Kazakhstan’s business banks are more and more providing enticing super-applications with handy capabilities that transcend conventional monetary companies for the nation’s 21 million residents With the assistance of a financial institution utility, Kazakhstan’s residents purchase crucial items, discover required specialists, and even obtain authorities companies.
For safety functions, super-applications have switched to figuring out the non-public knowledge and biometric imprints of residents to hurry up the method of coming into the appliance and confirming the approval of operations. However there’s a hole between the fast growth of digital ecosystems and the present legislative regulation, elevating questions relating to the extent of safety of customers’ rights.
The Energy of One Button
In October 2023, Aidos Edil, a photographer in Astana, acquired an unofficial name from a consultant of Kaspi, Kazakhstan’s dominant fintech big. The demand was easy: delete a satirical 9-second TikTok video generated utilizing AI that mocked the financial institution’s lending practices and talked about its CEO, Mikhail Lomtadze. When Aidos refused, his Kaspi account was abruptly blocked with out rationalization.
For Edil, the results have been rapid and paralyzing. In a rustic the place Kaspi serves because the “working system” for every day life – integrating banking, e-commerce, and authorities companies – a blocked account means whole exclusion from the trendy economic system.
“It seems I’ve develop into dependent,” Aidos instructed Radio Azattyq, RFE/RL’s Kazakh Service, describing how he was compelled to borrow money simply to purchase groceries. Kaspi solely restored his entry after the story sparked a large backlash on social media.
This incident highlights a rising disaster in Central Asia’s most superior digital economic system. With 13.5 million customers in a nation of 21 million, Kaspi has moved past conventional banking to develop into a bit of essential social infrastructure. But Kazakhstan’s regulatory framework stays dangerously permissive.
The Company for Regulation and Growth of the Monetary Market confirmed that business banks “independently decide inside procedures” for refusing companies, successfully granting non-public companies the ability of extrajudicial punishment.
As Kazakhstanis entrust their biometric knowledge and monetary lives to those all-encompassing super-apps, the road between client comfort and company surveillance blurs. The fast evolution of fintech has outpaced legislative protections, elevating a elementary geopolitical and moral query: can a citizen actually be free when their entry to society may be revoked by a single button in a non-public boardroom?
Tremendous-Apps and the Phantasm of Selection
The rise of Kazakhstan’s fintech sector is outlined by an aggressive shift towards “super-apps.” Main this cost is Kaspi.kz, a NASDAQ-listed big valued at over $16 billion. Kaspi CEO Mikhail Lomtadze famously described the platform as a mix of Amazon, Reserving.com, and Instacart. The platform’s dominance reached a geopolitical milestone in April 2026, when the Chinese language conglomerate Tencent – creator of WeChat, the world’s most profitable super-app – acquired a 3.2 p.c stake in Kaspi.kz for roughly $518 million. This partnership signaled a deeper alignment between Kazakhstan’s digital infrastructure and the Chinese language “all-in-one” enterprise mannequin.
Nonetheless, this comfort comes with a systemic erosion of client autonomy. The market is now a battleground of ecosystems, together with Halyk Financial institution and Timur Turlov’s Freedom Financial institution, the latter of which is aggressively increasing throughout Central Asia. These platforms share a standard technique: the usage of “adhesion contracts.” Underneath Article 389 of Kazakhstan’s Administrative Code, these agreements are non-negotiable; a citizen should both settle for each company situation or stay excluded from important digital companies.
The moral implications are most seen in Freedom Financial institution’s knowledge insurance policies, which permit the sharing of shopper data, together with geolocation and video surveillance, with 27 completely different authorized entities with out requiring additional notification to the consumer. Equally, Kaspi’s agreements make the most of “dynamic consent,” the place the financial institution can unilaterally change guidelines. Continued use of the app after such adjustments constitutes automated acceptance of the brand new phrases.
Freedom Financial institution and Kaspi didn’t reply to The Diplomat’s requests for remark relating to their insurance policies.
Raushan Omarova, a senior legislation lecturer at Maqsut Narikbayev College, described this as “legalized coercion.” When a digital settlement turns into a compulsory gateway to fundamental monetary life, the “settle for” button ceases to be a voluntary alternative. Moreover, these contracts grant banks absolute discretion to dam entry to the whole ecosystem. For customers like Alexandra Kelyatrishvili, whose card was blocked with out warning or clear recourse, the fact of the super-app period is a profound lack of transparency.
Regardless of regulatory claims that banks should safeguard “financial institution secrets and techniques,” present contracts present no particular timeframes for resolving disputes or mechanisms for pressing assessment by a impartial third occasion, leaving the patron completely depending on a company algorithm.
The Dangers of Centralization and a Biometric Lure
As Kazakhstan aggressively digitizes its public and monetary sectors, the focus of delicate knowledge has created a precarious “single level of failure,” mentioned cybersecurity specialist Artem Tarasov. In the present day, Kazakhstani residents use biometric knowledge to entry every little thing from authorities companies to non-public banking apps, together with superior methods like Kaspi Alaqan, which identifies customers by the vein patterns of their palms. Whereas Kaspi CEO Lomtadze pitched this as the final word comfort – eliminating the necessity for playing cards, telephones, and even web entry – Tarasov warned of a “honeypot impact.” By aggregating the monetary lives, motion historical past, and biometric markers of thousands and thousands right into a single middle, these platforms develop into high-value targets for catastrophic national-scale identification theft.
The moral core of this centralization is the permanence of biometric knowledge. Not like a password, palm prints and facial constructions can’t be modified if leaked. Tarasov warned that whereas a “digital twin” stays a future menace, faking biometrics is a believable situation if protections are breached. Moreover, the business lacks an “impartial exterior audit” to confirm company guarantees relating to the “proper to be forgotten.” Regardless of claims that knowledge is deleted upon request, the fact of duplicated backup servers makes irreversible erasure practically unimaginable to substantiate.
Legally, the burden of danger is closely tilted in opposition to the patron. Agreements from main gamers like ForteBank explicitly disclaim duty for “misplaced knowledge” or “injury to enterprise status” ensuing from system failures or unauthorized entry.
Digital rights specialist Dana Malikova-Buralkieva famous that 70 p.c of information leaks originate from inside moral failures somewhat than exterior hacks, but platforms typically use “authorized tips” — corresponding to symbolic compensation limits of 1,000 tenge — to evade accountability in courtroom.
This regulatory vacuum stands in stark distinction to worldwide requirements just like the EU’s Digital Operational Resilience Act (DORA) or Singapore’s platform supervision. In Kazakhstan, the fast evolution of fintech has outpaced the legislation, main President Kassym-Jomart Tokayev to warn that the non-public knowledge of thousands and thousands “isn’t just a business asset; it’s a direct difficulty of nationwide safety.”
As the federal government goals to construct extra knowledge facilities, the problem stays: guaranteeing that the comfort of economic ecosystems doesn’t evolve right into a “digital dictatorship” the place a citizen’s distinctive identification is a everlasting, susceptible entry in a non-public company database
Failures in Shopper Safety
The basic distinction between Kazakhstan’s fintech panorama and Western monetary methods lies not within the “proper to dam,” however in what occurs after a service is suspended. In the USA and European Union, banks additionally possess the authority to terminate contracts at will, primarily to fight cash laundering. Nonetheless, these actions are ruled by strict procedural safeguards that presently don’t exist in Kazakhstan.
Within the U.S., Regulation “E” requires banks to analyze disputed transactions inside 10 enterprise days and sometimes present short-term credit score to the shopper, successfully shifting the burden of proof onto the monetary establishment. Equally, the EU’s Second Cost Companies Directive (PSD2) mandates the rapid return of unauthorized funds. Moreover, the UK’s Monetary Conduct Authority (FCA) and the EU’s Synthetic Intelligence Act (2024) require transparency relating to algorithmic choices, granting residents the fitting to a human assessment and an evidence for automated blocks.
In stark distinction, Kazakhstan’s regulatory atmosphere gives nearly no recourse for the person. When Aidos Edil appealed the blocking of his account – an motion the financial institution claimed was a preemptive strike in opposition to “deepfake” expertise – state establishments just like the Nationwide Financial institution and the Monetary Monitoring Company declined to intervene. Their official stance confirmed a permissive establishment: business banks have the “proper to voluntarily enter right into a contract” and independently decide inside danger administration procedures. This hands-off method leaves residents in a authorized impasse; whereas anti-money laundering legal guidelines prohibit banks from “informing” purchasers of lively investigations, this rule is commonly weaponized to keep away from explaining moral overreaches or technical errors.
Monetary professional Ayagoz Khanet famous that this imbalance permits “human components” and strict inside compliance to exceed moral boundaries with out consequence. And not using a mandate for a 30- or 60-day warning interval for non-fraudulent terminations, a normal requirement in the UK and United States, Kazakhstani customers are left completely susceptible. Presently, there isn’t any state physique for the pressing assessment of groundless blocks, nor a mechanism for the short-term restoration of funds.
On this atmosphere, social media has develop into the one efficient regulator. As seen in Aidos Edil’s case, banks typically act solely when reputational strain outweighs their unchecked administrative energy. For the thousands and thousands depending on super-apps, the dearth of a impartial third occasion to mediate disputes stays the best impediment to true digital freedom in Kazakhstan.
