The CBRT guideline, in practice: a compliance playbook for payment companies
By Selim Destanci
Founder
Türkiye’s central bank guideline for payment and e-money institutions is often read as a checklist. Read it as an architecture document instead: almost every clause maps to a property your system either has by design or will fake forever — continuous transaction monitoring, fraud prevention proportionate to risk, and the ability to reconstruct any decision after the fact.
Monitoring is the clearest example. A nightly batch report technically “monitors” transactions, but the guideline’s spirit is behavioral: velocity that spikes, devices that change, patterns that drift. That implies real-time counters and signals in the authorization path — not a data-warehouse job that finds problems three days late.
Auditability is the second pillar. When a regulator asks why a payment was declined — or worse, why a fraudulent one was approved — “the model said so” is not an answer. Every decision needs a reason code and a tamper-evident trail: append-only events, hash-chained so that nobody, including you, can quietly rewrite history.
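A minimal sketch of the hash-chained, append-only decision trail described above, as an added example rather than code from the guideline or the author's platform. The field names, reason codes and payment ids are constructed for illustration, and the `expected_head` check assumes the latest hash is also recorded somewhere the log's operator cannot rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record (convention assumed here)

def digest(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only decision log: each record commits to the one before it."""

    def __init__(self):
        self._records = []

    def append(self, payment_id, decision, reason_code, ts):
        event = {"payment_id": payment_id, "decision": decision,
                 "reason_code": reason_code, "ts": ts}
        prev = self._records[-1]["hash"] if self._records else GENESIS
        self._records.append({"event": event, "prev_hash": prev,
                              "hash": digest(prev, event)})
        return self._records[-1]["hash"]  # head hash to anchor externally

    def export(self):
        return json.loads(json.dumps(self._records))  # deep copy for auditors

def verify(records, expected_head=None):
    """Return the index of the first bad record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or rec["hash"] != digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)  # truncated, or rewritten and re-hashed end to end
    return -1

def sample_log():
    # Constructed sample decisions; ids and reason codes are illustrative.
    log = AuditLog()
    log.append("pay_001", "APPROVE", "R000_OK", "2024-01-01T10:00:00Z")
    log.append("pay_002", "DECLINE", "R101_VELOCITY", "2024-01-01T10:00:05Z")
    head = log.append("pay_003", "APPROVE", "R000_OK", "2024-01-01T10:00:09Z")
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    print(verify(log.export(), head))  # intact chain
```

An edited record is caught at its own index. A log that was rewritten and re-hashed from that point on passes the chain walk and fails only against the externally held head, which is why the head has to live outside the operator's control.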
Screening completes the picture. Sanctions and watchlist obligations in Türkiye are not just OFAC and UN; MASAK and the local regulators’ lists matter, and so does Turkish-character matching: a screening engine that can’t see that two differently spelled names are the same person will flood your analysts with noise while missing real hits.
The practical checklist, then: real-time risk signals in the hot path, explainable decisions with reason codes, an append-only audit trail with integrity verification, Türkiye-aware screening with analyst case management, and limits you can demonstrate, not just describe. Build those once, and the guideline stops being a compliance project — it becomes a property of the platform.