Kazakhstan’s commercial banks are increasingly offering attractive super-applications with convenient functions that go beyond traditional financial services for the country’s 21 million citizens. With the help of a bank application, Kazakhstan’s citizens buy necessary goods, find required specialists, and even receive government services.
For security purposes, super-applications have switched to identifying citizens by their personal data and biometric imprints to speed up the process of entering the application and confirming the approval of operations. But there is a gap between the rapid development of digital ecosystems and the existing legislative regulation, raising questions regarding the level of protection of consumers’ rights.
The Power of One Button
In October 2023, Aidos Edil, a photographer in Astana, received an unofficial call from a representative of Kaspi, Kazakhstan’s dominant fintech giant. The demand was simple: delete a satirical 9-second TikTok video generated using AI that mocked the bank’s lending practices and mentioned its CEO, Mikhail Lomtadze. When Aidos refused, his Kaspi account was abruptly blocked without explanation.
For Edil, the consequences were immediate and paralyzing. In a country where Kaspi serves as the “operating system” for daily life – integrating banking, e-commerce, and government services – a blocked account means total exclusion from the modern economy.
“It turns out I have become dependent,” Aidos told Radio Azattyq, RFE/RL’s Kazakh Service, describing how he was forced to borrow cash just to buy groceries. Kaspi only restored his access after the story sparked a massive backlash on social media.
This incident highlights a growing crisis in Central Asia’s most advanced digital economy. With 13.5 million users in a nation of 21 million, Kaspi has moved beyond traditional banking to become a piece of critical social infrastructure. Yet Kazakhstan’s regulatory framework remains dangerously permissive.
The Agency for Regulation and Development of the Financial Market confirmed that commercial banks “independently determine internal procedures” for refusing services, effectively granting private corporations the power of extrajudicial punishment.
As Kazakhstanis entrust their biometric data and financial lives to these all-encompassing super-apps, the line between consumer convenience and corporate surveillance blurs. The rapid evolution of fintech has outpaced legislative protections, raising a fundamental geopolitical and ethical question: can a citizen truly be free when their access to society can be revoked by a single button in a private boardroom?
Super-Apps and the Illusion of Choice
The rise of Kazakhstan’s fintech sector is defined by an aggressive shift toward “super-apps.” Leading this charge is Kaspi.kz, a NASDAQ-listed giant valued at over $16 billion. Kaspi CEO Mikhail Lomtadze famously described the platform as a combination of Amazon, Booking.com, and Instacart. The platform’s dominance reached a geopolitical milestone in April 2026, when the Chinese conglomerate Tencent – creator of WeChat, the world’s most successful super-app – acquired a 3.2 percent stake in Kaspi.kz for approximately $518 million. This partnership signaled a deeper alignment between Kazakhstan’s digital infrastructure and the Chinese “all-in-one” business model.
However, this convenience comes with a systemic erosion of consumer autonomy. The market is now a battleground of ecosystems, including Halyk Bank and Timur Turlov’s Freedom Bank, the latter of which is aggressively expanding across Central Asia. These platforms share a common strategy: the use of “adhesion contracts.” Under Article 389 of Kazakhstan’s Administrative Code, these agreements are non-negotiable; a citizen must either accept every corporate condition or remain excluded from essential digital services.
The ethical implications are most visible in Freedom Bank’s data policies, which allow the sharing of client information, including geolocation and video surveillance, with 27 different legal entities without requiring further notification to the user. Similarly, Kaspi’s agreements utilize “dynamic consent,” where the bank can unilaterally change rules. Continued use of the app after such changes constitutes automatic acceptance of the new terms.
Freedom Bank and Kaspi did not respond to The Diplomat’s requests for comment regarding their policies.
Raushan Omarova, a senior law lecturer at Maqsut Narikbayev University, described this as “legalized coercion.” When a digital agreement becomes a mandatory gateway to basic financial life, the “accept” button ceases to be a voluntary choice. Furthermore, these contracts grant banks absolute discretion to block access to the entire ecosystem. For users like Alexandra Kelyatrishvili, whose card was blocked without warning or clear recourse, the reality of the super-app era is a profound lack of transparency.
Despite regulatory claims that banks must safeguard “bank secrets,” current contracts provide no specific timeframes for resolving disputes or mechanisms for urgent review by a neutral third party, leaving the consumer entirely dependent on a corporate algorithm.
The Risks of Centralization and a Biometric Trap
As Kazakhstan aggressively digitizes its public and financial sectors, the concentration of sensitive data has created a precarious “single point of failure,” said cybersecurity specialist Artem Tarasov. Today, Kazakhstani citizens use biometric data to access everything from government services to private banking apps, including advanced systems like Kaspi Alaqan, which identifies users by the vein patterns in their palms. While Kaspi CEO Lomtadze pitched this as the ultimate convenience – eliminating the need for cards, phones, or even internet access – Tarasov warned of a “honeypot effect.” By aggregating the financial lives, movement history, and biometric markers of millions into a single center, these platforms become high-value targets for catastrophic national-scale identity theft.
The ethical core of this centralization is the permanence of biometric data. Unlike a password, palm prints and facial structures cannot be changed if leaked. Tarasov warned that while a “digital twin” remains a future threat, faking biometrics is a plausible scenario if protections are breached. Furthermore, the industry lacks an “independent external audit” to verify corporate promises regarding the “right to be forgotten.” Despite claims that data is deleted upon request, the reality of duplicated backup servers makes irreversible erasure nearly impossible to confirm.
Legally, the burden of risk is heavily tilted against the consumer. Agreements from major players like ForteBank explicitly disclaim responsibility for “lost data” or “damage to business reputation” resulting from system failures or unauthorized access.
Digital rights specialist Dana Malikova-Buralkieva noted that 70 percent of data leaks originate from internal ethical failures rather than external hacks, yet platforms often use “legal tricks” — such as symbolic compensation limits of 1,000 tenge — to evade accountability in court.
This regulatory vacuum stands in stark contrast to international standards like the EU’s Digital Operational Resilience Act (DORA) or Singapore’s platform supervision. In Kazakhstan, the rapid evolution of fintech has outpaced the law, leading President Kassym-Jomart Tokayev to warn that the personal data of millions “is not just a commercial asset; it is a direct issue of national security.”
As the government aims to build more data centers, the challenge remains: ensuring that the convenience of financial ecosystems does not evolve into a “digital dictatorship” where a citizen’s unique identity is a permanent, vulnerable entry in a private corporate database.
Failures in Consumer Protection
The fundamental difference between Kazakhstan’s fintech landscape and Western financial systems lies not in the “right to block,” but in what happens after a service is suspended. In the United States and European Union, banks also possess the authority to terminate contracts at will, primarily to combat money laundering. However, these actions are governed by strict procedural safeguards that currently do not exist in Kazakhstan.
In the U.S., Regulation “E” requires banks to investigate disputed transactions within 10 business days and often provide temporary credit to the client, effectively shifting the burden of proof onto the financial institution. Similarly, the EU’s Second Payment Services Directive (PSD2) mandates the immediate return of unauthorized payments. Furthermore, the United Kingdom’s Financial Conduct Authority (FCA) and the EU’s Artificial Intelligence Act (2024) require transparency regarding algorithmic decisions, granting citizens the right to a human review and an explanation for automated blocks.
In stark contrast, Kazakhstan’s regulatory environment offers almost no recourse for the individual. When Aidos Edil appealed the blocking of his account – an action the bank claimed was a preemptive strike against “deepfake” technology – state institutions like the National Bank and the Financial Monitoring Agency declined to intervene. Their official stance confirmed a permissive status quo: commercial banks have the “right to voluntarily enter into a contract” and independently determine internal risk management procedures. This hands-off approach leaves citizens in a legal deadlock; while anti-money laundering laws prohibit banks from “informing” clients of active investigations, this rule is often weaponized to avoid explaining ethical overreaches or technical errors.
Financial expert Ayagoz Khanet noted that this imbalance allows “human factors” and strict internal compliance to exceed ethical boundaries without consequence. Without a mandate for a 30- or 60-day warning period for non-fraudulent terminations, a standard requirement in the United Kingdom and United States, Kazakhstani users are left entirely vulnerable. Currently, there is no state body for the urgent review of groundless blocks, nor a mechanism for the temporary restoration of funds.
In this environment, social media has become the only effective regulator. As seen in Aidos Edil’s case, banks often act only when reputational pressure outweighs their unchecked administrative power. For the millions dependent on super-apps, the lack of a neutral third party to mediate disputes remains the greatest obstacle to true digital freedom in Kazakhstan.
