LogoRegulatory Alerts
2020-05-13 | 121851

Procedure for Remote Identification and Verification of Clients

The National Bank of the Kyrgyz Republic issued this regulation to establish mandatory procedures for commercial banks to remotely identify and verify Kyrgyz citizens and individual entrepreneurs without physical presence. The document mandates strict internal controls, risk management protocols, and specific technical requirements for photo-matching and video-verification processes to prevent fraud and money laundering. It further requires banks to ensure accessibility for persons with disabilities, maintain secure data storage, and utilize accurate biometric algorithms subject to regular auditing.

National Bank of the Kyrgyz Republic logo

Kyrgyzstan

National Bank of the Kyrgyz Republic

Click to view thumbnail

Return to previous page

Print version

Date of creation: 2024-10-08

Appendix

to the Resolution of the Board of the National Bank of the Kyrgyz Republic

of May 13, 2020 No. 2020-P-12/27-1-(NPA)

PROCEDURE

for identification and verification of clients in remote mode

(In the edition of the Resolutions of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1, December 8, 2023 No. 2023-P-12/76-1, December 20, 2023 No. 2023-P-12/80-3, February 28, 2024 No. 2024-P-12/8-4, September 25, 2024 No. 2024-P-12/46-3)

Chapter 1. General Provisions

  1. This Procedure for identification and verification of clients in remote mode (hereinafter - the Procedure) defines the procedure for banks to conduct identification and verification of individuals - citizens of the Kyrgyz Republic, including citizens of the Kyrgyz Republic engaged in entrepreneurial activity as individual entrepreneurs (hereinafter - clients), using client data obtained in electronic form without personal presence.

The requirements of this Procedure apply to commercial banks conducting operations in accordance with Islamic principles of banking and financing, including within the framework of the "Islamic window", taking into account the specifics of their activities and terminology applied by them in carrying out banking operations.

(In the edition of the Resolutions of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1, December 20, 2023 No. 2023-P-12/80-3)

  1. This Procedure does not apply to clients for whom the customer due diligence procedure has already been conducted and who are already being served by the bank.

  2. This Procedure may be used for additional confirmation of the identity of an individual when remotely providing access to remote banking systems to clients who have previously undergone identification in person.

In this case, banks must use reliable access provision algorithms, including the application of appropriate client identification and verification technologies via video communication and determining measures against unauthorized access on behalf of the client.

  1. When identifying and verifying clients in remote mode, banks must:

  • ensure an adequate internal control system, including a description of procedures related to the application of new technologies (new banking products) involving client identification without personal presence, the presence of internal regulatory documents on risk management, including measures for managing operational risk, terrorism financing risk and legalization (money laundering) of criminal proceeds (hereinafter - AML/CFT), compliance risk;

  • train personnel responsible for client identification and verification and AML/CFT risk management on the aforementioned procedures and proper application of this Procedure;

  • use information systems and software sufficient to comply with the requirements of this Procedure;

  • disclose information about the conditions and requirements for remote identification (on their official website or via the software used);

  • verify client data using information from relevant state registration systems of the Kyrgyz Republic;

  • record the results of client identification and verification and maintain a registry of clients who have undergone remote identification;

  • take measures to limit AML/CFT risks for clients identified in remote mode in accordance with the minimum requirements of Appendix 1 to this Procedure;

  • identify and document AML/CFT risks before launching remote identification and verification procedures, taking the requirements of this Procedure as a basis; banks have the right to introduce additional criteria for risk limitation.

  1. Banks are obliged to inform the client about the verification of basic personal data through state information systems or available data sources and about the consequences of providing incomplete information and unreliable data during remote identification and verification.

5-1. When using software for remote identification and verification of clients, the bank must send a corresponding notification with a full description of the software and methods for remote identification and verification of clients, in accordance with the requirements of the Procedure, as well as the internal document approved by the Board of Directors on AML/CFT risk analysis in accordance with the legislation of the Kyrgyz Republic, to the National Bank.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of February 28, 2024 No. 2024-P-12/8-4)

5-2. In order to ensure accessibility and equal opportunities for all clients, including persons with disabilities (hereinafter - persons with disabilities), the bank's website, mobile application, or specialized software must have functionality that allows remote identification and verification for this category of clients.

The functionality must comply with applicable legislative acts and norms, guarantee a high level of security, and also ensure simplicity and clarity of the identification process for users - persons with disabilities. The bank is obliged to provide appropriate instructions and guidelines for users, as well as to carry out regular monitoring and updating of the remote identification system, taking into account feedback from clients - persons with disabilities, in order to continuously improve the accessibility and convenience of the services provided.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 8, 2023 No. 2023-P-12/76-1)

Chapter 2. Remote identification and verification by photo matching

  1. Before starting identification, the bank must register the client in its own information systems via electronic interaction channels (website, mobile application, specialized software, messengers, etc.) indicating the client's phone number, tax identification number for a client who is an individual entrepreneur, and data for filling out the client questionnaire.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. The bank also verifies the mobile phone number specified by the client by sending codes, passwords in an SMS message to the mobile phone number specified by the client or by other means during client registration.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. During identification, the bank must receive a photo of the front and back (reverse) sides of the identity document, and a photo of the client with the document via electronic interaction channels in accordance with the bank's established requirements.

  2. If the quality of the photos does not allow clearly determining that the photos belong to the same person, the bank may send an additional request to the client to obtain photos.

  3. The bank conducts a check of the client for the presence or absence in sanction lists and lists of persons, groups and organizations regarding which there is information about their participation in the legalization (money laundering) of criminal proceeds.

  4. The identity document must be verified for authenticity by requesting or sending document data for verification to relevant state information systems.

11-1. Verification of data on the tax registration of a client - an individual entrepreneur must be carried out by requesting and/or checking data from the corresponding information system of the tax service.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. If the data obtained from the client, as well as the client's photos, correspond to the image on the identity document, the bank sends a notification of successful identification and verification.

  2. Information received about the client is recorded in the client questionnaire, stored electronically with a mark of remote identification by photo matching.

  3. The bank has the right to use software solutions that will ensure compliance with the conditions and procedures provided for in this Procedure and the legislation of the Kyrgyz Republic in automatic mode. Such software must at least ensure automatic comparison of the photo in the identity document and the client's image, and also provide protection against data spoofing.

Chapter 3. Remote identification and verification using video communication

§ 1. Organization of identification and verification via video communication

  1. Before conducting a video communication session, the bank must register the client in its own information systems via electronic interaction channels (website, mobile application, specialized software, messengers, etc.) indicating the client's phone number, the tax identification number of the client individual entrepreneur, and data for filling out the client questionnaire.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. The bank also verifies the mobile phone number (registered on the territory of the Kyrgyz Republic) specified by the client by sending information via a communication channel independent of that used for registration (by sending codes, passwords in an SMS message to the mobile phone number specified by the client or by other means).

  2. The bank conducts a check of the client for the presence or absence in sanction lists and lists of persons, groups and organizations regarding which there is information about their participation in the legalization (money laundering) of criminal proceeds.

  3. For the purpose of identification via video communication and verification of the client, the bank requests data about the client from relevant state registration systems.

18-1. Verification of data on the tax registration of a client - an individual entrepreneur must be carried out by requesting and/or checking data from the corresponding information system of the tax service.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. It is permissible to receive photos of the identity document and a photo of the client in a pre-agreed manner with verification by requesting or sending document data for verification to relevant state information systems.

  2. For the purpose of identification using video communication, the bank may use its own software or software provided by third parties, which will ensure compliance with the conditions and procedures provided for in this Procedure and the legislation of the Kyrgyz Republic. In this case, remote identification using video communication must be conducted by a bank employee and/or using information systems, technologies, algorithms, software in accordance with the requirements of the Procedure.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. If the data obtained from the client, as well as photos and video recording, allow identifying and verifying the client, the bank must send a notification to the client about successful identification and verification.

  2. Information received about the client is recorded in the client questionnaire and stored electronically with a mark of remote identification and verification using video communication.

§ 2. Requirements for video image

  1. The video communication session must be performed in real-time without interruptions. Video and audio streams must be synchronized. The image must be in color.

  2. During the communication session, the client's face and shoulders must be clearly visible. The client's face must be fully open; wearing sunglasses or other accessories covering the face is not allowed, as well as shadows falling on the client's face.

  3. A bank employee may instruct the client on how to ensure image quality corresponding to the requirements of this Procedure.

  4. During the video communication session, the client must be in a sufficiently lit room.

  5. Participation of third parties in the identification process is not allowed, except in cases where the client requires assistance from a third party due to limited health capabilities.

§ 3. Requirements for the video communication session

(Name of paragraph in the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. During the video communication session, a bank employee who has undergone appropriate training on remote client identification must conduct an interview with the client, or the client must perform actions according to the algorithm embedded in the software, in the case of client identification without the participation of a bank employee.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. When conducting a client interview by a bank employee, the bank employee must introduce themselves, stating their first name, last name, position, and the name of the bank.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. During the video communication session, the bank must take a photo of the client's face and their identity document in one frame; this photo must be stored together with the video recording.

  2. If the quality of the video image or sound does not allow successful identification, and there is a probability of risk occurrence, or any doubts arise regarding the client's identity document, the bank must take measures to eliminate obstacles, or with indication of reasons, terminate the video communication session.

  3. The bank must develop a corresponding questionnaire for conducting an interview or an algorithm of client actions to obtain or verify information necessary for entering into the client questionnaire, as well as to reduce the risk of providing a pre-prepared video recording or carrying out other manipulations with the video image.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. During the interview, the bank employee must not use the same sequence of questions.

Chapter 4. Recognition of client identification as unsuccessful

  1. Client identification in remote service is recognized as unsuccessful in the following cases:

  • information provided by the client cannot be verified or the verification results are negative;

  • if the quality of photos, video, and audio does not meet the requirements and internal control rules of the bank;

  • failure to provide necessary documents;

  • non-compliance with the requirements and instructions of the bank established in internal regulatory documents;

  • if the client, during identification via video communication, uses the help of a third party, except for cases provided for in this Procedure;

  • if there are suspicions that the client is acting not by their own will and/or under pressure from other persons;

  • in the presence of signs that the identification was initiated for the purpose of financing terrorist activities and legalization (money laundering) of criminal proceeds.

Chapter 4-1. Remote identification and verification of clients - individual entrepreneurs

(Chapter

in the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of February 28, 2024 No. 2024-P-12/8-4)

34-1. Remote identification and verification of clients - citizens of the Kyrgyz Republic engaged in entrepreneurial activity as individual entrepreneurs, via state information systems, is equated to identification and verification via video communication.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of February 28, 2024 No. 2024-P-12/8-4)

34-2. The maximum balance for clients - citizens of the Kyrgyz Republic engaged in entrepreneurial activity as individual entrepreneurs, identified and verified in remote mode, must comply with the requirements of Table 6-1 of Appendix 1 to this Procedure.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of February 28, 2024 No. 2024-P-12/8-4)

Chapter 5. Requirements for information and telecommunication technologies and information storage

  1. Banks must use information systems and methods that ensure protection against unauthorized access by third parties to the procedure and results of identification.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. Banks must use software that ensures end-to-end encryption of the video communication session and the photo transmission channel.

  2. Photos, video, and audio recordings must be transparent and of high quality, and must be inaccessible for use by unauthorized persons.

  3. Photos, video, and audio recordings must be stored in the initially set quality determined in the bank's remote identification system. Technical requirements for quality are determined by the bank independently and fixed in the bank's internal documents.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. The photo and video recording file must also contain information about the time and date of recording, the client's first name, last name, patronymic, as well as other metadata. Software must record any changes made to the video subsequently.

  2. The video communication session recording, as well as the client's photo, must be stored by the bank in the client's file together with other information provided for by legal acts, for the purpose of countering AML/CFT.

  3. During the business relationship, the bank updates data in the manner established by legal acts for the purpose of countering AML/CFT.

  4. When checking the client's identity using artificial intelligence, machine learning, or other forms of predictive algorithms for processing biometric data, the bank must ensure the accuracy of determining genuine and fake cases of client identification and verification in accordance with the requirements of Chapters 4 and 5 of this Procedure.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. The bank must ensure proper control over the preservation of confidential information about clients obtained as a result of the remote identification procedure, by continuously improving internal control processes, improving mechanisms and requirements for information security of its information resources.

  2. Client identification software or information systems, corresponding technologies, algorithms for client identification must contain a "one-to-one" identification algorithm for comparing the image from the video stream with already known photos in identity documents and state databases. Comparison of client images must be carried out using tools that determine the identity of individual fragments, elements of the face image with unique parameters obtained from the video stream with similar elements present in images from identity documents, including those obtained from state databases. Identification algorithms must take into account the possibility of checking for the sign of a living person to exclude video stream spoofing.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. The implementation of client identification software must be accompanied by testing to determine the level of accuracy of algorithms used in the software, processing of biometric data. If the amount of data for determining the accuracy of the decision at the initial stage of deployment is limited, the bank must establish additional security measures, especially for products that pose a higher risk, or set a limit for all products related to inaccurate identification and verification of clients.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. When applying software for remote identification and verification of clients, the bank must use an appropriate combination of authentication factors when establishing measures to check the client's identity to a degree commensurate with the risks associated with inaccurate identification and verification of clients. The acceptable level of accuracy of used biometric data processing algorithms is determined by the bank in accordance with possible AML/CFT risks and internal restrictions on operations.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. An internal regulatory document providing for risk thresholds and the acceptable level of accuracy of the bank's application of remote identification and verification of clients using software for processing biometric data must be approved by the corresponding committee and approved by the bank's Board of Directors.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. Software for processing biometric data applied by the bank for remote identification and verification of clients must be subject to verification by the Bank with a frequency of at least once every six months to maintain an acceptable level of accuracy of used biometric data processing algorithms. At the same time, the results of the biometric data processing system assessment must be confirmed within the periodic external audit of the bank's information systems.

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

  1. The use of software for processing biometric data must cover the verification of client biometric data with government agency databases, and must also ensure the presence of fraud detection mechanisms (spoofing of biometric data).

(In the edition of the Resolution of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1)

Appendix 1

to the Procedure for identification and verification of clients in remote mode

(In the edition of the Resolutions of the Board of the National Bank of the Kyrgyz Republic of December 15, 2021 No. 2021-P-12/70-1, February 28, 2024 No. 2024-P-12/8-4, September 25, 2024 No. 2024-P-12/46-3)

  1. Measures to reduce risks by methods of client identification and verification in remote mode

Table 1. List of risks and measures to minimize them during remote identification and verification by photo matching

Risks

Mitigation measures

Data forgery (providing data of another person)

The bank checks the match of the client's image with the photo obtained from state information systems. Requirements are established for the quality of the photo of the identity document, the client's photo

Presentation of outdated (irrelevant) data

Data is verified based on the primary (original) source of data - the database of state information systems

Identification under pressure from third parties (under duress)

Remote customer due diligence measures allow access only to products and services with limited functionality. Continuous monitoring of client operations is carried out to confirm compliance with the risk profile

Table 2. List of risks and measures to minimize them during remote identification and verification using video communication

Risks

Risk minimization measures

Data forgery (providing data of another person)

The bank checks the match of the client's image with the photo obtained from state information systems. Requirements are established for the quality of the video image

Presentation of outdated (irrelevant) data

Data is verified based on the primary (original) source of data - the database of state information systems

Identification under pressure from third parties (under duress)

Requirements are established for video communication (prohibition on the participation of third parties in the procedure). Remote customer due diligence measures allow access only to products and services with limited functionality. Continuous monitoring of client operations is carried out to confirm compliance with the risk profile

  1. List
Share