Learn about Turkey's strict banking cybersecurity regulations: 2FA mandates, SMS-OTP bans, data localization and multi-agency oversight requirements.
Alex
Created: September 11, 2025
Updated: September 11, 2025
Turkey has emerged as one of the world's most regulation-forward jurisdictions for financial cybersecurity. What makes Turkey's approach particularly compelling is its integration of international standards with uniquely Turkish requirements, especially around authentication.
Unlike many countries that implement cybersecurity regulations piecemeal, Turkish regulators have crafted a holistic framework addressing everything from user authentication to cloud infrastructure. This coordinated approach reflects a clear understanding that modern cyber threats require multi-layered defenses across the entire financial ecosystem.
In this article, we are going to cover the answers to the three most important questions regarding the cybersecurity regulatory landscape in Turkey:
Who regulates cybersecurity in Turkish banking?
What are Turkey's main cybersecurity requirements for banks?
How strict are Turkey's banking authentication rules?
Understanding Turkey's cybersecurity requirements begins with mapping the regulatory landscape that governs financial institutions. Turkish banks and payment providers answer to several specialized agencies, each contributing its own expertise, whose remits are coordinated so that banking and payment systems are covered without gaps.
The Banking Regulation and Supervision Agency (BDDK, often rendered BRSA in English) serves as the primary banking regulator, making it the most influential authority for financial institutions. Key responsibilities include:
Setting comprehensive IT security standards for all licensed banks
Conducting regular cybersecurity audits and compliance assessments
Enforcing penalties for non-compliance with information security requirements
The Central Bank of the Republic of Turkey (CBRT) oversees the broader financial ecosystem, particularly payment systems and monetary infrastructure:
Payment service providers and electronic money institutions
National payment infrastructure, including the FAST instant transfer system
Cross-border payment security protocols
The Cybersecurity Authority, Turkey's newest regulatory player, gained significant powers with the March 2025 cybersecurity law (Law No. 7545):
Immediate incident reporting and national threat coordination
Oversight of domestic cybersecurity solution preferences
Cross-sector cybersecurity intelligence and threat sharing
This multi-agency structure ensures banks face consistent cybersecurity expectations while minimizing regulatory gaps in their jurisdictions. For cybersecurity professionals, this means navigating requirements from multiple authorities simultaneously, but also receiving comprehensive regulatory coverage that addresses security from every relevant angle.
The Regulation on Information Systems and Electronic Banking Services, which became effective in July 2020, is the cornerstone of Turkey's modern financial cybersecurity framework; its authentication provisions play a role comparable to the Strong Customer Authentication (SCA) rules under the EU’s Payment Services Directive 2 (PSD2), although Turkey is not bound by PSD2. This regulation transformed how Turkish banks approach IT security and established the foundation upon which all subsequent cybersecurity requirements have been built.
The 2020 regulation broke new ground by establishing mandatory IT security standards that cover every aspect of banking operations:
Information security management systems based on international standards
Mandatory risk assessment and asset classification procedures
24/7 security incident monitoring and immediate reporting protocols
Strict access management and segregation of duties requirements
One of the regulation's most significant impacts was the mandatory implementation of two-factor authentication for all banking users, both staff and customers. This requirement eliminated weaker authentication methods and forced rapid adoption of stronger security protocols across the entire Turkish banking sector.
The regulation also established specific requirements for digital banking services:
Mobile application security verification and code integrity checks
Customer-specific encryption requirements for all transactions
Restrictions on SMS-based one-time passwords for enhanced security
The 2020 regulation created the regulatory architecture that supports Turkey's current cybersecurity landscape. It established the legal framework for BDDK's expanded cybersecurity oversight powers and created the compliance structure that subsequent regulations, including the 2025 cybersecurity law, have built upon.
This foundational regulation essentially modernized Turkey's approach to banking cybersecurity, moving from ad-hoc security measures to a comprehensive, standardized framework that positions Turkish banks among the most regulated in terms of cybersecurity requirements globally.
Turkey's cybersecurity regulatory landscape received a significant update with Law No. 7545, which came into effect in March 2025. This new legislation builds upon the 2020 banking IT regulation foundation while introducing additional requirements that reflect the evolving cybersecurity threat landscape.
The 2025 law introduces immediate reporting obligations to the Cybersecurity Authority for all cybersecurity incidents:
No minimum severity threshold: all incidents must be reported
Structured reporting format with specific timelines for initial and follow-up reports
Direct communication channels established between financial institutions and the Cybersecurity Authority
All financial institutions must now establish dedicated cybersecurity incident response teams with specific qualifications:
Team members must meet defined professional experience requirements
24/7 availability and response capabilities are mandatory
Regular training and certification maintenance obligations
Coordination responsibilities with external regulatory authorities
The law introduces a notable preference for Turkish-developed cybersecurity products and services:
Evaluation criteria that favor domestic providers when capabilities are equivalent
Support for local cybersecurity industry development through procurement preferences
National security considerations integrated into vendor selection processes
Rather than replacing previous regulations, the 2025 cybersecurity law enhances and expands the existing framework established in 2020. Financial institutions must now comply with both the BDDK's banking-specific requirements and the Cybersecurity Authority's broader national cybersecurity mandates, creating a more comprehensive but also more complex regulatory environment.
With Turkey's regulatory framework established, the focus shifts to one of the most distinctive aspects of Turkish cybersecurity policy: authentication and access control. Turkey's authentication requirements are among the strictest banking security standards in the world, covering everything from a universal 2FA mandate to a ban on SMS one-time passwords for active mobile-banking users.
Turkey's approach to authentication security centers on a universal two-factor authentication requirement that applies across all banking operations without exception. This mandate represents one of the most comprehensive 2FA implementations in global banking regulation.
The regulation establishes 2FA requirements that cover all banking users and operations:
Bank staff: All employees accessing internal banking systems, regardless of role or seniority level
Customers: Every individual accessing accounts through any channel, including online, mobile, and telephone banking
All transactions: Both initial account access and individual transaction authorization processes
Unlike many jurisdictions that allow exceptions or phase-in periods, Turkish regulations require immediate compliance with no grandfathering provisions for existing users.
Turkish regulations specify several acceptable second-factor authentication options. The most distinctive is the integration with Turkish Identity Cards: national ID cards working with NFC used with PIN or biometric verification. Electronic signatures meeting Turkish PKI standards are also approved, along with biometric authentication methods such as fingerprint, facial recognition, or voice verification. Traditional hardware tokens generating time-based or challenge-response codes remain acceptable options for institutions preferring established technologies. Turkey also recognizes passkeys based on biometrics and device-bound authentication as a secure method that can be used for phishing resistant two-factor authentication.
Banks must ensure their 2FA implementation meets strict technical standards:
Real-time verification: All authentication factors verified online at bank servers rather than locally
No local storage: Critical authentication data cannot be stored on user devices or local systems
Complete audit trails: Comprehensive logging of all authentication attempts, successes, and failures
Banks must also establish fallback procedures for system failures while maintaining security integrity throughout any contingency processes.
The BDDK audits compliance through on-site technical assessments, authentication log reviews, and testing of bypass-prevention measures. Because the mandate admits no exceptions or alternative approaches, this enforcement makes Turkey's 2FA requirement one of the most strictly applied authentication rules in global banking.
Turkey has implemented some of the world's most restrictive policies on SMS-based one-time passwords, recognizing that the SMS channel is exposed to SIM swapping and message interception, and that SMS codes are readily phished and relayed to the bank in real time. These restrictions are a significant departure from common banking practice globally.
The regulation establishes a clear prohibition on SMS-based authentication for active mobile banking users:
Active mobile app users: Banks cannot send SMS OTP or verification codes to customers who have installed and activated mobile banking applications
Transaction verification: SMS codes are prohibited during login sessions and transaction authorization processes
Session management: No SMS-based authentication during active mobile banking sessions
This prohibition reflects Turkish regulators' understanding that SMS interception and SIM swapping attacks pose unacceptable risks for financial transactions.
SMS-based codes remain permissible only during specific initial setup phases:
Initial setup: First-time mobile banking application installation and configuration
Activation processes: Initial account linking and mobile app activation procedures
Reactivation stages: Account recovery and mobile app reactivation after security incidents
These limited exceptions recognize that SMS may be necessary when alternative secure channels haven't yet been established.
Turkish banking regulations take an unusually definitive approach by explicitly prohibiting certain authentication methods that remain common in other jurisdictions. These prohibitions reflect a sophisticated understanding of authentication vulnerabilities and represent some of the most prescriptive security requirements globally.
The most notable prohibition is a complete ban on using the mother's maiden name for any authentication purpose in electronic banking services. The regulator's reasoning is that a mother's maiden name is easily discoverable through social engineering and public records, making it fundamentally unsuitable as an authentication secret.
Turkish regulations also discourage traditional knowledge-based authentication questions beyond the explicit maiden name prohibition. Security questions based on easily discoverable information are considered inadequate for financial service authentication. This includes questions about birthplaces, first schools, or other biographical information that can be researched or guessed.
The regulation establishes that static passwords alone are insufficient for transaction authorization, even when they meet complexity requirements. This recognition that password-only authentication cannot provide adequate security for financial transactions has forced banks to implement multi-factor approaches universally.
While biometric authentication is approved, the regulation establishes strict requirements for biometric data processing. Biometric templates must be processed securely with appropriate encryption standards, and raw biometric data cannot be stored in accessible formats on user devices or transmitted without proper protection.
All “banks” licensed under Turkey’s Banking Law No. 5411: That means deposit banks, participation (Islamic) banks, and development & investment banks, including the Turkish branches of foreign banks. These are the entities supervised by the BRSA (BDDK), and the regulation (BSEBY, the Turkish acronym for the Regulation on Information Systems and Electronic Banking Services) sets minimum procedures and controls for the information systems they use and for the electronic banking services they offer.
Digital / branchless banks (“şubesiz bankalar”): Even though they operate only via electronic channels, they are still “banks” under Law 5411 and their dedicated 2021 rulebook explicitly ties back to the 2020 BSEBY (it references BSEBY definitions and obligations). In short: branchless banks must meet BSEBY just like traditional banks.
Banks providing open-banking interfaces: Open banking is treated as an electronic banking service under the regulation, so banks that expose account information or payment initiation APIs must implement the BSEBY’s identification, strong authentication and transaction-security requirements for those channels.
Support/outsourcing service providers used by banks: Cloud providers, data centers, core-banking vendors, SMS/OTP gateways, software integrators, call centers, etc. are not regulated as “banks,” but whenever a bank outsources to them, the bank must ensure (through due diligence, on-site/remote audits, and detailed contracts) that the provider meets BSEBY-level security, continuity, logging, audit-rights, and subcontractor controls. Practically, this forces providers to comply with the same controls if they want to serve banks.
Independent audit firms that audit banks’ IT: Audit firms and IT auditors working on banks are affected in that their work must assess conformance with BSEBY and related BRSA circulars (e.g., BADES/IT audit guidance). They don’t become “banks,” but their audit scope is anchored in BSEBY requirements.
Turkish regulators already discourage SMS OTP and static passwords because of SIM-swap and phishing risks. Passkeys address this directly: the credential is bound to the bank's domain (or app), and each login produces a signature over a server-issued challenge and the origin the browser actually observed, so a look-alike site cannot obtain a usable signature and a captured assertion cannot be replayed against a fresh challenge. Since SMS OTP is banned for active mobile users, passkeys are the natural secure, mobile-native replacement.
The BRSA requires two independent factors (Article 34). Passkeys bind a cryptographic key to a trusted device, which regulators explicitly recognize as a valid possession factor. Combined with a biometric or device PIN, a single passkey login delivers possession plus either inherence or knowledge; note that the bank's server sees only the authenticator's user-verification flag, not which of the two the device used, so the bank's authentication policy should state that it accepts both. Either way, both factors are produced in one ceremony, which satisfies the MFA requirement more cleanly than legacy OTP-based solutions.
Passkeys integrate biometrics like fingerprint or Face ID into the flow. Turkish regulators already recognize biometrics as a legitimate inherence factor, and this aligns neatly with PSD2/SCA principles, even though Turkey isn’t in the EU. Unlike traditional MFA (e.g., password + SMS), passkeys provide a clear-cut and regulator-friendly case of possession + inherence.
The BRSA’s 2023 circular highlights the “what you see is what you sign” (WYSIWYS) principle for transaction approvals. Passkeys can deliver this, with one caveat a practitioner must handle: a standard WebAuthn assertion signs the server-issued challenge and the origin, not an arbitrary transaction payload, so the bank must bind the displayed transaction details into that challenge (for example by hashing them together with a fresh nonce) and recompute the expected value before executing the transaction. While not a qualified e-signature under Turkish law, passkey signatures strengthen remote identification and contract-signing workflows in ways auditors can accept as secure authentication.
Turkish regulators mandate 2FA even for basic account access. Passkeys provide this without the friction of OTP codes or hardware tokens, supporting adoption at scale. As an open standard (FIDO2/WebAuthn), they can also be deployed on local infrastructure to satisfy BRSA’s vendor approval and data localization requirements, unlike proprietary cloud-only services.
Passkeys give Turkish banks the opportunity to replace weak authentication factors such as SMS OTP, static passwords, and soft tokens with a future-proof solution that directly addresses BRSA’s concerns. They also enhance compliance reporting: during audits, banks can present passkeys as evidence of using state-of-the-art MFA and cryptographic transaction signing. Beyond compliance, passkeys position banks for open banking readiness, providing secure customer authentication in PSD2-style API environments. Finally, by offering seamless, passwordless, biometric-backed login experiences, banks can build stronger customer trust and stand out in an increasingly competitive market with new digital-only challengers.
While Turkey's authentication requirements establish the foundation of banking security, they operate within a broader framework of internationally recognized standards. Turkey's cybersecurity regulatory framework demonstrates sophisticated integration with established international standards while maintaining distinctly Turkish requirements. Rather than creating entirely separate standards, Turkish regulators have strategically adopted and mandated compliance with globally recognized frameworks.
ISO/IEC 27001 certification is mandatory under Turkish law for entities providing electronic communication services, electronic networks and infrastructure, and energy facilities. For financial institutions, while not explicitly required by law, ISO 27001 certification is highly recommended and often necessary to demonstrate compliance with information security management system requirements.
The Turkish context adds to the standard certification cycle:
Annual surveillance audits: required, as under any ISO 27001 certification, to keep the certificate valid
Integration with Turkish regulations: ISO 27001 frameworks must accommodate specific Turkish requirements like data localization
BDDK recognition: The banking regulator actively references ISO 27001 compliance during its own audit processes
This approach allows Turkish banks to demonstrate international best practices while meeting domestic regulatory expectations.
Payment system providers and e-commerce companies operating in Turkey must maintain Payment Card Industry Data Security Standard (PCI DSS) compliance to secure online payment records and sensitive data such as credit card numbers. The Turkish implementation emphasizes several key areas:
Data encryption requirements: All cardholder data must be encrypted using approved methods
Fraud prevention controls: Active monitoring and prevention systems for suspicious transactions
Regular vulnerability assessments: Systematic testing of payment processing systems
Network security: Secure network architectures for all payment processing environments
Turkish regulators coordinate with international payment networks to ensure PCI DSS compliance aligns with global payment security standards while meeting domestic oversight requirements.
Banking sector institutions must comply with Control Objectives for Information and Related Technology (COBIT) standards, which are audited annually by the BRSA to ensure data security and integrity. This requirement establishes comprehensive IT governance frameworks that cover:
IT governance structures: Clear roles and responsibilities for technology decision-making
Risk management processes: Systematic identification and mitigation of IT-related risks
Performance measurement: Metrics and reporting for IT security and operational effectiveness
Compliance monitoring: Regular assessment of adherence to established IT controls
The annual BRSA audits ensure that COBIT implementation remains current and effective, with findings directly impacting banks' regulatory standing.
Financial institutions using SWIFT services must comply with the comprehensive SWIFT Customer Security Programme (CSP). Turkish implementation includes:
Mandatory security controls (21 in the CSCF version the page is based on; SWIFT revises the control set and its counts with each annual CSCF release): covering areas from secure network architecture to incident response
Advisory controls (10 in that version): additional recommended security measures for enhanced protection
Annual independent assessments: Third-party validation of CSP control implementation
Dedicated incident response teams: Specialized teams specifically for SWIFT-related cybersecurity incidents
The CSP requirements include critical system protection from general computing environments, ensuring that SWIFT infrastructure maintains appropriate isolation and security controls.
Turkey's comprehensive approach to financial cybersecurity regulation represents one of the world's most rigorous frameworks, demonstrating how prescriptive regulation can drive industry-wide security improvements. The multi-agency coordination and integration of international standards with local requirements creates a unique model that other jurisdictions are watching closely.
The emphasis on data localization, advanced authentication, and domestic cybersecurity solutions reflects a strategic approach to digital sovereignty while maintaining operational effectiveness. Turkey's willingness to definitively prohibit weak security practices has forced rapid modernization across the entire banking sector.
Returning to the three questions we set out to answer:
Who regulates cybersecurity in Turkish banking? Three main agencies coordinate oversight: BDDK (primary banking regulator), CBRT (payment systems), and the Cybersecurity Authority (national incident response and domestic solution preferences).
What are Turkey's main cybersecurity requirements for banks? Turkey mandates universal 2FA, data localization, real-time incident reporting, and compliance with international standards like ISO 27001 and PCI DSS.
How strict are Turkey's banking authentication rules? Turkey has some of the world's strictest authentication requirements, including complete SMS-OTP bans for mobile banking users and mandatory customer-specific encryption for all transactions.