2015-04-15 | 130344

Regulation on Minimum Requirements for Remote/Distant Services in the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued this Regulation to establish minimum requirements for commercial banks, non-bank financial-credit organizations, payment system operators, and payment organizations in providing remote and distant banking and payment services. It mandates service providers to implement robust information security systems, multi-factor authentication, clear liability distribution for unauthorized transactions, and accessible digital interfaces for persons with disabilities. Furthermore, the Regulation standardizes contract terms, electronic signature usage, risk management procedures, and user notification protocols to ensure transaction security, confidentiality, and operational continuity.


Kyrgyzstan

National Bank of the Kyrgyz Republic


Date of creation: 2026-02-13

Appendix

Approved by the Resolution of the Board of the National Bank of the Kyrgyz Republic dated April 15, 2015 No. 22/3

REGULATION on Minimum Requirements for Providing Remote/Distant Services in the Kyrgyz Republic

(In the edition of Resolutions of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14, June 19, 2019 No. 2019-P-12/32-3, December 11, 2019 No. 2019-P-14/62-6, March 31, 2021 No. 2021-P-12/14-5, December 14, 2022 No. 2022-P-14/78-5, July 9, 2025 No. 2025-P-14/33-2-(PS), December 26, 2025 No. 2025-P-12/70-6-(PS), January 21, 2026 No. 2026-P-39/3-2-(NPA))

Chapter 1. General Provisions

  1. (Ceased to be in force in accordance with the Resolution of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14)

  2. This Regulation "On Minimum Requirements for Providing Remote/Distant Services in the Kyrgyz Republic" (hereinafter - the Regulation) establishes requirements for commercial banks, non-bank financial-credit organizations, payment system operators and payment organizations regarding the provision of banking and payment services to users remotely/distantly.

(In the edition of Resolutions of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14, December 11, 2019 No. 2019-P-14/62-6)

  3. Within the framework of this Regulation, banking and payment services may be provided remotely/distantly via ATMs, self-service terminals (payment terminals), internet banking, mobile banking, mobile applications and other methods of remote/distant service not contradicting the legislation of the Kyrgyz Republic.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

3-1. When providing remote/distant services, the provider of remote/distant services (service provider) may, as necessary, conclude a contract with a telecommunications operator (mobile network operator/network mobile service operator) to provide communication services. When concluding a contract with the telecommunications operator, the service provider must provide for methods of protection and confidentiality of information transmitted via the operator's communication channels in accordance with the legislation of the Kyrgyz Republic.

(In the edition of Resolutions of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14, December 14, 2022 No. 2022-P-14/78-5)

3-2. When providing remote/distant services, service providers are obliged to comply with relevant regulatory legal acts regulating issues regarding the timeliness, security, reliability of payments and prevention of fraudulent transactions.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

Chapter 2. General Terms and Definitions

  4. Terms and definitions used in this Regulation are understood in the sense in which they are used in banking legislation and payment system legislation of the Kyrgyz Republic.

The following terms and definitions are also used in this Regulation:

  1. Authentication - the procedure of establishing user authenticity by checking and comparing characteristics of the presented identifier (PIN code, password, etc.).

  2. Personal Account (User Cabinet) - a special user section in the remote/distant service system of the service provider, which allows access to data on account/credit limit status and fund movements, as well as other banking and payment services, including submitting applications, confirmations and instructions to the service provider.

  3. Service Provider's Mobile Application (Mobile App) - one of the tools of remote/distant service systems, enabling the service provider to provide banking and payment services to users remotely/distantly. Mobile apps of agents provided for by the Regulation "On Regulation of Activities of Payment Organizations and Payment System Operators" are also included in service providers' mobile applications.

  4. User's Obligations to the NFKO - user obligations arising from obtaining a loan in the NFKO, as well as through personal account management.

  5. User - a natural person, legal entity or individual entrepreneur using banking and payment services through the remote/distant service system.

  6. Provider of Remote/Distant Services (Service Provider) - banks, non-bank financial-credit organizations (hereinafter - NFKO), payment system operators and payment organizations holding a license/certificate from the National Bank for the right to carry out specific banking and payment services provided by the legislation of the Kyrgyz Republic.

  7. Remote/Distant Service System - a set of telecommunications means, digital and information technologies, software and equipment ensuring communication between the user and the service provider for providing banking and payment services remotely/distantly using ATMs, payment terminals, internet banking, electronic wallets, mobile banking, mobile applications and other remote/distant service methods.

  8. Remote/Distant Service - a method of providing services by the service provider based on instructions transmitted by the user remotely/distantly using remote/distant service systems.

  9. PIN-code (Personal Identification Number) - a personal identification number allowing user authentication for transactions.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

Chapter 3. Requirements for Service Providers

  5. The service provider for remote/distant services must at least:
  • develop and approve internal regulatory documents defining the list, procedure and conditions of remote/distant services;
  • ensure effective control over the provision of these services and the safety of users' funds;
  • develop an internal risk management policy defining the service provider's responsibility when interacting with users, taking into account regulatory legal acts in the field of information security, considering risks associated with remote/distant services, as well as in case of emergency situations;
  • develop and maintain up-to-date an internal regulatory document on the procedure for interaction and response to emergency situations in accordance with National Bank regulations;
  • develop a procedure for dispute resolution and refund of funds to the user for erroneous or unauthorized transactions;
  • develop standard contracts between service providers and users;
  • comply with requirements for countering the financing of criminal activities and money laundering in accordance with Kyrgyz Republic legislation;
  • ensure compliance with banking secrecy when transmitting messages and providing remote/distant services;
  • develop and approve the procedure for recognizing and using electronic signatures when performing legally significant actions (expressing consent, submitting applications, concluding contracts and other transactions);
  • maintain an electronic register of documents signed with an electronic signature;
  • ensure monitoring and maintenance of a log (logs) of user connections to the remote/distant service system.

(In the edition of Resolutions of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14, June 19, 2019 No. 2019-P-12/32-3, December 14, 2022 No. 2022-P-14/78-5, December 26, 2025 No. 2025-P-12/70-6-(PS))

  6. The service provider must inform the user about information on compliance with security requirements when providing remote/distant services in accordance with Appendix 1 to this Regulation. The service provider must also inform the user about the prohibition on selling/transferring to third parties remote/distant service systems, access logins and passwords, as well as the user's responsibility in accordance with Kyrgyz Republic legislation for transferring or selling to third parties remote/distant service systems, access logins and passwords, including for carrying out financial transactions using remote/distant service systems by instruction and in the interests of third parties to commit unlawful acts.

(In the edition of Resolutions of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14, January 21, 2026 No. 2026-P-39/3-2-(NPA))

6-1. The use of electronic signatures in remote/distant services must be carried out in accordance with the requirements of Appendix 2 to this Regulation.

(In the edition of Resolution of the Board of the National Bank of KR dated June 19, 2019 No. 2019-P-12/32-3)

6-2. The service provider is responsible for the services provided, including unauthorized transactions, except in cases where transactions occurred due to the user's own fault, according to the list, procedure and conditions of the remote/distant service system.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

  7. The service provider must regularly conduct quality assessments of remote/distant services to ensure the necessary level of user trust.

(In the edition of Resolution of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14)

7-1. The service provider must provide special functions or other capabilities in mobile applications, ATMs and payment terminals, including solutions provided by third parties, which will allow persons with disabilities to use the services provided, as well as inform them about these capabilities. Special functions implemented for persons with disabilities must allow them to perform transactions in mobile applications, ATMs and payment terminals (corresponding adjustment of font sizes, sections, icons, speed and volume of audio playback, color contrast, text-to-speech functions on mobile app screens, presence of special highlights on the panel, etc.).

(In the edition of Resolution of the Board of the National Bank of KR dated July 9, 2025 No. 2025-P-14/33-2-(PS))

  8. The service provider must ensure the continuity of its activities and accessibility to services in accordance with conditions established in the contract. When carrying out preventive and technical works, the service provider is obliged to notify users in a timely manner.

8-1. The service provider must inform users no later than five calendar days before the introduction of tariff changes to its services via website or mass media.

(In the edition of Resolution of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14)

  9. (Ceased to be in force in accordance with the Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

Chapter 4. Requirements for Remote/Distant Services

(Chapter title in the edition of the Resolution of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14)

  10. Remote/distant services must be provided based on a contract between the user and the service provider in accordance with Kyrgyz Republic legislation, which must specify:
  • user data (surname, first name, patronymic, passport details (or other identity document details in accordance with Kyrgyz Republic legislation) and other user data allowing identification);
  • list of services provided;
  • methods of providing services remotely/distantly and accessing remote/distant service systems;
  • rights, obligations and responsibilities of the user and service provider;
  • requirements on the prohibition of selling/transferring to third parties remote/distant service systems, access logins and passwords, as well as the user's responsibility in accordance with Kyrgyz Republic legislation for transferring or selling to third parties remote/distant service systems, access logins and passwords, including for carrying out financial transactions using remote/distant service systems by instruction and in the interests of third parties to commit unlawful acts;
  • types and amounts of commissions payable by the user;
  • currency conversion scheme from one currency to another, providing for various conversion options when the user conducts transactions in a currency different from their bank account currency, as well as the procedure for informing clients about the exchange rate when conducting currency conversion transactions;
  • methods for the service provider to provide statements on fund movements and balances in bank accounts, user obligations to NFKO or electronic wallets;
  • main security compliance requirements for the user, including authentication and confirmation of client rights to use remote/distant service systems (use of PIN codes, passwords, limits, user actions in case of loss or theft of access devices);
  • procedure for informing the service provider about loss, theft or unauthorized use of access devices to the remote/distant service system;
  • distribution of responsibility between service providers and users in case of loss, theft or unauthorized use of access devices;
  • conditions for suspension and termination of access to the remote/distant service system;
  • methods for notifying the client in case of contract condition changes;
  • contact details for communication with the service provider, including during non-working hours and weekends (holidays);
  • distribution of risks and responsibilities between parties in case of security procedure violations or other contract conditions;
  • dispute resolution procedure, submission/receipt of user complaints and claims, conditions for their consideration and resolution;
  • mechanism for determining the user on whose behalf an electronic signature is used, and the obligation to maintain confidentiality of the electronic signature key.

(In the edition of Resolutions of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5, January 21, 2026 No. 2026-P-39/3-2-(NPA))

  11. (Ceased to be in force in accordance with the Resolution of the Board of the National Bank of KR dated June 19, 2019 No. 2019-P-12/32-3)

11-1. Cash deposits through payment terminals for goods and services are made based on a public offer. Receiving or refusing a receipt is the user's choice when paying for goods and services through payment terminals by confirming on the screen.

(In the edition of Resolution of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14)

  12. When providing voice banking services, the service provider must ensure audio recording of all conversations with users and notify them by sending to an electronic address or via SMS notification about the execution of instructions.
  13. When accessing and servicing using ATMs and payment terminals:
  1. remote/distant service via ATM is carried out using bank payment cards or other methods for receiving cash, making fund transfers and other non-cash payments, obtaining information on completed transactions from the bank account, issuing a receipt or SMS notification for all types of transactions to a mobile phone in accordance with the contract with the user;
  2. the ATM/payment terminal transmits transaction data to the service provider's information system. After completing transaction processing, the ATM/payment terminal must present a confirming document on the completed transaction in accordance with Kyrgyz Republic legislation, containing the following mandatory details:
  • receipt number;
  • date and time of transaction/payment;
  • transaction/payment amount;
  • commission amount;
  3. the service provider when providing remote/distant services via ATMs/payment terminals must:
  • inform clients about possible risks associated with using ATMs and payment terminals, as well as precautionary measures;
  • regularly conduct security checks at ATM and payment terminal locations and document the results;
  • organize support centers (call centers) and ensure their daily and continuous operation;
  • place an indicator on the ATM/payment terminal showing the bank/payment organization's ownership, logos of payment systems whose cards are accepted for servicing by the ATM and payment terminal.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

  14. The service provider when providing remote/distant services via internet banking is obliged to:
  • inform clients about possible risks and precautionary measures;
  • inform clients about the need to comply with security rules and procedures when making payments via internet banking (preventing transfer of passwords, codes, keys to third parties);
  • ensure confidentiality when transmitting financial messages and payments;
  • use secure network protocols;
  • apply mechanisms to prevent fraudulent spoofing of internet banking servers (user's personal account);
  • use multi-factor authentication taking into account the risk assessment of the transaction (e.g., password/code/one-time code and PIN-code, biometric means, etc.);
  • apply a policy providing for the use of complex passwords and their regular change;
  • use mechanisms to prevent automatic password guessing;
  • use mechanisms for blocking the connection session with the internet banking server when the user is inactive beyond the established time interval.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

  15. The service provider when providing remote/distant services via mobile banking and mobile applications must provide for the following:
  • conditions for user registration and identification with the service provider;
  • security rules and procedures for making payments using remote/distant service systems/mobile devices (preventing information transfer to third parties without user consent when exchanging and transmitting messages between the user and service providers; ensuring confidentiality when transmitting financial messages and payments);
  • taking necessary measures to protect user data;
  • access procedure for making payments;
  • other conditions established in paragraph 10 of this Regulation.

(In the edition of Resolution of the Board of the National Bank of KR dated December 14, 2022 No. 2022-P-14/78-5)

  16. All payments made via remote/distant services are considered confirmed and final (unconditional and irrevocable) from the moment of completing mutual settlements in the corresponding service provider system and conducting final settlements. For the user, a payment is considered irrevocable at the moment of receiving confirmation that the payment has been accepted for execution and/or receiving a confirming document on the completed transaction (issuing a receipt, receiving SMS confirmation, etc.), and final - at the moment of entering funds into the payment terminal's bill acceptor or deducting funds from the user's bank account or electronic wallet and simultaneously crediting to the recipient's account.

(In the edition of Resolutions of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14, December 14, 2022 No. 2022-P-14/78-5)

  17. The user may contest a transaction conducted in the remote/distant service system by submitting an application to the service provider in accordance with contract conditions. The service provider carries out transaction cancellation according to the regulations and procedures of the corresponding payment system, unless otherwise provided by contract conditions.
  18. The service provider is obliged to familiarize/inform the user with usage rules and tariffs for provided services before signing the contract or prior to the start of remote/distant services.

(In the edition of Resolution of the Board of the National Bank of KR dated June 19, 2019 No. 2019-P-12/32-3)

Chapter 5. Risk Management

  19. The service provider must monitor risks arising during operations and improve risk management policies for remote/distant services in accordance with National Bank regulatory legal acts.

(In the edition of Resolution of the Board of the National Bank of KR dated June 8, 2017 No. 2017-P-14/23-14)

  20. The service provider must develop and implement a comprehensive system for ensuring information security of remote/distant services.
  21. The information security system for remote/distant services must at least contain the following aspects:
  • identification and assessment of risks associated with providing remote/distant services;
  • determination of risk reduction measures, including the application of appropriate client identification technologies and internal control norms (verification of authenticity and validity of identification means);
  • determination of measures to protect client information from unauthorized access and ensure the integrity of such information;
  • assessment of measures for informing clients;
  • determination and assessment of limits for conducted transactions;
  • control of transaction execution within limits established for opening and making payments through remote/distant service systems;
  • monitoring of user actions.

(In the edition of Resolutions of the Board of the National Bank of KR dated June 19, 2019 No. 2019-P-12/32-3, December 14, 2022 No. 2022-P-14/78-5)

  22. The service provider must, as necessary, adjust and update its information security system in accordance with any changes in remote/distant service technology, upon detecting vulnerabilities in information systems, to ensure fraud prevention, confidentiality and integrity of information in case of external or internal threats.
  23. The service provider must submit information to the National Bank about violations and fraud cases in providing remote/distant services in accordance with established requirements of National Bank regulatory legal acts.
  24. The service provider must ensure timely updates and modernization of security systems according to approved internal procedures.
  25. To ensure identification of its users, the Service Provider must apply risk-reduction methodologies. The Service Provider must monitor, assess and implement new client identification technologies, and depending on the type of operation and access level, ensure implementation of corresponding changes in the client identification system based on existing risk factors. If risk assessment determines an insufficient security level when applying single-factor identification measures (e.g., password/code), providers should use multi-factor identification measures (e.g., password/code/one-time code, card number and personal identification number).