Commercial banks in Kazakhstan are increasingly offering attractive super-apps with convenient functions that go beyond traditional financial services for the country’s 21 million citizens. Using a banking application, citizens of Kazakhstan purchase the necessary goods, find the specialists they need and even benefit from government services.
For security reasons, super-apps have shifted to identifying citizens through their personal data and biometric fingerprints, to speed up logging in to the application and approving operations. But there is a gap between the rapid development of digital ecosystems and existing legislative regulation, raising questions about the level of protection of consumer rights.
The power of just one button
In October 2023, Aidos Edil, a photographer in Astana, received an unofficial call from a representative of Kaspi, Kazakhstan’s dominant fintech giant. The request was simple: delete a 9-second satirical TikTok video generated using AI that mocked the bank’s lending practices and mentioned its CEO, Mikhail Lomtadze. After Aidos refused, his Kaspi account was suddenly blocked without explanation.
For Edil, the consequences were immediate and paralyzing. In a country where Kaspi serves as an “operating system” for daily life – integrating banking, e-commerce and government services – a blocked account means total exclusion from the modern economy.
“It turns out I became addicted,” Aidos told Radio Azattyq, RFE/RL’s Kazakh service, describing how he was forced to borrow money just to buy groceries. Kaspi only reinstated his access after the story sparked a massive backlash on social media.
The incident highlights a growing crisis in Central Asia’s most advanced digital economy. With 13.5 million users in a country of 21 million, Kaspi has gone beyond the traditional banking system to become a piece of essential social infrastructure. Yet Kazakhstan’s regulatory framework remains dangerously permissive.
The Agency for Financial Market Regulation and Development confirmed that commercial banks “independently determine internal procedures” for refusing services, thereby granting private companies the power to impose extrajudicial sanctions.
As Kazakhs entrust their biometric data and financial lives to these global super-apps, the line between consumer convenience and corporate surveillance is blurring. The rapid evolution of fintech has outpaced legislative protections, raising a fundamental geopolitical and ethical question: Can a citizen truly be free when their access to society can be revoked with the push of a button in a private boardroom?
Super-applications and the illusion of choice
The rise of the fintech sector in Kazakhstan is characterized by an aggressive move towards “super-apps.” Leading this charge is Kaspi.kz, a NASDAQ-listed giant valued at over $16 billion. Kaspi CEO Mikhail Lomtadze famously described the platform as a combination of Amazon, Booking.com and Instacart. The platform’s dominance reached a geopolitical milestone in April 2026, when Chinese conglomerate Tencent – creator of WeChat, the world’s most successful super-app – acquired a 3.2 percent stake in Kaspi.kz for approximately $518 million. This partnership demonstrates a deeper alignment between Kazakhstan’s digital infrastructure and China’s “all-in-one” business model.
However, this convenience comes with a systemic erosion of consumer autonomy. The market is now a battleground between ecosystems including Halyk Bank and Timur Turlov’s Freedom Bank, the latter of which is aggressively expanding across Central Asia. These platforms share a common strategy: the use of “membership contracts”. Under Article 389 of the Administrative Code of Kazakhstan, these agreements are not negotiable; a citizen must either accept all of the company’s terms or remain excluded from essential digital services.
The ethical implications are most visible in Freedom Bank’s data policies, which enable the sharing of customer information, including geolocation and video surveillance, with 27 different legal entities without requiring additional notification to the user. Similarly, the Kaspi agreements use “dynamic consent,” where the bank can unilaterally change the rules. Continued use of the application after such changes constitutes automatic acceptance of the new conditions.
Freedom Bank and Kaspi did not respond to The Diplomat’s requests for comment regarding their policies.
Raushan Omarova, a law lecturer at Maqsut Narikbayev University, called this “legalized coercion.” When a digital agreement becomes a mandatory gateway to basic financial life, the “accept” button ceases to be a voluntary choice. Additionally, these contracts grant banks absolute discretion to block access to the entire ecosystem. For users like Alexandra Kelyatrishvili, whose card was blocked without warning or clear recourse, the reality of the super-app era is a profound lack of transparency.
Despite regulatory assertions that banks must protect “banking secrets,” current contracts provide no specific time frame for resolving disputes or any mechanism for urgent review by a neutral third party, leaving the consumer entirely dependent on a corporate algorithm.
The risks of centralization and a biometric trap
As Kazakhstan aggressively digitizes its public and financial sectors, the concentration of sensitive data has created a precarious “single point of failure,” said cybersecurity specialist Artem Tarasov. Today, Kazakh citizens use biometric data to access everything from government services to private banking apps, including advanced systems like Kaspi Alaqan, which identifies users by the veins in their palms. While Kaspi CEO Lomtadze promotes this as an ultimate convenience – eliminating the need for cards, phones or even internet access – Tarasov warned of a “honeypot effect.” By aggregating the financial lives, movement history, and biometric markers of millions of people in a single hub, these platforms become high-value targets for catastrophic identity theft on a national scale.
The ethical core of this centralization is the permanence of biometric data. Unlike a password, palm prints and facial structures cannot be changed if leaked. Tarasov warned that while a “digital twin” remains a future threat, tampering with biometric data is a plausible scenario if protections are breached. Additionally, the industry does not have an “independent external audit” to verify companies’ promises regarding the “right to be forgotten.” Despite claims that data is deleted upon request, the reality of duplicate backup servers makes irreversible erasure almost impossible to confirm.
Legally, the burden of risk weighs heavily on the consumer. Agreements from major players like ForteBank explicitly disclaim responsibility for any “data loss” or “corporate reputational damage” resulting from system failures or unauthorized access.
Digital rights specialist Dana Malikova-Buralkieva pointed out that 70% of data leaks come from internal ethical breaches rather than external hacks. Yet platforms often use “legal tricks” – such as token compensation limits of 1,000 tenge – to avoid accountability in court.
This regulatory void stands in stark contrast to international standards such as the EU’s Digital Operational Resilience Act (DORA) or Singapore’s platform monitoring. In Kazakhstan, the rapid evolution of fintech has outpaced the law, leading President Kassym-Jomart Tokayev to warn that the personal data of millions of people “is not just a business asset; they constitute a direct question of national security.”
As the government aims to build more data centers, the challenge remains: ensuring that the convenience of financial ecosystems does not evolve into a “digital dictatorship” where a citizen’s unique identity is a permanent and vulnerable entry into a private corporate database.
Consumer protection failures
The fundamental difference between Kazakhstan’s fintech landscape and Western financial systems lies not in the “blocking right”, but in what happens after a service is suspended. In the United States and the European Union, banks also have the power to terminate contracts at will, primarily to combat money laundering. However, these actions are governed by strict procedural guarantees that do not currently exist in Kazakhstan.
In the United States, Regulation E requires banks to investigate disputed transactions within 10 business days and often extend temporary credit to the customer, thereby shifting the burden of proof to the financial institution. Similarly, the Second European Payment Services Directive (PSD2) requires the immediate return of unauthorized payments. Additionally, the UK Financial Conduct Authority (FCA) and the EU Artificial Intelligence Act (2024) require transparency regarding algorithmic decisions, granting citizens the right to human review and explanation of automated blocks.
In contrast, Kazakhstan’s regulatory environment provides virtually no recourse for the individual. When Aidos Edil appealed the blocking of his account – an action the bank claimed was a pre-emptive attack against “deepfake” technology – public institutions like the National Bank and the Financial Supervisory Agency refused to intervene. Their official position confirms a permissive status quo: commercial banks have the “right to voluntarily enter into a contract” and independently determine internal risk management procedures. This hands-off approach leaves citizens in a legal bind: while anti-money laundering laws prohibit banks from “informing” their customers of ongoing investigations, this rule is often used as a weapon to avoid explaining ethical oversteps or technical errors.
Financial expert Ayagoz Khanet noted that this imbalance allows “human factors” and strict internal compliance to overstep ethical boundaries without consequence. Without a mandate for a 30- or 60-day warning period for non-fraudulent termination, a standard requirement in the UK and US, Kazakh users are left entirely vulnerable. There is currently no state body responsible for urgently examining unjustified blockages, nor any mechanism for temporary restoration of funds.
In this environment, social media has become the only effective regulator. As the case of Aidos Edil shows, banks often act only when reputational pressure outweighs their unchecked administrative power. For the millions of people who rely on super-apps, the lack of a neutral third party to arbitrate disputes remains the biggest obstacle to true digital freedom in Kazakhstan.
