On approval of the Rules for providing electronic banking services by banks, branches of non-resident banks of the Republic of Kazakhstan and organizations engaged in certain types of banking operations

Updated Unofficial translation

Decree of the Board of the National Bank of the Republic of Kazakhstan dated August 31, 2016 No. 212. Registered with the Ministry of Justice of the Republic of Kazakhstan on October 18, 2016 No. 14337.

      Unofficial translation

      Footnote. Title - as amended by Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

      In accordance with sub-paragraphs 52-4) and 85) of part two of Article 15 of the Law of the Republic of Kazakhstan "On the National Bank of the Republic of Kazakhstan" and sub-paragraphs 10) and 25) of paragraph 1 of Article 4 of the Law of the Republic of Kazakhstan "On payments and payment systems", the Board of the National Bank of the Republic of Kazakhstan DECIDES:

      Footnote. The preamble as amended by the resolution of the Board of the National Bank of the Republic of Kazakhstan dated 17.09.2022 № 83 (shall be enforced ten calendar days after the date of its first official publication).

      1. To approve the attached Rules for providing electronic banking services by banks, branches of non-resident banks of the Republic of Kazakhstan and organizations engaged in certain types of banking operations (hereinafter- the Rules).

      Footnote. Paragraph 1 - as amended by Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

      2. Recognize invalid some of Decrees of the Board of the National Bank of the Republic of Kazakhstan, as well as the structural elements of some Decrees of the Board of the National Bank of the Republic of Kazakhstan according to the list in accordance with the Appendix to this Decree.

      3. The Department of Payment Systems (Ashykbekov Ye.T.) in the manner prescribed by the legislation of the Republic of Kazakhstan, shall ensure:

      1) together with the Legal Department (Sarsenova N.V.) the State Registration of this Decree with the Ministry of Justice of the Republic of Kazakhstan;

      2) direction of this Decree to the Republican State Enterprise on the Right of Economic Management "Republican Center for Legal Information of the Ministry of Justice of the Republic of Kazakhstan":

      for official publication in the Legal Information System "Adilet" within ten calendar days after its State Registration with the Ministry of Justice of the Republic of Kazakhstan;

      for inclusion in the State Register of Regulatory Legal Acts of the Republic of Kazakhstan, the Reference Control Bank of Regulatory Legal Acts of the Republic of Kazakhstan within ten calendar days from the date of its State Registration with the Ministry of Justice of the Republic of Kazakhstan;

      3) posting of this Decree on the official Internet resource of the National Bank of the Republic of Kazakhstan after its official publication.

      4. The Office for Protection of the Rights of Consumers of Financial Services and External Communications (Terentyev A.L.) to ensure the direction of this Decree for official publication in periodicals within ten calendar days after its State Registration with the Ministry of Justice of the Republic of Kazakhstan.

      5. The control over the implementation of this Decree shall be assigned to the Deputy Chairman of the National Bank of the Republic of Kazakhstan, Pirmatov G.O.

      6. This Decree shall be enforced upon expiry of ten calendar days after the day its first official publication, except for part two of Paragraph 6 and Paragraph 21 of the Rules, which shall come into force on June 1, 2017.

      Chairman
of the National Bank
D. Akishev

  Approved
by the Decree of the Board
of the National Bank of the
Republic of Kazakhstan
dated August 31, 2016 № 212

Rules for providing electronic banking services by banks, branches of non-resident banks of the Republic of Kazakhstan and organizations engaged in certain types of banking operations

      Footnote. Title - as amended by Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

Chapter 1. General Provisions

      1. These Rules for provision of electronic banking services by banks, branches of non-resident banks of the Republic of Kazakhstan and organizations engaged in certain types of banking operations (hereinafter – the Rules) are developed in accordance with the Laws of the Republic of Kazakhstan "On the National Bank of the Republic of Kazakhstan", "On banks and banking activities in the Republic of Kazakhstan" (hereinafter – the Law on banks and banking activities), "On electronic document and electronic digital signature" (hereinafter – the Law on electronic document), "On informatization" (hereinafter – the Law on informatization), "On payments and payment systems" (hereinafter – the Law on payments and payment systems) and determine the procedure for provision of electronic banking services by banks, branches of non-resident banks of the Republic of Kazakhstan and organizations engaged in certain types of banking operations (hereinafter – banks).

      The procedure for provision of electronic banking services by banks includes the provision of electronic banking services, security procedures, measures against unauthorized access, suspension and termination of the provision of electronic banking services, storage of electronic documents when providing electronic banking services.

      The Rules do not apply to services related to accepting payments using payment cards in favor of persons selling goods and services on the Internet (Internet acquiring).

      Footnote. Paragraph 1 - as amended by the resolution of the Board of the National Bank of the Republic of Kazakhstan dated 17.09.2022 № 83 (shall be enforced ten calendar days after the date of its first official publication).

      2. The Rules use the concepts provided by the laws on banks and banking activity, on electronic document, on informatization, on payments and payment systems, as well as the following concepts:

      1) authentication - confirmation of the authenticity and correctness of electronic document in accordance with the requirements of the security procedure;

      2) biometric identification - a procedure for establishing the identity of a client with the aim of unambiguously confirming his rights to receive electronic banking services based on his physiological and biological characteristics;

      3) one-time (single) code - a unique sequence of electronic digital symbols created by software and hardware at the request of the client and intended for one-time use when providing the client with access to electronic banking services;

      4) security procedure - a set of organizational measures and software and hardware information protection designed to identify the client in preparation, transmission and receipt of electronic documents in order to establish his rights to receive electronic banking services and detect errors and (or) changes in the content of transmitted and received electronic documents;

      5) a unique user identifier - a digital, alphabetic or other symbols code assigned by bank to the client to enter the bank system, which provides access to electronic banking services;

      6) password - a set of digital, alphabetic and other symbols created to confirm the rights to enter the bank system to receive electronic banking services;

      7) an identification data exchange center (IDEC) - an operational center of an interbank money transfer system providing interaction with banks to exchange customer data from available sources for conducting customer identification procedures;

      7-1) IDEC Rules - internal rules of the operational center of the interbank money transfer system, regulating provision of IDEC services to banks when carrying out customer identification procedures;

      8) dynamic identification - a procedure for establishing a customer’s identity with the aim of unambiguously confirming his rights to receive electronic banking services by using a one-time (single) code;

      9) electronic document - a document in which information is presented in electronic digital form and verified by identification means, compiled by the sender and not containing distortions and (or) changes made to it after compilation, in the manner prescribed by the Rules;

      10) electronic payment services - electronic banking services related to making payments and (or) money transfers, exchange operations with foreign currency using a bank account and other types of banking operations not related to information banking services.

      Footnote. Paragraph 2 is in the wording of the Decree of the Board of the National Bank of the Republic of Kazakhstan dated 27.08.2018 № 182 (shall be enforced upon expiry of ten calendar days after the day its first official publication); dated 30.11.2020 № 139 (shall be enforced from 16.12.2020).

Chapter 2. The provision of electronic banking services

      3. Electronic banking services shall be provided through remote access systems.

      4. When opening an Internet resource for provision of electronic banking services, the bank shall notify the National Bank of the Republic of Kazakhstan (hereinafter referred to as the National Bank) in any written form within ten business days after the day the Internet resource is opened.

      The notice contains:

      1) domain name and email address of the Internet resource;

      2) a list of electronic banking services provided through the Internet;

      3) confirmation that the bank has approved security procedures and information protection from unauthorized access when providing electronic banking services.

      5. If the domain name or electronic address of the Internet resource is changed, the Bank shall notify the National Bank in any written form within ten business days from the date of change.

      6. The Bank provides electronic banking services only for banking operations, which shall be provided for a license issued by an authorized state authority.

      Prior to provision of electronic banking services, the Bank shall provide the customer with information on amount of commission charged in monetary terms for the electronic banking services provided.

      When providing payment services through an electronic terminal, it is allowed to indicate the amount of the commission charged in monetary terms after the customer deposits cash to the terminal.

      Footnote. Paragraph 6 is in the wording of Decree of the Board of the National Bank of the Republic of Kazakhstan dated 22.12.2017 № 248 (shall be enforced upon expiry of ten calendar days after the day its first official publication).

      7. The Bank develops and approves procedures and takes measures to prevent the use of existing or implemented methods and technologies for providing electronic banking services in schemes for the legalization (laundering) of proceeds from crime and financing of terrorism.

      When providing electronic banking services, the bank applies the necessary measures provided for by the Law of the Republic of Kazakhstan "On countering the legalization (laundering) of proceeds from crime and financing of terrorism" (hereinafter referred to as the Law on countering the legalization (laundering) of proceeds from crime and financing of terrorism), and also ensures the implementation of the functions of an agent of currency control.

      Footnote. Paragraph 7 - as amended by the resolution of the Board of the National Bank of the Republic of Kazakhstan dated 17.09.2022 № 83 (shall be enforced ten calendar days after the date of its first official publication).

      8. Electronic banking services shall be provided through the use of identification tools provided by the Law on Payments and Payment Systems, in compliance with the procedure established by the Rules. The bank shall provide electronic banking services to the client using an electronic digital signature if the client has a registration certificate, issued by an accredited certification center of the Republic of Kazakhstan or a foreign certification center registered with a trusted third party of the Republic of Kazakhstan.

      9. Electronic banking services shall be provided to the client on the basis of an agreement on provision of electronic banking services or a banking service agreement containing a condition for provision of electronic banking services (hereinafter referred to as the agreement).

      10. The agreement contains the following conditions:

      1) a list of electronic banking services;

      2) procedure and maximum term for provision of electronic banking services;

      3) methods (method) of providing electronic banking services and gaining access to them (via the Internet, telecommunications, digital and information technologies, software and equipment or other devices);

      4) size of the fees charged or indication of the Internet resource containing information about them, and the procedure for their collection;

      5) procedure and deadlines for bank to provide confirmation of sending and (or) receiving electronic documents, on the basis of which electronic banking services were provided to the client;

      6) the rights and obligations of the parties;

      7) security procedures, as well as authentication and confirmation of client's rights to receive electronic banking services;

      8) responsibility of the parties for non-performance or improper performance of their obligations under the contract;

      9) grounds for suspension, termination of provision of electronic banking services, indicating the procedure and form for notifying the client;

      10) procedure for making claims and methods for resolving disputes arising from the provision of electronic banking services by the bank;

      11) contact telephones and addresses, including for contacting the bank on issues related to the provision of electronic banking services;

      12) condition of non-disclosure of information by the bank received from the client in provision of electronic banking services;

      13) the right of the client to terminate the contract;

      14) procedure for determining the exchange rate used in provision of electronic banking services in foreign currency.

      It is allowed to include in the contract other conditions not contained in this Paragraph.

      11. At the conclusion of the contract, the bank provides the client with information about electronic banking services.

      12. If the contract indicates a reference to an electronic document posted on the bank’s Internet resource and containing additional conditions to the contract, the bank provides the client with possibility of unhindered access to the specified electronic document during the term of contract.

      13. If the bank provides electronic banking services via the Internet, the procedure and conditions for provision of electronic banking services shall be determined by the bank’s internal documents, which shall be posted on the bank’s Internet resource.

      14. Electronic payment services shall be provided to legal entities using the following identification methods: electronic digital signature, dynamic identification, biometric identification of their authorized persons.

      Footnote. Paragraph 14 is in the wording of Decree of the Board of the National Bank of the Republic of Kazakhstan dated 28.11.2019 № 221 (shall be enforced upon expiry of ten calendar days after the day its first official publication).
      15. Is excluded by Decree of the Board of the National Bank of the Republic of Kazakhstan dated 28.11.2019 № 221 (shall be enforced upon expiry of ten calendar days after the day its first official publication).

      16. Electronic payment services shall be provided to individuals using one of the following identification methods: electronic digital signature, dynamic identification, biometric identification or unique user identifier and password.

      17. When using dynamic identification to receive electronic payment services by individuals and legal entities, a one-time (single) code shall be created by the bank and sent to the client in accordance with the terms of the agreement concluded between them.

      The client may use a device generating a one-time (single) code to receive electronic payment services. The device generating a one-time (single) code shall be assigned to a specific authorized person of a legal entity to perform certain operations specified by him within his authority.

      It shall be allowed to use one device generating a one-time (single) code by one authorized person of several affiliated legal entities that are serviced in one bank on the basis of the relevant authorizing documents. These powers are granted in accordance with paragraph 47 of the Rules for opening, managing and closing customer bank accounts, approved by Resolution № 207 of the Board of the National Bank of the Republic of Kazakhstan dated August 31, 2016, registered in the Register of State Registration of Regulatory Legal Acts under № 14422.

      The device generating a one-time (single) code shall be used by entering a personal identification number into it and indicating a set of other identification means (unique user identifier, password) when accessing the services.

      The authorized person of a legal entity shall not be allowed to use the device generating a one-time (single) code belonging to another authorized person.

      Footnote. Paragraph 17 - as amended by Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

      18. When using dynamic identification for each access to electronic payment services, the creation of a new one-time (single) code shall be required.

      When the client re-accesses electronic payment services, the creation and use of a new one-time (single) code shall be required.

      19. Information banking services shall be provided using one of the following identification methods: electronic digital signature, dynamic identification, biometric identification, or unique identifier and password. The password shall be used on a multiple basis or changed at the request of the client.

      20. The use of a unique user identifier and password specified in the bank system for access to electronic payment services shall not be recognized as a dynamic identification.

      21. It is allowed for the client to receive electronic banking services through the remote access system of a third-party payment service provider.

      In order for a client to receive electronic banking services from a third-party payment service provider, the bank servicing the client's bank account provides the third-party payment service provider with access to the bank account and client information.

      When providing electronic banking services, a third-party payment service provider ensures compliance with the requirements established by the Law on Payments and Payment Systems and the Rules.

      22. It is allowed to transfer the bank to third parties on the basis of an agreement on the provision of services for provision of information technology functions necessary for provision of electronic banking services (hereinafter referred to as the outsourcing agreement). The outsourcing procedure for provision of electronic banking services shall be determined by the internal documents of the bank and the outsourcing agreement and shall be carried out in accordance with the requirements of Paragraphs 16, 17 of Article 13 of the Law on Payments and Payment Systems.

Chapter 2-1. Features of use of IDEC services when providing services remotely

      Footnote. The Rules are supplemented by Chapter 2-1 in accordance with the Decree of the Board of the National Bank of the Republic of Kazakhstan dated 27.08.2018 № 182 (shall be enforced upon expiry of ten calendar days after the day its first official publication).

      22-1. When providing electronic banking services, business relations with a client shall be established remotely in accordance with the Requirements for the due diligence of customers in the event of remote establishment of business relations by financial monitoring entities approved by the Decree of the National Bank of the Republic of Kazakhstan dated June 29, 2018, № 140, registered in the State Register Registration of Regulatory Legal Acts under № 17250.

      22-2. It shall be allowed to avail of the IDEC services to identify a client with the use of biometric identification means when establishing business relations with a client remotely, as well as when providing a client with electronic banking services.

      Footnote. Paragraph 22-2 - as amended by Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

      22-3. In the case referred to in paragraph 22-2 of the Rules, basing on the client's consent to the collection, processing, storage and presentation, including, if necessary, to third parties, of his personal data, confirmed through identification means, the bank shall conduct with the client using the client's devices and (or) other devices of the bank a videoconference session or apply the technology of detecting the movement of the client. The content of the videoconference session (the list of check questions, if any), as well as the list and scope of services provided by banks for remote identification of clients, shall be established by the banks independently.

      The bank shall transmit to the IDEC the individual or business identification number of the client and the video image of the client obtained from the videoconference session or through the technology of detecting the movement of the interviewee in the process of remote identification.

      Using the software the IDEC determines the degree of compliance with biometric parameters of the photo image obtained from a video conference session or using the technology of detecting the client's movement, with the client's photo image from available sources. Video recordings of customer requests shall be stored in the bank.

      Footnote. Paragraph 22-3 - as amended by Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

      22-4. IDEC shall be allowed to provide additional services to banks for identifying the client, as prescribed by the IDEC Rules. The IDEC rules shall be posted on the IDEC official website.

      Footnote. The Rules supplemented by paragraph 22-4 in accordance with Resolution № 139 of the Board of the National Bank of the Republic of Kazakhstan dated 30.11.2020 (shall be enforced from 16.12.2020).

      22-5. When the bank provides electronic banking services, the bank uses a system and (or) software and hardware that automates the process of countering unauthorized payments and (or) money transfers.

      Footnote. The Rules as added by the paragraph 22-5 in accordance with the resolution of the Board of the National Bank of the Republic of Kazakhstan dated 23.10.2023 № 84 (shall enter into force from 01.01.2024).

Chapter 3. Security procedures

      23. The provision of electronic banking services by the bank shall be carried out in accordance with the security procedures established by the bank’s internal documents and the agreement.

      24. Security procedures provide:

      1) reliable identification of the client and his right to receive appropriate electronic banking services;

      2) detecting the presence of distortions and (or) changes in the content of electronic documents, on the basis of which electronic banking services shall be provided to the client;

      3) protection against unauthorized access to information constituting a bank secrecy, and the integrity of this information.

      25. The provision of electronic banking services shall be authorized if the client performs security procedures established by the bank’s internal documents and the agreement.

      26. The bank provides storage of confirmation of sending and (or) receiving messages, on the basis of which electronic banking services shall be provided to the client.

      27. At the client’s request, the bank provides him with confirmation of sending and (or) receiving electronic documents confirming the provision (receipt) of electronic banking services in the manner and terms stipulated by the contract.

      28. It is allowed to provide electronic banking services to an individual, as well as information banking services to a legal entity by telephone without using an identification tool based on the application of security procedures established by the bank’s internal documents and the agreement.

      When an electronic payment service shall be provided to an individual by telephone, the bank has a confirmation of the initiation of a payment service by the individual customer, received in accordance with the security procedures established by the bank’s internal documents and the agreement.

      Footnote. Paragraph 28 is in the wording of the Decree of the Board of the National Bank of the Republic of Kazakhstan dated 27.08.2018 № 182 (shall be enforced upon expiry of ten calendar days after the day its first official publication).

Chapter 4. Unauthorized Access Measures

      29. Upon detection of unauthorized access to information constituting bank secrecy, its unauthorized change, making an unauthorized payment and (or) transferring money and other unauthorized actions, the bank shall notify the client in respect of which such actions were taken no later than the next business day after they shall be discovered.

      30. In the event of unauthorized actions specified in Paragraph 29 of the Rules, the bank immediately takes all necessary measures to eliminate their consequences and prevent their assumption in the future.

Chapter 5. Suspension and termination of electronic banking services

      31. The Bank suspends or terminates the provision of electronic banking services to the client in the following cases:

      1) violation by the client of procedure and conditions for obtaining electronic banking services provided by the contract;

      2) malfunctions of technical means providing electronic banking services;

      3) on other grounds provided by the Laws On Banks and Banking Activity, On Payments, and Payment Systems, on CLPFT, the Civil Code, of the Republic of Kazakhstan (Special Part) of December 27, 1994 and the contract.

      32. In the event of suspension or termination of provision of electronic banking services on the grounds provided by Paragraph 31 of the Rules, the bank shall notify the client in the manner and terms established by the contract, with the exception of cases of suspension or termination of provision of electronic banking services provided by Subparagraph 3) of Paragraph 31 of the Rules.

      33. Upon elimination of reasons that led to suspension of the client’s right to receive electronic banking services, the bank resumes the provision of electronic banking services to the client with subsequent notification in writing or in electronic form, with the exception of cases of suspension or termination of the provision of electronic payment services provided by Subparagraph 3) of Paragraph 31 of the Rules.

Chapter 6. Storage of electronic documents in provision of electronic banking services

      34. Electronic documents shall be stored in the format in which they were generated, sent or received in compliance with their integrity and invariability and do not require printing or other display of the contents of electronic document on paper for storage.

      35. The procedure and terms of storage of electronic documents shall be determined by the bank’s internal documents developed in accordance with the Law on Payments and Payment Systems and the Law on CLPFT.

  Appendix
to Decree of the Board
of the National Bank of the
Republic of Kazakhstan
dated August 31, 2016 № 212

List
of some Decrees of the Board of the National Bank of the Republic of Kazakhstan,
as well as the structural elements of some of the Decrees of the Board of the National Bank
of the Republic of Kazakhstan, recognized as invalid

      1. Decree of the Board of the National Bank of the Republic of Kazakhstan dated April 21, 2000 № 146 “On Approval of the Rules for Exchange of Electronic Documents when Making Payments and Money Transfers in the Republic Kazakhstan” (registered in the Register of State Registration of Regulatory Legal Acts under № 1148, published on July 14, 2000 in the newspaper "Yuridicheskaya Gazeta" № 31).

      2. Decree of the Board of the National Bank of the Republic of Kazakhstan dated July 4, 2003 № 228 “On Amendments and Additions to the Decree of the Board of the National Bank of the Republic of Kazakhstan dated April 21, 2000 № 146 “On Approval of the Rules for Exchange of Electronic Documents when Making Payments and Money Transfers in the Republic Kazakhstan”, registered with the Ministry of Justice of the Republic of Kazakhstan under № 1148” (registered in the Register of State Registration of Regulatory Legal Acts under № 2434).

      3. Decree of the Board of the National Bank of the Republic of Kazakhstan dated March 28, 2008 № 18 “On Approval of the Rules for Provision by Second-Tier Banks and Organizations Engaged in Certain Types of Banking Operations of Electronic Banking Services” (registered in the Register of State Registration of Regulatory Legal Acts under № 5189, published May 23, 2008 in the newspaper “Yuridicheskaya Gazeta” № 77 (1477).

      4. Paragraph 3 of the List of Decrees of the Board of the National Bank of the Republic of Kazakhstan, which is amended and supplemented, which is an Appendix to Decree of the Board of the National Bank of the Republic of Kazakhstan dated August 24, 2009 № 85 “On Amendments and Additions to Some Decrees of the Board of the National Bank of the Republic of Kazakhstan” (registered in the Register of State Registration of Regulatory Legal Acts under № 5806, published on October 30, 2009 in the newspaper “Yuridicheskaya Gazeta” № 166 (1763).

      5. Paragraph 3 of the List of Changes and Additions that are made to Some Decrees of the Board of the National Bank of the Republic of Kazakhstan on the issues of making payments and money transfers, which is an Appendix to the Decree of the Board of the National Bank of the Republic of Kazakhstan dated May 30, 2011 № 52 “On Amendments and Additions to Some Decrees of the Board of the National Bank of the Republic of Kazakhstan on the issues of making payments and money transfers” (registered in the Register of State Registration of Regulatory Legal Acts under № 7080, published on August 3, 2011 in the newspaper “Yuridicheskaya Gazeta” № 110 (2100).

      6. Paragraphs 1 and 7 of the List of Regulatory Legal Acts on the issues of making payments and money transfers, which are amended and supplemented, which is an appendix to Resolution of the National Bank of the Republic of Kazakhstan dated April 26, 2013 № 117 “On Amendments and Additions to Some Regulatory Legal Acts on issues of making payments and money transfers” (registered in the Register of State Registration of Regulatory Legal Acts under № 8513, published July 23, 2013 in the newspaper “Yuridicheskaya Gazeta” № 107 (2482).

      7. Paragraphs 1 and 7 of the List of Regulatory Legal Acts of the Republic of Kazakhstan, which are amended and supplemented, approved by the Decree of the Board of the National Bank of the Republic of Kazakhstan dated August 27, 2014 № 168 “On Amendments and Additions to Some Regulatory Legal Acts of the Republic of Kazakhstan” (registered in the Register of State Registration of Regulatory Legal Acts under № 9796, published on November 12, 2014 in the Legal Information System "Adilet" of the Republican State Enterprise on the Right of Economic Management "Republican Legal Information Center of the Ministry of Justice of the Republic of Kazakhstan").

If you found any error on the page, please highlight a word or a phrase and then press «Ctrl+Enter» key combination

 

On-page search

Enter text to search

Hint: Browser has internal on-page search. It works faster and is usually activated by pressing ctrl-F.