2016-06-15 | 72698

Regulation on the Activities of the National Bank of the Kyrgyz Republic as a Certification Authority for Public Keys of Electronic Digital Signatures

The National Bank of the Kyrgyz Republic issued this Regulation to establish its legal framework and operational procedures as a Certification Authority for electronic digital signatures (EDS). It mandates that all participating financial institutions and system operators utilize the Bank's EDS certificates, which are legally equivalent to handwritten signatures, while defining strict obligations for both the Center and participants regarding key management, security, liability, and certificate lifecycle events. The document further outlines precise procedures for certificate issuance, blocking, cancellation, data protection, and the Center's termination of activities to ensure reliable electronic message exchange across the republic.


Kyrgyzstan

National Bank of the Kyrgyz Republic

Date of creation: 2016-06-20

Approved by the Resolution of the Board of the National Bank of the Kyrgyz Republic dated June 15, 2016 No. 25/6

REGULATION on the Activities of the National Bank of the Kyrgyz Republic as a Certification Authority for Public Keys of Electronic Digital Signatures

Chapter 1. General Provisions

  1. The objectives of this Regulation are:
  • ensuring legal conditions for the provision of services by the National Bank of the Kyrgyz Republic (hereinafter – the National Bank) as a certification authority (hereinafter – the Center) for key certification, as well as for the Center's verification of public keys of electronic digital signatures (hereinafter – EDS);
  • ensuring legal conditions for the use of EDS in electronic message exchange processes in the Kyrgyz Republic, under which, when complied with, an EDS is recognized as equivalent to a handwritten signature.
  2. The scope of this Regulation extends to all participants using the Center's electronic digital signature key certificates in their operations.

  3. All participants undertake to recognize an electronic document bearing an EDS that serves as an equivalent of the responsible person's handwritten signature. The generation and verification of EDS must be carried out using private and public keys generated by the Center.

  4. The use of EDS when transmitting electronic messages between participants is governed by the legislation of the Kyrgyz Republic, regulatory acts of the National Bank, agreements between participants of the payment system, and other regulatory acts.

Chapter 2. Terms and Definitions

  5. The terms and definitions used in this Regulation correspond to those defined by the laws of the Kyrgyz Republic "On the Payment System of the Kyrgyz Republic" and "On Electronic Documents and Electronic Digital Signatures", as well as by regulatory acts of the National Bank.

  6. Additionally, the following terms and definitions are used in this Regulation:

    1. participant (certificate holder, certificate owner) – a legal entity to which the Center issues a signature key certificate;
    2. responsible person of the participant – an authorized representative of the participant in whose name a signature key certificate is issued and who holds the private EDS key on an individual information carrier corresponding to the public key specified in the certificate.

Chapter 3. Activities of the Center

§ 1. Legal Status and Activities of the Center

  7. The National Bank acts as a certification authority for banks and other financial-credit institutions whose activities it licenses and regulates, as well as for other participants of systems operated by the National Bank.
  8. The Center verifies public keys of EDS. Activities for verifying public keys of EDS are carried out in accordance with the legislation of the Kyrgyz Republic and regulatory acts of the National Bank.
  9. The Center confirms the ownership and authenticity of a participant's responsible person certificate within the framework defined by this Regulation.
  10. The Center ensures interaction with participants at the republican level using EDS.
  11. The Center's interaction with participants and other certification authorities is carried out in accordance with the legislation of the Kyrgyz Republic and regulatory acts of the National Bank.
  12. The Center maintains a complete list of participants' responsible persons authorized to sign electronic messages on behalf of the participant.
  13. Each participant's responsible person must undergo a registration procedure at the Center and receive an individual key information carrier with the necessary information, which will be used for signing electronic messages and verifying them.
  14. Each participant submits an application to the Center for obtaining a private key and a public signature key certificate. The application must contain reliable information about the applicant to the extent necessary for the Center to perform its duties. The Center may require the applicant to confirm the reliability of the relevant information.
  15. When issuing a signature key certificate, the Center provides the following guarantees:
  • full compliance of the information contained in the certificate with the participant's information submitted in the application;
  • compliance of the certificate with the requirements of relevant legislative acts of the Kyrgyz Republic, including the presence in the certificate of all information necessary for its reliability;
  • compliance of the private EDS key with the public key, confirmed by the Center upon certificate issuance;
  • the presence at the Center of reliable information about the certificate recipient as provided by the legislation of the Kyrgyz Republic and regulatory acts of the National Bank.

§ 2. Obligations and Liability of the Center

  16. The Center undertakes the following obligations:
  • act properly in accordance with the legislation of the Kyrgyz Republic and regulatory acts of the National Bank;
  • establish and monitor the validity period of a participant's responsible person signature key certificate;
  • notify the participant's responsible person about the expiration of the signature key certificate via an electronic message to the participant's email address;
  • notify the certificate owner within one day of all facts known to the Center that may affect the reliability of the participant's key certificate (possibility of substitution, forgery, unauthorized alteration, hacking, etc.).
  17. The Center ensures the availability of public keys necessary for the operation of payment, information, and other automated systems of the National Bank for all participants.
  18. The authenticity of a participant's public key is verified by the corresponding electronic certificate of the Center.
  19. The Center processes the issuance of paper confirmations (copies) of certificates in accordance with the legislation of the Kyrgyz Republic and regulatory acts of the National Bank.
  20. The Center is obligated to provide any system participant with the opportunity to verify that a public EDS key belongs to the certificate owner.
  21. In accordance with the legislation of the Kyrgyz Republic, the Center is obligated to verify paper copies of electronic messages signed with EDS against a public key for which the Center has issued a signature key certificate.
  22. The Center is liable for:
  • registration of the private EDS key owner and issuance of a signature key certificate in accordance with the received application;
  • issuance to the participant's responsible person of an individual carrier with a private key and a certified certificate in accordance with established procedures;
  • hardware and software support of the certificate database;
  • timely updates to the certificate database;
  • compliance with security and confidentiality conditions when working with the Center's authorized persons' private keys, compliance with their storage and usage rules;
  • intentional acts of Center staff that have resulted in changes to certificate integrity or their substitution.
  23. The extent of the Center's liability is determined in accordance with the legislation of the Kyrgyz Republic.
  24. The Center replaces a private key upon failure of the individual carrier containing it. Procedures for replacing the private key carrier are specified in regulatory documents, agreements, and contracts between participants of the payment system.
  25. The Center ensures the publication, distribution, and storage of public key certificates and lists of revoked public key certificates of all accredited subordinate certification authorities.
  26. The Center is not liable for non-performance and/or improper performance of its duties in the event of force majeure circumstances, such as: fires, accidents, natural disasters, etc., which prevent the Center from performing its duties, for the duration of such circumstances.
  27. The Center is not liable for damages resulting from reliance on an invalid or forged EDS, if the Center has fulfilled all materially important requirements regarding the invalid or forged EDS in accordance with the legislation of the Kyrgyz Republic and regulatory documents of the National Bank.

§ 3. Obligations and Liability of the Participant

  28. Upon receiving a signature key certificate issued and registered by the Center, the participant undertakes the following obligations and is liable for:
  • compliance with the legislation of the Kyrgyz Republic and regulatory acts of the National Bank;
  • reliability of the information it provided in the application for obtaining a signature key certificate;
  • lawful ownership and use of the private key corresponding to the public EDS key specified in the signature key certificate;
  • compliance with security and confidentiality conditions when working with the private key by authorized persons of the participant, compliance with their storage and usage rules;
  • ensuring information security for the normal functioning of computer programs related to electronic message exchange (antivirus support, network protection, etc.);
  • timely application to the Center for certificate extension;
  • timely notification to the Center about the dismissal of the participant's responsible person;
  • timely notification to the Center about the death of the participant's responsible person;
  • timely informing the Center about problems arising in using the private key carrier or the need for its replacement or cancellation;
  • notifying the Center within one day of all facts known to the participant that may affect the reliability of the participant's key certificate (possibility of substitution, forgery, unauthorized alteration, hacking, etc.).
  29. The participant is liable for damages resulting from a breach of information security measures related to electronic message exchange (information crimes, accidental or intentional intrusion into the system using a private key, impact of computer viruses and/or hacker attacks, etc.).

§ 4. Blocking (Cancellation) of the Signature Key Certificate

  30. The Center is obligated to immediately block (cancel) the certificate upon request of the lawful owner of the EDS key specified in the certificate, or a participant's representative duly authorized to block (cancel) based on a written statement or by the corresponding act of an authorized state body or court.
  31. The Center is obligated to cancel the signature key certificate or suspend its operation regardless of the consent of the signature key owner specified in the certificate, if the Center:
  • receives documents confirming the reorganization or liquidation of the certificate owner, being a legal entity, or other evidence of its reorganization or liquidation;
  • receives documents confirming the dismissal of the participant's responsible person;
  • receives documents confirming the death of the participant's responsible person;
  • receives court rulings that have entered into legal force;
  • receives documents of the National Bank (Board Resolution, Supervision Committee Resolution) confirming a change in the powers of the signature key certificate owner;
  • establishes non-performance or improper performance by the certificate owner of its obligations provided for by the Law of the Kyrgyz Republic "On Electronic Documents and Electronic Digital Signatures".
  32. The Center is obligated to promptly notify the key owner specified in the certificate after the blocking (cancellation) of the signature key certificate takes effect.
  33. The Center is obligated to update the public key certificate database no later than one day after the cancellation of the signature key certificate.
  34. The Center suspends the performance of obligations provided for in paragraph 16 of this Regulation with respect to the given participant during the period of blocking the operation of the participant's signature key certificate.

§ 5. Termination of Center Activities

  35. The termination of the Center's activities is carried out in accordance with the legislation of the Kyrgyz Republic.
  36. Upon making a decision to terminate activities regarding the verification of public EDS keys, the Center is obligated to inform all owners of signature key certificates issued by the Center about this decision at least one month in advance.
  37. Upon making a decision to terminate activities, signature key certificates issued by the Center are blocked (cancelled) in accordance with the legislation of the Kyrgyz Republic and regulatory acts of the National Bank.

§ 6. Protection of Personal Data and Information Storage

  38. The Center ensures the confidentiality of identification personal data of the certificate owner contained in documents submitted by the applicant, in accordance with the requirements of the legislation of the Kyrgyz Republic and regulatory acts of the National Bank.
  39. Disclosure of personal data of signature key certificate owners by the Center is permitted only with the consent of the certificate owners or in accordance with the legislation of the Kyrgyz Republic.
  40. The Center is obligated to store all active and blocked signature key certificates of participants.
  41. The storage period for signature key certificates at the Center is established by the legislation of the Kyrgyz Republic.
