Kazakhstan Banks Enhance Security: New Login Rules from July 12

Starting July 12, accessing banking applications in Kazakhstan will require more than just a phone number. New regulations mandate additional verification steps to confirm user identity, significantly altering the login process for millions.

Stricter Identity Verification

Under the new rules, financial institutions must verify a client's identity against the state biometric database and confirm that the phone number used for login is registered to that person. The aim is to stop account takeover through stolen, re-issued or fraudulently registered numbers, where possession of the SIM alone currently proves identity.

New Regulations for Financial Institutions

These updated requirements, outlined in a decree approved on April 20 by the Agency for Regulation and Development of the Financial Market (ARDFM), apply to banks, insurance companies, and other financial organizations operating with digital systems. The decree introduces unified standards covering everything from reporting hacking attempts to data storage protocols.

Leadership Accountability for Security

A key change places direct information security responsibility on the top executive of each financial institution. Leaders are now required to approve data protection policies, and new employees must familiarize themselves with and sign off on these security requirements within five working days of hiring.

Enhanced Third-Party Security

Cybersecurity mandates now extend to contractors, consultants, and technical partners who may access financial organizations' systems or data. These regulations must be incorporated into all relevant contracts.

Mandatory Incident Reporting

Banks and insurance companies are obligated to promptly report cyber incidents to the ARDFM. This includes unauthorized system access, DDoS attacks, malware infections, and issues with customer identification or fraudulent money transfers. Any event causing a digital system outage exceeding one hour must also be disclosed.

Data Transmission and Protection

Organizations must transmit information via the automated system of the authorized body (ASOI). If ASOI is unavailable, companies must notify the regulator by phone and follow up with an official letter. All external telecommunication links used by financial institutions must be encrypted; sending data over open (unencrypted) channels is treated as a violation.

Secure Communication Channels

Email services, including correspondence with government bodies and clients, must be hosted exclusively within Kazakhstan. Additionally, organizations are required to implement SPF, DKIM, and DMARC protection mechanisms to prevent sender spoofing and phishing attacks.
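The SPF, DKIM and DMARC requirement is only as good as the records actually published. The checker below, added here as an illustration and not part of the decree or of any bank's tooling, parses the three DNS TXT records for a domain and flags the settings that still let a spoofed sender through: an SPF record ending in `+all` or `?all`, a DKIM selector with an empty `p=` key, and a DMARC policy of `p=none` or without a reporting address. The domain names and record contents are constructed samples, and the DKIM key is a placeholder rather than a real public key.

```python
"""Spot weak sender-authentication records (SPF / DKIM / DMARC).

Added example: the domains and TXT records below are invented for
illustration; in practice the records come from DNS lookups.
"""


def _tags(txt):
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 keys contain '=' padding
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(txt):
    """Return (mechanisms, qualifier of the 'all' term) or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?").lower()
        if body == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def assess_domain(spf=None, dkim=None, dmarc=None):
    """Return a list of findings; an empty list means no spoofing gap found."""
    findings = []

    parsed_spf = parse_spf(spf) if spf else None
    if parsed_spf is None:
        findings.append("SPF: no record, any host may send as this domain")
    elif parsed_spf[1] in (None, "+", "?"):
        # Without '-all' (or at least '~all') unlisted senders are not failed.
        findings.append(f"SPF: unlisted senders are not failed (all qualifier {parsed_spf[1]!r})")

    dkim_tags = _tags(dkim) if dkim else None
    if dkim_tags is None:
        findings.append("DKIM: no selector record, outgoing mail cannot be signed")
    elif not dkim_tags.get("p"):
        # RFC 6376: an empty p= tag means the key has been revoked.
        findings.append("DKIM: empty p= tag, the signing key is revoked")

    dmarc_tags = _tags(dmarc) if dmarc and dmarc.lower().startswith("v=dmarc1") else None
    if dmarc_tags is None:
        findings.append("DMARC: no record, receivers will not enforce SPF/DKIM alignment")
    else:
        if dmarc_tags.get("p", "none").lower() not in ("quarantine", "reject"):
            findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
        if dmarc_tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc_tags['pct']} applies the policy to only part of the mail")
        if "rua" not in dmarc_tags:
            findings.append("DMARC: no rua= address, spoofing attempts go unreported")
    return findings


# Constructed sample records (hypothetical domains; DKIM key is a placeholder).
SAMPLE_DNS = {
    "weak-bank.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example +all",
        "dkim": None,
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened-bank.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
        "dkim": "v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@hardened-bank.example; adkim=s; aspf=s",
    },
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DNS.items():
        print(domain, assess_domain(**records) or ["ok"])
```

Run against the two constructed domains, the weak one yields four findings (permissive SPF, no DKIM, monitoring-only DMARC, no report address) and the hardened one none. To check a live domain, feed the output of a TXT lookup for the apex, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` into `assess_domain`.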

Employee and Server Requirements

The decree prohibits granting local administrator rights to employees without valid justification. Antivirus systems or software integrity monitoring tools must be installed on all servers, workstations, and laptops, with users unable to disable these protections independently.

Cloud Services and Data Centers

If financial institutions utilize third-party data centers or cloud services, they must ensure these providers prevent unauthorized access to personal data, banking secrets, and other protected information.

New Customer Login Experience

For customers, the most noticeable change will be the new access procedure for digital services. Any login to mobile banking or a personal account will require at least two independent authentication factors, drawn from different categories: something the user knows (a password or security question), something the user has (a physical device or cryptographic key), and something the user is (biometric data).

Login Activity Logging

Financial institutions must log all login attempts, both successful and unsuccessful, including IP addresses, security settings, and changes to accounts or access rights. This data must be readily available for at least three months and archived for at least one year.
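What a record satisfying that logging requirement looks like, and how the two retention periods translate into storage tiers, is shown in the example below. It is added here for illustration and is not code from the decree or from any institution; the JSON-lines format, the 92-day and 366-day cut-offs (the decree says only "three months" and "one year") and the sample events are assumptions.

```python
"""Login audit records with online / archive retention tiers.

Added example: the record layout, day counts and sample events are
constructed for illustration, not taken from the decree.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed day counts for the decree's "at least three months" online and
# "at least one year" archived requirement.
ONLINE_RETENTION = timedelta(days=92)
ARCHIVE_RETENTION = timedelta(days=366)


def login_record(ts, user_id, src_ip, success, factors, changes=()):
    """One audit record: every attempt, successful or not, with the source
    IP, the factors presented and any account / access-rights changes made."""
    return {
        "ts": ts.astimezone(timezone.utc).isoformat(),
        "event": "login",
        "user": user_id,
        "src_ip": src_ip,
        "result": "success" if success else "failure",
        "factors": list(factors),
        "changes": list(changes),
    }


def to_jsonl(records):
    """Serialise records one per line; sort_keys keeps the log diff-friendly."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def from_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def retention_tier(record, now):
    """'online' while readily available, 'archive' until the year is up,
    then 'expired' (eligible for deletion under the institution's policy)."""
    age = now - datetime.fromisoformat(record["ts"])
    if age <= ONLINE_RETENTION:
        return "online"
    if age <= ARCHIVE_RETENTION:
        return "archive"
    return "expired"


def failed_logins_by_ip(records, now):
    """Failed attempts per source IP, restricted to the online window so the
    query runs only over the data the decree requires to be readily available."""
    return Counter(
        r["src_ip"]
        for r in records
        if r["result"] == "failure" and retention_tier(r, now) == "online"
    )


# Constructed sample events relative to a fixed "now" (hypothetical users / IPs).
NOW = datetime(2025, 7, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    login_record(NOW - timedelta(minutes=5), "u-1001", "198.51.100.7", False, ["password"]),
    login_record(NOW - timedelta(minutes=4), "u-1001", "198.51.100.7", False, ["password"]),
    login_record(NOW - timedelta(minutes=3), "u-1001", "198.51.100.7", True,
                 ["password", "otp"], ["phone_number_changed"]),
    login_record(NOW - timedelta(days=120), "u-2002", "203.0.113.9", False, ["password"]),
    login_record(NOW - timedelta(days=400), "u-3003", "203.0.113.9", True, ["password", "biometric"]),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(retention_tier(r, NOW), json.dumps(r, sort_keys=True))
    print(dict(failed_logins_by_ip(SAMPLE_RECORDS, NOW)))
```

On the sample data the first three events are online, the 120-day-old failure has moved to archive and the 400-day-old success has aged out; the per-IP failure count therefore reports only the two recent failures from 198.51.100.7, and the phone-number change made in the successful session is kept on the same record.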

Remote Registration Enhancements

Remote identification will now involve biometric verification via facial recognition against the state database, confirmation of phone number ownership through the state mobile number database, or verification via an electronic digital signature (EDS). Simply providing a name and phone number will no longer suffice for registration.

Specific monitoring mechanisms and sanctions for non-compliance are yet to be detailed in the document. Oversight of the decree's implementation falls under the Deputy Chairman of the ARDFM.

This was reported by the Infohub.kz news agency.
