Monday, 15 June 2026

Starting April 22, Uzbekistan will implement new Central Bank regulations establishing minimum standards for information and cybersecurity within remote financial services.

The directive introduces rigorous measures designed to curb online fraud across mobile banking apps, payment platforms, and payment system operators.

Mandatory Biometrics
A cornerstone of the update is the mandatory integration of biometrics. For "critical operations"—such as logging in from a new device, linking a card, or resetting a password—an SMS code alone will no longer suffice. Users must undergo additional identification, specifically a "liveness check" via selfie; static photos will be rejected to ensure the physical presence of the user. Furthermore, app registration and card linking are now decoupled into distinct stages, each requiring unique biometric authentication.

Verification of Phone Numbers and Personal IDs
Financial applications are now required to verify that a user's phone number is officially registered to the cardholder. If a mismatch is detected between the phone record and the user's Personal Identification Number (PINFL), the system will restrict access to key functions, including app login and online payments from new devices.

It’s important to note that physical bank cards will not be blocked; they remain fully functional for transactions at ATMs and payment terminals.

According to clarifications by the Central Bank, these requirements will not impact everyone immediately. Existing users can continue using their apps as usual. The new restrictions will only trigger during specific "fresh" actions, such as registering for the first time, reinstalling the application, or linking a new card.

The regulator also noted an exception for family dynamics: apps can still be used if the phone number is registered to a close relative (parents, siblings, spouses, or children). Red flags and restrictions will primarily arise if a phone number or card is linked to an unrelated third party.

The Central Bank emphasized that these rules are primarily aimed at customers registering after April 22. For current users, the status quo remains. Additionally, under the new decree, users may only link accounts, cards, and e-wallets belonging to themselves or close relatives for P2P transfers. In this context, the definition of "close relative" is broad, encompassing parents, siblings, spouses, children (including adopted children), grandparents, grandchildren, and even in-laws.

Reassigning Phone Numbers
Users have the option to officially transfer a mobile number to their own name by visiting a service center of their mobile operator. This process requires the physical presence of both the current owner and the individual to whom the number is being registered. The service is subject to a fee, which varies by provider but averages around 25,000 UZS.

For "premium" or "vanity" numbers, an additional commission—ranging from 5% to 25% of the number's original value—may be charged. However, this commission is typically waived for transfers between close relatives, such as parents, spouses, children, or siblings. It is important to note that some operators may take up to 10 calendar days to process these applications. Consequently, even if initiated now, the transfer might not be finalized until after the April 22nd deadline. An alternative solution is to simply purchase a new SIM card registered in one's own name and link it to the bank's SMS notification service.

New Device Access and Session Management
To bolster security, when an account is accessed from a new device, applications are now required to automatically unbind linked cards and clear all local data, such as transaction history. The user will receive an immediate notification detailing the new device's parameters. Furthermore, every app must now feature a dedicated security section where users can view their login history, including specific devices, IP addresses, and timestamps. This allows users to monitor active sessions and manually terminate any suspicious or unauthorized access.

Call Restrictions and Remote Access Protection
Mobile banking applications will now automatically suspend functionality during active audio or video calls, including those made via messengers like Telegram or WhatsApp. This measure is specifically designed to neutralize "social engineering" tactics, where fraudsters manipulate victims over the phone in real-time. Additionally, systems will now actively scan for remote desktop software (such as AnyDesk or TeamViewer); if such programs are detected, all financial transactions will be immediately blocked.

New Protocols for SMS and OTP Codes
Security standards for One-Time Passwords (OTPs) are also being tightened. Codes must now be at least six characters long and consist of a mix of letters and numbers, with a strictly limited expiration window of 59 seconds. To prevent "brute-force" attacks, access will be locked for at least 15 minutes after three failed attempts, and users will be automatically logged out after three minutes of inactivity. Furthermore, an OTP issued for a loan or transfer is now tethered to the specific device that requested it, making it impossible for hackers to intercept and use the code on a different smartphone.
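An added example, not code from the article or from any bank's app, that implements the OTP rules this paragraph lists (six characters mixing letters and digits, a 59-second validity window, binding to the requesting device, and a 15-minute lockout after three failures) as a small Python service. User, purpose and device identifiers are assumed strings, and the clock is passed in explicitly so the rules can be exercised offline.

```python
import hmac
import secrets
import string

# Parameters taken from the decree as the article describes them.
OTP_LENGTH, OTP_TTL_SECONDS = 6, 59
MAX_FAILURES, LOCKOUT_SECONDS = 3, 15 * 60
ALPHABET = string.ascii_uppercase + string.digits

def generate_code() -> str:
    """Random OTP that always mixes letters and digits (all-letter/all-digit draws are redrawn)."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LENGTH))
        if any(c.isalpha() for c in code) and any(c.isdigit() for c in code):
            return code

class OtpService:
    def __init__(self) -> None:
        # (user, purpose) -> (code, requesting device, issue time). The device binding means the
        # same code presented from another handset is refused and counted as a failed attempt.
        self._pending: dict[tuple[str, str], tuple[str, str, float]] = {}
        self._failures: dict[str, int] = {}        # user -> consecutive failures
        self._locked_until: dict[str, float] = {}  # user -> lockout end (epoch seconds)

    def issue(self, user: str, purpose: str, device_id: str, now: float) -> str:
        code = generate_code()
        self._pending[(user, purpose)] = (code, device_id, now)
        return code  # a real service hands this to the SMS gateway, not to the caller

    def verify(self, user: str, purpose: str, device_id: str, code: str, now: float) -> str:
        if now < self._locked_until.get(user, 0.0):
            return "locked"
        rec = self._pending.get((user, purpose))
        if rec is None or now - rec[2] > OTP_TTL_SECONDS:
            self._pending.pop((user, purpose), None)
            return "expired"  # absent, already used, or older than 59 seconds
        expected, bound_device, _ = rec
        good = bound_device == device_id and hmac.compare_digest(
            expected.encode(), code.upper().encode())
        if not good:
            self._failures[user] = self._failures.get(user, 0) + 1
            if self._failures[user] >= MAX_FAILURES:
                self._failures.pop(user)
                self._locked_until[user] = now + LOCKOUT_SECONDS
                return "locked"
            return "rejected"
        self._pending.pop((user, purpose))  # single use: a code cannot be replayed
        self._failures.pop(user, None)
        return "ok"
```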

P2P Transfer and Privacy Limits
Card-to-card (P2P) transfers are now strictly limited to mobile applications; performing these transactions through web browsers is now prohibited. To balance transparency with privacy, mobile apps must display a cardholder’s full first name but only the first initial of their surname. During transfers, the data of cardholders linked to a specific phone number must be partially masked to protect user identity.

Furthermore, the digital management of SMS notification services is being significantly restricted. Enabling, disabling, or modifying SMS alerts for a bank card via mobile apps or web portals is now prohibited. These actions can only be performed in person at a bank branch or via physical infrastructure like ATMs and self-service terminals, where available.

New Safeguards for Online Loans
The decree introduces multi-layered protection for online lending to curb predatory or fraudulent borrowing. Banks are now mandated to cross-check for any voluntary "self-exclusion" bans on credit and monitor simultaneous applications across multiple institutions. To prevent "loan stacking"—where a fraudster or overwhelmed borrower takes out 5 or 6 loans across different banks in a single day—credit bureaus will now only fulfill one data request per PINFL (Personal ID) at a time. Once a loan is issued, a 24-hour lockout period is triggered, preventing other lenders from accessing that user's data.
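An added example, not from the article or from any credit bureau, that models the gate described above in Python: a self-exclusion check, one open data request per PINFL at a time, and a 24-hour lockout once a loan is issued. The 10-minute expiry for a request that is never closed is an assumption of this example, not something the decree states.

```python
# Parameters from the decree as the article describes it.
LOAN_LOCKOUT_SECONDS = 24 * 3600
# Assumed, not from the article: an open request that is never closed expires after this long,
# so one lender cannot block a PINFL indefinitely by failing to report an outcome.
REQUEST_TTL_SECONDS = 10 * 60

class CreditBureauGate:
    """Serialises credit-data requests per PINFL and enforces the post-issue lockout."""

    def __init__(self, self_excluded: set[str]) -> None:
        self._self_excluded = set(self_excluded)            # PINFLs with a voluntary credit ban
        self._in_flight: dict[str, tuple[str, float]] = {}  # pinfl -> (lender, opened_at)
        self._locked_until: dict[str, float] = {}           # pinfl -> lockout end (epoch s)

    def request(self, pinfl: str, lender: str, now: float) -> str:
        """Ask for a subject's credit data: 'granted', 'busy', 'locked' or 'self_excluded'."""
        if pinfl in self._self_excluded:
            return "self_excluded"
        if now < self._locked_until.get(pinfl, 0.0):
            return "locked"
        holder = self._in_flight.get(pinfl)
        if holder is not None and holder[0] != lender and now - holder[1] <= REQUEST_TTL_SECONDS:
            return "busy"  # another lender's request is still open: no parallel applications
        self._in_flight[pinfl] = (lender, now)
        return "granted"

    def close(self, pinfl: str, lender: str, loan_issued: bool, now: float) -> bool:
        """The holder reports the outcome; issuing a loan starts the 24-hour lockout."""
        holder = self._in_flight.get(pinfl)
        if holder is None or holder[0] != lender:
            return False  # only the lender that opened the request may close it
        del self._in_flight[pinfl]
        if loan_issued:
            self._locked_until[pinfl] = now + LOAN_LOCKOUT_SECONDS
        return True
```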

Transparency is also being prioritized: before funds are disbursed, the bank must send a push notification and an SMS detailing the total cost of the loan and the full debt obligation. The user retains the right to cancel the application at this final stage. Even after approval, the actual transfer of funds to a card is contingent upon a secondary biometric verification.

If Fraud Occurs
In the event of a security breach, mobile applications must now feature a dedicated, high-visibility "Report Fraud" button. This streamlined feedback form allows victims to submit an immediate alert directly to the bank’s security team.

Banks are now required to display their 24/7 customer support numbers on the back of all payment cards in a clear, legible format.

The new directive also codifies a specific legal roadmap for fraud victims:

  • Initial Filing: The victim must report the incident to law enforcement.
  • Immediate Freeze: Once an investigator or a court officially recognizes the individual as a victim of a crime, the bank is mandated to immediately halt all interest accruals, penalties, and fines associated with the "fraudulent" loan. All debt collection efforts must also cease instantly.
  • Mandatory Restitution: If the bank has already debited funds to repay such a loan, it is legally obligated to credit those funds back to the victim’s card within 15 days of a court ruling taking effect.

These measures come at a critical time. During a presidential meeting in November, it was revealed that Uzbekistan now has over 31 million internet users. However, this digital growth has a dark side: cybercrime has surged 68-fold over the last five years. In the first ten months of last year alone, more than 46,000 cases were identified, with financial damages to individuals and businesses exceeding 1.2 trillion UZS.
