Regulation on Minimum Requirements for Internal Control Organization in Commercial Banks to Counter Financing of Criminal Activities and Money Laundering

Back

Print Version

Creation Date: 2026-01-23

Appendix 1 to the Resolution of the Board of the National Bank of the Kyrgyz Republic of August 14, 2019 No. 2019-P-12/42-1-(NPA)

REGULATION

On the Minimum Requirements for the Organization of Internal Control in Commercial Banks for the Purpose of Countering the Financing of Criminal Activities and Money Laundering (Proceeds of Crime)

(As amended by Resolutions of the Board of the National Bank of the Kyrgyz Republic of September 15, 2021 No. 2021-P-12/51-1, December 14, 2022 No. 2022-P-12/78-10, December 28, 2022 No. 2022-P-12/83-7, December 27, 2023 No. 2023-P-12/82-7, January 17, 2024 No. 2024-P-12/1-3, December 19, 2025 No. 2025-P-12/68-2-(NPA))

Chapter 1. General Provisions

1. This Regulation is developed to define the minimum requirements for the organization of internal control in commercial banks, including those operating in accordance with Islamic principles of banking and financing, banks with an Islamic window, microfinance companies attracting deposits, JSC "Financial Company of Credit Unions", and housing-savings credit companies (hereinafter - banks), for the purpose of countering the financing of terrorist activities and money laundering (proceeds of crime), as well as countering the financing of extremist activities, financing of organized groups or criminal communities, and financing of the proliferation of weapons of mass destruction (hereinafter - AML/CFT), as well as conducting operations having signs of suspicious transactions.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

2. The National Bank of the Kyrgyz Republic (hereinafter - National Bank) conducts inspections of banks' activities regarding the organization of internal control for AML/CFT purposes and sends information on the results to the authorized state body in the field of AML/CFT (hereinafter - financial intelligence unit).

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

Chapter 2. Concepts and Definitions

3. For the purposes of this Regulation, the following concepts are used:

1. Beneficial Owner - a natural person (natural persons) who ultimately (through a chain of ownership and control) directly or indirectly (through third parties) owns the right of ownership or controls the client, or a natural person on whose behalf or in whose interests the transaction (deal) is carried out.

2. Close Relatives (parents, adoptive parents, adopted children, full and half-brothers and sisters, grandfathers, grandmothers, grandchildren, with respect to whom a public official bears financial costs, in part covering living expenses, education, healthcare, and other necessary expenses).

3. Verification - a procedure for checking the identification data of the client and/or beneficial owner.

4. High-Risk Countries - states and territories (formations) that do not apply or apply insufficiently international standards for combating money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction, as well as offshore zones.

5. Identification of Transactions Subject to Control and Reporting - a stage of the bank's internal control organization for AML/CFT, which includes determining transactions subject to control and reporting to the financial intelligence unit in accordance with the requirements of the regulatory legal acts of the Kyrgyz Republic.

6. AML/CFT Officer - a bank employee (at the level of the head of the compliance control service) appointed for the purpose of organizing internal control for AML/CFT, having access to all information regarding identification, verification, identification, recording, and transmission of data to the financial intelligence unit.

The AML/CFT Officer, for the purpose of operational execution of their functions, has the right to transfer powers to employees under their command. However, this circumstance does not relieve the officer of responsibility for improper performance of their functions.

7. Identification - a procedure for establishing identification data about the client and/or beneficial owner.

8. Source of Funds - information about the origin of specific funds or assets that are the subject of business relations between the client and the bank. The received information must be substantive, indicating the source and/or grounds for obtaining or acquiring these funds or assets.

9. Source of Other Property - information about the origin of the aggregate property of a public official (source of formation of all assets belonging to the client). The received information reflects data on the client's status and how the client acquired it.

10. Client - a natural or legal person (organization), foreign trust, or legal entity accepted for service or currently being served by a bank, or with which banks establish or have established business relations.

11. Financial Intelligence Unit - the authorized state body of the Kyrgyz Republic in the field of countering the financing of criminal activities and money laundering (proceeds of crime).

12. Suspicious Transaction (Deal) - a transaction (deal) falling under the following signs:

a) if there is suspicion or sufficient grounds to suspect that the funds are income obtained criminally, including from predicate crimes, or are related to money laundering (proceeds of crime);

b) if there is suspicion or sufficient grounds to suspect that the funds are related to financing:

• terrorists and extremists;
• terrorist and extremist organizations (groups);
• terrorist and extremist activities;
• proliferation of weapons of mass destruction;
• organized groups or criminal communities.

A suspicious transaction (deal) is determined by the AML/CFT Officer within the framework of legislation in the field of AML/CFT for transactions carried out with the funds or other property of the client and beneficial owner.

12. Internal Control Program - internal measures, procedures, and control systems applied by the bank for the purpose of complying with the legislation of the Kyrgyz Republic in the field of AML/CFT.

13. Public Officials - one of the following natural persons:

a) foreign public official - a person performing or having performed significant state or political functions (public functions) in a foreign state (heads of state or government, senior officials in government, courts, armed forces, state bodies, enterprises or institutions, prominent political figures, including prominent figures of political parties);

b) national public official - a person holding or having held a political and special state position in the Kyrgyz Republic provided for in the Registry of State and Municipal Positions approved by the President of the Kyrgyz Republic, as well as senior management of state corporations, prominent political figures, including prominent figures of political parties;

c) public official of an international organization - a senior official of an international organization entrusted or having been entrusted with important functions by an international organization (heads, deputy heads, and board members of an international organization or persons holding equivalent positions in an international organization).

14. Risk-Based Approach - the application of enhanced measures in the presence of a high level of risk or simplified measures in the presence of a low level of risk in accordance with established risk management procedures (identification, assessment, monitoring, control, risk reduction).

15. Sanctions Lists - the Consolidated Sanctions List of the Kyrgyz Republic and the Consolidated Sanctions List of the UN Security Council.

The procedure for forming and publishing sanctions lists is provided for in the Regulation "On Lists of Natural and Legal Persons, Groups and Organizations, Regarding Whom There Is Information About Their Participation in Criminal Activities and Money Laundering (Proceeds of Crime)", approved by the Resolution of the Cabinet of Ministers of the Kyrgyz Republic of November 14, 2025 No. 739.

16. Targeted Financial Sanctions - freezing of any transactions (deals) and/or funds of natural and legal persons, groups, and organizations included in the Sanctions Lists, and/or restricting access (direct or indirect) of such persons, groups, and organizations to any funds or financial services.

The concept of "extremist activity" corresponds to the norms of the conceptual apparatus of the Law of the Kyrgyz Republic "On Countering Extremist Activity".

"Islamic Bank", "Bank with an 'Islamic Window'", "Islamic principles of banking and financing", "Sharia standards", "Sharia Council" - these terms correspond to the norms of the conceptual apparatus of the Law of the Kyrgyz Republic "On Banks and Banking Activity" and regulatory legal acts of the National Bank.

All other concepts used in this sphere must not contradict the main concepts set out in this chapter.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

Chapter 3. Bank Activities in the Field of AML/CFT

4. Bank activities in the field of AML/CFT, taking into account its subsidiaries and affiliated companies, include the following components:

1. implementation of the internal control program for AML/CFT;

2. assessment of the effectiveness of internal control for AML/CFT by the bank's internal audit service;

3. appointment of an AML/CFT Officer and a person who will replace the AML/CFT Officer in case of their dismissal (talent reserve);

4. training of bank employees involved in implementing AML/CFT policy.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

5. The Board of Directors jointly with the Management of the bank is responsible for ensuring adequate and effective bank activities in the field of countering the financing of criminal activities and money laundering (proceeds of crime), as well as preventing the bank's involvement in conducting operations having signs of suspicious transactions.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

6. The Board of Directors is responsible for:

• approving adequate and effective policy in the field of AML/CFT;
• approving the internal control program in the field of AML/CFT, as well as monitoring its implementation;
• determining measures to ensure the effective work of the AML/CFT Officer;
• appointing and dismissing the AML/CFT Officer;
• reviewing the report of the internal audit service and reports of the AML/CFT Officer;
• determining measures aimed at eliminating deficiencies in the field of AML/CFT identified by the internal audit service and indicated in the report of the AML/CFT Officer, as well as monitoring their implementation.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

7. The Management of the bank is responsible for:

• ensuring the implementation of the policy and internal control program in the field of AML/CFT approved by the Board of Directors of the bank;
• ensuring monitoring of compliance with the legislation of the Kyrgyz Republic in the field of AML/CFT;
• ensuring training of bank employees in the field of AML/CFT;
• ensuring the implementation of measures aimed at eliminating deficiencies in internal measures, procedures, and the internal control system, as well as ensuring the conduct of independent audits;
• ensuring compliance with the requirements of regulatory legal acts of the Kyrgyz Republic regarding the opening of bank accounts (including identification and verification of clients and beneficial owners), conducting transactions on accounts, and terminating contracts with clients (account holders) and depositors.

The bank's Management must take exhaustive measures to prevent the bank's involvement in conducting operations having signs of suspicious transactions.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

Chapter 4. Internal Control Program for AML/CFT

8. The internal control program for AML/CFT is part of the bank's internal control system and must ensure the conduct in the bank of at least the following activities:

1. organization of internal control aimed at establishing the powers and responsibilities of officials for decision-making, interaction, and accountability among persons and subdivisions involved in the AML/CFT process;

2. implementation of measures to identify, assess, monitor, manage, reduce, and document risks of terrorist financing, proliferation of weapons of mass destruction, and money laundering (proceeds of crime) (hereinafter - AML/CFT Risk);

3. maintaining the AML/CFT Risk assessment in an up-to-date state (updating no less than once a year) and providing information on the risk assessment to the National Bank and the authorized financial intelligence unit (if necessary);

4. when conducting AML/CFT Risk assessment, considering all risk factors, and then determining the overall level of risk and measures to reduce it;

5. having internal normative documents approved by the Board of Directors that ensure effective management of AML/CFT Risk reduction, as well as taking into account risks identified at the country and/or relevant sector level;

6. conducting monitoring of the application of control measures, expanding them if necessary, and applying measures to manage and reduce identified high AML/CFT Risks;

7. conducting due diligence of clients, including:

• identification and verification of the client (one-time and permanent);
• obtaining information on the purpose and intended nature of business relations with the client;
• identification of the beneficial owner and taking available and reasonable measures to verify the beneficial owner of clients, including legal entities (foreign trusts, etc.);
• identification and verification of client transactions most susceptible to the risk of use for financing criminal activities and money laundering (proceeds of crime), conducting transactions having signs of suspicious transactions;
• identification and verification of bank transactions for all banking products and services most susceptible to the risk of use for financing criminal activities and money laundering (proceeds of crime), conducting transactions having signs of suspicious transactions;
• documentary recording of information obtained as a result of identification and verification of the client and beneficial owner;
• storage and updating of information and documents on client activities and their financial position, as well as information and documents obtained as a result of client due diligence;
• conducting continuous due diligence of the client throughout the entire period of business relations with the client and analyzing the compliance of transactions (deals) conducted by the client with existing information on the content of their activities, financial position, and source of funds, as well as on the nature of risks of financing criminal activities and money laundering (proceeds of crime).

The above-mentioned client due diligence measures are applied in cases and order established by the Cabinet of Ministers of the Kyrgyz Republic, as well as taking into account the results of risk assessment.

8. identification in client activities of transactions subject to control and reporting;

9. identification in client activities of transactions having signs of suspicious transactions, in accordance with the requirements of the financial intelligence unit, to confirm the validity or refute suspicions of the client carrying out such transactions;

10. establishing the order and grounds for refusing to open accounts to potential clients and correspondent banks, as well as for terminating client account services and correspondent relations with banks;

11. suspending transactions (deals) and applying targeted financial sanctions against persons included in the Sanctions Lists.

Suspension of transactions (deals) and application of targeted financial sanctions is carried out by the bank in accordance with the Regulation "On the Procedure for Suspension of Transaction (Deal), Freezing and Unfreezing of Transaction (Deal) and/or Funds, Providing Access to Frozen Funds and Managing Frozen Funds", approved by the Resolution of the Cabinet of Ministers of the Kyrgyz Republic of November 14, 2025 No. 739;

12. applying measures regarding high-risk countries in accordance with the requirements of the Regulation "On the Procedure for Applying Measures (Sanctions) Regarding High-Risk Countries", approved by the Resolution of the Cabinet of Ministers of the Kyrgyz Republic of November 14, 2025 No. 739;

13. timely submission to the financial intelligence unit of information and documents, as well as reports on transactions (deals) subject to control and reporting;

14. ensuring the storage of information and documents on transactions (deals), as well as information obtained as a result of client due diligence;

15. ensuring confidentiality of information;

16. implementing information systems in the bank that ensure the prompt provision of accurate and exhaustive information about the bank's activities, including client transactions;

17. establishing control and monitoring of the bank's constant compliance with the legislation of the Kyrgyz Republic on AML/CFT issues;

18. establishing control over bank employees whose activities are subject to high risk (cashiers, credit inspectors, employees of operational subdivisions of the bank, etc.), reflecting in job descriptions of employees of corresponding bank subdivisions the functions and duties for implementing AML/CFT policy;

19. conducting monitoring of the application of the internal control program and internal documents of the bank in the field of AML/CFT and improving them if necessary;

20. ensuring the fulfillment of other duties provided for in the legislation of the Kyrgyz Republic in the field of AML/CFT.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

9. For AML/CFT purposes, banks are obliged to develop a policy for organizing internal control in accordance with the requirements of this Regulation and the legislation of the Kyrgyz Republic in the field of AML/CFT, which must be approved by the Board of Directors of the bank. This policy is part of the general policy for organizing the bank's internal control system.

The policy for organizing internal control for AML/CFT must define the principles for building the bank's internal AML/CFT system.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

10. The bank must develop and ensure the implementation of internal control programs by its branches and representative offices, as well as subsidiaries and affiliated companies operating on the territory of the Kyrgyz Republic and foreign states.

If the legislation of a foreign state does not allow the application of internal control programs and the requirements of the legislation of the Kyrgyz Republic in the field of AML/CFT, the bank's branches and representative offices, as well as subsidiaries and affiliated companies, apply necessary risk management measures and report this to the National Bank of the Kyrgyz Republic.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

Chapter 5. Assessment of the Effectiveness of Internal Control for AML/CFT by the Bank's Internal Audit Service

11. The assessment of the effectiveness of the internal control system for AML/CFT is carried out by the bank's internal audit service no less than once a year or more frequently, depending on the level of transaction risks and the dynamics of the bank's performance indicators.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

12. In the course of assessing the effectiveness of internal control for AML/CFT, the internal audit service conducts at least the following:

• assessment of the effectiveness of the organization of the internal control system, including policies, procedures, and organization of bank activities for AML/CFT;
• assessment of the methodology for determining risk levels accepted by the bank;
• assessment of measures applied by the bank to assess the bank's exposure to AML/CFT risks and manage them;
• selective testing of the AML/CFT Officer's activities, including the software used, including compliance with bank policies and procedures;
• assessment of measures applied by the bank's management, Management, and Board of Directors to eliminate violations identified during previous checks by the bank's internal audit service, external audit, National Bank, or financial intelligence unit;
• review-assessment of internal control, including assessment of the software used for the degree of effectiveness in identifying and generating reports on transactions (deals) subject to control and reporting;
• checking the adequacy of reports of the AML/CFT Officer provided to the Board of Directors and their compliance with the minimum requirements of the National Bank;
• checking the compliance of employee training programs involved in implementing AML/CFT policy.

As a result of checking the activities of the bank's structural subdivisions for compliance with the internal control system for AML/CFT, the internal auditor develops recommendations, which are also transmitted to the AML/CFT Officer for information.

13. For the purpose of high-quality and comprehensive conduct of the audit, the internal audit service holds discussions with the AML/CFT Officer to obtain information on internal measures, procedures, and control systems in the field of AML/CFT, as well as information on existing problems. The internal auditor must have access to all bank materials and reports.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

14. As a result of the conducted audit, the internal audit service prepares a report on the results of the assessment of the effectiveness of internal control for AML/CFT, including information on:

1. risks of financing criminal activities and money laundering (proceeds of crime);

2. violations of internal control programs and other internal documents of the bank in the field of AML/CFT;

3. violations of the legislation of the Kyrgyz Republic in the field of AML/CFT;

4. recommended measures necessary to eliminate and prevent identified violations.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

15. The internal auditor's report on the results of the assessment of the effectiveness of internal control for AML/CFT is submitted to the Board of Directors within 5 (five) working days from the date of signing the report for subsequent consideration and adoption of measures to eliminate identified violations and prevent them in the future.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

Chapter 6. Officer Appointed for the Purpose of Organizing Internal Control for AML/CFT

16. For the purpose of developing and implementing internal control policy, corresponding procedures, as well as other internal organizational measures for AML/CFT, the Board of Directors approves an officer accountable to the Board of Directors (hereinafter - AML/CFT Officer) and takes measures to ensure continuity, independence, impartiality, professional competence, and effective organization of working conditions.

(As amended by Resolution of the Board of the National Bank of the Kyrgyz Republic of December 19, 2025 No. 2025-P-12/68-2-(NPA))

17. The tasks of the AML/CFT Officer are:

1. taking appropriate measures to minimize the risk of the bank's involvement and the participation of its employees in committing criminal (illegal) acts related to the financing of criminal activities...