risk management. ## 7. Turkish Bank Case Studies (Anonymized) ### Case 1 — Tier-1 Commercial Bank: SME Credit Scoring A top-3 Turkish commercial bank moved SME credit application review time from 36 hours to 4.5 hours with a LightGBM model on 480 features (220 financial, 140 behavioral, 80 KKB, 40 sectoral) plus SHAP for explainability. Default rate dropped 18%, SME credit volume rose 22%, customer appeals fell 35%. Passed BDDK AI Sandbox in 6 months with full KVKK and EU AI Act high-risk documentation. ### Case 2 — Tier-1 Participation Bank: Fraud Detection XGBoost + LightGBM + simple GNN ensemble on Apache Flink (22ms p99). Fraud accuracy 78% → 93%, false positives 5.2% → 1.4%, annual fraud loss 90M TL → 31M TL. Customer NPS +18 (fewer legitimate transactions blocked). ### Case 3 — Tier-2 Bank Call Center RAG Hybrid RAG (BGE-M3 + Qdrant on-prem + BM25) over 12,000 pages of product docs, 4,000 pages of regulatory circulars, 80,000 FAQ chunks. Re-ranker bge-reranker-v2-m3, LLM Claude Opus 4.7 (EU instance with anonymization). First-call resolution 62% → 91%, average call time 8m20s → 5m10s, ROI 4.1x. ### Case 4 — Fintech Marketing Recommendations 3.2M-customer Turkish fintech (payments + cards). Transformer sequence model (SASRec) on tokenized 90-day transaction history, predicting next financial action. Cross-sell conversion 4.8% → 7.3%, fully KVKK-compliant. 28M TL annual incremental revenue. ## 8. Risks and Compliance - **Adversarial attacks** by fraudsters; defense via adversarial training, ensembles, human oversight. - **Concept drift** post-pandemic, post-war, post-crisis; mandatory continuous retraining and drift detection. - **Model risk concentration** when multiple banks share the same vendor model — BDDK BSD watches this closely as systemic risk. - **Cross-border data transfer** through US-cloud APIs creates triple risk (KVKK + BDDK + EU AI Act). - **Algorithmic bias** against credit-history-poor regions; mandatory fairness testing. ### Compliance Checklist (BDDK + KVKK + EU AI Act) Model inventory; use case sheet; data lineage; fairness reports; XAI documentation; drift detection and retraining triggers; A/B test protocol; audit log retention (7 years minimum per BDDK); KVKK consent updates and VERBIS registration; EU AI Act conformity assessment; emergency protocol (72-hour BDDK notification); vendor contracts (DPA + SCC + IP); staff training. ## 9. Frequently Asked Questions Mandatory in three cases: **(1)** deploying a high-risk use case (credit scoring, fraud, AML), **(2)** undertaking a major revision of an existing model, **(3)** adding a new model to your BDDK BSD model inventory. Recommended for low-risk use cases too.

If any of three: **(1)** EU branches/subsidiaries, **(2)** EU resident customers receiving credit/financial services, **(3)** EU-based vendor processing EU data. 2 August 2026 is the critical date for high-risk systems.

BDDK BSD's AI committee favors **EU-resident cloud or self-host** as of 2026. US-cloud (OpenAI, Anthropic, Google US, AWS US) is typically not accepted for tier-1 use cases. EU-resident cloud is accepted for tier-2 (RAG assistants, marketing). Tier-3 (internal productivity) is unrestricted.

Three layers: **(1)** Global — SHAP summary plots showing overall feature importance, **(2)** Local — SHAP waterfall + plain-language translation per applicant, **(3)** Counterfactual — "what would have to change for a different decision". All three are demanded in BDDK Sandbox review.

Sign a dedicated KKB agreement. Pull synthetic test data via API, run inference on your model, send results back to KKB. KKB reports your model's performance against sector averages — this report attaches to your BDDK Sandbox application.

Ensemble wins in production. Typical tier-1 setup: XGBoost (structured features) + LightGBM (sparse) + simple GNN (graph) + rule engine (regulatory exceptions). Weighted voting or stacking. Single-model accuracy caps near 85%; ensembles reach 92-94%.

No. BDDK AI Sandbox records remain confidential; bank competitive sensitivity and KVKK are respected. Only aggregate sector statistics may be shared publicly.

BDDK is clear: **production responsibility stays with the bank.** Even when using vendor models (OpenAI API, Anthropic API, third-party SaaS), the bank is accountable for production outcomes. DPA + SCC + IP terms + model inventory registration + sandbox approval are mandatory for vendor models too. ## 10. Next Steps To clarify your bank's AI compliance roadmap: 1. **AI Sandbox readiness workshop** — model inventory + use case map + BDDK Sandbox application documentation in a 6-hour session. Output: 12-week sandbox readiness plan. 2. **Triple compliance gap analysis** — BDDK BSD + KVKK + EU AI Act gap analysis of your current AI portfolio. Output: prioritized gap report + remediation roadmap. 3. **Champion-Challenger production audit** — 360° audit of your production credit scoring or fraud model: performance, fairness, drift, explainability, audit log. Reach out via the contact form on the site. --- This is a living document; BDDK guidance, KKB infrastructure updates, and EU AI Act implementation notes shift continuously, so it is **updated quarterly**.