This document defines key processes and control mechanisms aimed at preventing fraudulent activities in the payment sector.
The new rules will come into effect 15 days after their official publication, except for certain provisions that will take effect on March 1, 2026.
The Legal Department of the NBKR has been instructed to publish the text of the document on the regulator's website within three working days and to submit it to the Ministry of Justice for inclusion in the registry of regulatory legal acts.
The Methodology Supervision Department must also ensure the dissemination of information about this resolution among payment system operators, payment organizations, and the Association of Payment System Operators KG. Additionally, the "Board Secretariat" will notify internal divisions and territorial offices, including the NBKR representation in the Batken region.
The responsibility for monitoring the implementation of the resolution is assigned to the Board member responsible for methodology supervision.
Regulation REGULATION
on minimum requirements for the system of countering internal and external fraud in payment organizations and payment system operators of the Kyrgyz Republic
Chapter 1. General Provisions
This Regulation serves as the primary tool for combating fraud in the information systems of payment organizations and payment system operators, including cases where counter-fraud algorithms do not meet the requirements of the Regulation. It applies to all payment organizations and system operators operating under a license from the NBKR. Payment organizations and operators must establish and effectively operate fraud prevention systems that take into account the scale and nature of their activities. The counter-fraud systems must protect the interests of service users. Chapter 2. Policy and Organizational Measures
The payment organization and operator are required to develop and approve a Fraud Prevention Policy, which may be a separate document or part of an overall risk management policy. The main elements of the Policy should include:
- management commitments to protect customers from fraud;
- principles of early detection and prevention of fraudulent activities;
- procedures for applying automated response measures to fraud cases;
- employee accountability measures for improper performance of fraud prevention duties.
Chapter 3. Technical Implementation of Anti-Fraud Control
Payment organizations and operators must implement systems for monitoring and assessing fraud risk when using remote services. These systems can be implemented as separate modules or integrated into existing automated systems. The systems must ensure:
- basic operation checks;
- comparison with typical behavioral patterns;
- blocking suspicious operations based on pre-established criteria.
Chapter 4. Risk Categorization and Incident Actions
The system must assess the fraud risk for each operation, assigning one of three risk levels: - low risk: the operation is safe;
- medium risk: the operation raises suspicions;
- high risk: the operation is fraudulent.
Operations with medium risk must be verified, and the results of the verification must be documented. Payment organizations are required to maintain a register of prohibited identifiers used in fraudulent operations.
This register must include phone numbers, QR code IDs, and other attributes related to fraud.
Chapter 5. Signs of Fraudulent Operations
When assessing fraud risk, criteria defining suspicious operations must be used. The criteria may include:
- anomalous frequency of operations;
- group anomalous activity;
- unusual transaction amounts;
- unusual geographical location;
- transaction times atypical for the client;
- multiple failed login attempts and other factors.
The payment organization has the right to suspend operations for up to 30 days upon detecting suspicious actions. It is necessary to provide clients with the ability to report fraud through available channels.
Chapter 7. Maintaining a List of Identifiers
All operations with prohibited identifiers must be declined with notification to the client. Chapter 8. Evaluation of Anti-Fraud System Effectiveness
Payment organizations must develop systems for monitoring the effectiveness of fraud prevention measures. Chapter 9. Testing System Responsibilities
Regular stress testing of fraud prevention systems is mandatory to assess their effectiveness and resilience to new threats. The results of the testing must be documented and submitted to the NBKR.
