AI Regulation Isn't a Legal Problem — And Nobody in Your Org Chart Owns It
By Mesut Aydın
The Signal
A European fintech is preparing to launch an AI-powered credit scoring product in Turkey. The product works. The market is ready. Then three things happen at once.
Why It Matters
Turkey’s banking regulator, BDDK, requires that all customer financial data stays within Turkish borders. The AI model, however, was trained on datasets hosted on AWS servers in Frankfurt — datasets that fall under the EU’s General Data Protection Regulation. And the EU AI Act, which entered its enforcement phase in 2025, classifies credit scoring AI as “high risk,” triggering a separate set of obligations around transparency, human oversight, and documentation that neither the Turkish nor the German legal teams had fully mapped.
The company’s general counsel calls an emergency meeting. Legal understands Turkish banking regulation but has never read the AI Act’s Annex III. The CTO understands the model architecture but doesn’t know whether “data localization” means the training data, the model weights, or the inference outputs — because the answer depends on which regulator you ask. The government affairs team has relationships in Ankara, but their mandate has never included algorithmic compliance.
This isn’t a story about one company. Variations of this scene play out quarterly — sometimes weekly — in organizations operating across regulatory jurisdictions. And the pattern is always the same: not a knowledge gap, but an architectural gap.
The Move
Every function at the table holds a piece of the puzzle. Legal knows the law. Engineering knows the system. Government affairs knows the stakeholders. But the puzzle itself — the question of how a single AI product simultaneously triggers obligations under three different regulatory frameworks, in three different countries, enforced by three different authorities with three different philosophical approaches to technology governance — that puzzle doesn’t belong to anyone.
For most of the last two decades, regulatory compliance has been a manageable exercise in parallel processing. You had data protection over here, financial regulation over there, trade compliance in another lane. Different teams, different frameworks, different rhythms. They occasionally overlapped, but rarely collided.
When the OECD updated its Due Diligence Guidance for Responsible Business Conduct to explicitly address AI systems in early 2026, it introduced a requirement that would have been unthinkable five years ago: traceability of training data provenance across the entire value chain. Not just “where is the data stored” but “where did it come from, who curated it, what biases were embedded in the selection, and can you document the chain of custody?”
Read the Full Analysis
For the full original analysis, read the Ghost version here: https://www.mesutaydin.link/ai-regulation-isnt-a-legal-problem-and-nobody-in-your-org-chart-owns-it/
This article is for strategic information only. It is not legal, investment, or tax advice.



