2025-07-28

Instruction No. 201 on Remote Banking Services

The National Bank of Tajikistan issued Instruction No. 201 to establish comprehensive requirements for credit organizations providing remote banking services across digital channels. The regulation mandates multi-factor authentication, robust information security programs, and specific minimum security standards for ATMs, internet banking, and mobile applications to mitigate fraud and unauthorized access. Furthermore, it requires continuous risk monitoring, quarterly fraud reporting, standardized client awareness programs, and clear contractual frameworks to ensure service continuity and effective dispute resolution.


Tajikistan

National Bank of Tajikistan

"Registered" by the Ministry of Justice of the Republic of Tajikistan; "Approved" by the National Bank of Tajikistan.

Registered on 20 November 2013, No. 721; approved by Resolution of the Board dated 26 September 2013, No. 235.

Amendments and additions: registered on 18 July 2025, No. 7211; approved by Resolution of the Board dated 30 June 2025, No. 88.

Instruction No. 201 "On Remote Banking Services"

The "Instruction on Remote Banking Services" (hereinafter, the Instruction) is developed in accordance with Article 3 of the Law of the Republic of Tajikistan "On Banking Activity" and establishes the procedure for credit organizations to provide remote banking services.

Chapter 1. General Provisions

  1. The following terms are used in this Instruction:
  • remote banking services – banking services provided to clients using electronic, software, technical, and telecommunications means without visiting a credit organization (Resolution of the Board of NBT dated 30.06.2025, No. 88);
  • client – an individual or legal entity that has entered into a banking service agreement or an agreement on the provision of remote banking services with a credit organization;
  • identification – a procedure by which an applicant with an individual and unique identifier, registered in the information system, is identified and confirmed. To perform the identification procedure, a corresponding identifier must be pre-assigned to the client in the information system (i.e., the client must be registered in the information system);
  • authentication – a procedure enabling a credit organization to determine and verify the identity of a payment service user and check the rights for lawful use of an electronic payment instrument, including the use of personal protected data (Resolution of the Board of NBT dated 30.06.2025, No. 88);
  • personal identification number (PIN) – a personal code assigned by the issuer to the holder of a bank payment card (hereinafter, card) for identification purposes when carrying out operations using cards;
  • information system – a set of technical means, software, and organizational support for providing remote banking services;
  • internet browser – software for viewing websites;
  • customer account (account) – a set of client data in the credit organization's information system, necessary to verify their identity and provide access to their personal data and settings (Resolution of the Board of NBT dated 30.06.2025, No. 88).

  2. Remote banking services are provided remotely via communication channels using personal computers, phones, ATMs, electronic terminals, including automated self-service terminals, and other methods not contradicting the legislation of the Republic of Tajikistan.

2.1. Credit organizations must provide remote banking services in accordance with the requirements of Tajikistan's legislation on combating money laundering, terrorist financing, and proliferation financing (Resolution of the Board of NBT dated 30.06.2025, No. 88).

Chapter 2. Control in Credit Organizations when Providing Remote Banking Services

  1. Credit organizations are responsible for developing a strategy for implementing remote banking services and must ensure effective control over the provision of these services. To this end, credit organizations must:
  • develop and approve internal regulatory documents defining the procedure and conditions for providing remote banking services;
  • make corresponding amendments to the information security policy in connection with the provision of remote banking services.

3.1. When providing remote banking services, credit organizations must use a multi-factor authentication procedure. According to this procedure, the user must provide at least two independent factors from the following groups:

  • information known only to the client (e.g., password, PIN, one-time password, secret word);
  • a device or instrument in the client's possession (e.g., PC, mobile phone, bank payment card, token, or other electronic information carrier);
  • the client's biometric data (e.g., face recognition, fingerprints, voice, iris) (Resolution of the Board of NBT dated 30.06.2025, No. 88).

Chapter 3. Risk Management and Internal Control

  1. Credit organizations must control the execution and improvement of existing risk management policies arising from providing remote banking services, in accordance with the NBT regulatory act on requirements for risk management and internal control systems in credit organizations.
  2. Credit organizations must develop and implement a comprehensive information security program for remote banking services.
  3. The information security program for remote banking services must contain at least the following aspects:
  • identification and assessment of risks related to providing remote banking services;
  • definition of risk mitigation measures, including the application of appropriate client identification technologies and internal control standards;
  • definition of measures to protect client information from unauthorized access and ensure the integrity of such information;
  • assessment of measures for informing clients.
  1. Credit organizations must, as necessary, adjust and update their information security program in accordance with any changes in remote banking service technology, upon detection of vulnerabilities in information systems, and when external or internal threats to the confidentiality and integrity of information arise.
  2. Credit organizations must guarantee that necessary information security and internal control measures are established, updated, monitored, and assessed for potential risks when providing remote banking services.
  3. To protect clients from fraud, theft, and other offenses related to remote banking services, credit organizations must implement the following minimum security requirements:
  1. for ATMs and self-service terminals (hereinafter, terminals):
  • install ATMs and terminals in visible locations;
  • ensure sufficient lighting around ATMs and terminals;
  • ATMs must be equipped with video surveillance and photo cameras recording user actions, with recordings and photos stored by the credit organization for at least 45 days (Resolution of the Board of NBT dated 30.06.2025, No. 88);
  • inform clients about possible risks associated with using ATMs and terminals, as well as precautionary measures;
  • conduct security checks at ATM/terminal locations at least twice a year and document the results (Resolution of the Board of NBT dated 30.06.2025, No. 88);
  • organize support centers (call centers) and ensure their daily, continuous operation;
  • place on the ATM or terminal an indicator of ownership by the credit organization, logos of payment systems whose cards are accepted, contact phone numbers, and phone numbers of the nearest police station for emergency contacts.
  1. for Internet banking:
  • use of an on-screen keyboard;
  • use of secure network protocols;
  • application of mechanisms to prevent fraudulent substitution of Internet banking server web pages;
  • use of multi-factor authentication (Resolution of the Board of NBT dated 30.06.2025, No. 88);
  • application of a policy providing for the use of complex passwords and their regular change;
  • use of a mechanism to prevent automatic password guessing;
  • use of a session blocking mechanism with the Internet banking server when the user is inactive beyond a set time interval.
  1. for mobile applications (mobile banking and electronic wallets):
  • allow access to the client account simultaneously from only one registered device;
  • stop login attempts to the client account from new or unknown devices and notify the client via instant notification (SMS alert and/or email);
  • changing registered equipment and/or passwords/codes for the client account must be carried out using multi-factor authentication or by contacting the credit organization with a valid ID document;
  • all outgoing transactions in the mobile application must be carried out using multi-factor authentication, except for payments for state services, payments via unified QR-code in trade and service enterprises up to 80 (eighty) calculation indicators per day, payments for goods and services via Internet that do not have the character of cross-border money transfers up to 20 (twenty) calculation indicators per day, online transfers to physical persons within the credit organization up to 20 (twenty) calculation indicators per day, and transfers to clients of other credit organizations in the Republic of Tajikistan up to 2 (two) calculation indicators per day, transfers to clients' personal accounts, and loan repayments in credit organizations;
  • for attaching bank payment cards to mobile applications, secure online payment protocols (e.g., 3D Secure) implemented by the issuing credit organization must be used (Resolution of the Board of NBT dated 30.06.2025, No. 88).
  1. Credit organizations must continuously study illegal actions arising from providing remote banking services (Resolution of the Board of NBT dated 30.06.2025, No. 88).
  2. Credit organizations must submit quarterly reports in the form established by NBT to the National Bank of Tajikistan regarding offenses and fraud cases when providing remote banking services (Resolution of the Board of NBT dated 30.06.2025, No. 88).
  3. Credit organizations must track the implementation of new security standards and proven practices, keeping abreast of modern information technologies and innovations in information protection.
  4. To ensure identification of their clients using remote banking services, credit organizations must apply methods corresponding to possible risks. The application of appropriate identification methods must be determined during risk assessment. Used methods must consider the following aspects: type of remote banking service systems (informational or operational), system varieties (ATM-banking, client-bank systems, internet banking, mobile banking, etc.), client status (legal or physical), type of operations permitted by the system, volume and number of operations.
  5. Credit organizations must track, assess, and implement new client identification technologies, and depending on the type of operation and access level, ensure corresponding changes to the client identification system based on existing risk factors. If risk assessment determines an insufficient security level when using single-factor identification measures (e.g., password/code), credit organizations should use multi-factor identification measures (e.g., password/code/one-time code, card number and PIN).
  6. To reduce possible risks, credit organizations may apply a multi-level security system (e.g., service from a specific IP address, service time interval, and others).
  7. Repealed (Resolution of the Board of NBT dated 30.06.2025, No. 88).

Chapter 4. Monitoring System and Operation Assessment

  1. Credit organizations must have a monitoring system when providing remote banking services, enabling the detection of unauthorized and suspicious actions in information systems and client accounts (Resolution of the Board of NBT dated 30.06.2025, No. 88).
  2. To determine unauthorized actions, detect intrusions into the information system, restore events, and track the progress of information security breaches, credit organizations must maintain registration logs.
  3. Credit organizations must immediately suspend access to the client's bank account upon detection of unauthorized access or unauthorized actions.
  4. To ensure control and management of information system security, an independent body (i.e., internal or external audit) must analyze reports reflecting the actions of the security administrator.
  5. When managing systems or processes related to providing remote banking services by a third party, such party must ensure compliance with the security requirements imposed on credit organizations under this Instruction.

Chapter 5. Client Awareness Program and Service Accessibility

  1. Credit organizations must provide their clients with a minimum awareness program to ensure security when carrying out operations within remote banking services and protecting personal data, as set forth in Appendix No. 1 of this Instruction.
  2. Credit organizations should develop effective communication methods with clients to convey security information. For this purpose, multiple channels may be used (e.g., bank website, SMS alerts to the client's mobile phone, messages on bank statements, brochures, as well as direct communication with clients during in-branch service).
  3. Credit organizations must implement and regularly evaluate client awareness programs and ensure the necessary level of client trust when providing remote banking services.
  4. To minimize risks when providing remote banking services, credit organizations must provide clients with information about the rights and obligations of both parties and take necessary measures to ensure the security of client personal data and protect their rights.
  5. Credit organizations must have effective capacity to ensure business continuity (e.g., service availability 24 hours a day, 7 days a week (24/7)). Credit organizations must develop and maintain an up-to-date interaction strategy and effective incident response mechanism related to unforeseen circumstances.
  6. When carrying out banking operations via remote banking services, credit organizations must apply the same document processing procedures and storage conditions as those provided for paper-based banking operations.

Chapter 6. Contractual Relations between Credit Organization and Client

  1. Remote banking services are provided based on a banking service agreement, which specifies the conditions for providing remote banking services and must contain at least the following data:
  • list of banking operations that may be carried out via remote banking services;
  • methods for providing and accessing remote banking services (via Internet, communication lines, telephone, personal computer, and other devices);
  • rights and obligations of the client and credit organization when providing remote banking services;
  • security procedures, including authentication order and confirmation of the client's rights to use remote banking services;
  • liability of both parties for non-performance of obligations arising from providing remote banking services by the credit organization;
  • grounds for suspension and termination of remote banking services by the credit organization;
  • methods for notifying clients about changes to the agreement terms;
  • methods for submitting client complaints and claims, conditions for their consideration and resolution;
  • tariffs and commissions when providing remote banking services;
  • phone numbers for client service.

Chapter 7. Claim Resolution

  1. Upon receiving claims from clients regarding unauthorized bank account operations, credit organizations must ensure the availability of claim registration, review, and (if necessary) investigation tools. Additionally, credit organizations must develop procedures for resolving disputed/conflicting situations related to the use of remote banking service products.

Appendix No. 1 to Instruction No. 201 "On Remote Banking Services"

Client Awareness Program when Providing Remote Banking Services

To ensure security during operations within remote banking services and protect personal data, clients must be informed of their obligations and responsibilities. The client awareness program is designed to ensure information security when providing remote banking services and contains the following:

a) secure login and password/PIN:
  • do not disclose your login, password, and PIN;
  • do not store your login, password, and PIN on the computer;
  • regularly change code, password, and PIN; do not use simple passwords like name or date of birth. Password must contain at least 6 characters, a combination of letters (upper and lower case), special symbols, and digits.

b) confidentiality of personal information:
  • do not disclose personal information such as address, mother's maiden name, phone or passport number, bank account number, or email address to untrusted persons;

c) keep records of electronic operations:
  • regularly check transaction history and statements to track errors or unauthorized account operations;
  • immediately inform the credit organization of any cases of unauthorized account use or transactions.

d) verify correctness and security of web pages:
  • before conducting any online operations or providing personal information, ensure the correct internet banking web page is used. Beware of fake web pages created for fraud;
  • verify web page security by checking Uniform Resource Locators (URLs), which must start with "https", and the internet browser status should show a secure connection icon;
  • always enter the web page URL directly into the internet browser. Avoid redirection or links to other unreliable pages;
  • where possible, use a program that automatically encrypts or encodes personal information during electronic operations;

e) protect your computer from unauthorized access and malware:
  • install a personal firewall and antivirus program;
  • monitor regular updates of the antivirus program and its constant operation;
  • do not download programs or files from untrusted sources;

f) do not leave the computer on unattended:
  • exit the site where electronic operations are conducted, even if the computer is left unattended for a short period;
  • remember to log out after conducting electronic operations;
  • clear cache memory and browsing history after logging out.

g) review the site's security policy:
  • carefully review site conditions regarding payments, transfers, account debiting/crediting, and other banking service terms;
  • before entering personal financial information on the website, carefully review the terms of use or distribution of such information.

h) mobile banking:
  • do not disclose your mobile banking PIN (MPIN) to strangers;
  • regularly change the PIN used for mobile banking;
  • do not allow others to use your mobile phone through which banking operations are conducted;
  • in case of loss or theft of the mobile phone, immediately notify the servicing credit organization.

i) other security measures:
  • do not send personal information, especially password or PIN, via email;
  • avoid using others' computers for electronic operations;
  • disable the "file sharing" function when conducting electronic banking operations;
  • contact the credit organization if any questions regarding bank account security arise.

Necessary measures to ensure safe storage of cards, their details, PIN, and other data are defined in the "Recommendations for Safe Use of Bank Payment Cards", approved by Resolution of the Board of NBT dated 26 April 2012, No. 82.