Kazakhstan’s business banks are more and more providing enticing super-applications with handy capabilities that transcend conventional monetary providers for the nation’s 21 million residents With the assistance of a financial institution utility, Kazakhstan’s residents purchase crucial items, discover required specialists, and even obtain authorities providers.
For safety functions, super-applications have switched to figuring out the private information and biometric imprints of residents to hurry up the method of getting into the appliance and confirming the approval of operations. However there’s a hole between the fast growth of digital ecosystems and the prevailing legislative regulation, elevating questions relating to the extent of safety of customers’ rights.
The Energy of One Button
In October 2023, Aidos Edil, a photographer in Astana, obtained an unofficial name from a consultant of Kaspi, Kazakhstan’s dominant fintech large. The demand was easy: delete a satirical 9-second TikTok video generated utilizing AI that mocked the financial institution’s lending practices and talked about its CEO, Mikhail Lomtadze. When Aidos refused, his Kaspi account was abruptly blocked with out rationalization.
For Edil, the results had been fast and paralyzing. In a rustic the place Kaspi serves because the “working system” for every day life – integrating banking, e-commerce, and authorities providers – a blocked account means whole exclusion from the fashionable financial system.
“It seems I’ve turn into dependent,” Aidos advised Radio Azattyq, RFE/RL’s Kazakh Service, describing how he was pressured to borrow money simply to purchase groceries. Kaspi solely restored his entry after the story sparked a large backlash on social media.
This incident highlights a rising disaster in Central Asia’s most superior digital financial system. With 13.5 million customers in a nation of 21 million, Kaspi has moved past conventional banking to turn into a chunk of important social infrastructure. But Kazakhstan’s regulatory framework stays dangerously permissive.
The Company for Regulation and Growth of the Monetary Market confirmed that business banks “independently decide inside procedures” for refusing providers, successfully granting personal firms the facility of extrajudicial punishment.
As Kazakhstanis entrust their biometric information and monetary lives to those all-encompassing super-apps, the road between shopper comfort and company surveillance blurs. The fast evolution of fintech has outpaced legislative protections, elevating a basic geopolitical and moral query: can a citizen actually be free when their entry to society will be revoked by a single button in a non-public boardroom?
Tremendous-Apps and the Phantasm of Alternative
The rise of Kazakhstan’s fintech sector is outlined by an aggressive shift towards “super-apps.” Main this cost is Kaspi.kz, a NASDAQ-listed large valued at over $16 billion. Kaspi CEO Mikhail Lomtadze famously described the platform as a mix of Amazon, Reserving.com, and Instacart. The platform’s dominance reached a geopolitical milestone in April 2026, when the Chinese language conglomerate Tencent – creator of WeChat, the world’s most profitable super-app – acquired a 3.2 p.c stake in Kaspi.kz for about $518 million. This partnership signaled a deeper alignment between Kazakhstan’s digital infrastructure and the Chinese language “all-in-one” enterprise mannequin.
Nevertheless, this comfort comes with a systemic erosion of shopper autonomy. The market is now a battleground of ecosystems, together with Halyk Financial institution and Timur Turlov’s Freedom Financial institution, the latter of which is aggressively increasing throughout Central Asia. These platforms share a typical technique: using “adhesion contracts.” Underneath Article 389 of Kazakhstan’s Administrative Code, these agreements are non-negotiable; a citizen should both settle for each company situation or stay excluded from important digital providers.
The moral implications are most seen in Freedom Financial institution’s information insurance policies, which permit the sharing of consumer data, together with geolocation and video surveillance, with 27 completely different authorized entities with out requiring additional notification to the consumer. Equally, Kaspi’s agreements make the most of “dynamic consent,” the place the financial institution can unilaterally change guidelines. Continued use of the app after such modifications constitutes computerized acceptance of the brand new phrases.
Freedom Financial institution and Kaspi didn’t reply to The Diplomat’s requests for remark relating to their insurance policies.
Raushan Omarova, a senior regulation lecturer at Maqsut Narikbayev College, described this as “legalized coercion.” When a digital settlement turns into a compulsory gateway to primary monetary life, the “settle for” button ceases to be a voluntary selection. Moreover, these contracts grant banks absolute discretion to dam entry to your entire ecosystem. For customers like Alexandra Kelyatrishvili, whose card was blocked with out warning or clear recourse, the fact of the super-app period is a profound lack of transparency.
Regardless of regulatory claims that banks should safeguard “financial institution secrets and techniques,” present contracts present no particular timeframes for resolving disputes or mechanisms for pressing evaluate by a impartial third celebration, leaving the patron totally depending on a company algorithm.
The Dangers of Centralization and a Biometric Entice
As Kazakhstan aggressively digitizes its public and monetary sectors, the focus of delicate information has created a precarious “single level of failure,” stated cybersecurity specialist Artem Tarasov. Right now, Kazakhstani residents use biometric information to entry all the things from authorities providers to personal banking apps, together with superior techniques like Kaspi Alaqan, which identifies customers by the vein patterns of their palms. Whereas Kaspi CEO Lomtadze pitched this as the last word comfort – eliminating the necessity for playing cards, telephones, and even web entry – Tarasov warned of a “honeypot impact.” By aggregating the monetary lives, motion historical past, and biometric markers of thousands and thousands right into a single middle, these platforms turn into high-value targets for catastrophic national-scale id theft.
The moral core of this centralization is the permanence of biometric information. In contrast to a password, palm prints and facial buildings can’t be modified if leaked. Tarasov warned that whereas a “digital twin” stays a future menace, faking biometrics is a believable situation if protections are breached. Moreover, the trade lacks an “unbiased exterior audit” to confirm company guarantees relating to the “proper to be forgotten.” Regardless of claims that information is deleted upon request, the fact of duplicated backup servers makes irreversible erasure almost unimaginable to verify.
Legally, the burden of threat is closely tilted in opposition to the patron. Agreements from main gamers like ForteBank explicitly disclaim duty for “misplaced information” or “injury to enterprise popularity” ensuing from system failures or unauthorized entry.
Digital rights specialist Dana Malikova-Buralkieva famous that 70 p.c of knowledge leaks originate from inside moral failures moderately than exterior hacks, but platforms typically use “authorized methods” — resembling symbolic compensation limits of 1,000 tenge — to evade accountability in courtroom.
This regulatory vacuum stands in stark distinction to worldwide requirements just like the EU’s Digital Operational Resilience Act (DORA) or Singapore’s platform supervision. In Kazakhstan, the fast evolution of fintech has outpaced the regulation, main President Kassym-Jomart Tokayev to warn that the private information of thousands and thousands “is not only a business asset; it’s a direct situation of nationwide safety.”
As the federal government goals to construct extra information facilities, the problem stays: making certain that the comfort of monetary ecosystems doesn’t evolve right into a “digital dictatorship” the place a citizen’s distinctive id is a everlasting, weak entry in a non-public company database
Failures in Shopper Safety
The elemental distinction between Kazakhstan’s fintech panorama and Western monetary techniques lies not within the “proper to dam,” however in what occurs after a service is suspended. In the USA and European Union, banks additionally possess the authority to terminate contracts at will, primarily to fight cash laundering. Nevertheless, these actions are ruled by strict procedural safeguards that at present don’t exist in Kazakhstan.
Within the U.S., Regulation “E” requires banks to research disputed transactions inside 10 enterprise days and infrequently present short-term credit score to the consumer, successfully shifting the burden of proof onto the monetary establishment. Equally, the EU’s Second Cost Companies Directive (PSD2) mandates the fast return of unauthorized funds. Moreover, the UK’s Monetary Conduct Authority (FCA) and the EU’s Synthetic Intelligence Act (2024) require transparency relating to algorithmic selections, granting residents the best to a human evaluate and an evidence for automated blocks.
In stark distinction, Kazakhstan’s regulatory setting presents virtually no recourse for the person. When Aidos Edil appealed the blocking of his account – an motion the financial institution claimed was a preemptive strike in opposition to “deepfake” know-how – state establishments just like the Nationwide Financial institution and the Monetary Monitoring Company declined to intervene. Their official stance confirmed a permissive established order: business banks have the “proper to voluntarily enter right into a contract” and independently decide inside threat administration procedures. This hands-off method leaves residents in a authorized impasse; whereas anti-money laundering legal guidelines prohibit banks from “informing” shoppers of lively investigations, this rule is commonly weaponized to keep away from explaining moral overreaches or technical errors.
Monetary skilled Ayagoz Khanet famous that this imbalance permits “human components” and strict inside compliance to exceed moral boundaries with out consequence. With no mandate for a 30- or 60-day warning interval for non-fraudulent terminations, a regular requirement in the UK and United States, Kazakhstani customers are left totally weak. Presently, there isn’t any state physique for the pressing evaluate of groundless blocks, nor a mechanism for the short-term restoration of funds.
On this setting, social media has turn into the one efficient regulator. As seen in Aidos Edil’s case, banks typically act solely when reputational stress outweighs their unchecked administrative energy. For the thousands and thousands depending on super-apps, the dearth of a impartial third celebration to mediate disputes stays the best impediment to true digital freedom in Kazakhstan.
