Banks · 1 Year Compliance Period

BDDK + Circular 2025/10 Accessibility Compliance for Banks

Bring your internet banking, mobile banking and open banking interfaces to WCAG 2.2 A level while staying compliant with BDDK security requirements. Start your compliance process before the 21 June 2026 deadline.

Legal Basis: Presidential Circular 2025/10 (Official Gazette 32933) · Law No. 5378 · BDDK Information Systems Regulation · Banking Law No. 5411 · Standard: WCAG 2.2 A
  • 53 banks in Turkey (BDDK 2024 license)
  • 80M+ digital banking users (TBB data)
  • 500K TL annual penalty cap (after 21 June 2026)
  • 1 week marketing site scan (without compromising BDDK security)

A Two-Layer Compliance Burden for Banks

All public and private banks in Turkey fall under Circular 2025/10 and are in the 1-year compliance period group. For banks, the risk is not only the 5,000-25,000 TL administrative fine from the Ministry of Family and Social Services.

The security requirements of the BDDK Information Systems Regulation (e.g. CAPTCHA, OTP, session locking) can conflict with accessibility requirements. Complaints from disabled customers can be taken to the TBB Customer Complaints Arbitration Committee and lawsuits to consumer courts; reputational risk is a topic the entire banking sector watches closely.

Bank Segments

The Right Solution for Your Bank Type

Deposit, participation and investment banks need to strike different balances between security and accessibility.

Deposit Banks

All banking products, high customer traffic. Internet and mobile banking are the main channels.

  • CAPTCHA audio alternative
  • Flexible OTP timeout
  • Mobile WebView scanning

Participation Banks

Interest-free banking products. A sensitive customer base; product texts that refer to religious rulings need to be written inclusively.

  • Interest-free product description texts
  • Accessible contract PDF files
  • Customer information texts

Investment Banks

B2B and high-net-worth (HNW) customer segment. Dual SPK and BDDK regulation; content heavy on reports and charts.

  • Text alternative for financial charts
  • Accessible PDF reports
  • Authorized user portal

3 Critical Challenges

Accessibility vs. Security Conflicts in Banking

The most common problems where BDDK regulation and WCAG 2.2 A collide.

Security Steps (CAPTCHA, OTP, e-Signature)

BDDK security requirements mandate CAPTCHA, OTP entry and device verification. Visual-only CAPTCHA is a WCAG 1.1.1 violation; an audio-based alternative and an extended timeout must be provided. OTP SMS messages with a short window such as 30 seconds can be insufficient for visually impaired users.

Mobile Banking SDK and Iframe Structures

Web-based modules embedded in mobile banking apps (e.g. investment, insurance) run inside iframes; native screen reader (TalkBack/VoiceOver) integration is usually missing. WCAG 4.1.2 (Name, Role, Value) violations are common.

Open Banking API Consent Screens

Under Banking Law No. 5411, open banking consent flows grant access to third-party finance apps. These consent screens are very short-lived and keyboard access is often broken. Disabled customers cannot use open banking services independently.

Risk Calculation

What Does Non-Compliance Cost a Bank?

For a bank, the risk is not only a fine; there is the annual BDDK audit, TBB Arbitration Committee complaints and reputation:

  • Digital user reach: ~10M disabled and elderly digital customers
  • Annual penalty cap: 500K TL (by the Ministry)
  • Additional risk: BDDK + TBB (audit and arbitration committee)

Comparison: A bank Enterprise contract corresponds to annual figures of 6 to 12 digits, but a single BDDK compliance fine or reputational crisis can cost 10 to 50 times that figure.

Solution Package

cerez.io Bank Package

A bank-focused package that delivers compliance with BDDK, KVKK and Circular 2025/10.

WCAG 2.2 A Automatic Scanner

Multi-URL scanning for your internet banking and marketing site. Instant violation report for public pages; manual checklist and consultant support for internal banking screens that require a session.

Accessibility Widget (40+ Features + 10+ Profiles)

Widget for bank marketing pages and pre-login screens. Profiles for visually impaired, motor-impaired and elderly users are critical for banking. The Shadow DOM architecture does not conflict with BDDK security policies.

Accessibility Statement + BDDK Reporting

A statement in the 2025/10 format and a compliance status output for use in annual BDDK reporting. A management summary report for the risk management unit is generated automatically.

Local Hosting + Enterprise SLA

The cerez.io infrastructure runs in a Turkey data center (KVKK Article 9 and the BDDK data localization requirement). In the Enterprise plan, dedicated support, an SLA and an on-premise deployment option are open for evaluation.

Technology Compatibility

Works Seamlessly With Your Existing Banking Infrastructure

The Shadow DOM architecture does not violate BDDK security policies.

  • iOS SDK (Mobile)
  • Android SDK (Mobile)
  • Open Banking API (PSD2)
  • 3D Secure (Payment)
  • WAF / CDN (Security)
  • Adobe AEM (CMS)
  • Sitecore (CMS)
  • Custom Frontend (Custom)

Tested integrations. For bank-specific systems you can request a technical feasibility study.

Roadmap

Bank Compliance in 5 Steps

Step-by-step WCAG 2.2 A compliance without violating BDDK requirements.

Marketing Site and Login Screen Scan (1 Week)

Campaign and marketing pages on the public domain and the banking login screen are scanned. The first list of Critical/Serious violations is reported.

Widget Integration: Public Pages (5 Minutes)

Without conflicting with BDDK security policies, the widget is activated for the public area (pre-login). Disabled customers gain access to screen reader, contrast and magnifier tools on the login screen.

Internal Banking WCAG A Fixes (1-3 Months)

Critical violations in the investment, loan and insurance modules (unlabeled forms, timeouts, keyboard traps) are fixed together with your team. cerez.io consulting provides recommendations that do not conflict with BDDK security requirements.

Accessibility Statement and BDDK Management Report

A statement describing the compliance status of the website is published in the footer. A management summary report is generated for the annual audit under the BDDK Information Systems Regulation.

Accessibility Logo Application

Once WCAG A is met, an "Accessibility Logo" application is made to the Ministry of Family and Social Services. In the bank's corporate communications, this logo builds customer trust.

Comparison

3 Options for Banks

cerez.io Enterprise compared with foreign solutions and manual compliance.

Foreign Solutions

OneTrust / UserWay / AccessiBe

  • $500 per month and up
  • BDDK data localization risk
  • KVKK Article 9 risk
  • English-only support
  • No Turkish banking legislation knowledge
  • No BDDK audit assistance

Manual Compliance

Big4 consultant and in-house IT

  • 6+ month project
  • Consultant 500,000+ TL
  • Managing BDDK vs. WCAG conflicts is hard
  • Re-audit on every release
  • No ongoing maintenance
  • Manual management reporting

cerez.io Enterprise

Turkey-based and BDDK-compliant

  • Public area in 1 week
  • Local hosting
  • BDDK data localization compliance
  • Dedicated Turkish support
  • Automatic management reporting
  • SLA option

Pilot Feedback

Early Access Pilot Banks

cerez.io is currently in early access. The statements below are compiled from the technical feedback of banks in the pilot program.

We needed to strike a balance between BDDK security requirements and accessibility. cerez.io consulting recommended suitable solutions for an audio CAPTCHA alternative and OTP timeout.

Director of Digital Banking
Deposit Bank

Our investment report PDFs were not screen reader compatible. With cerez.io's accessible PDF production guidelines, we created internal training material for financial chart captions.

Customer Experience Manager
Investment Bank

* Statements have been anonymized as part of the pilot program.

Recommended Plan

Bank Enterprise for Your Bank

The Enterprise plan is recommended for all banks; BDDK audit reports, SLA and dedicated support are included.

Bank Enterprise

Enterprise (Bank Package)

Custom Offer

Unlimited domains (bank and subsidiaries), SLA (4-hour response), dedicated account manager, BDDK reporting support, on-premise deployment evaluation, white-label widget.

  • Unlimited domains (bank and subsidiaries)
  • SLA (4-hour response guarantee)
  • Dedicated account manager
  • BDDK reporting support
  • On-premise deployment evaluation
  • White-label widget

FAQ

Banks: Frequently Asked Questions

Short answer: BDDK mandates security controls such as CAPTCHA, OTP and session duration; however, their accessible variants (audio CAPTCHA, extendable timeout, screen-reader-compatible OTP entry) can be WCAG 2.2 A compliant. cerez.io consulting resolves these conflicts.

Short answer: For native iOS/Android apps, platform-specific criteria (iOS Accessibility, Android TalkBack) apply rather than WCAG. However, web modules embedded in the app (WebView) fall under WCAG 2.2 A; cerez.io can scan these web modules.

Short answer: Because consent screens have short timeouts, they can cause a WCAG 2.2.1 (Timing Adjustable) violation. We recommend adding an extend-time button, keyboard focus management and ARIA live announcements. cerez.io flags this point in the violation report.
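As an added illustration of the extend-time, focus-management and live-announcement pattern recommended above for short-lived consent screens (example code written for this page, not cerez.io's product or any bank's code): a small timeout controller that warns through a polite ARIA live region before expiry, lets the user extend the time at least 10 times as WCAG 2.2.1 requires, and moves keyboard focus to the Extend button only when the warning fires. The 60-second limit, 20-second warning window and the element ids in bindToDom are assumptions.

```javascript
// Assumed defaults: 60 s limit, warning 20 s before expiry, 10 extensions (WCAG 2.2.1
// asks for at least 10). Time is passed in explicitly so the logic runs without a browser.
function createAccessibleTimeout({ limitMs = 60000, warnBeforeMs = 20000,
                                   maxExtensions = 10, announce, onExpire }) {
  const s = { deadline: null, extensions: 0, warned: false, expired: false };
  return {
    start(now) { Object.assign(s, { deadline: now + limitMs, extensions: 0, warned: false, expired: false }); },
    tick(now) { // call about once per second; returns 'idle' | 'running' | 'warning' | 'expired'
      if (s.expired || s.deadline === null) return 'idle';
      const remaining = s.deadline - now;
      if (remaining <= 0) { s.expired = true; onExpire(); return 'expired'; }
      if (!s.warned && remaining <= warnBeforeMs) {
        s.warned = true; // warn exactly once per countdown
        announce(`Session expires in ${Math.ceil(remaining / 1000)} seconds. ` +
                 'Activate the Extend button to continue.');
        return 'warning';
      }
      return 'running';
    },
    // "Extend time" action: restarts the countdown. Refused after expiry (an expired
    // consent must be restarted, not silently revived) or once the cap is reached.
    extend(now) {
      if (s.expired || s.deadline === null || s.extensions >= maxExtensions) return false;
      s.extensions += 1; s.deadline = now + limitMs; s.warned = false;
      announce('Time extended.');
      return true;
    },
    remainingMs(now) { return s.deadline === null ? 0 : Math.max(0, s.deadline - now); },
    extensionsUsed() { return s.extensions; },
  };
}

// Browser wiring (assumed element ids; not executed here). A polite live region announces the
// warning without stealing focus; focus moves to the Extend button only when the warning fires.
function bindToDom(doc, form) {
  const live = doc.getElementById('timeout-live');     // <div role="status" aria-live="polite">
  const extendBtn = doc.getElementById('extend-time'); // <button type="button">Extend time</button>
  let previousFocus = null;
  const ctl = createAccessibleTimeout({
    announce: (msg) => { live.textContent = msg; },
    onExpire: () => form.querySelectorAll('input, button').forEach((el) => { el.disabled = true; }),
  });
  // After extending, return focus to the field the user was filling in.
  extendBtn.addEventListener('click', () => { if (ctl.extend(Date.now()) && previousFocus) previousFocus.focus(); });
  ctl.start(Date.now());
  setInterval(() => {
    if (ctl.tick(Date.now()) === 'warning') { previousFocus = doc.activeElement; extendBtn.focus(); }
  }, 1000);
}
```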

Short answer: Under the BDDK Information Systems Regulation, customer experience and access to service are examined in the annual audit. After Circular 2025/10, the accessibility statement, violation report and remediation plan should be part of your audit documents.

Short answer: Within the Enterprise plan, an on-premise option (installation in the bank's data center) is open for evaluation for some banks. Send us your request via the contact form; the technical feasibility and pricing are prepared as a separate contract.

Short answer: Yes. The Enterprise contract includes cookie consent (KVKK), the accessibility widget (2025/10) and data localization (BDDK) components in a single package. The contract is prepared together with your legal counsel.

DEADLINE: 21 JUNE 2026

Where does your bank stand on accessibility?

Banks have a 1-year compliance period. Consider the cerez.io Enterprise package for dual BDDK and WCAG compliance.

BDDK-compliant  ·  Local hosting  ·  SLA 4-hour response  ·  On-premise option

⚡ LEGAL OBLIGATION: Presidential Circular 2025/10: WCAG 2.2 A is mandatory by 21 June 2026 for public institutions, municipalities, banks, universities, hospitals and schools · Penalty: 5,000–25,000 TL per finding