2020-12-23 | 129685

Rules for Regulating the Activities of Credit Bureaus in the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued these Rules to regulate credit bureau operations, mandating strict data security, accuracy, and transparency standards. The document defines key terminology, outlines permissible business activities, and requires credit bureaus to maintain their information systems within Kyrgyzstan while conducting regular IT audits. It further establishes comprehensive obligations for information protection, including physical security, access control, and incident management to safeguard credit histories and self-ban records.


Kyrgyzstan

National Bank of the Kyrgyz Republic


Creation Date: 2025-12-31

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic of September 28, 2016 No. 40/5

RULES

for regulating the activities of credit bureaus in the territory of the Kyrgyz Republic

(In the edition of the Resolutions of the Board of the NB KR of May 31, 2017 No. 21/8, June 15, 2017 No. 2017-P-12/25-12, December 23, 2020 No. 2020-P-33/73-13, August 17, 2022 No. 2022-P-33/52-3, June 14, 2023 No. 2023-P-12/38-4, August 30, 2023 No. 2023-P-12/55-1, January 22, 2025 No. 2025-P-12/2-3-(NFPU), October 23, 2025 No. 2025-P-12/55-3-(NPA))

Chapter 1. General Provisions

  1. (Repealed in accordance with the Resolution of the Board of the NB KR of May 31, 2017 No. 21/8)

  2. These Rules apply to the activities of all legal entities holding a license to carry out activities for the exchange of credit information and information on self-ban, and define requirements for the activity of a credit bureau regarding:

  • ensuring the security of credit histories and information on self-ban;
  • functioning of the credit bureau;
  • ensuring the accuracy and integrity of data;
  • providing a credit report and information on self-ban;
  • managing changes in credit history;
  • reporting by the credit bureau;
  • organizing internal audit of the credit bureau's activities.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

  3. The following terms are used in these Rules:

exchange of credit information - interaction between the credit bureau, subject, supplier, and user of credit information for the collection, processing, analysis, storage, provision, use, and protection of credit information for the purpose of forming a credit history and providing a credit report;

subject of credit information - a legal or natural person acting, respectively, as a borrower (debtor), lessee, client under a contract in accordance with Islamic principles of banking and financing, guarantor, surety, or having other financial indebtedness and obligation to the creditor according to a concluded civil-law contract, a natural person who has established a ban on concluding a credit transaction;

supplier of credit information - a legal or natural person providing credit information to the credit bureau;

user of credit information - a legal or natural person acting, respectively, as a creditor, lessor, pledgee;

credit transaction - a credit agreement, loan agreement, lease agreement, factoring agreement, and other agreements providing for the provision of monetary funds and other property on loan, as well as agreements in accordance with Islamic principles of banking and financing taking into account the specifics of the terminology used;

self-ban on concluding a credit transaction (hereinafter - self-ban) - independent expression of will by a natural person to establish a ban on concluding a credit transaction with him by a bank or non-bank financial and credit organization in accordance with the requirements of the Law of the Kyrgyz Republic "On the Exchange of Credit Information" and these Rules;

credit information - information on the status of a credit transaction, on the fulfillment of obligations on provided security (pledge, guarantee, surety, and other types of security), as well as other information contributing to the determination of the creditworthiness, payment discipline, and other qualities of the subject of credit information;

credit history - a set of credit information regarding the subject of credit information, formed by the credit bureau;

credit bureau - a legal entity that is a commercial organization providing services for the exchange of credit information and information on self-ban;

credit report - a document containing full or partial information included in the credit history;

confidentiality - a property of information consisting in its unavailability or non-disclosure of its content to unauthorized persons, subjects, or processes;

integrity - a property of information consisting in its accuracy and completeness;

availability - a property of information consisting in the fact that information is fit for use upon request by an authorized subject, in the form and place necessary for the user, and at the time when it is necessary for him;

information security (IS) - ensuring the confidentiality, integrity, and availability of information;

cryptographic information protection means - hardware, software, and hardware-software means, systems, and complexes implementing algorithms for cryptographic transformation of information, intended to protect the integrity and confidentiality of information during its processing, storage, and transmission via communication channels;

protection of information against leakage - a set of measures aimed at preventing the uncontrolled spread of protected information through technical and side channels using special technical means;

protection of information against unauthorized access - a set of measures aimed at preventing, identifying, and eliminating the possibility of obtaining protected information by violating access rules to protected information established by regulatory acts or the owner (holder) of the information;

protection of information against unintentional impact - a set of measures aimed at preventing unintentional impact on protected information due to user errors, software-hardware failures, natural phenomena, or other causes not aimed at changing information, but leading to distortion, destruction, copying, blocking access to information, as well as to its loss, destruction, or failure of the functioning of the material carrier of information;

information system (IS) - a set of interrelated information resources, technologies, methods, and personnel intended for storing, processing, and issuing information;

consent of the subject of credit history - written or electronic permission of the subject of credit history to provide information about him to the credit bureau or to issue a credit report about him to other persons from the credit bureau, drawn up in accordance with the requirement established by the legislation of the Kyrgyz Republic;

cross-border exchange - exchange of credit information in accordance with a concluded international agreement between participants of information exchange located in the territory of a state-member of this agreement, with the corresponding participant of information exchange located in the territory of another state-member;

IT audit - the process of obtaining and evaluating objective data on the current state of the information system, actions and events occurring in it, establishing the level of their compliance with certain criteria and providing results to interested parties;

log file - a registration file (journal) containing in chronological order information on the operation of the IS and information on user actions, including for example:

  • date and time of user visit;
  • IP address of the user's computer;
  • name of the user's browser;
  • URL of the page requested by the user.

For the purposes of these Rules, the term "credit" may also be understood to cover, in addition to credit, loan, lease, factoring, and other operations providing for the provision of monetary funds and other property on loan.

(In the edition of the Resolutions of the Board of the NB KR of January 22, 2025 No. 2025-P-12/2-3-(NFPU), October 23, 2025 No. 2025-P-12/55-3-(NPA))

  4. The National Bank of the Kyrgyz Republic (hereinafter - National Bank), for the purpose of regulating the activity of credit bureaus, establishes requirements for the organization of activities for the formation and use of credit histories, for the procedure for exchanging information on self-ban, ensuring minimum requirements for information security (hereinafter - IS) during the collection, storage, accumulation, processing, transmission, and destruction (exclusion) of the credit bureau's database and other information from credit histories, which are mandatory for all credit bureaus.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

  5. The credit bureau carries out the formation of credit histories and the provision of credit reports as its main type of activity.

As additional types of activity, the credit bureau may carry out:

  • sale of special literature and other informational materials related to the activity of the credit bureau;
  • provision of consulting services related to the information support of participants in the formation of credit histories and their use;
  • issuance of credit ratings according to certain criteria, according to the methodology developed by it;
  • marketing and statistical research.

Credit bureaus are not entitled to carry out other types of activity not provided for by these Rules.

  6. In order to ensure the transparency of services provided, information on commission fees and tariffs for services must be open.

  7. Credit bureaus must carry out accounting of their operations and form financial reporting in accordance with the requirements of the legislation of the Kyrgyz Republic, as well as provide financial reporting to the National Bank in paper and electronic form on a quarterly basis.

  8. The National Bank may send a recommendation to the credit bureau on the need to conduct an external audit of the credit bureau's activity or its separate areas, as well as a recommendation to conduct additional procedures within the framework of the audit to ensure proper management of the credit bureau's activity in accordance with the legislation of the Kyrgyz Republic and the requirements of the National Bank. Upon completion of the execution of the recommendation, copies of audit reports certified by an external auditor are submitted to the National Bank.

  9. The credit bureau is obliged to conduct an IT audit at least once every 3 years for compliance with the requirements of the legislation of the Kyrgyz Republic and regulatory legal acts of the National Bank.

  10. The credit bureau publishes an annual report on the results of its activities in the mass media.

  11. Credit bureaus provide regular reporting on their activities to the National Bank, as well as any information regarding the activity of the credit bureau upon request by the National Bank.

  12. The National Bank carries out supervision and regulation of the activities of credit bureaus, including conducting inspectorate checks of the activities of credit bureaus, with access to the information systems of the credit bureau, and also has the right to request necessary documents and information.

Chapter 2. Requirements for Ensuring the Security of Credit Histories

  13. Credit information in any form, placed on any material carrier (for example: documents, slides, databases, files, dictaphones, flash drives, and other carriers that can be used to transmit information) must be protected.

13-1. The credit bureau is obliged to send a draft international agreement providing for cross-border exchange of credit information to the National Bank for coordination.

The specified drafts of international agreements may be signed after receiving a letter from the National Bank agreeing with the submitted draft.

(In the edition of the Resolution of the Board of the NB KR of August 17, 2022 No. 2022-P-33/52-3)

  14. The credit bureau must ensure the implementation of a set of information protection measures, which must include, but are not limited to:

  1. ensuring the integrity and confidentiality of credit information and information on self-ban during collection, storage, accumulation, processing, transmission, and destruction;

  2. availability of credit information and information on self-ban and related resources for authorized users;

  3. user access management;

  4. security of IS development and support processes and the use of legal and licensed software;

  5. protection of credit information and information on self-ban from unauthorized access and modification;

  6. backup and archiving of data;

  7. antivirus protection and protection against spam;

  8. ensuring physical security;

  9. ensuring network security;

  10. ensuring application and database security;

  11. ensuring uninterrupted and reliable operation of services and supporting engineering equipment (uninterruptible power supply systems, air conditioning, etc.);

  12. security incident management, minimizing impact and recovery time in case of IS incidents;

  13. effective IS risk management;

  14. training and drills;

  15. monitoring and audit of implemented IS measures.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

14-1. Information systems of the credit bureau ensuring the collection, storage, processing, and exchange of credit information and information on self-ban must be located within the territory of the Kyrgyz Republic.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

Chapter 3. Requirements for the Functioning of the Credit Bureau

  15. The credit bureau must ensure uninterrupted access to the IS for 24 hours a day in accordance with the technical procedures of the credit bureau.

  16. The credit bureau provides access to suppliers of credit information and recipients of credit reports to the IS of the credit bureau using password protection (or other means of identification and authentication for access) to the IS, or the credit bureau transfers specialized software necessary for implementing information processes to information suppliers and recipients of credit reports, or establishes appropriate requirements for the software used. The development of specialized software by information suppliers and recipients of credit reports is coordinated with the credit bureau.

  17. In the process of information interaction between the credit bureau and suppliers and recipients of credit reports and information on self-ban, the prescribed sequence of actions must be observed and the authenticity of identification data, digital certificates, or other electronic data used to ensure integrity and authenticity must be verified. In its activities, the credit bureau is obliged to constantly:

  1. ensure high-quality and uninterrupted functioning of the IS and the established level of security in carrying out electronic exchange of data between the credit bureau, suppliers, and recipients of credit information and information on self-ban, including ensuring availability, organizing reliable operation of the bureau's software-hardware complex equipment;

  2. maintain a database of credit information in electronic form, in accordance with the provided data;

  3. maintain in electronic form a database on the presence/removal of self-ban, date and time of establishment/removal of self-ban in accordance with the provided data;

  4. provide current and reliable information on self-ban upon request by users of credit information and subjects of credit information in the manner and timeframes established by the National Bank of the Kyrgyz Republic;

  5. maintain registration and accounting of received credit information;

  6. maintain registration and accounting of each access to the credit history, as well as information on the presence/removal of self-ban;

  7. enter credit information into the credit history no later than the next working day from the day of its receipt;

  8. maintain a rating assessment and, at the request of users of credit information, explain the calculation methodology for the rating assessment of the subject of credit information and factors that influenced the rating assessment of the subject of credit information;

  9. consult authorized persons of suppliers and users of credit information on issues related to the use of the software-hardware complex, as well as on other issues related to work with the credit bureau;

  10. assist subjects, suppliers, and users of credit information in detecting and correcting inaccurate or distorted information in credit information;

  11. register and maintain an accounting of all users of the IS (application user accounts, DB), having access to the credit history and information on the presence/removal of self-ban;

  12. ensure the collection, recording, storage, and protection of information on IS events (audit logs, access log files) from threats of intentional or unintentional destruction, blocking, distortion, and loss;

  13. ensure the protection and storage of credit information and information on the presence/removal of self-ban, date and time of establishment/removal of self-ban;

  14. carry out maintenance of technical complex components, promptly and timely eliminate malfunctions in the operation of the IS;

  15. take measures to improve and increase the efficiency of the IS;

  16. inform users of credit information about changes in the technical conditions of IS functioning within one day after the installation of changes;

  17. control the state of IS, record cases and attempts to violate security policy, conduct investigations of IS incidents, and take measures necessary to prevent and minimize their consequences.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

  18. In order to perform its functions, the credit bureau has the right:

  1. to demand the elimination of cases of violation of IS operation rules;

  2. not to accept information provided by the supplier due to its incorrect or incomplete formatting, non-compliance of the data of the information supplier, recipient of the credit report, subject of the credit history, with IS requirements;

  3. to conclude agreements on the exchange of credit information and information on self-ban, as well as to carry out other transactions in accordance with the legislation of the Kyrgyz Republic;

  4. to receive from suppliers of credit information reliable, timely updated credit information;

  5. to provide consulting services to users of credit information in order to assist them in assessing the creditworthiness, financial position, solvency, payment discipline of subjects of credit information;

  6. to assist suppliers of credit information in providing credit information;

  7. to develop and use methodologies for calculating the rating assessment of subjects of credit information;

  8. to request from the user of the credit history the original of the consent obtained by the user of the credit history, or a copy certified in the manner provided by legislation for certifying copies of documents on paper;

  9. to request credit information and information on self-ban from other credit bureaus.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

  19. In order to comply with the requirements of these Rules during the collection, storage, accumulation, processing, transmission, and destruction (exclusion) of information from credit histories and information on self-ban, the credit bureau must develop and approve norms on the functioning of the credit bureau, containing:

  1. rights and obligations of the credit bureau, users, and subjects of credit information and information on self-ban;

  2. procedure for sending and receiving electronic data, as well as its further use, modification, and exclusion;

  3. description of data formats accepted in the bureau;

  4. procedure for providing a credit report and information on self-ban;

  5. procedure for accessing information resources of the credit bureau;

  6. basic requirements for ensuring IS, in accordance with which the activity of the credit bureau will be carried out;

  7. management procedures and algorithm of actions in case of IS compromise (unauthorized change of the database, as a result of which information becomes unusable, or additional efforts are made to identify changes and restore true information);

  8. procedure for bringing the content of the mentioned norms and IS measures to the attention of participants, approval and acceptance by participants of obligations to comply with them;

  9. liability of the credit bureau, users, and subjects of credit information and information on self-ban for disclosure, unlawful use, or leakage of information.

(In the edition of the Resolution of the Board of the NB KR of October 23, 2025 No. 2025-P-12/55-3-(NPA))

  20. Norms on the functioning of the credit bureau are brought to the attention of all participants with whom an agreement on the exchange of credit information has been concluded.

  21. The organization of the IS of the credit bureau must be sufficiently flexible, allowing the configuration of the means used to be developed, and functions and resources to be increased, simply and without structural changes.

  22. In the event of force majeure circumstances, as well as accidents or violations in the operation of the software-hardware complex of the IS due to the fault of third parties, suspension of the system's operation is possible, with subsequent notification of connected suppliers and users of credit information within one calendar day.

Chapter 4. Requirements for Ensuring the Accuracy and Integrity of Data

  23. The credit bureau must exclude the possibility of information leakage from the credit bureau's database.

  24. The credit bureau, when dealing with information that became known to it as a result of carrying out its activities, must ensure:

  1. compliance with the confidentiality regime;

  2. targeted use of information, database of credit histories;

  3. restriction of the circle of persons having access to information resources;

  4. procedure for controlled access and functional separation of duties of persons having access to information from the bureau's database;

  5. identification and authentication of participants using modern authentication means;

  6. measures to ensure security during storage, processing, and transmission of information via communication channels, including cryptographic protection measures.

  25. The credit bureau must develop and approve provisions, policies, and procedures on IS in accordance with international standards and best practices in the field of IS, which must contain:

  1. categories of information resources of the credit bureau;

  2. organizational model for ensuring the information security system with a description of roles and separation of responsibilities;

  3. IS risk management plan, which includes a set of organizational and technical measures provided for controlling these risks;

  4. business continuity plan for the credit bureau taking into account IS requirements, including plans for ensuring uninterrupted operation in the event of emergencies, such as: natural disasters, fires, power outages, damage to communication lines, public unrest, strikes, military actions;

  5. internal regulatory documents regulating changes in software and/or information in the credit bureau's databases (for example: access control policy, change management, incident management, operational procedures for managing/administering information resources, etc.);

  6. responsibility of credit bureau personnel for ensuring IS;

  7. procedures for internal audit of the credit bureau for compliance with IS requirements.

  26. The credit bureau must ensure:

  1. backup, storage, and restoration of information from the credit bureau's database and other information necessary to ensure its activities, as well as ensure, if necessary, the installation of additional and/or backup equipment;

  2. storage of backup copies of information and software resources of the credit bureau, etc.;

  3. compliance with the regulation for backup and destruction of credit bureau data.

  27. To minimize the risks of information leakage from the database, the credit bureau develops and implements a set of organizational and technical measures allowing control of the main channels of information leakage:
