Starting July 12, 2026, financial institutions in Kazakhstan will be required to verify clients against the state biometric database, El.kz reports, citing the Agency for Regulation and Development of the Financial Market.
Why the new rules were introduced
The resolution, dated April 20, 2026, applies to all banks, insurance companies, microfinance organizations, and other financial market participants. Its primary goal is to bind a phone number firmly to the identity of its owner, so that the device and the person are treated as a single entity in the digital world. This is not just a formality: the regulator is effectively acknowledging that the old identification methods exposed the public to too much risk.
How to Register in the App Now
New client registration will become a two-step process. First, the bank will verify your face against the state biometric database. Then it will confirm, using the mobile number database, that the phone number you provided is actually registered to you.
Without both steps, opening an account or gaining access to the app will be impossible. The procedure will take longer, but it will be significantly more secure.
App Login
Starting July 12, logging in to a mobile banking app from an external connection will require at least two different factors to confirm identity. This could be a password plus a fingerprint, or a one-time code combined with a face scan.
Banks are required to encrypt all external connections; unencrypted data transmission channels are no longer permitted. In addition, employees' work devices must run antivirus software that users cannot disable themselves.
Strict Internal Security Requirements for Banks
The chief executive of a financial organization is now personally liable for information security. In the event of a major hack or data leak, they will be the first to answer for it.
New employees are given only five working days to study the internal cybersecurity rules, and they will not be granted system access until they have signed the acknowledgement logbook. Local administrator rights will now be granted only when strictly necessary and only to the job roles that require them.
Mandatory Notification of Any Attacks
Banks and insurers must immediately report serious incidents to the regulator, ranging from DDoS attacks to unauthorized money transfers. An app outage lasting more than one hour must also be reported.
Reports are submitted through an automated system. If that system is unavailable, the institution must report by phone and follow up with an official paper letter. Banks must now retain logs of logins and configuration changes for at least three months in online storage and for no less than a year in the archive.
The new rules take effect this summer. For clients, this means slightly more complex but significantly better protected access to their money. Banks, meanwhile, get clear and uniform rules of the game, and breaking them will become very costly.