Anti-fraud requirements tightened for mobile applications

In Uzbekistan, anti-fraud requirements are being strengthened for mobile applications that provide financial services. This is stipulated in the regulation titled “On Minimum Requirements for Ensuring Information Security and Cybersecurity and Preventing Fraud in the Provision of Remote Financial Services to Individuals by Credit and Payment Organizations and Payment System Operators,” which was jointly registered by the Ministry of Justice and the Central Bank on January 21.

According to the regulation, a user registered in a mobile application may link only bank accounts, bank cards, and electronic wallets belonging to the user or their close relatives. Peer-to-peer (P2P) transfers may be carried out only through such linked accounts.

The system will verify whether the user’s phone number matches their personal identification number (JSHSHIR). If no match is found, registration in the mobile application and linking of a bank card will not be permitted.

Credit and payment organizations are required to use liveness detection when conducting biometric identification of users, meaning identification through static images will not be allowed.

If a one-time SMS code sent to a phone is entered incorrectly three times, the user’s actions in the mobile application will be temporarily restricted for 15 minutes.

If an account is accessed from another device or if the password is reset, all bank cards linked to the account will be automatically removed from the mobile application.

In addition, the transaction history related to bank cards on that device will be deleted.

In such cases, bank cards may be relinked only after the user has successfully passed biometric identification.

It is worth noting that the same regulation also provides for the suspension of loan collection from citizens who have fallen victim to fraud when obtaining online loans.