July 18, 2025
This article analyzes the core dynamics shaping the technology strategy of the Turkish banking sector, with a particular focus on the constraints imposed by the Banking Regulation and Supervision Agency (BDDK) and the Law on the Protection of Personal Data (KVKK). Due to strict obligations regarding data sovereignty and customer confidentiality, the banking sector is unable to effectively utilize global public cloud services. This increases dependency on costly and less flexible on-premise infrastructures. Such a regulatory posture creates a risk of “regulatory-induced technical debt,” thereby limiting both the speed of innovation and global competitiveness.
This paper explores how Zero-Knowledge Proof (ZKP) technologies provide a solution to this fundamental impasse. ZKP, with its principle of “prove without revealing,” enables the verification of personal data without disclosing it, aligning seamlessly with the core principles of KVKK such as data minimization and purpose limitation. This technology offers banks an “intermediate window” that enables both compliance with legal obligations and a secure transition to modern and efficient infrastructures like cloud computing.
Our analysis reveals that ZKP represents not only a strategic necessity for the banking sector but a mandatory technological evolution for all industries processing sensitive data under KVKK.
The Turkish banking sector represents one of the world’s most robust and tightly regulated ecosystems in terms of technological infrastructure and data security practices. The highly prescriptive regulations set forth by the Banking Regulation and Supervision Agency (BDDK), combined with the stringent confidentiality obligations under the Law on the Protection of Personal Data (KVKK), overwhelmingly shape the sector’s technology strategy.
As a result, the industry has developed a structure that is highly secure compared to its global peers but significantly less agile. While banks strive to respond to the pace of innovation and customer expectations in a rapidly digitalizing world, they simultaneously face a "compliance moat"—a barrier of regulatory obligations that is difficult to overcome.
At the heart of this dilemma lies “data.” Traditional banking and regulatory models are built on the premise of “seeing” and “processing” data. In order to verify a transaction, confirm a customer’s identity, or conduct a risk analysis, raw data must flow between systems and be processed in its original form. This fundamental requirement constitutes the greatest technological and operational deadlock facing the sector. Data sovereignty obligations and data localization requirements effectively prevent banks from benefiting from the flexibility, scalability, and cost-efficiency offered by global public cloud services.
At this point, Zero-Knowledge Proof (ZKP) technology emerges as a revolutionary solution that radically transforms this paradigm. ZKP enables one party to cryptographically prove the truth of a piece of information to another party without disclosing the information itself. Simply put, assertions such as “My account has sufficient balance for this transaction” or “I am over the age of 18” can be mathematically proven without revealing sensitive data like account balance or date of birth.
In the following sections, we detail the fundamental challenges faced by the Turkish banking sector and analyze, drawing on the available references, how ZKP technology provides radical yet feasible solutions to these problems. We show that ZKP is a strategic key that enables banks to innovate without abandoning their security fortresses while also strengthening their compliance with regulatory obligations.
The current technology strategy of the Turkish banking sector is built on two fundamental pillars: “security” and “stability.” However, this robust structure also brings with it a set of challenges that constrain the sector’s agility and capacity for innovation.
The primary reason Turkish banks are unable to migrate to global public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) is not a matter of technological preference, but rather a consequence of strict legal obligations imposed by the Banking Regulation and Supervision Agency (BDDK). The BDDK’s “Regulation on Information Systems” mandates that all “primary systems,” which are critical to core banking operations, as well as their “secondary systems” (i.e., backups), must be physically hosted within the country.
The underlying rationale behind this rule is the protection of “data sovereignty” and “customer confidentiality.” Primary systems are broadly defined to include all infrastructures that process sensitive information such as customer databases, transaction engines, and identity verification data. In conventional cloud architectures, such data may be physically stored outside of Turkey or in shared environments that fail to meet the BDDK’s stringent segregation criteria. This constitutes a cross-border transfer of data qualifying as customer secrets, which is either prohibited or subject to extremely restrictive conditions under Article 9 of the Law on the Protection of Personal Data (KVKK) and the stricter provisions regarding “customer secrets” in the Banking Law.
The core issue is this: under the traditional model, executing an operation on the infrastructure of a cloud provider necessitates that the data be “visible” to that infrastructure. Any scenario in which sensitive data becomes visible to an external party presents an unacceptable regulatory risk. Consequently, the sector is deprived of the cost and innovation advantages offered by global cloud services. Banks are effectively forced to rely on high-cost, less flexible local (on-premise) solutions or compliant private cloud alternatives.
Although the on-premise infrastructure model mandated by BDDK regulations may give banks the impression of full control over their data, this approach imposes significant financial and operational burdens. In the long term, it leads to a series of issues that undermine banks’ competitive strength:
Building and operating local data centers requires substantial capital expenditure (CapEx) for hardware such as servers, storage units, and network equipment. Additionally, ongoing operational expenses (OpEx) such as energy, cooling, maintenance contracts, and skilled IT personnel salaries significantly increase costs.
Scaling in on-premise infrastructure is a slow and costly process, requiring the purchase, installation, and configuration of new hardware. When workloads decrease, idle capacity results in inefficiency. It lacks the elasticity of the cloud’s “pay-as-you-go” model.
All hardware and software updates, patching, security configurations, and 24/7 monitoring fall entirely under the bank’s internal IT team's responsibility. This diverts a significant portion of resources away from innovation toward merely maintaining existing systems.
Hosting data on internal servers does not inherently protect it from insider threats. The risk of data leaks or misuse by authorized or unauthorized internal personnel is always present. Centralized database breaches and social engineering attacks are among the most serious risks. As long as data remains "visible," it is vulnerable—regardless of where it is stored.
While global competitors benefit from advanced cloud-based services like data analytics, machine learning, and artificial intelligence, Turkish banks must recreate these capabilities within their closed and costly environments. This results in long-term “regulatory-induced technical debt,” which constrains the sector’s capacity for innovation.
In conclusion, while the current on-premise hosting model may build a fortress of security, it simultaneously traps banks within that fortress—isolating them from the agility required by the digital age.
The key technology capable of resolving the "security-agility" dilemma and the "data visibility" challenge facing the banking sector is Zero-Knowledge Proof (ZKP). ZKP constitutes a cryptographic revolution that fundamentally transforms the nature of data-driven processes.
A Zero-Knowledge Proof (ZKP) is a cryptographic protocol that allows one party (the "prover") to mathematically prove to another party (the "verifier") the validity of certain information (such as a password or an account balance) without disclosing the information itself in any way. The three fundamental properties forming the basis of ZKP are as follows:
Completeness: If the prover’s claim is true and both parties follow the protocol, the verifier will always accept the proof.
Soundness: If the prover’s claim is false, a dishonest prover will not be able to convince the verifier that the claim is true (except with an extremely low probability).
Zero-Knowledge: The verifier learns nothing about the prover’s secret information other than the fact that the statement being proven is valid.
To concretize this concept, the frequently referenced analogy of "Ali Baba’s Cave" can be used: Imagine a cave shaped like a ring with two paths and a locked door in between. Alice wants to prove to Bob that she knows the secret password to open the door, but she doesn’t want to reveal the password itself. She enters the cave through one of the two paths. Bob, who waits outside, randomly shouts either “come out from the right” or “come out from the left.” If Alice knows the password, she can always unlock the door and exit through the path Bob requests. If this process is repeated multiple times, Bob becomes convinced—with near absolute certainty—that Alice indeed knows the password, as it would be nearly impossible for her to exit correctly each time without knowing it. Crucially, Bob learns nothing about what the actual password is. ZKPs function in a similar manner using mathematical protocols to achieve this result.
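As an added illustration (not from the article or the works it cites), the cave analogy written out as an actual mathematical protocol: Schnorr's identification scheme in Python, with one function for each of the three properties above. Bob's random "left or right" shout is the verifier's challenge c, here drawn from Z_q rather than a single bit; the group parameters P, Q and G are toy-sized constants chosen for this example, not values from any deployment.

```python
# Added example, not from the article: the Ali Baba cave as a real protocol.
# Schnorr's identification scheme over a toy prime-order group. The group
# parameters below are constructed for illustration only; a deployment
# would use a 256-bit elliptic-curve group and a hash-derived challenge.
import secrets

P = 1019            # constructed safe prime, P = 2*Q + 1
Q = 509             # prime order of the subgroup generated by G
G = 4               # 4 = 2^2 is a quadratic residue mod P, so it has order Q


def keygen():
    """Prover's secret x (the 'password') and public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Step 1: the prover enters the cave by a random path: t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Step 3: answer the verifier's challenge c with s = r + c*x mod q."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Step 4: accept iff g^s == t * y^c; the verifier never sees x or r."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def honest_run(x, y):
    """Completeness: a prover who knows x is accepted on every round."""
    r, t = prover_commit()
    c = secrets.randbelow(Q)          # step 2: verifier 'shouts' a random challenge
    return verify(y, t, c, prover_respond(x, r, c))


def cheating_run(y):
    """Soundness: without x, the best strategy is to guess the challenge before
    committing and shape t to fit it; this wins only if the guess was right (1/Q)."""
    guess, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - guess, P)) % P   # y^(-guess), since y has order Q
    c = secrets.randbelow(Q)
    return verify(y, t, c, s)


def extract_secret(c1, s1, c2, s2):
    """Why guessing is the only way to cheat: two accepting transcripts with the
    same t but different challenges reveal x = (s1 - s2) / (c1 - c2) mod q."""
    return ((s1 - s2) * pow((c1 - c2) % Q, Q - 2, Q)) % Q


def simulate_transcript(y):
    """Zero-knowledge: anyone holding only y can forge an accepting transcript by
    choosing c and s first, so a transcript carries no information about x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", all(honest_run(x, y) for _ in range(20)))
    wins = sum(cheating_run(y) for _ in range(1000))
    print(f"cheating prover accepted {wins}/1000 rounds (expected about 1000/{Q})")
    t, c, s = simulate_transcript(y)
    print("simulated transcript verifies:", verify(y, t, c, s))
```

Repeating the round n times drives the cheater's success probability to (1/Q)^n, which is the "near absolute certainty" Bob reaches in the cave; the simulator shows why Bob still learns nothing about the password.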
The revolutionary nature of ZKP for the banking sector stems from this “zero knowledge” property. Unlike traditional systems, ZKP enables data to be “verified” without being “seen.” This makes possible the principle of “processes running in the background while no one can see the data in the frontend.”
When a customer applies for a loan, the bank does not need to see the customer’s payslip to answer the question: “Is the customer’s income above 50,000 TRY?” Instead, the customer provides a zero-knowledge proof attesting that their income exceeds this threshold. The bank verifies the validity of this claim without ever learning the actual salary amount.
Likewise, during a money transfer, the system does not need to view the sender’s account balance to check whether there are sufficient funds. The sender simply submits a ZK proof indicating that the balance requirement is met. In models like zkLedger, even the transaction amount and the identities of the parties can remain hidden while still proving the transaction’s validity.
This approach redefines data security. Since data can be processed without being disclosed, a natural protective shield is formed against both external attacks and internal threats. The risk of data leakage is eliminated entirely—because the data is never actually shared.
The theoretical strength of Zero-Knowledge Proof (ZKP) becomes tangible in its ability to offer direct and practical solutions to some of the most fundamental and seemingly intractable problems in the banking sector. ZK-based services emerge not merely as a technological innovation in the face of growing cybersecurity threats and regulatory pressure, but as a strategic necessity for ensuring privacy and security (Koç, 2025).
ZKP directly addresses the core obstacle preventing banks from transitioning to cloud computing—namely, the “data visibility” problem. By using ZK technology, a bank can send a cryptographic proof verifying the validity of a transaction or the result of a compliance check without sending customer data or transaction details to the cloud provider.
In this model:
Sensitive customer data (e.g., identity, account balance) remains within the bank’s own environment—either on-premises or in a compliant private cloud under its control.
The cloud infrastructure never sees the raw data. It processes only a ZK proof that confirms a specific rule (e.g., “the balance is sufficient”) has been met, without containing any meaningful or interpretable information itself.
As a result, regulatory concerns raised by BDDK (Banking Regulation and Supervision Agency) and KVKK regarding data sovereignty and customer confidentiality are effectively mitigated. Sensitive or confidential customer information is neither transferred abroad nor disclosed to third parties.
This new technology thus enables a bank to legitimately assert both technically and legally: “I have a ZK infrastructure, and therefore I can benefit from the processing power and flexibility of the global cloud without disclosing my data.”
In turn, this allows banks to break free from the burdens of high total cost of ownership (TCO) associated with on-premise infrastructures and transition to more agile, scalable, and cost-efficient operational models.
One of the most significant operational burdens for banks is the auditing process and regulatory compliance. In traditional audits, regulators or auditors often request access to large data sets in order to conduct risk assessments. This practice creates not only an operational strain but also a substantial data privacy risk.
Zero-Knowledge Proof (ZKP) technology offers an elegant solution to this problem through the mechanism of Selective Disclosure. Instead of exposing the entire data set to the auditor, the bank provides a cryptographic proof that answers the auditor’s specific question with a simple “yes” or “no.”
Example: If an auditor asks, “Were there any suspicious transactions exceeding anti-money laundering (AML) thresholds this quarter?”, the bank does not need to disclose its entire transaction list. Instead, it can generate a single ZKP that cryptographically proves “No, there were none.”
In this approach, the auditor receives the assurance they need with mathematical certainty, while no customer names, transaction amounts, or other sensitive information are disclosed.
This creates a secure and efficient intermediate window for audits. Banks can fulfill their transparency and legal compliance obligations without compromising customer privacy. In turn, this accelerates audit procedures, reduces costs, and eliminates the security risks associated with accidental data exposure.
ZKP’s ability to “narrow and obscure data” has the potential to make core banking processes more secure and efficient.
During the account opening process, a customer does not need to share their entire identity document. Instead, the customer can use a government-approved digital identity to prove statements such as “I am over 18 years old,” “I am a citizen of the Republic of Turkey,” or “I am not on a blacklist” without disclosing the underlying data (e.g., date of birth, national ID number). This fully complies with the principle of data minimization while meeting KYC requirements.
When applying for credit, a customer can provide a ZK proof that their credit score exceeds a certain threshold or that they have a clean financial record, without sharing their full financial history or detailed credit report with the bank.
In money transfers, the identities of the sender and recipient, as well as the transaction amount, can be kept completely confidential. ZK protocols can verify that the transaction does not involve double-spending and that the sender has sufficient balance—without revealing these details to the network or unauthorized personnel.
These applications not only improve the customer experience but also significantly reduce banks’ obligations for data storage and protection.
The core problems that ZKP solves are not unique to the banking sector. The paradigm shift introduced by this technology applies to all institutions and industries that process personal data under the scope of KVKK.
The fundamental vulnerability of all organizations that process personal data lies in the requirement that “data must be visible to be processed.” The KVKK is built upon core principles such as “data minimization” (no more data than necessary should be processed) and “purpose limitation” (data should not be used beyond the original purpose for which it was collected). ZKP is the most powerful tool to technologically realize these principles.
Healthcare Sector: A patient can prove—via a zero-knowledge proof—whether or not they have a specific genetic predisposition without disclosing their entire genetic profile to a research institution.
Insurance Sector: A customer can demonstrate that they have not been involved in any major accidents in the past five years without disclosing the full details of their claims history.
E-commerce: A user can confirm they have sufficient credit or balance to complete a purchase without revealing the exact limit or balance on their credit card.
These examples demonstrate that ZKP is not merely a banking solution but a necessary technological evolution to preserve privacy as a fundamental right in the digital age. All sectors processing sensitive data need this technology both to ensure legal compliance and to build user trust.
The application of ZK technology in banking requires careful planning and proper technology selection. That these technologies are not merely theoretical but practically applicable has been demonstrated by concrete protocols such as zkBank, which operates on the Sui blockchain and supports features like multi-party signatures and notary validation (Zengi, 2025).
There are various ZK protocols available in the market, each offering different advantages and trade-offs.
zk-SNARKs: These proofs are extremely small and verify very quickly, making them ideal for high-throughput financial applications. However, they generally require a "trusted setup": the setup ceremony produces secret randomness (the so-called "toxic waste") that must be destroyed, because any party who retains it could forge proofs that the verifier would accept.
zk-STARKs: These do not require a trusted setup (they are transparent) and are considered resistant to quantum computer attacks. However, their proof sizes are significantly larger than those of SNARKs, which may increase storage and network costs.
Bulletproofs and Others (e.g., PLONK): Bulletproofs are particularly efficient for proving that a value lies within a specific range (range proofs) and do not require any setup. Newer-generation protocols such as PLONK offer a "universal" structure that allows for proof generation across many different circuits with a single setup, thereby enhancing flexibility.
For banking applications, zk-SNARK or PLONK-based solutions are often more suitable due to their small proof sizes and fast verification speeds. However, if trusted setup is a regulatory or operational concern, or if highly complex proofs are needed, zk-STARKs should be considered as an alternative.
The recommended roadmap for banks to implement ZK-based solutions should begin with a legal and regulatory feasibility assessment. This initial phase involves a detailed review of KVKK and BDDK regulations and obtaining official opinions regarding the viability of scenarios such as “private cloud + ZK.”
Next, the ZK protocol most appropriate for the bank's specific use case—as well as its performance and security requirements—should be selected. The infrastructure should then be built in accordance with BDDK regulations, hosted either in domestic data centers or in a compliant private cloud environment.
Following infrastructure readiness, a pilot project should be launched in a low-risk domain (e.g., an internal authentication mechanism), and compliance and performance should be evaluated by internal audit and security units. The positive results of the pilot project should be submitted to regulatory authorities for formal approval, and bank personnel should receive training on the technology.
Once approval is granted, the solution should be scaled gradually to broader areas, and a compliance committee should be established to ensure ongoing monitoring of both regulatory developments and technological advancements.
The Turkish banking sector stands on a solid foundation shaped by security and regulation. However, the digital age demands not only the preservation of this robustness but also agility and innovation. The current "data visibility" paradigm forces the sector to choose between these two goals, leaving it to cope with the costs and flexibility constraints imposed by local infrastructures.
Zero-Knowledge Proof (ZKP) technology is not merely a cryptographic tool but a strategic enabler with the potential to resolve this fundamental conflict. With its principle of “prove the data without revealing it,” ZKP allows banks to:
Overcome the visibility barrier and transition securely to modern and efficient infrastructures such as global cloud computing;
Enhance auditability and compliance processes in a more efficient and secure manner, while preserving customer privacy and the spirit of KVKK;
Minimize data leakage and internal threat risks, thereby elevating their security posture to the highest level;
Reduce operational costs and redirect resources toward innovation, ultimately increasing global competitiveness.
In the near future, banks may transform from institutions that store and process data into entities that merely “verify” information without disclosing it. Regulators may shift from demanding access to raw data to accepting cryptographic proofs instead. This will lay the groundwork for a new financial order—positioned at the intersection of centralized and decentralized finance—centered on privacy and trust.
ZKP offers the Turkish banking sector a historic opportunity to transcend the rigid boundaries imposed by regulation—not by bypassing them, but by turning them into guarantees for a technological leap forward.
Koç, S. (2025). ZK-based Banking Services: Necessity for Privacy and Security. TechRxiv. Access link: https://www.techrxiv.org/users/837126/articles/1265620-zk-based-banking-services-necessity-for-privacy-and-security
Zengi, N. (2025). Zero-Knowledge Banking: A Multi-Party Signature Protocol on Sui Blockchain. Access link: https://github.com/nzengi/zkbanking-sui/blob/main/zkbank_paper.pdf