2025-10-31 | 128789

Regulation on Minimum Requirements for the Anti-Fraud System Against Internal and External Fraud in Payment Organizations/Payment System Operators of the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued this Regulation to establish minimum requirements for anti-fraud systems in payment organizations and payment system operators. It mandates the implementation of risk assessment mechanisms, policy documentation, technical controls, and real-time monitoring to mitigate both internal and external fraud across remote service channels. Furthermore, it defines risk categorization, client notification procedures, identifier registry management, and quarterly effectiveness reporting to ensure operational resilience and customer protection.


Date created: 2025-11-17

Appendix to the Resolution of the Board of Directors of the National Bank of the Kyrgyz Republic dated October 31, 2025 No. 2025-P-14/59-1-(PS)

REGULATION "On Minimum Requirements for the Anti-Fraud System Against Internal and External Fraud in Payment Organizations/Payment System Operators of the Kyrgyz Republic"

Chapter 1. General Provisions

  1. This Regulation "On Minimum Requirements for the Anti-Fraud System Against Internal and External Fraud in Payment Organizations/Payment System Operators of the Kyrgyz Republic" (hereinafter – Regulation) applies as the primary mechanism for combating internal and external fraud in the information systems of payment organizations and payment system operators, including cases where existing algorithms do not fully meet the requirements of this Regulation.

  2. The requirements of this Regulation apply to payment organizations and payment system operators conducting activities based on a license from the National Bank of the Kyrgyz Republic.

  3. Payment organizations/payment system operators must ensure the presence and effective functioning of an anti-fraud system commensurate with their scale, nature, and types of activities, in accordance with this Regulation.

  4. The anti-fraud system must be directed at protecting the interests of users of payment organizations and payment system operators.

Chapter 2. Policy and Organizational Measures

  5. Payment organizations and payment system operators must develop, approve by the executive management body and/or board of directors (if any), and implement a Fraud Counteraction Policy for remote/distance service systems (hereinafter – Policy). The Policy may be a standalone document or part of the organization's/operator's risk management policy.

The Policy must reflect at least:

  • Management commitment to protecting clients/users from internal and external fraud in remote/distance service systems;
  • Principles for early detection, prevention, and mitigation of fraud in remote/distance service systems;
  • Procedures for applying adequate and timely automated or semi-automated response measures to identified fraud cases or attempts, proportional to the assessed risk level;
  • Liability measures under Kyrgyz Republic legislation applied to employees for inaction or improper actions in fraud counteraction, including threat monitoring, policy development and implementation, and incident response.

The Policy must be reviewed and updated at least once a year.

Internal procedures and documents governing fraud counteraction in remote/distance service systems must be reviewed as necessary, but at least once every two years, considering the effectiveness of applied measures, international best practices, and current threats.

Payment organizations/payment system operators must integrate these procedures and documents into their risk management system and ensure all relevant employees are familiar with them.

Chapter 3. Technical Implementation of Anti-Fraud Control

  6. Payment organizations/payment system operators must implement an anti-fraud system in remote/distance service information systems to prevent both internal and external fraud. These systems must monitor and assess fraud risk for each operation conducted through remote/distance service systems. Implementation is permitted in two ways:
  • As a separate, independent software and/or software-hardware complex interacting with existing remote/distance service automated systems;
  • By integrating a specialized anti-fraud module directly into each of the used remote/distance service automated systems.
  7. The anti-fraud system in remote/distance service information systems must assess fraud risk for each operation based on rules, templates, and analysis results.

The anti-fraud system must ensure at least:

  • Basic operation verification;
  • Comparison with typical customer behavioral patterns (if corresponding data is available);
  • Blocking or suspension of suspicious operations based on predefined criteria.
  8. When using software for anti-fraud control in information systems, payment organizations/payment system operators must submit a corresponding notification to the National Bank with a full description of the implemented architecture, operating principles, and risk assessment methods as required by this Regulation.

  9. If full automation is not feasible, manual analysis by responsible employees is permitted.

Chapter 4. Risk Categorization and Incident Actions

  10. The anti-fraud system in remote/distance service information systems must assess fraud risk for each operation based on rules, behavioral models, templates, and analysis results. Based on the assessment, the system must assign at least one of three levels:
  • Low risk: operation is safe;
  • Medium risk: operation is suspicious and may be fraudulent;
  • High risk: operation is fraudulent.
  11. Low risk must be assigned to operations matching typical customer behavior, having minor deviations, or successfully passing verification after initial medium-risk assignment.

  12. When assigning medium risk based on significant deviation from standard customer behavior or a combination of factors, payment organizations/payment system operators must ensure mandatory verification. Verification may be performed automatically or manually by an authorized employee. Upon completion, payment organizations/payment system operators must perform one or more of the following actions:

  • Reassess risk level and assign a new level (low or high);
  • Make necessary changes to the rules and templates of the remote/distance service anti-fraud system, supplementing them with identified characteristics of high-risk operations;
  • Ensure storage of complete information about the verification, including results, obtained data, employee decisions, and customer notifications in the remote/distance service anti-fraud system. This information must be stored for at least 5 (five) years from the operation date.
  13. Payment organizations/payment system operators must form and maintain a registry of identifiers and attributes prohibited for service that were used in fraudulent operations, populated when high risk is assigned.

This registry must include at least the phone number, the QR-code ID (unique QR used for identification), the service name (identifier) in the payment/banking system of the recipient or sender, as well as other identifiers and attributes related to fraudulent activity.

This registry must be used in subsequent risk assessment, with the ability to block or conduct additional verification.

  14. Fraud risk assessment must cover all operations conducted through remote/distance service systems related to:
  • Bank account operations;
  • Operations via mobile applications, including mobile agent applications (hereinafter – MPA);
  • Electronic wallet operations;
  • QR-code/card operations;
  • Domestic money transfers;
  • International money transfers;
  • Transfers to virtual asset wallets and foreign virtual asset trading operator accounts;
  • Cash withdrawals;
  • Credit of funds through remote/distance service systems;
  • Other high-risk operations, as well as those defined by the payment organization/operator within their fraud prevention policy.

Payment organizations/payment system operators must designate authorized persons/specialized departments responsible for real-time operation monitoring and regularly review the list of operations subject to risk assessment, considering new fraud schemes and digital security changes.

Chapter 5. Basic Indicators of Fraudulent Operations

  15. For fraud risk assessment, payment organizations/payment system operators must use fraud criteria serving as the basis for classifying an operation as suspicious or fraudulent.

Fraud criteria represent one or a combination of indicators and behavioral models indicating deviation from standard customer activity and potential fraudulent attempts.

Applied fraud criteria must include, but not be limited to:

  • Anomalous transaction frequency: sudden increase in initiated or received operations;
  • Group anomalous activity: sudden growth in a customer group conducting similar-sum, recipient, or type operations;
  • Anomalous transaction size (amount): amounts not matching typical customer behavior, or payments in unusual categories;
  • Anomalous geographical location: unusual IP address, registration from a new mobile device, use of VPN or proxy servers;
  • Anomalous transaction time: unusual time of day or day of the week for customer operations;
  • Multiple failed login attempts: repeated unsuccessful authorization attempts;
  • Frequent contact information changes: frequent updates, especially before large operations;
  • Match with known fraud schemes: operation characteristics aligning with known fraud patterns;
  • Frequent returns or cancellations: unusually high number of returned or cancelled operations;
  • Use of suspicious recipients: transfers to accounts/mobile applications, including MPA/electronic wallets, identified as suspicious;
  • Distribution of funds to multiple recipients: splitting operations and distributing funds across many recipients;
  • Anomalous funding sources: account top-ups from sources atypical for the customer;
  • Anomalous access mode changes: new authorization methods or login method changes atypical for the customer;
  • Participation of mobile applications, including MPA/electronic wallets, in splitting or consolidating funds and rapid transfers to other accounts/mobile applications, MPAs/electronic wallets/cards in another bank/payment organization;
  • Bank account/mobile application/MPA/electronic wallet/card top-ups by different persons using various tools, followed by withdrawals;
  • Other criteria defined by the payment organization/operator within their fraud prevention policy.
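Chapters 4 and 5 together describe one scoring loop: check each operation against the prohibited-identifier registry and the behavioral criteria, assign low/medium/high, send medium-risk operations to mandatory verification, and end with low or high, adding the identifiers of high-risk operations to the registry. The following is an added example, not part of the Regulation and not any operator's production code, showing that loop in Python over constructed sample operations. The field names, the thresholds (three standard deviations for amounts, five operations per ten minutes), the set of criteria implemented, and the customer-confirmation step are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOW, MEDIUM, HIGH = "low", "medium", "high"


@dataclass
class Operation:
    customer: str
    amount: float
    recipient: str        # phone number, wallet or QR id of the payee (assumed field)
    ts: datetime
    ip: str
    device: str
    via_vpn: bool = False


@dataclass
class CustomerProfile:
    """Behavioral baseline built from the customer's past operations (assumed shape)."""
    amounts: list[float]
    known_devices: set[str]
    known_ips: set[str]
    usual_hours: range                       # hours of day the customer normally transacts
    recent_ops: list[datetime] = field(default_factory=list)


def assess(op: Operation, profile: CustomerProfile, prohibited: set[str],
           freq_window: timedelta = timedelta(minutes=10), freq_limit: int = 5):
    """Assign one of the three Chapter 4 levels and list the Chapter 5 criteria that fired.

    A match against the prohibited-identifier registry is HIGH outright; one or more
    behavioral deviations give MEDIUM (mandatory verification); nothing firing gives LOW.
    Thresholds (3 sigma, 5 operations per 10 minutes) are assumptions for this example.
    """
    if op.recipient in prohibited:
        return HIGH, ["recipient is in the prohibited identifier registry"]
    reasons = []
    if len(profile.amounts) >= 5:
        mu, sigma = mean(profile.amounts), pstdev(profile.amounts)
        if op.amount > mu + 3 * max(sigma, 1.0):
            reasons.append("anomalous transaction amount")
    recent = [t for t in profile.recent_ops if timedelta(0) <= op.ts - t <= freq_window]
    if len(recent) + 1 > freq_limit:
        reasons.append("anomalous transaction frequency")
    if op.device not in profile.known_devices:
        reasons.append("new mobile device")
    if op.via_vpn or op.ip not in profile.known_ips:
        reasons.append("unusual IP address or VPN/proxy")
    if op.ts.hour not in profile.usual_hours:
        reasons.append("anomalous transaction time")
    return (MEDIUM if reasons else LOW), reasons


def verify(op, level, reasons, customer_confirmed, prohibited):
    """Chapter 4 item 12: a MEDIUM operation is verified and reassigned LOW or HIGH.

    Verification here is the customer's confirmation (assumed to arrive over an
    out-of-band channel). A HIGH outcome puts the recipient identifier into the
    registry (item 13), and the full verification record is returned for storage.
    """
    if level != MEDIUM:
        return level, None
    new_level = LOW if customer_confirmed else HIGH
    if new_level == HIGH:
        prohibited.add(op.recipient)
    record = {"customer": op.customer, "operation_ts": op.ts.isoformat(),
              "criteria": reasons, "customer_confirmed": customer_confirmed,
              "final_level": new_level}
    return new_level, record


def run_sample():
    """Score three constructed operations for one customer and return the outcomes."""
    prohibited = {"+996700000001"}                      # constructed registry entry
    base = datetime(2025, 11, 3, 11, 0)
    profile = CustomerProfile(
        amounts=[1500, 1800, 1200, 2000, 1700, 1600],   # constructed history
        known_devices={"android-abc123"}, known_ips={"212.112.0.10"},
        usual_hours=range(8, 21),
        recent_ops=[base - timedelta(minutes=m) for m in (40, 90)],
    )
    ops = [
        Operation("C1", 1650, "+996555111222", base, "212.112.0.10", "android-abc123"),
        Operation("C1", 1650, "+996700000001", base, "212.112.0.10", "android-abc123"),
        Operation("C1", 95000, "+996555999888", base.replace(hour=3),
                  "185.220.101.5", "ios-new-device", via_vpn=True),
    ]
    results = []
    for op in ops:
        level, reasons = assess(op, profile, prohibited)
        # in this sample the customer does not confirm the medium-risk operation
        final, record = verify(op, level, reasons, False, prohibited)
        results.append((level, final, reasons, record))
    return results, prohibited
```

The first operation matches the baseline and stays low; the second hits the registry and is high without further analysis; the third fires four criteria (amount, new device, VPN, time of day), goes to verification as medium, and, because the customer does not confirm it, ends high and its recipient is added to the registry. A production system would persist the verification record for the five-year retention period the Regulation requires.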

Chapter 6. Obligation to Suspend Operations and Interact with Clients

  16. Payment organizations/payment system operators may suspend operations in mobile applications, MPAs, and electronic wallets for up to 30 days in the following cases:
  • Upon identification of characteristics matching fraud criteria established in paragraph 15;
  • In the absence of customer confirmation clearly indicating an independent operation;
  • Upon customer notification regarding fraudulent actions in their mobile applications, MPAs, or electronic wallets.
  17. Payment organizations/payment system operators must provide a function in remote service systems for individuals to submit notifications about fraudulent actions and generate operation statements for subsequent submission to law enforcement agencies.

This function must be implemented as:

  • 24/7 availability;
  • A dedicated communication channel exclusively for fraud operation notifications;
  • A simple, intuitive notification submission form (SMS alert, email) allowing the customer to specify the key operation parameters: date, amount, recipient details, a description of the circumstances, and whether evidence is available;
  • Automatic recording of notification submission in information systems with timestamp and customer identifier;
  • Initiation of suspension and operation analysis procedures.

Notifications submitted via this function must be reviewed promptly with corresponding measures taken based on operation assessment, followed by customer notification, including recommendations for law enforcement contact.

  18. Payment organizations/payment system operators must promptly inform customers/payment system participants about the suspension of an operation using the available communication channels (mobile application, MPA, phone, SMS alert, email, others).

Chapter 7. Maintenance of Identifier List and Monitoring of Repeats

  19. All operations involving prohibited service identifiers must be rejected with corresponding customer/participant notification.

Payment organizations/payment system operators must have internal procedures and documents governing the process of adding identifiers to the prohibited registry, as well as removing records upon error discovery or customer confirmation of independent operation.

If facts of operations involving prohibited identifiers are identified, and violations of National Bank regulatory acts are confirmed, payment organizations/payment system operators must compensate customers for damages resulting from such operations.

  20. The prohibited service identifier registry may be manually supplemented by authorized employees based on reliable information about the fraudulent nature of a customer identifier, obtained from state authorities and the National Bank.

  21. The prohibited service identifier registry must be maintained securely, preventing unauthorized intervention by employees and third parties, ensuring record integrity.

Access to the registry is permitted only for authorized employees using multi-factor authentication.

  22. Any system changes must be recorded in the event registration log, indicating the responsible person, time of change, and reasons for adjustment. Log data must be stored for at least 5 (five) years.
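Chapter 7 asks for two things that are easy to claim and hard to demonstrate: that the registry cannot be altered without detection, and that every addition or removal is logged with the responsible person, the time and the reason. The following is an added example (not part of the Regulation and not any operator's code) of a registry whose change log is a SHA-256 hash chain, so that any later edit to a log record breaks the chain from that record onward. Record fields, actor names and identifiers are assumptions; multi-factor authentication and access control are outside the example.

```python
import hashlib
import json
from datetime import datetime, timezone


class ProhibitedRegistry:
    """Prohibited-identifier registry with an append-only, hash-chained change log.

    Each log record carries the hash of its predecessor, so modifying an earlier
    record invalidates every hash after it. Who may call add()/remove() is an
    access-control question handled outside this example.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = {}        # identifier -> reason it was listed
        self.log = []            # chained change records (dicts)

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, action, identifier, actor, reason, at):
        rec = {
            "seq": len(self.log),
            "action": action,
            "identifier": identifier,
            "actor": actor,                          # responsible employee
            "reason": reason,                        # reason for the adjustment
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": self.log[-1]["hash"] if self.log else self.GENESIS,
        }
        rec["hash"] = self._digest(rec)
        self.log.append(rec)

    def add(self, identifier, actor, reason, at=None) -> bool:
        """List an identifier (high-risk assignment or reliable external information)."""
        if identifier in self.entries:
            return False
        self.entries[identifier] = reason
        self._record("add", identifier, actor, reason, at)
        return True

    def remove(self, identifier, actor, reason, at=None) -> bool:
        """Delist on error discovery or customer confirmation of an independent operation."""
        if identifier not in self.entries:
            return False
        del self.entries[identifier]
        self._record("remove", identifier, actor, reason, at)
        return True

    def is_prohibited(self, identifier) -> bool:
        return identifier in self.entries

    def verify_chain(self) -> int:
        """Recompute the chain; return -1 if intact, else the index of the first bad record."""
        prev = self.GENESIS
        for i, rec in enumerate(self.log):
            if rec["prev_hash"] != prev or self._digest(rec) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1
```

A hash chain detects in-place edits but not deletion of the newest records, so the head hash should be copied periodically to a store the registry's editors cannot write (or signed), and the log itself should live on write-once or separately administered storage; the five-year retention then applies to both the log and those anchors.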

Chapter 8. Assessment of Anti-Fraud System Effectiveness

  23. Payment organizations/payment system operators must develop and implement monitoring systems for fraud counteraction effectiveness, including the following metrics:
  • Proportion of blocked suspicious operations subsequently confirmed as fraudulent;
  • Proportion of false positives (erroneously blocked transactions) (False positive rate);
  • Proportion of missed fraudulent operations among all confirmed cases (Recall);
  • Mean time to detect incidents;
  • Mean time to respond to incidents;
  • Number of identified and documented fraud methods;
  • Customer experience and system accuracy indicator (anti-fraud), including response speed and percentage of conflict resolution in favor of the customer during erroneous blocking;
  • Quality indicator for maintaining the prohibited identifier registry (relevance, completeness, timeliness of updates).

Effectiveness assessment results must be documented and submitted to the National Bank according to the form in Appendix 1, at least once per quarter by the 25th day of the month following the reporting quarter.
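The quantitative rows of Appendix 1 reduce to a confusion matrix over the quarter's operations plus two timing averages. The following is an added example (not part of the Regulation and not any operator's reporting code) that computes them from a constructed case list; the case fields and the sample data are assumptions. One caveat a practitioner should note: the Regulation labels "proportion of missed fraudulent operations among all confirmed cases" as Recall, whereas in the usual terminology that quantity is the miss rate, 1 minus recall. The example reports the missed share under a name matching the Regulation's row and gives plain recall beside it so the reader can see both.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Case:
    op_id: str
    blocked: bool                           # anti-fraud system blocked/suspended it
    fraud: bool                             # later confirmed fraudulent
    occurred: datetime
    detected: Optional[datetime] = None     # first moment the system or a customer flagged it
    resolved: Optional[datetime] = None     # response completed (block upheld, refund, release)


def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0


def _mean_minutes(deltas: list) -> Optional[float]:
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 60


def effectiveness(cases: list) -> dict:
    """Compute the Chapter 8 / Appendix 1 metrics from one quarter's case list.

    tp = blocked and fraudulent, fp = blocked but legitimate,
    fn = fraud that was not blocked, tn = legitimate and not blocked.
    """
    tp = sum(1 for c in cases if c.blocked and c.fraud)
    fp = sum(1 for c in cases if c.blocked and not c.fraud)
    fn = sum(1 for c in cases if not c.blocked and c.fraud)
    tn = sum(1 for c in cases if not c.blocked and not c.fraud)
    fraud_cases = [c for c in cases if c.fraud and c.detected]
    return {
        # share of blocked operations later confirmed fraudulent (precision of the blocks)
        "blocked_confirmed_fraud": _ratio(tp, tp + fp),
        # erroneously blocked operations among all legitimate ones (false positive rate)
        "false_positive_rate": _ratio(fp, fp + tn),
        # Appendix 1 row labelled "Recall": share of confirmed fraud the system missed,
        # which is 1 - recall; plain recall is reported alongside
        "missed_fraud_share": _ratio(fn, tp + fn),
        "recall": _ratio(tp, tp + fn),
        "mean_time_to_detect_min": _mean_minutes(
            [c.detected - c.occurred for c in fraud_cases]),
        "mean_time_to_respond_min": _mean_minutes(
            [c.resolved - c.detected for c in fraud_cases if c.resolved]),
        "confusion": {"tp": tp, "fp": fp, "fn": fn, "tn": tn},
    }


def sample_quarter() -> list:
    """Constructed cases for one reporting quarter (illustrative data, not real)."""
    t = datetime(2025, 10, 1, 9, 0)

    def m(minutes: int) -> datetime:
        return t + timedelta(minutes=minutes)

    cases = [
        Case("A", True, True, t, m(2), m(32)),      # caught by rules, block upheld
        Case("B", True, True, t, m(4), m(24)),
        Case("C", True, False, t, m(1), m(61)),     # false positive, released after a call
        Case("D", False, True, t, m(120), m(160)),  # missed; reported by the customer
    ]
    cases += [Case(f"L{i}", False, False, t) for i in range(6)]   # legitimate, untouched
    return cases
```

With the constructed data the blocks are two-thirds precise, one of seven legitimate operations was wrongly blocked, one of three frauds was missed (recall two-thirds), fraud was detected after 42 minutes on average and responded to 30 minutes after detection. The remaining Appendix 1 rows (documented fraud methods, customer-experience indicator, registry quality) are counts and qualitative assessments that come from case management rather than from this computation.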

Chapter 9. Testing and System Updating Obligations

  24. Payment organizations/payment system operators must regularly conduct stress testing of internal and external anti-fraud systems to assess effectiveness, accuracy, and resilience to new threats.

Testing must be conducted at least once a year, as well as upon significant system changes.

Mandatory testing types include:

  • Stress testing involving modeling of mass fraud attacks to verify system resilience;
  • Penetration security testing;
  • Testing of new algorithms based on current fraud methods.

Based on test results, payment organizations/payment system operators must develop and implement corresponding corrective measures within 30 working days for high-criticality vulnerabilities, and 60 working days for other cases. Deadlines may be extended based on a technical conclusion from the payment organization/operator.

Payment organizations/payment system operators must document stress test results and submit them annually to the National Bank.

Testing documentation must be stored for at least 5 (five) years.

Appendix 1 to the Regulation "On Minimum Requirements for the Anti-Fraud System Against Internal and External Fraud in Payment Organizations/Payment System Operators of the Kyrgyz Republic"

REPORT on the assessment of effectiveness of fraud counteraction measures

System Name: ______________________________________________________
Payment System Operator Name: ____________________________________
Reporting Period: ____________________________________________________________

Metric Name | Indicators (proportion, average time, quantity, etc.) | Effectiveness Assessment Results | Decisions/Proposals for Fraud Counteraction and Risk Minimization | Additional Comments/Proposals
Proportion of blocked suspicious operations subsequently confirmed as fraudulent | | | |
Proportion of false positives (erroneously blocked transactions) (False positive rate) | | | |
Proportion of missed fraudulent operations among all confirmed cases (Recall) | | | |
Mean time to detect incidents | | | |
Mean time to respond to incidents | | | |
Number of identified and documented fraud methods | | | |
Customer experience and system accuracy indicator (anti-fraud), including response speed and percentage of conflict resolution in favor of the customer during erroneous blocking | | | |
Quality indicator for maintaining the prohibited identifier registry (relevance, completeness, timeliness of updates) | | | |
Others | | | |
