Kazakhstan’s Agency for Regulation and Development of the Financial Market, together with the National Bank, has approved new rules on biometric authentication. The regulation mandates verification through the Identification Data Exchange Center (IDEC) for banks, microfinance institutions and payment organizations.
In addition to facial recognition, the rules allow the use of palmprint identification. Verified client images with a high match score will be automatically added to the National Biometric Authentication System (NBAS).
Implementation timeline and scope
The new regulation takes effect July 12, 2026. It applies to all financial and payment institutions and significantly expands requirements for remote and online transactions.
When biometric verification is required
Banks, including branches of foreign lenders and institutions providing individual banking services, must use IDEC in the following cases:
- Remote account opening.
- Issuance of an electronic digital signature, if the client has not previously undergone biometric verification in person or through the centralized information system.
- Loan issuance above thresholds set by the regulator.
- First-time client registration via a mobile app or website.
- Periodic updates of client data in line with anti-money laundering requirements.
- Other cases defined in internal compliance policies.
Microfinance institutions will also be required to use IDEC when issuing loans above regulatory thresholds.
How the verification process works
Biometric authentication will be conducted using two methods.
The first is facial recognition, performed via a smartphone or computer camera, either online or offline. The system will confirm «liveness» by prompting the user to complete at least three actions, such as turning their head or blinking.
If verification fails, the process is repeated. After three unsuccessful attempts, the verification is deemed unsuccessful.
If successful, the client’s photo and identification data are sent to IDEC for comparison with reference images stored in government databases or NBAS. All results are recorded in electronic documents and secured with a digital signature.
Palmprint authentication as alternative
The second method uses palmprint recognition, which is conducted offline only. The system scans for characteristics such as hand volume, temperature and vascular patterns to prevent spoofing.
As with facial recognition, three failed attempts result in verification failure. In both methods, communication channels must be encrypted, and all actions are logged.
Accessibility considerations
The regulation includes flexibility for people with disabilities. Clients may choose between video conferencing or image-based verification, depending on their needs.
