Bank Liability in Turkey for Unauthorized Transactions and Online Banking Fraud

Introduction

Bank liability in Turkey for unauthorized transactions and online banking fraud has become one of the most important legal issues in modern banking litigation. As customers increasingly use mobile banking, internet banking, credit cards, virtual POS systems, QR payments, digital wallets and instant money transfers, financial fraud methods have also become more sophisticated. Phishing messages, fake bank websites, SIM swap fraud, malware, social engineering, call center impersonation, stolen card data, remote access applications and identity theft can cause serious financial losses within minutes.

When money disappears from a bank account or a credit card is used without authorization, the central legal question is usually clear but difficult: Who should bear the loss—the customer or the bank? The answer depends on the facts, the type of transaction, the security measures applied by the bank, the customer’s conduct, the timing of notification, authentication records, transaction logs, applicable banking rules and the court’s evaluation of fault and causation.

Turkish law does not treat banks as ordinary service providers. Banks are professional institutions that operate under strict regulation, hold customer funds, process sensitive financial data and maintain electronic banking infrastructure. Banking Law No. 5411 aims to ensure confidence and stability in financial markets, support the efficient functioning of the credit system and protect the rights and interests of depositors. It also regulates banking activities and the institutional duties of banks in Turkey.

This article explains bank liability in Turkey for unauthorized transactions and online banking fraud, including the legal framework, common fraud types, bank security obligations, customer duties, burden of proof, evidence, remedies, compensation claims and practical steps for victims.

1. What Is an Unauthorized Banking Transaction?

An unauthorized banking transaction is a transfer, payment, withdrawal, card transaction or other financial operation carried out without the genuine consent of the account holder or card holder. It may occur through internet banking, mobile banking, ATM, credit card, debit card, wire transfer, EFT, FAST transfer, SWIFT, virtual POS transaction, card-not-present transaction or digital payment channel.

Examples include:

A fraudster transfers money from the customer’s bank account through mobile banking.
A credit card is used online without the cardholder’s consent.
A customer’s SIM card is unlawfully duplicated and used to receive one-time passwords.
A fake bank website captures login credentials.
A remote access application is installed on the customer’s phone.
A call center impersonator convinces the customer to approve a transfer.
A malware infection intercepts banking credentials.
A card is physically stolen and used before the customer notices.
A business account is compromised through a fake e-mail instruction or payment redirection fraud.

The legal classification of the transaction is important. A credit card fraud case may involve Law No. 5464 on Bank Cards and Credit Cards. A bank account transfer may involve banking law, contract law, electronic banking security regulations and general liability principles. A payment institution transaction may involve payment services law. A personal data breach may involve the Personal Data Protection Law No. 6698. A criminal fraud may also require a criminal complaint.

2. Main Legal Framework for Bank Liability

Bank liability for unauthorized transactions in Turkey is shaped by several legal sources. The first is Banking Law No. 5411, which regulates banking activities, bank obligations, supervision, confidentiality and the banking system’s reliability. Banks are authorized to conduct payment and fund transfer transactions, issue payment instruments and provide electronic banking services within the regulated banking framework.

The second key source is the Regulation on Information Systems and Electronic Banking Services of Banks. This regulation sets minimum procedures and principles for banks’ information systems, electronic banking services, management of related risks and information systems controls. It is directly relevant to online banking fraud because it regulates the technical and operational environment in which electronic banking services are provided.

The third source is Law No. 5464 on Bank Cards and Credit Cards. This law regulates card issuance, card use and the responsibilities of card issuing institutions. It includes rules requiring card issuing institutions to take measures to keep codes, passwords and identification information confidential and secure.

The fourth source is Consumer Protection Law No. 6502 where the customer is a consumer. For consumer disputes in 2026, claims below TRY 186,000 fall within the Consumer Arbitration Committee route, while higher-value disputes generally require mediation and consumer court proceedings.

The fifth source is Personal Data Protection Law No. 6698, which applies where fraud involves unlawful processing, leakage or misuse of personal data. The law’s purpose is to protect fundamental rights and freedoms, particularly privacy, and to set obligations for persons processing personal data.

3. Bank’s Professional Duty of Care

Banks in Turkey are expected to act with a high level of professional care. Unlike an ordinary commercial company, a bank manages funds, credit systems, digital channels, authentication tools and payment infrastructure. Customers entrust banks with money and financial data. Therefore, courts generally assess bank conduct in light of professional banking standards.

In unauthorized transaction cases, the bank’s duty of care may include:

Providing secure electronic banking infrastructure; applying strong authentication; monitoring suspicious transaction patterns; warning customers about high-risk transactions; maintaining transaction limits; detecting abnormal account activity; securing customer credentials and card data; preventing unauthorized access; preserving logs and evidence; responding quickly to fraud notifications; blocking accounts or cards when necessary; and investigating disputed transactions properly.

The bank is not automatically liable for every fraud. If the customer knowingly approves a transfer after being deceived by a third party, or if the customer shares passwords and one-time codes despite clear warnings, the bank may argue customer negligence. However, even in social engineering cases, the bank’s systems may still be examined. The court may ask whether the transaction was unusual, whether the bank’s fraud monitoring system should have detected it, whether additional verification was required, and whether the bank reacted reasonably.

4. Customer’s Duty of Care

Customers also have duties. A customer should not share passwords, card details, one-time passwords, mobile banking credentials or SMS verification codes with third parties. The customer should avoid clicking suspicious links, installing unknown applications, giving remote access to a phone or computer, using insecure devices and ignoring bank warnings.

Banks often defend unauthorized transaction claims by arguing that the customer acted negligently. Common bank defenses include:

The customer entered credentials on a fake website; the customer shared SMS codes with fraudsters; the customer approved the transaction through mobile banking; the customer installed remote access software; the customer failed to protect the phone; the customer delayed notifying the bank; the transaction was authenticated with the customer’s device; or the customer violated security instructions.

However, customer negligence must be evaluated carefully. Fraudsters often use sophisticated deception methods. A customer may be deceived by a message that appears to come from the bank, a spoofed phone number, a fake official website or a social engineering script. The legal analysis should not assume that any use of customer credentials automatically eliminates bank liability. The decisive question is whether the loss resulted from customer fault, bank system failure, third-party crime, or a combination of these factors.

5. Online Banking Fraud and Electronic Banking Security

Online banking fraud is one of the most common forms of unauthorized transaction litigation in Turkey. It may involve internet banking credentials, mobile banking access, one-time passwords, push notifications, device binding, QR login systems, biometric authentication or remote access attacks.

The BRSA’s electronic banking regulation is important because it sets minimum rules for information systems and electronic banking services. The regulation defines open banking services as an electronic distribution channel through which customers, or parties acting for and on behalf of customers, may execute or instruct banking transactions through remote access to financial services offered by banks.

In litigation, the court may examine whether the bank’s electronic banking system complied with applicable regulatory standards. Relevant questions may include:

Was multi-factor authentication used?
Was the device previously registered?
Was there a sudden change in device, IP address or location?
Was the transfer amount unusual compared with past behavior?
Were multiple transfers made rapidly?
Did the bank send clear transaction notifications?
Were the warnings meaningful or generic?
Did the bank detect abnormal login attempts?
Did the bank preserve logs?
Did the bank block suspicious transfers quickly after notification?

The technical evidence is usually decisive. Without logs, authentication records and transaction details, the parties may struggle to prove their claims.

6. Credit Card Fraud and Bank Card Liability

Credit card fraud may involve stolen physical cards, lost cards, cloned cards, online card-not-present transactions, virtual POS fraud, 3D Secure abuse, merchant fraud, subscription traps, unauthorized recurring payments or card data theft.

Law No. 5464 is directly relevant to card disputes. The official English text states that if cards are usable only by using a code number, password or other identification method, card issuing organizations are liable to take all actions and measures required to keep such information strictly confidential and to prevent certain card information from being printed on customer copies of expenditure documents and correspondences.

This statutory duty shows that card issuers must maintain card security and confidentiality. In a card fraud dispute, the bank may need to prove that the transaction was properly authenticated and that it took legally required security measures.

For online card transactions, 3D Secure records, SMS verification, merchant data, IP address, delivery address, device information and chargeback procedure may be important. For physical card transactions, card presence, PIN use, POS slip, CCTV records and timing of loss notification may matter.

7. Phishing Fraud

Phishing is one of the most common fraud methods. The customer receives a fake SMS, e-mail or social media message that appears to come from a bank, public authority, cargo company, tax office, e-commerce platform or payment institution. The link directs the customer to a fake website where credentials, card data or one-time passwords are captured.

In phishing cases, banks usually argue that the customer voluntarily entered credentials into a fake site. Customers argue that the bank failed to prevent a suspicious transaction, failed to detect abnormal access, or failed to warn effectively.

The outcome depends on technical and factual details. If a customer’s account was accessed from a new device, foreign IP address or unusual location, and a high-value transfer was made immediately, a court may examine whether the bank’s fraud detection system should have intervened. If the transaction was completely consistent with the customer’s ordinary activity and was approved through strong authentication, the bank’s defense may be stronger.

8. SIM Swap Fraud

SIM swap fraud occurs when fraudsters obtain control of the customer’s mobile phone number by unlawfully replacing the SIM card or transferring the number. They may then receive SMS verification codes and access banking systems.

SIM swap cases may involve several responsible parties: the fraudster, telecom operator, bank, customer and sometimes identity verification service providers. The bank may argue that it sent the one-time password to the registered number. The customer may argue that the bank should have detected the SIM change or abnormal transaction.

In many banking systems, a recent SIM card change may be treated as a risk signal. If the bank allowed high-value transactions immediately after a SIM swap without additional verification, the customer may argue that the bank failed to apply adequate risk controls.

Evidence may include telecom operator records, SIM replacement date, bank login records, SMS logs, transaction timing, device information and customer notification history.

9. Social Engineering and Call Center Impersonation

Social engineering fraud involves psychological manipulation rather than purely technical hacking. Fraudsters may call the customer pretending to be bank employees, police officers, prosecutors, cargo company staff, investment advisers or customer service representatives. They may create urgency and convince the customer to share codes, approve transactions or install remote access applications.

Banks often rely on the defense that the customer personally approved the transaction. However, social engineering cases are not always simple. Courts may examine whether the bank’s warnings were clear enough, whether the transfer was suspicious, whether the bank’s systems detected unusual behavior, whether the customer’s account was suddenly emptied, and whether the bank acted promptly after notification.

For example, a customer who had never made large transfers suddenly sends multiple high-value transfers to newly added recipients within minutes. Even if the customer approved the transfers, the bank’s fraud monitoring duties may still be examined.

10. Remote Access Application Fraud

Remote access fraud has become increasingly common. Fraudsters convince customers to install applications that allow screen sharing or remote device control. Once installed, the fraudster may view banking credentials, approve transactions or control the device.

In these cases, evidence is highly technical. The bank may show that the transaction was approved through the customer’s device. The customer may show that the device was controlled by fraudsters and that the bank should have detected abnormal transaction behavior.

A strong legal claim should focus on the full timeline: when the application was installed, whether the phone was under remote control, what warnings appeared, whether the bank detected device compromise, whether new recipients were added, whether transfer limits changed, and how quickly the customer notified the bank.

11. Business E-Mail Compromise and Corporate Accounts

Corporate customers face a different type of fraud: business e-mail compromise. Fraudsters may hack or spoof a supplier’s e-mail address and instruct a company to pay invoices to a fraudulent bank account. They may also impersonate company managers and instruct finance staff to transfer funds.

Bank liability in corporate cases is often harder to prove because commercial customers are expected to have internal controls. However, banks may still face liability if they process clearly suspicious transactions, ignore fraud alerts, fail to follow corporate signing rules or execute instructions outside agreed authorization procedures.

Corporate account disputes may involve authorized signatory rules, online banking user rights, dual approval requirements, transaction limits, account mandates, internal company approvals and bank-customer agreements.

For companies, prevention is critical. Dual approval, call-back procedures, verified beneficiary lists, payment controls and staff training can reduce risk.

12. Burden of Proof in Unauthorized Transaction Cases

Unauthorized transaction cases are heavily evidence-based. The customer must generally show that the transaction was not genuinely authorized and that a loss occurred. The bank must usually present transaction records, authentication logs, security procedures and evidence that the transaction was processed through lawful channels.

In practice, banks hold most of the technical evidence. This includes IP logs, device IDs, login records, SMS records, push notification records, transaction timestamps, call center recordings and fraud monitoring alerts. Therefore, a customer should request preservation and disclosure of these records as early as possible.

If the bank cannot produce adequate technical records, the customer may argue that the bank failed to prove proper authorization and system security. If the bank produces strong records showing the transaction was approved through the customer’s registered device with multi-factor authentication and no abnormal indicators, the bank’s defense becomes stronger.

13. Importance of Timing and Immediate Notification

Timing is crucial. Once the customer discovers an unauthorized transaction, the customer should immediately notify the bank, request blocking of accounts and cards, request reversal if possible, and file a written objection.

Delay can damage the claim. Banks may argue that earlier notification would have allowed them to block the transaction, freeze the recipient account or initiate recall procedures. Customers should therefore avoid relying only on phone calls. Written records are essential: e-mail, bank complaint form, branch petition, notary notice or secure banking message.

If fraud involves criminal activity, the customer should also file a criminal complaint and provide all transaction details, account numbers, phone numbers, messages, links, screenshots, IP information, recipient names and payment references.

14. Evidence Needed in Online Banking Fraud Claims

The following evidence is commonly important:

Bank account statements, transaction receipts, mobile banking screenshots, SMS messages, phishing links, e-mails, call records, fraudster phone numbers, police complaint, bank complaint, bank response, IP logs, device records, authentication method, one-time password records, push notification records, transfer recipient data, telecom operator records, SIM swap records, ATM or POS records, credit card statements, 3D Secure records, chargeback responses and expert reports.

For court proceedings, expert examination may be necessary. Experts may analyze whether the bank’s authentication was adequate, whether the transaction was unusual, whether security controls complied with standards, whether customer credentials were used, whether system logs are consistent and whether the bank could have prevented the loss.

15. Bank’s Internal Fraud Monitoring Duties

A key issue in bank liability is fraud monitoring. Banks should not only authenticate users; they should also monitor suspicious transaction behavior. A transaction may be technically authenticated but still suspicious.

Possible red flags include:

First-time transfer to a new recipient; unusually high amount; multiple transfers within minutes; transaction after new device registration; transaction after SIM swap; foreign IP login; transfer inconsistent with customer history; account being emptied; transfer to known suspicious accounts; rapid movement of funds; failed login attempts before successful login; use of remote access indicators; or change in limits followed by transfer.

If such indicators existed and the bank did not apply additional verification or temporary blocking, liability may be argued. The bank may respond that its systems complied with regulations and that the customer approved the transaction. The dispute then becomes a technical and legal assessment of reasonable banking security.
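The red flags listed above can be written as rules applied to an account's event log, which is how an expert reviewing bank records after the fact might test whether a disputed transfer stood out. The following Python code is an added example, not code from this article or from any bank; the event schema, the thresholds, the flag names and the sample events are all constructed assumptions, and it covers only the flags that can be derived from the log itself.

```python
from datetime import datetime, timedelta
from statistics import median

# All thresholds are assumptions for illustration, not regulatory values.
RECENT = timedelta(hours=24)          # look-back for SIM, device, limit and login events
BURST_WINDOW = timedelta(minutes=10)  # "multiple transfers within minutes"
BURST_COUNT = 3
HIGH_FACTOR = 5                       # multiple of the customer's median past transfer
DRAIN_RATIO = 0.9                     # share of balance treated as "account being emptied"
FAILED_LOGINS = 3
HOLD_AT = 3                           # flags needed before extra verification or a hold
HOME_COUNTRY = "TR"                   # constructed customer profile


def ev(time, kind, **fields):
    """Build one log event (hypothetical schema)."""
    return {"time": datetime.fromisoformat(time), "type": kind, **fields}


def flag_transfer(tx, prior):
    """Return the set of red flags raised by transfer `tx`, given earlier events."""
    flags = set()
    past = [e for e in prior if e["type"] == "transfer"]
    if tx["recipient"] not in {p["recipient"] for p in past}:
        flags.add("new_recipient")
    if past and tx["amount"] > HIGH_FACTOR * median(p["amount"] for p in past):
        flags.add("unusually_high_amount")
    if tx["amount"] >= DRAIN_RATIO * tx["balance"]:
        flags.add("account_emptied")
    # Count this transfer plus earlier ones inside the burst window.
    if 1 + sum(tx["time"] - p["time"] <= BURST_WINDOW for p in past) >= BURST_COUNT:
        flags.add("burst_of_transfers")

    failed = 0
    for e in prior:
        if tx["time"] - e["time"] > RECENT:
            continue  # too old to count as a recent risk signal
        if e["type"] == "sim_changed":
            flags.add("after_sim_change")
        elif e["type"] == "device_registered":
            flags.add("after_new_device")
        elif e["type"] == "limit_changed":
            flags.add("limit_change_then_transfer")
        elif e["type"] == "login_ok" and e["country"] != HOME_COUNTRY:
            flags.add("foreign_ip_login")
        elif e["type"] == "login_failed":
            failed += 1
    # The transfer itself implies a successful login followed the failures.
    if failed >= FAILED_LOGINS:
        flags.add("failed_logins_before_success")
    return flags


def review(events):
    """Replay the log in time order; return (id, sorted flags, decision) per transfer."""
    events = sorted(events, key=lambda e: e["time"])
    results = []
    for i, e in enumerate(events):
        if e["type"] != "transfer":
            continue
        flags = flag_transfer(e, events[:i])
        decision = "hold_for_verification" if len(flags) >= HOLD_AT else "allow"
        results.append((e["id"], sorted(flags), decision))
    return results


# Constructed sample log: three ordinary payments, then a SIM change followed
# by failed logins, a login from another country, a new device, a limit change
# and three large transfers to new recipients within six minutes.
EVENTS = [
    ev("2025-04-01T10:00", "transfer", id="T1", recipient="landlord", amount=1500, balance=60000),
    ev("2025-05-01T10:00", "transfer", id="T2", recipient="utility", amount=2000, balance=61000),
    ev("2025-06-01T10:00", "transfer", id="T3", recipient="landlord", amount=1800, balance=62000),
    ev("2025-06-10T09:00", "sim_changed"),
    ev("2025-06-10T09:40", "login_failed"),
    ev("2025-06-10T09:41", "login_failed"),
    ev("2025-06-10T09:42", "login_failed"),
    ev("2025-06-10T09:45", "login_ok", country="XX"),
    ev("2025-06-10T09:46", "device_registered"),
    ev("2025-06-10T09:47", "limit_changed"),
    ev("2025-06-10T09:50", "transfer", id="T4", recipient="acct-X", amount=20000, balance=62000),
    ev("2025-06-10T09:53", "transfer", id="T5", recipient="acct-Y", amount=20000, balance=42000),
    ev("2025-06-10T09:56", "transfer", id="T6", recipient="acct-Z", amount=21000, balance=22000),
]

if __name__ == "__main__":
    for tx_id, flags, decision in review(EVENTS):
        print(tx_id, decision, ", ".join(flags) or "-")
```

Because this replays a finished log, a transfer that would have been held in practice still counts as history for the transfers after it; a live system would evaluate each transfer before execution.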

16. Bank Account Freezing After Fraud

After a fraud notification, banks may attempt to freeze remaining funds, block cards, suspend digital channels and contact recipient banks. If the money was transferred to another bank, speed matters. The receiving bank may be asked to freeze funds if they have not yet been withdrawn or transferred.

However, if the funds have already moved, recovery becomes more difficult. The victim may need criminal investigation and asset tracing. Recipient account holders may be money mules who quickly withdraw or forward funds.

A bank that delays action after receiving a clear fraud report may face liability if the delay caused additional loss. Therefore, the exact time of customer notification and bank action is important evidence.

17. Consumer Remedies Against Banks

If the customer is a consumer, several remedies may be available. The customer may file a written complaint with the bank, apply to the Banks Association of Türkiye Customer Complaints Arbitration Panel where the conditions are met, apply to the Consumer Arbitration Committee for disputes below the 2026 threshold, use mandatory mediation where required, and file a consumer court lawsuit for compensation.

The Banks Association of Türkiye has a Customer Complaints Arbitration Panel for retail banking-related disputes and provides application materials and procedural information.

For 2026, consumer disputes below TRY 186,000 may be brought before Consumer Arbitration Committees. For higher-value disputes, consumers generally need to follow the mediation and consumer court route where applicable.

Consumer claims should be supported with a clear timeline, disputed amount, bank complaint, bank response, evidence of fraud and legal grounds for bank liability.

18. Commercial Customer Remedies

If the customer is a company or merchant, the dispute may be treated as a commercial matter. The company may send a formal notice to the bank, request preservation of digital records, initiate mandatory commercial mediation where applicable, file a commercial lawsuit, seek compensation, request interim measures, and file criminal complaints against fraudsters.

Commercial cases often require more detailed analysis of corporate banking agreements, authorized users, payment approval rules, internal control obligations, account mandates and company negligence.

A business customer should show that the transaction was outside ordinary business practice, that the bank failed to follow agreed authorization rules or that the bank ignored suspicious circumstances. The bank may argue that the company’s employees approved the transaction or failed to maintain internal security.

19. Criminal Complaint and Asset Tracing

Online banking fraud often constitutes criminal conduct. Victims should file a criminal complaint with the prosecutor’s office. The complaint should include:

Transaction dates and amounts; sender and recipient account numbers; recipient names; phone numbers used by fraudsters; messages and links; screenshots; bank complaint records; device details; SIM swap evidence; IP information if available; and names of suspected persons.

Criminal investigation may allow authorities to request bank records, identify recipient account holders, trace money flow, seize funds and obtain technical data. However, criminal proceedings do not automatically compensate the victim. A civil compensation claim against the bank or fraudsters may still be necessary.

20. Personal Data Breach and KVKK Claims

Some online banking fraud cases involve personal data breaches. If customer information was leaked, unlawfully accessed or inadequately protected, the customer may consider remedies under the Personal Data Protection Law No. 6698. The law requires data controllers to process personal data lawfully and to take necessary measures to protect personal data. Its purpose includes protecting privacy and setting obligations for those processing personal data.

A bank may face data protection liability if fraud was enabled by inadequate data security, unauthorized disclosure of personal data, improper employee access, vendor breach or failure to protect customer information. However, not every fraud automatically proves a data breach by the bank. The customer must establish a connection between the bank’s data handling failure and the fraud.

21. AML and Suspicious Transaction Monitoring

Banks are also subject to anti-money laundering obligations. Law No. 5549 aims to determine procedures and principles for preventing the laundering of proceeds of crime.

Although AML rules are primarily designed to prevent financial crime, they may also intersect with fraud prevention. Fraud proceeds may pass through mule accounts. Banks may need to monitor suspicious transaction patterns, report suspicious transactions and cooperate with authorities. MASAK materials also recognize procedures for postponement or non-execution of transactions within the AML/CFT framework where conditions are met.

In a civil fraud case, AML obligations do not automatically make the bank liable. But the bank’s transaction monitoring and suspicious activity response may be relevant when assessing whether the bank acted as a prudent financial institution.

22. Compensation Claims Against Banks

A customer seeking compensation from a bank should establish four main elements:

First, an unauthorized or fraudulent transaction occurred.
Second, the customer suffered measurable financial loss.
Third, the bank breached a contractual, statutory or professional duty.
Fourth, there is a causal link between the bank’s breach and the loss.

The bank may defend itself by arguing that the transaction was properly authenticated, that the customer was grossly negligent, that the fraud was caused by a third party, that the bank complied with security standards, that the customer notified late, or that the loss would have occurred even if the bank acted differently.

The court may allocate responsibility depending on comparative fault. In some cases, the bank may be found fully liable. In others, the customer may be found responsible. In complex cases, the court may find shared fault.

23. Common Bank Defenses

Banks commonly rely on the following defenses:

The transaction was authenticated by password, SMS, biometric approval or mobile confirmation.
The transaction was made from the customer’s registered device.
The customer shared credentials with third parties.
The customer ignored bank warnings.
The customer approved the transfer voluntarily.
The customer delayed reporting fraud.
The bank complied with electronic banking regulations.
The fraud resulted from customer device compromise, not bank system failure.
The bank acted immediately after notification.
The disputed amount was transferred before the bank could intervene.

A strong claimant response should not merely deny these defenses. It should address them with evidence: unusual transaction pattern, inadequate warnings, recent SIM swap, new device registration, abnormal IP, lack of transaction monitoring, delay in blocking, weak authentication or missing bank logs.

24. Common Customer Mistakes

Victims often make mistakes that weaken their case. They wait before notifying the bank. They rely only on call center conversations. They fail to file a written objection. They delete phishing messages. They do not preserve screenshots. They do not file a criminal complaint. They cannot identify the disputed transactions clearly. They accept the bank’s rejection without requesting technical records. They miss consumer arbitration or litigation deadlines.

A customer should act systematically: notify, block, document, complain, file a criminal complaint, request records and seek legal advice.

25. Practical Checklist for Victims

A victim of unauthorized banking fraud in Turkey should immediately:

Call the bank and block accounts, cards and digital banking channels.
Submit a written fraud objection to the bank.
Request reversal or recall of the transfer.
Ask the bank to preserve all logs and records.
File a criminal complaint.
Keep all SMS, links, e-mails and call records.
Take screenshots of transactions.
Request telecom records if SIM swap is suspected.
Identify whether the claim is consumer or commercial.
Apply to the correct remedy route.
Calculate the loss precisely.
Avoid signing settlement or restructuring documents without review.

26. Practical Checklist for Banks

Banks should also maintain strong procedures:

Apply multi-factor authentication.
Monitor abnormal transaction patterns.
Use risk-based transaction scoring.
Detect new device and SIM swap risks.
Provide clear and meaningful warnings.
Respond rapidly to fraud notifications.
Preserve logs and records.
Train customer service teams.
Maintain incident response procedures.
Coordinate with receiving banks and authorities.
Review fraud trends regularly.
Document decisions carefully.

These measures protect customers and reduce litigation risk.

27. Why Legal Support Is Important

Unauthorized transaction and online banking fraud cases require legal, technical and financial analysis. A Turkish banking lawyer may assist with bank complaints, evidence preservation, consumer arbitration applications, mediation, lawsuits, criminal complaints, expert report objections, compensation claims, data protection complaints and negotiations with banks.

Legal support is especially important in high-value fraud cases, SIM swap fraud, corporate account fraud, disputed mobile banking approvals, bank refusal of compensation, missing transaction logs, or cases involving multiple banks and money mule accounts.

Conclusion

Bank liability in Turkey for unauthorized transactions and online banking fraud depends on a careful assessment of banking security, customer conduct, transaction records, fraud method, notification timing, technical evidence and legal duties. Banks are professional institutions subject to strict regulation and must provide secure electronic banking services. Customers must also protect credentials, act carefully and report fraud immediately.

The most important issue in these cases is evidence. Courts and experts will examine authentication records, IP logs, device data, SMS or push approval records, transaction history, fraud warnings, customer complaints, bank response times and whether the transaction was abnormal. Emotional allegations are not enough; the claim must be supported by documents and technical analysis.

For consumers, legal remedies may include bank complaints, the Banks Association of Türkiye complaint mechanism, Consumer Arbitration Committees for claims below the 2026 threshold, mediation and consumer court lawsuits. For companies, commercial claims, mediation, litigation and criminal complaints may be necessary. Where personal data or AML issues are involved, additional regulatory dimensions may arise.

In Turkish banking law, unauthorized transaction disputes are not decided by a single question such as “Was the password used?” The real question is broader: Did the bank and the customer each act with the level of care expected from them, and did any failure cause the loss? A successful claim must answer this question with a precise timeline, strong evidence, accurate legal classification and a clear compensation request.
