RESOLUTION OF BOARD OF NATIONAL BANK OF THE REPUBLIC OF KAZAKHSTAN

of April 29, 2026 No. 47

About approval of Rules of forming of risk management system and internal control for operators of exchange of unsecured digital assets, operators of platform of digital financial assets, operators of trade platform of digital assets

According to the subitem 10) "About digital assets in the Republic of Kazakhstan" the Board of National Bank of the Republic of Kazakhstan DECIDES: parts two of Item 1 of article 4 of the Law of the Republic of Kazakhstan

1. Approve the enclosed Rules of forming of risk management system and internal control for operators of exchange of unsecured digital assets, operators of platform of digital financial assets, operators of trade platform of digital assets (further – Rules).

2. To provide to department of payment systems and digital financial technologies of National Bank of the Republic of Kazakhstan in the procedure established by the legislation of the Republic of Kazakhstan:

1) together with Legal department of National Bank of the Republic of Kazakhstan state registration of this resolution in the Ministry of Justice of the Republic of Kazakhstan;

2) placement of this resolution on official Internet resource of National Bank of the Republic of Kazakhstan after its official publication;

3) within ten working days after state registration of this resolution submission to Legal department of National Bank of the Republic of Kazakhstan of data on execution of the action provided by the subitem 2) of this Item.

3. To impose control of execution of this resolution on the supervising vice-chairman of National Bank of the Republic of Kazakhstan.

4. This resolution becomes effective since May 1, 2026 and is subject to official publication.

Suspend till July 12, 2026:

subitems 1), 8) and 27) of Item 2 of Rules, having determined that during suspension these subitems are effective in the following edition:

"1) data asset – set of information and the object of information and communication infrastructure used for its storage and (or) processing;

8) risk of information security – probable emergence of damage owing to violation of confidentiality, deliberate violation of integrity or availability of data assets of PUTsA;

27) risk of information technologies – probability of emergence of damage owing to refusal (functioning violation) of the information and communication technologies operated by PUTsA;";

the subitem 16) of Item 2 of Rules, having determined that during suspension this subitem is effective in the following edition:

"16) operational risk – risk of emergence of expenses (losses) as a result of shortcomings or mistakes during implementation of internal processes made from workers (human resources) and the course of inadequate functioning of information systems, digital platforms (trade platforms) and technologies and also owing to influence of external events, except for strategic risk and reputation risk;";

the subitem 24) of Item 2 of Rules, having determined that during suspension this subitem is effective in the following edition:

"24) risk management system – set of the interconnected elements: procedures, techniques, the information systems united in single process for management of the realized and potential risks within risk level, acceptable for the shareholder (participant), and directed to goal achievement and tasks on risk management. In the course of identification and management of the realized and potential risks influencing activities of PUTsA bodies of PUTsA, leading employees and employees of structural divisions (ranking officers) within the fixed competence and responsibility participate. Process of identification and management of the realized and potential risks includes risk assessment, risk measurement, risk control and monitoring of risk;";

the subitem 1) of Item 3 of Rules, having determined that during suspension this subitem is effective in the following edition:

"1) effective management of risks of PUTsA by means of their timely identification, measurement, control and monitoring for ensuring compliance of activities of PUTsA, the chosen business model, to requirements for corporate management, functioning of information systems, digital platforms (trade platforms) and systems of management information, carrying out the permitted transactions, asset management and obligations, to functioning of system of accounting of PUTsA and others information and the PUTsA communication systems, and also to the level of the risks accepted by it and availability of appropriate level of liquidity;";

subitems 3), 4) and 5) of Item 7 of Rules, having determined that during suspension these subitems are effective in the following edition:

"3) carrying out regular monitoring of systems of accounting, other information and communication systems (digital platforms, trade platforms) for the purpose of ensuring uninterruptedness, going concern of process of rendering services of digital assets for PUTsA (except for the operator of exchange of unsecured digital assets), accounting of the rights on digital assets and other financial instruments, calculations in digital assets and (or) money, and also reflections of the data containing in the corresponding systems of accounting;

4) carrying out annual internal audit of the PUTsA software and hardware, including the information and communication systems used by PUTsA in the activities;

5) development and projects implementation, aimed at the further development and enhancement of activities of PUTsA regarding functioning of systems of accounting, information and communication systems (digital platforms, trade platforms), process of rendering services of digital assets for PUTsA, accounting of PUTsA (except for the operator of exchange of unsecured digital assets) it is right on digital assets, calculations in digital assets, reflections of the data containing in systems of accounting, automation of the separate transactions made in PUTsA and also process of collection, input, accounting, storage of information and other activities of PUTsA;";

the subitem 2) of Item 34 of Rules, having determined that during suspension this subitem is effective in the following edition:

"2) unavailability of technologies, including information and communication technologies (computer viruses, failure of computer hardware, communication loss);";

the subitem 2) of Item 42 of Rules, having determined that during suspension this subitem is effective in the following edition:

"2) inefficient strategy, politicians and (or) standards in information technologies, shortcomings of use of the software;";

the subitem 12) of Item 42 of Rules, having determined that during suspension this subitem is effective in the following edition:

"12) probability of emergence of mistakes and failures in functioning of the PUTsA software and hardware, including the corresponding systems of accounting, and also in the operated information and communication systems and technologies;";

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info