Мы используем cookie-файлы
Хорошо
Login to personal account
1. General Provisions
Payment System Functioning Rules
Freedompay.kg
Freedompay.kg
1. General Provisions.
The product is a software complex (hereinafter referred to as the System), designed to organize technical interaction between online stores (merchants), individuals (buyers) and payment systems, and hereinafter jointly referred to as the system participants.
The System provides the ability to interact between system participants according to uniform standards and algorithms, regardless of the payment system through which the corresponding order (goods/services) is paid.
1.1. This document is an internal regulatory document of the System Operator.
1.2. This document defines the general procedure and conditions for connecting to and disconnecting from the System.
1.3. The System Operator may introduce changes to this document. Such changes are aimed at:
- improving the quality of services provided by the System Operator
- improving the efficiency and reliability of the System
- compliance with the Applicable Requirements and amendments thereto.
1.4. The Regulatory legislation shall have priority over any provisions of this document.
1. Terms and Definitions.
1.1. System Operator means Freedom Pay Kyrgyzstan LLC, which is a legal entity operating in accordance with the Applicable Requirements, acting as the authorized owner of the System and ensuring the procedure and conditions for its use.
1.2. System is hardware and software complex, as well as related means and resources used by the System Operator to provide services for the execution of the Payment Instruction.
1.3. Funds and resources include technological, intellectual, informational, labor, financial and other means and resources used, including, but not limited to, software, ATMs, terminals, websites, cash registers, premises, personnel, communication channels and utilities.
1.4. Applicable requirements are represented by regulatory legislation, rules and standards of the Payment Systems involved, and accepted contractual obligations, including the Agreement.
1.5. Regulatory legislation is an applicable legislation of the Kyrgyz Republic.
1.6. Agreement is the Agreement concluded between the System Operator and the Merchant.
1.7. Payment Instruction is a request to carry out a transfer transaction for payment or transfer, or payment of funds initiated in the Merchant's infrastructure through the System.
1.8. Merchant's Infrastructure includes the means and resources used by the Merchant to transmit the Payment Instruction in the System.
1.9. Payment System is a fund transfer system that ensures uniform rules and standards for processing, accounting and settlement of transactions, and authorizes a specific method of executing the Payment Instruction, including, but not limited to, the international payment system VISA Inc. or international payment system MasterCard Worldwide.
1.10. Merchant is a supplier of goods and/or works and/or services, in whose infrastructure the Payment Instruction is initiated.
1.11. Personal account is a specialized section of the Merchant in the System, which displays information about the operations carried out to execute Payment instructions.
3. System Architecture and its Operating Scheme
3.1. The technical result consists in the fact that the system can combine several payment systems and provide access to them for the merchant through its single interface, within the framework of one contract and a single technical integration. The system can also combine Internet/online stores, thereby providing the Buyer with the ability to select various goods, types of goods in the same place on one website, without the need to go to them, and pay for purchases with one common payment, using any available form of payment, since the system combines all currently available forms of cash and non-cash payment for the selected product, while allowing any payment systems to be connected to the system as quickly as possible, as well as making additional payments for orders from another payment system, if the payer has no balance within the selected one. The operation of the System is based on electronic invoices created at the relevant requests of buyers by sellers (suppliers of goods/services). In this case, the request for issuing an electronic invoice can be carried out either fully automatically using the API, or manually through a special web interface available to the seller/supplier of the goods/services. Information about the receipt of payment/payout for the electronic invoice comes to the supplier of the goods/services within a few seconds in online mode.
3.2. Connection of payment systems is carried out by connecting them to the system's electronic gateway, which is capable of interacting with various types of payment systems (hereinafter referred to as Payment agents) used worldwide, such as: Internet acquiring of bank cards, cash payment systems (banking organizations, service payment terminals, POS terminals, communication stores, money transfer systems), electronic money systems and mobile payments.
3.3. One of the features of such system is a fully automated online back office, which allows you to control the operation of the System online, connect new suppliers of goods/services and payment agents as quickly as possible, configure security settings and change them depending on the needs of a particular participant in the system, and conduct mutual settlements and reconciliations online.
3.4. The main functionality of the System consists of 17 unique services/modules:
1. Payment system connection gateways.
2. Electronic invoice issuing and accounting system.
3. Store connection API is a set of ready-made procedures, functions, structures and constants provided by the system for use in external software products/online stores.
4. CMS connection modules are the modules for ensuring and organizing the joint process of creating, editing and managing of content.
5. Connection to booking systems.
6. Client interface for stores.
7. Payment gateway management system.
8. Service for returning, canceling and/or adjusting erroneous payments.
9. Service for arbitrary payments.
10. Payer notification module.
11. Manual invoicing service.
12. Anti-fraud filters for counteracting fraud through the System.
13. Statistical reporting.
14. Register reconciliation module.
15. Creation of legal and accounting documents.
16. Automatic connection to the system.
17. Integration with billing and access control system.
3.5. Interaction of the payment system with the online store owner (seller) is carried out via open communication channels of the public Internet. The https protocol is used for exchange.
3.6. Communication is authorized by creating an EDS (electronic digital signature). Each request contains an EDS, which is checked before any actions with the request. The source text (base signature string) for constructing the EDS is a string obtained by sequential (in the order of issuance) concatenation of all values in the final XML separated by a semicolon.
3.7. Requests from the payment system to the Service Provider's server are transmitted using the POST method of the http protocol with parameters in the form of XML.
3.8. Responses are returned as XML documents in UTF-8 encoding.
4. Procedure for joining and leaving the system.
System connection procedure and conditions
4.1. The procedure for connecting a Merchant to the System consists of the following conditional stages:
• Application registration
• Access to the personal account
• Filling out the questionnaire
• Collection of documents
• Verification
• Accession to the Agreement
• Integration
• Configuration of transaction processing parameters
• Testing
• Activation of the "combat mode"
4.2. The Merchant is connected to the System under the following conditions:
4.2.1. Application registration:
The Merchant initiates a connection to the System using the appropriate functionality for submitting a connection application on the website: The System automatically registers the Merchant's connection application and sends a confirmation to the email address specified when submitting the application.
4.2.2. Access to the Personal Account:
Confirmation of registration of the Merchant's connection application contains instructions, an identifier (login) and a password for authorizing access to the Merchant's Personal Account in the System. Following these instructions, the Merchant logs in to the Personal Account and proceeds to filling out the questionnaire.
4.2.3. Filling out the questionnaire:
The Merchant fills out the questionnaires in the Personal Account by entering data in accordance with the requirements of the applicable legislation of the Kyrgyz Republic on the legalization (laundering) of proceeds from crime or financing of terrorism. To get assistance in filling out the questionnaire, the Merchant may contact the System support service via the contacts specified in the received confirmation of application registration or on the Internet site https://freedompay.kg
To assist in filling out the questionnaire, the System Operator may independently contact the Merchant via the contacts specified in the connection application.
4.2.4. Collection of the package of documents:
The Merchant provides the System Operator with a set of documents in accordance with the requirements of the applicable legislation of the Kyrgyz Republic on the legalization (laundering) of proceeds from crime or financing of terrorism. The set of documents is initially provided by the Merchant by uploading photographs or copies of the original documents in the Personal Account.
4.2.5. Verification:
The System Operator checks the completeness and compliance of the questionnaire and the set of documents with the Applicable Requirements. If necessary, in accordance with the Applicable Requirements, the System Operator requests missing or additional documents from the Merchant for verification. The System Operator informs the Merchant of the verification result.
4.2.6. Conclusion of the Agreement or the Questionnaire for connection to the System:
In case of a positive verification result, the Merchant signs the questionnaire for connection to the System or concludes the Agreement with the System Operator. Unless otherwise expressly specified in the Agreement, the signing by the Merchant of the necessary documents that form the constituent parts of the Agreement and/or the Questionnaire for connection to the System shall be deemed as the conclusion of the Agreement and the acceptance by the Merchant of the General Terms of Use of the System, posted as a public offer in the public domain on the website. When concluding the Agreement, the Merchant provides the System Operator with a set of documents (originals) in accordance with the requirements of the applicable legislation of the Kyrgyz Republic.
4.2.7. Integration:
The System Operator provides the Merchant with documentation on integration with the System and, if necessary, assists the Merchant in implementing integration with the System. The Merchant, in accordance with the received documentation, implements integration with the System.
4.2.8. Configuration of transaction processing parameters:
The System Operator shall configure the parameters for processing the Merchant’s transactions in the System in accordance with the terms and conditions of the Agreement and the Applicable Requirements.
4.2.9. Testing:
Initially, the System Operator will configure a test mode for performing Merchant’s transactions. The Merchant will perform transactions in test mode via the System, notify the System Operator of any errors identified, and eliminate any errors that may occur on the Merchant’s side. The System Operator will eliminate any errors identified and notify the Merchant of any errors that occur on the Merchant’s side.
4.2.10. Activation of "combat mode":
Upon elimination of all errors, the System Operator will activate the "combat mode" for conducting the Merchant's transactions in the System.
5. Procedure and Conditions for Disconnection from the System.
5.1. The procedure for disconnection of a Merchant from the System consists of the following conditional stages:
• Agreement termination notification
• Blocking transactions
• Conducting mutual settlements
• Blocking access to the Personal Account
• Storing documents
5.2. The Merchant is disconnected from the System under the following conditions:
5.2.1. Agreement termination notification.
The Party initiating disconnection from the System sends the other Party an Agreement termination notification in accordance with the requirements of the Agreement, indicating the date and reasons (if any) for such termination. The termination period is set out in accordance with the requirements of the Agreement, as well as the Applicable Requirements.
5.2.2. Blocking transactions.
The Party initiating disconnection from the System blocks transactions through the System in accordance with the terms and conditions of the Agreement. The Party that received the Agreement termination notification shall block transactions via the Freedompay.kg System from the date of receipt of such notification, unless otherwise specified in the terms and conditions of the Agreement.
5.2.3. Conducting mutual settlements.
Once the transactions through the System are blocked, the parties will perform reconciliation and subsequent mutual settlement within the terms and under the conditions specified in the Agreement.
5.2.4. Blocking access to the Personal Account.
The Agreement shall be considered terminated provided that the parties complete mutual settlements and fulfill the obligations assumed hereunder. After termination of the Agreement, the System Operator shall block the Merchant's access to the Personal Account in the System.
5.2.5. Storage of data and documents.
After termination of the Agreement, the System Operator will store the Merchant's data and documents for the period established in accordance with the Special Conditions and other Applicable Requirements.
6. Procedure for connection of participants to the System.
6.1. The Merchant sends a connection request via the website.
6.2. The System Operator immediately sends test access to the system to the Personal Account, and integration keys.
6.3. In the Personal Account, the Questionnaire for connection to the System of the System Operator is filled out.
6.4. The Merchant sends constituent and registration documents.
6.5. The generated file is signed (signature, seal or digital signature)
6.6. Following the bilateral signing of the Merchant's Questionnaire, the "combat mode" becomes available.
7. Processing procedure.
7.1. Carrying out purchase of goods/works/services by the Cardholder 1 on the Merchant's website using Payment cards (their details) through the Internet Payment System of the Organization, as well as the procedure for settlements between the Bank and the Organization.
7.2. An individual creates an order on the merchant's website and selects the System Operator to make the payment.
7.3. The Merchant registers and transfers the order data to the System Operator.
7.4. The Payment Organization registers the order data, assigns a payment ID in the system, checks for the presence of the telephone number and E-mail of the Individual, and returns 1D payment and the URL of the payment page to the store.
7.5. After successful verification, the Individual enters the card details and clicks
"Pay".
7.6. The Individual’s card details are sent as a payment request to the Bank.
7.7. The Bank makes the payment, credits the amount to the Bank's account, returns the Individual to the page with the payment result, and transfers the payment result data to the System Operator.
7.8. The System Operator registers the payment result data, transfers the payment result data to the merchant's billing.
7.9. The Merchant records the payment for the order and fulfills the order for the Individual.
7.10. The Bank transfers the payment to the Individual after deduction of the commission fee for the Bank and the System Operator to the merchant's account within 1-5 business days.
7.11. The Bank transfers the commission fee on the Individual's payment to the System Operator's account within 1-5 business days.
7.12. To register a merchant in the Bank's system, the System Operator transfers the Application and the List of goods/works/services to the Bank to verify the information specified in these documents and makes a decision on the possibility of registering the merchant.
7.13. In case of a positive decision on the possibility of registering the specified merchant in the Bank System, the Bank shall carry out the above registration no later than 3 (three) business days from the date of receipt of the Application by the Bank.
7.14. In case of refusal to register the Merchant in the Bank System, the Bank undertakes to provide the System Operator with a reasoned justification.
7.15. After successful registration in the Bank System on the merchant's website, online payments for goods and services by cardholders become available.
8. Procedure for providing information by the payment system participants about their activities to the payment system operator
8.1. Information established for the purpose of identifying a legal entity.
Freedom Pay Kyrgyzstan LLC as the System Operator establishes and records the following information regarding legal entities:
• Name, corporate name in Russian or Kyrgyz (full and (or) abbreviated).
• Organizational and legal form.
• Taxpayer identification number for a resident, taxpayer identification number or foreign organization code - for a non-resident (if any).
• Information on state registration: registration number (for a non-resident, the registration number in the country of registration); series and number of the document confirming the state registration.
• Place of state registration and location.
• Information on the legal entity bodies (structure and personnel of the governing bodies of the legal entity).
• Information on the presence or absence at the address (location) of the legal entity of its permanent management body, other body or person entitled to act on behalf of the legal entity without a power of attorney.
• Contact telephone and fax numbers (if any).
• Date of commencement of relations with the client.
• Last name, first name, and patronymic (unless otherwise provided by law or national custom), position of the employee who completed the questionnaire, his signature (if the questionnaire is completed on paper). If organizations and individual entrepreneurs record other information, then their list shall be included in the internal control rules.
• Other information (at the discretion of the organization and individual entrepreneur).
• Information (documents) received for the purpose of identifying individual entrepreneurs.
• Information provided for in Appendix 2 to these internal control rules.
• Information on the state registration of an individual as an individual entrepreneur: state registration number; date of state registration and details of the document confirming the fact of entry into the Unified State Register of Individual Entrepreneurs of a record of the abovementioned state registration; name and address of the registering authority.
• Postal address and contact telephone and fax numbers.
9. Payment system risk management system, including the risk management model applied, a list of measures and risk management methods
9.1. The risk management system of the System Operator means a set of measures taken by the System Operator for the purpose of timely identification, measurement, control and monitoring of risks to ensure financial stability and stable functioning. For effective risk management, the System Operator developed a risk management policy, which consists of:
• risk identification, measurement, control and monitoring;
• assessment of the effectiveness of their application;
• control over the execution of all monetary transactions;
• development and practical implementation of measures to prevent and minimize risks.
9.2. The main objective of risk regulation at the Oney System Operator is to maintain acceptable ratios of profitability with security and liquidity indicators in the course of managing the assets and liabilities of the System Operator, i.e. minimization of losses. The risk management process in the Payment Organization includes:
• risk anticipation, determination of probable extent and consequences;
• development and implementation of measures to prevent or minimize associated losses.
9.3. All this implies the development of an in-house risk management strategy in such a way as to use all the development opportunities of the System Operator in a timely and consistent manner while simultaneously keeping risks at an acceptable and manageable level.
9.4. The risk management system is characterized by such elements as management activities and methods. Risk management activities include: determining the organizational structure of risk management that ensures control over the fulfillment by agents and subagents of the System Operator of the risk management requirements established by the risk management rules of the System Operator; communicating relevant information on risks to the management bodies of the System Operator; determining the indicators and procedure for ensuring the uninterrupted functioning of the System Operator of certain risk analysis methods; determining the procedure for exchanging information necessary for risk management; determining the procedure for interaction in controversial} non-standard and emergency situations, including cases of system failures; determining the procedure for changing operational and technological means and procedures; determining the procedure for ensuring the protection of the System Operator's information.
9.5. Requirements for storing information about cards and card transactions made:
• The organization is obliged to ensure compliance with the following basic requirements for storing information about cards and card transactions made;
• Do not store under any circumstances;
• The full content of any of the tracks of the magnetic strip located on the back of the card; Card validation code is a 3-digit number printed on the signature panel of the card;
• Store only that part of the card information that is essential for the business (i.e. cardholder name, card number, card expiration date).
• Ensure the protection of the information stored by the Organization on card details and transactions made using them in accordance with the requirements of PCI DSS (Payment Card Industry Data Security Standard).
• Store all materials containing information on card details and transactions made using them in a secure place accessible only to authorized persons.
• Destroy or clear all information media containing outdated data on transactions made using cards.
9.6. In case of suspected fraudulent actions of the Wallet Owner/third parties, upon detection of a failure of software and hardware, in order to ensure security by the Operator of the Electronic Money System, the Issuer shall independently block the electronic wallet or sends a written request to the Operator to block the electronic wallet of the Electronic Money Owner indicating the reason for which it is necessary to block the electronic wallet. In case of receiving such a request from the Issuer to block the electronic wallet of the Electronic Money Owner, the Operator shall block the specified electronic wallet.
Exceeding the restrictions on the types and amounts of transactions with electronic money by the Electronic Money Owner, as well as the discovery by the Operator of the transfer of information by the Electronic Wallet Owner about his own authorization parameters (user name, password) to other persons, also entails blocking of the electronic wallet by the Operator.
9.7. Risk management regulation to ensure the safety of the client's money is provided through automatic blocking of the acceptance of payments by the system if the amount of the security deposit is exhausted.
9.8. Risk management by the System Operator is determined by such methods as managing the order of execution of orders by officials; making settlements within the limits of funds provided by the agents of the Payment Organization; making settlements with the System Operator before the end of the working day; ensuring the possibility of providing a limit; other methods of risk management.
10. Information security requirements
10.1. The Participants of the System Operator shall maintain confidentiality of non-public information about other Participants of the System Operator that has become known to the Participants of the System Operator in connection with accession with these Rules, except for cases if the information:
• is disclosed at the request or with the permission of the Participant of the System Operator who is the Owner of this information;
• is subject to provision to third parties to the extent necessary to fulfill the obligations stipulated by these Rules;
• requires disclosure according to the legislation of the Kyrgyz Republic.
10.2. Providing confidential information to a third party for the purpose of fulfilling the Rules and other agreements of the Participants of the System Operator; provision of confidential information upon the legal request of law enforcement and other authorized state bodies, as well as in other cases stipulated by the applicable legislation of the Kyrgyz Republic shall not constitute a violation of the confidentiality and security of the Participants of the System Operator.
10.3. Access to the electronic wallet and performing special transactions using the electronic wallet is possible only after authentication of the Electronic Money Owner.
10.4. Authentication of the Electronic Money Owner when accessing the electronic wallet is carried out by the software of the Payment Organization using the authorization data of the Electronic Money Owner: login, password, mobile phone number and, if necessary, special SMS messages.
10.5. The Operator shall ensure the uninterrupted functioning of the System in 24/7/365 mode (24 hours a day, 7 days a week, 365 days a year), except for the time necessary for maintenance.
10.6. The Operator shall ensure the protection of information about the means and methods of ensuring information security, personal data and other information subject to mandatory protection in accordance with the legislation of the Kyrgyz Republic, which may become known to him in the course of activities: in the EM Payment Organization.
10.7. The Participants of the System Operator undertake to take all necessary measures to ensure security and protection of information and documents exchanged within the Payment Organization or which are available to the Participants of the System Operator in connection with the use of the System Operator, as well as for the purpose of identifying (preventing) fraud and combating the legalization of proceeds from crime and the financing of terrorism.
10.8. The means and measures to prevent unauthorized access to software and hardware used in the System Operator, including software and hardware protection tools, must ensure the level of information protection and maintenance of its privacy in accordance with the requirements established by the legislation of the Kyrgyz Republic. The Participants of the System Operator shall take all necessary measures to maintain confidentiality, prevent unauthorized use and protect identification data from unauthorized access by third parties.
10.9. In the event of loss of authorization data by the Participant, the System Operator shall provide the Participant with the opportunity to restore access to the electronic wallet by submitting a corresponding application in the form established by the Operator to the Operator's Internet resource.
10.10. In this case, an unidentified Owner of Electronic Money (an individual) in order to restore access to an electronic wallet shall submit a corresponding application in the form established by the Operator to any of the Operator's offices, as well as provide evidence of ownership and use of the electronic wallet, access to which is being restored: (for example, by providing a list of the latest transactions using the wallet), while the sufficiency of such evidence shall be determined at the sole discretion of the Operator.
10.10. Server structure:
The Service is developed on the PHP server technology, and involves PHP version 5.6, launched in Fast CGI mode. MySQL Server version 5.5 is used as a data storage system. The Freedompay.kg server structure consists of a firewall, two identical transaction processing nodes, a database server and a backup database server, which also ensures the creation and storage of backups; All servers are running CentOS 7.
10.11. Fault tolerance.
Fault tolerance of the service is ensured by distributing the load between two application servers. This function is performed by software Nginx version 1.8, which acts as a frontend server proxying requests to application servers in round-robin mode. In case of unavailability of one of the servers (communication channel drop, high current load, server failure), all requests will be without delay automatically switched to the server that remains online. Thus, a balance is achieved in the performance of the servers in the basic operating mode and ensures uninterrupted transaction processing in the event of unforeseen circumstances, when one of the servers temporarily fails for some reason. The database server operates in the Master-Slave replication mode with a backup server, and in the event of a failure of the main server, the transaction processing nodes are automatically switched to the backup one.
10.12. Backup:
The database server is backed up using built-in MySQL tools, with backups saved on the backup database server for one month. The backup scheme is as follows: every hour + final at 1:00 with deletion of hourly copies. Backups older than one month are deleted in order to prevent the data storage from overfilling. The relevance and preservation of the transaction processing system code base is ensured by the version control system. The code repositories themselves are stored on the BitBucket.com service, from which deployment, can be performed in the shortest possible time in the event of server failure.
10.13. Server infrastructure access security:
Administrative access to any of the servers is possible only with a 2048-bit SSH2-RSA key. It is impossible to gain access to the server infrastructure by brute-forcing passwords or any other unauthorized method. Client access to the personal account, as well as administrator access to the transaction management account, is carried out only through two-factor authorization, which is provided by the teddyid.com service. To pass authorization using this service, you must have an extension installed in your browser or a mobile application. Authorization in this area using other, less secure methods is not possible.
10.14. Transaction security:
PCIDSS
PayBox system was certified according to the PCI DSS standard and carries out all transactions in accordance with this certificate, which meets the requirements for ensuring the security of data about payment card holders stored and processed by the company.
As part of this certificate, the Digital Management Payment Organization fulfills the following requirements:
Building and maintaining a secure network:
• Installation and ensuring the functionality of firewalls to protect cardholder details;
• Restriction on use of the default system passwords and other security parameters set by manufacturers.
Cardholder Data Protection
• Ensuring the protection of cardholder data during storage;
• Ensuring encryption of cardholder data during transmission over public networks.
Support of a vulnerability management program
• Use and regular update of antivirus software;
• Development and support of secure systems and applications.
Implementation of strict access control measures
• Limiting access to cardholder data in accordance with the business need;
• Assigning a unique identifier to each person with access to the information infrastructure;
• Limiting physical access to cardholder data.
Regular network monitoring and testing
• Control and tracking of all access sessions to network resources and cardholder data;
• Regular testing of security systems and processes.
Support of information security policy
• Development, support and implementation of an information security policy.
CyberSource
Each transaction in the РауBох service passes through the CyberSource filter. This filter is a highly effective measure to protect transaction security that provides a high level of protection against fraud. More than 68 billion transactions are processed annually through the CyberSource service. Based on this data, as well as machine learning algorithms, the service decides, whether a transaction is fraudulent or not. CyberSource does not require 3D-Secure or another transaction security protection method, which allows the РayВох service to significantly expand its user base of payers with subscribers who do not have or do not enable 3D-Secure.
Trustkeeper
The РayВох server infrastructure is periodically scanned for vulnerabilities using the Trustkeeper service. During testing, the servers are subject to emulation of modern types of attacks, the use of new vulnerabilities and penetration methods. This procedure allows for timely detection and elimination of security issues.
Anti-fraud
All transactions with payment cards after their transfer from the РayВох service to the bank's payment system pass through the anti-fraud filter. Based on a set of rules, such as the presence of a card mask for sale on the black market, the reliability of the IP address from which the transaction is made, the use of a TOR client, etc., the filter calculates the risk level of the transaction and assigns it a certain rating. Depending on the level of transaction reliability set by the merchant, the bank's system processes or rejects the transaction.
11. Procedure for Settling and Resolving Disputes.
11.1. In the presence of legislative norms in force in the territory of the state, excluding the application of contractual terms in relations related to the implementation of the activities of the System Operator, the aforementioned imperative norms shall have priority over the terms of these Rules.
11.2. Disagreements between the Participants of the System Operator related to the implementation of the activities of the System Operator, or settlements between the Participants, which may serve as the basis for the emergence of the need for judicial consideration of disputes between the Participants, shall be considered by the System Operator under the claim procedure.
11.3. A claim of a Participant of the System Operator, set out in writing on official letterhead signed by its authorized official, shall be sent to the other party by registered mail or by other means confirming delivery of the claim to the addressee. The claim must be filed within 10 (ten) business days after the grounds for the claim arose, and contain an indication of the circumstances serving as the basis for its presentation, as well as the date of occurrence of the aforementioned circumstances. Claims received after the expiration of the specified period will not be taken into consideration.
11.4. Consideration of claims includes the study of circumstances that allow establishing the performance (non-performance) by the Participants of the System Operator of their functions and obligations arising from these Rules and the agreements concluded therewith. The System Operator may request from the Participants of the System Operator any information necessary to clarify the aforementioned circumstances.
11.5. A decision on the claim must be made within 15 calendar days after receipt of the claim and is communicated to the Participant who sent it in writing.
11.6. If it is impossible to resolve disagreements in the claim procedure, disputes shall be resolved by the Arbitration Court at the location of the System Operator in accordance with the legislation of the Kyrgyz Republic.
12. Procedure to be followed by participants in emergency situations in the system
12.1. This section contains the procedure for actions of the System Operator employees in emergency situations (hereinafter referred to as the Regulations).
12.2. The object of influence, control and management in the event of emergency situations is the uninterrupted functioning of the System, including:
- software; and
- hardware.
12.3. The nature of an emergency situation in the System is expressed as follows:
- failure in operation (suspension or incorrect functioning);
- detection of a fact or attempt at unauthorized access.
12.4. The factors causing emergency situations include:
- deliberate actions or inactions (of employees or third parties);
- natural phenomena (earthquake, fire, flood, hurricane, etc.);
- other factors (negligence, premature wear, accident, etc.).
List of emergency situations:
The product is a software complex (hereinafter referred to as the System), designed to organize technical interaction between online stores (merchants), individuals (buyers) and payment systems, and hereinafter jointly referred to as the system participants.
The System provides the ability to interact between system participants according to uniform standards and algorithms, regardless of the payment system through which the corresponding order (goods/services) is paid.
1.1. This document is an internal regulatory document of the System Operator.
1.2. This document defines the general procedure and conditions for connecting to and disconnecting from the System.
1.3. The System Operator may introduce changes to this document. Such changes are aimed at:
- improving the quality of services provided by the System Operator
- improving the efficiency and reliability of the System
- compliance with the Applicable Requirements and amendments thereto.
1.4. The Regulatory legislation shall have priority over any provisions of this document.
1. Terms and Definitions.
1.1. System Operator means Freedom Pay Kyrgyzstan LLC, which is a legal entity operating in accordance with the Applicable Requirements, acting as the authorized owner of the System and ensuring the procedure and conditions for its use.
1.2. System is hardware and software complex, as well as related means and resources used by the System Operator to provide services for the execution of the Payment Instruction.
1.3. Funds and resources include technological, intellectual, informational, labor, financial and other means and resources used, including, but not limited to, software, ATMs, terminals, websites, cash registers, premises, personnel, communication channels and utilities.
1.4. Applicable requirements are represented by regulatory legislation, rules and standards of the Payment Systems involved, and accepted contractual obligations, including the Agreement.
1.5. Regulatory legislation is an applicable legislation of the Kyrgyz Republic.
1.6. Agreement is the Agreement concluded between the System Operator and the Merchant.
1.7. Payment Instruction is a request to carry out a transfer transaction for payment or transfer, or payment of funds initiated in the Merchant's infrastructure through the System.
1.8. Merchant's Infrastructure includes the means and resources used by the Merchant to transmit the Payment Instruction in the System.
1.9. Payment System is a fund transfer system that ensures uniform rules and standards for processing, accounting and settlement of transactions, and authorizes a specific method of executing the Payment Instruction, including, but not limited to, the international payment system VISA Inc. or international payment system MasterCard Worldwide.
1.10. Merchant is a supplier of goods and/or works and/or services, in whose infrastructure the Payment Instruction is initiated.
1.11. Personal account is a specialized section of the Merchant in the System, which displays information about the operations carried out to execute Payment instructions.
3. System Architecture and its Operating Scheme
3.1. The technical result consists in the fact that the system can combine several payment systems and provide access to them for the merchant through its single interface, within the framework of one contract and a single technical integration. The system can also combine Internet/online stores, thereby providing the Buyer with the ability to select various goods, types of goods in the same place on one website, without the need to go to them, and pay for purchases with one common payment, using any available form of payment, since the system combines all currently available forms of cash and non-cash payment for the selected product, while allowing any payment systems to be connected to the system as quickly as possible, as well as making additional payments for orders from another payment system, if the payer has no balance within the selected one. The operation of the System is based on electronic invoices created at the relevant requests of buyers by sellers (suppliers of goods/services). In this case, the request for issuing an electronic invoice can be carried out either fully automatically using the API, or manually through a special web interface available to the seller/supplier of the goods/services. Information about the receipt of payment/payout for the electronic invoice comes to the supplier of the goods/services within a few seconds in online mode.
3.2. Connection of payment systems is carried out by connecting them to the system's electronic gateway, which is capable of interacting with various types of payment systems (hereinafter referred to as Payment agents) used worldwide, such as: Internet acquiring of bank cards, cash payment systems (banking organizations, service payment terminals, POS terminals, communication stores, money transfer systems), electronic money systems and mobile payments.
3.3. One of the features of such system is a fully automated online back office, which allows you to control the operation of the System online, connect new suppliers of goods/services and payment agents as quickly as possible, configure security settings and change them depending on the needs of a particular participant in the system, and conduct mutual settlements and reconciliations online.
3.4. The main functionality of the System consists of 17 unique services/modules:
1. Payment system connection gateways.
2. Electronic invoice issuing and accounting system.
3. Store connection API is a set of ready-made procedures, functions, structures and constants provided by the system for use in external software products/online stores.
4. CMS connection modules are the modules for ensuring and organizing the joint process of creating, editing and managing of content.
5. Connection to booking systems.
6. Client interface for stores.
7. Payment gateway management system.
8. Service for returning, canceling and/or adjusting erroneous payments.
9. Service for arbitrary payments.
10. Payer notification module.
11. Manual invoicing service.
12. Anti-fraud filters for counteracting fraud through the System.
13. Statistical reporting.
14. Register reconciliation module.
15. Creation of legal and accounting documents.
16. Automatic connection to the system.
17. Integration with billing and access control system.
3.5. Interaction of the payment system with the online store owner (seller) is carried out via open communication channels of the public Internet. The https protocol is used for exchange.
3.6. Communication is authorized by creating an EDS (electronic digital signature). Each request contains an EDS, which is checked before any actions with the request. The source text (base signature string) for constructing the EDS is a string obtained by sequential (in the order of issuance) concatenation of all values in the final XML separated by a semicolon.
3.7. Requests from the payment system to the Service Provider's server are transmitted using the POST method of the http protocol with parameters in the form of XML.
3.8. Responses are returned as XML documents in UTF-8 encoding.
4. Procedure for joining and leaving the system.
System connection procedure and conditions
4.1. The procedure for connecting a Merchant to the System consists of the following conditional stages:
• Application registration
• Access to the personal account
• Filling out the questionnaire
• Collection of documents
• Verification
• Accession to the Agreement
• Integration
• Configuration of transaction processing parameters
• Testing
• Activation of the "combat mode"
4.2. The Merchant is connected to the System under the following conditions:
4.2.1. Application registration:
The Merchant initiates a connection to the System using the appropriate functionality for submitting a connection application on the website: The System automatically registers the Merchant's connection application and sends a confirmation to the email address specified when submitting the application.
4.2.2. Access to the Personal Account:
Confirmation of registration of the Merchant's connection application contains instructions, an identifier (login) and a password for authorizing access to the Merchant's Personal Account in the System. Following these instructions, the Merchant logs in to the Personal Account and proceeds to filling out the questionnaire.
4.2.3. Filling out the questionnaire:
The Merchant fills out the questionnaires in the Personal Account by entering data in accordance with the requirements of the applicable legislation of the Kyrgyz Republic on the legalization (laundering) of proceeds from crime or financing of terrorism. To get assistance in filling out the questionnaire, the Merchant may contact the System support service via the contacts specified in the received confirmation of application registration or on the Internet site https://freedompay.kg
To assist in filling out the questionnaire, the System Operator may independently contact the Merchant via the contacts specified in the connection application.
4.2.4. Collection of the package of documents:
The Merchant provides the System Operator with a set of documents in accordance with the requirements of the applicable legislation of the Kyrgyz Republic on the legalization (laundering) of proceeds from crime or financing of terrorism. The set of documents is initially provided by the Merchant by uploading photographs or copies of the original documents in the Personal Account.
4.2.5. Verification:
The System Operator checks the completeness and compliance of the questionnaire and the set of documents with the Applicable Requirements. If necessary, in accordance with the Applicable Requirements, the System Operator requests missing or additional documents from the Merchant for verification. The System Operator informs the Merchant of the verification result.
4.2.6. Conclusion of the Agreement or the Questionnaire for connection to the System:
In case of a positive verification result, the Merchant signs the questionnaire for connection to the System or concludes the Agreement with the System Operator. Unless otherwise expressly specified in the Agreement, the signing by the Merchant of the necessary documents that form the constituent parts of the Agreement and/or the Questionnaire for connection to the System shall be deemed as the conclusion of the Agreement and the acceptance by the Merchant of the General Terms of Use of the System, posted as a public offer in the public domain on the website. When concluding the Agreement, the Merchant provides the System Operator with a set of documents (originals) in accordance with the requirements of the applicable legislation of the Kyrgyz Republic.
4.2.7. Integration:
The System Operator provides the Merchant with documentation on integration with the System and, if necessary, assists the Merchant in implementing integration with the System. The Merchant, in accordance with the received documentation, implements integration with the System.
4.2.8. Configuration of transaction processing parameters:
The System Operator shall configure the parameters for processing the Merchant’s transactions in the System in accordance with the terms and conditions of the Agreement and the Applicable Requirements.
4.2.9. Testing:
Initially, the System Operator will configure a test mode for performing Merchant’s transactions. The Merchant will perform transactions in test mode via the System, notify the System Operator of any errors identified, and eliminate any errors that may occur on the Merchant’s side. The System Operator will eliminate any errors identified and notify the Merchant of any errors that occur on the Merchant’s side.
4.2.10. Activation of "combat mode":
Upon elimination of all errors, the System Operator will activate the "combat mode" for conducting the Merchant's transactions in the System.
5. Procedure and Conditions for Disconnection from the System.
5.1. The procedure for disconnection of a Merchant from the System consists of the following conditional stages:
• Agreement termination notification
• Blocking transactions
• Conducting mutual settlements
• Blocking access to the Personal Account
• Storing documents
5.2. The Merchant is disconnected from the System under the following conditions:
5.2.1. Agreement termination notification.
The Party initiating disconnection from the System sends the other Party an Agreement termination notification in accordance with the requirements of the Agreement, indicating the date and reasons (if any) for such termination. The termination period is set out in accordance with the requirements of the Agreement, as well as the Applicable Requirements.
5.2.2. Blocking transactions.
The Party initiating disconnection from the System blocks transactions through the System in accordance with the terms and conditions of the Agreement. The Party that received the Agreement termination notification shall block transactions via the Freedompay.kg System from the date of receipt of such notification, unless otherwise specified in the terms and conditions of the Agreement.
5.2.3. Conducting mutual settlements.
Once the transactions through the System are blocked, the parties will perform reconciliation and subsequent mutual settlement within the terms and under the conditions specified in the Agreement.
5.2.4. Blocking access to the Personal Account.
The Agreement shall be considered terminated provided that the parties complete mutual settlements and fulfill the obligations assumed hereunder. After termination of the Agreement, the System Operator shall block the Merchant's access to the Personal Account in the System.
5.2.5. Storage of data and documents.
After termination of the Agreement, the System Operator will store the Merchant's data and documents for the period established in accordance with the Special Conditions and other Applicable Requirements.
6. Procedure for connection of participants to the System.
6.1. The Merchant sends a connection request via the website.
6.2. The System Operator immediately sends test access to the system to the Personal Account, and integration keys.
6.3. In the Personal Account, the Questionnaire for connection to the System of the System Operator is filled out.
6.4. The Merchant sends constituent and registration documents.
6.5. The generated file is signed (signature, seal or digital signature)
6.6. Following the bilateral signing of the Merchant's Questionnaire, the "combat mode" becomes available.
7. Processing procedure.
7.1. Carrying out purchase of goods/works/services by the Cardholder 1 on the Merchant's website using Payment cards (their details) through the Internet Payment System of the Organization, as well as the procedure for settlements between the Bank and the Organization.
7.2. An individual creates an order on the merchant's website and selects the System Operator to make the payment.
7.3. The Merchant registers and transfers the order data to the System Operator.
7.4. The Payment Organization registers the order data, assigns a payment ID in the system, checks for the presence of the telephone number and E-mail of the Individual, and returns 1D payment and the URL of the payment page to the store.
7.5. After successful verification, the Individual enters the card details and clicks
"Pay".
7.6. The Individual’s card details are sent as a payment request to the Bank.
7.7. The Bank makes the payment, credits the amount to the Bank's account, returns the Individual to the page with the payment result, and transfers the payment result data to the System Operator.
7.8. The System Operator registers the payment result data, transfers the payment result data to the merchant's billing.
7.9. The Merchant records the payment for the order and fulfills the order for the Individual.
7.10. The Bank transfers the payment to the Individual after deduction of the commission fee for the Bank and the System Operator to the merchant's account within 1-5 business days.
7.11. The Bank transfers the commission fee on the Individual's payment to the System Operator's account within 1-5 business days.
7.12. To register a merchant in the Bank's system, the System Operator transfers the Application and the List of goods/works/services to the Bank to verify the information specified in these documents and makes a decision on the possibility of registering the merchant.
7.13. In case of a positive decision on the possibility of registering the specified merchant in the Bank System, the Bank shall carry out the above registration no later than 3 (three) business days from the date of receipt of the Application by the Bank.
7.14. In case of refusal to register the Merchant in the Bank System, the Bank undertakes to provide the System Operator with a reasoned justification.
7.15. After successful registration in the Bank System on the merchant's website, online payments for goods and services by cardholders become available.
8. Procedure for providing information by the payment system participants about their activities to the payment system operator
8.1. Information established for the purpose of identifying a legal entity.
Freedom Pay Kyrgyzstan LLC as the System Operator establishes and records the following information regarding legal entities:
• Name, corporate name in Russian or Kyrgyz (full and (or) abbreviated).
• Organizational and legal form.
• Taxpayer identification number for a resident, taxpayer identification number or foreign organization code - for a non-resident (if any).
• Information on state registration: registration number (for a non-resident, the registration number in the country of registration); series and number of the document confirming the state registration.
• Place of state registration and location.
• Information on the legal entity bodies (structure and personnel of the governing bodies of the legal entity).
• Information on the presence or absence at the address (location) of the legal entity of its permanent management body, other body or person entitled to act on behalf of the legal entity without a power of attorney.
• Contact telephone and fax numbers (if any).
• Date of commencement of relations with the client.
• Last name, first name, and patronymic (unless otherwise provided by law or national custom), position of the employee who completed the questionnaire, his signature (if the questionnaire is completed on paper). If organizations and individual entrepreneurs record other information, then their list shall be included in the internal control rules.
• Other information (at the discretion of the organization and individual entrepreneur).
• Information (documents) received for the purpose of identifying individual entrepreneurs.
• Information provided for in Appendix 2 to these internal control rules.
• Information on the state registration of an individual as an individual entrepreneur: state registration number; date of state registration and details of the document confirming the fact of entry into the Unified State Register of Individual Entrepreneurs of a record of the abovementioned state registration; name and address of the registering authority.
• Postal address and contact telephone and fax numbers.
9. Payment system risk management system, including the risk management model applied, a list of measures and risk management methods
9.1. The risk management system of the System Operator means a set of measures taken by the System Operator for the purpose of timely identification, measurement, control and monitoring of risks to ensure financial stability and stable functioning. For effective risk management, the System Operator developed a risk management policy, which consists of:
• risk identification, measurement, control and monitoring;
• assessment of the effectiveness of their application;
• control over the execution of all monetary transactions;
• development and practical implementation of measures to prevent and minimize risks.
9.2. The main objective of risk regulation at the Oney System Operator is to maintain acceptable ratios of profitability with security and liquidity indicators in the course of managing the assets and liabilities of the System Operator, i.e. minimization of losses. The risk management process in the Payment Organization includes:
• risk anticipation, determination of probable extent and consequences;
• development and implementation of measures to prevent or minimize associated losses.
9.3. All this implies the development of an in-house risk management strategy in such a way as to use all the development opportunities of the System Operator in a timely and consistent manner while simultaneously keeping risks at an acceptable and manageable level.
9.4. The risk management system is characterized by such elements as management activities and methods. Risk management activities include: determining the organizational structure of risk management that ensures control over the fulfillment by agents and subagents of the System Operator of the risk management requirements established by the risk management rules of the System Operator; communicating relevant information on risks to the management bodies of the System Operator; determining the indicators and procedure for ensuring the uninterrupted functioning of the System Operator of certain risk analysis methods; determining the procedure for exchanging information necessary for risk management; determining the procedure for interaction in controversial} non-standard and emergency situations, including cases of system failures; determining the procedure for changing operational and technological means and procedures; determining the procedure for ensuring the protection of the System Operator's information.
9.5. Requirements for storing information about cards and card transactions made:
• The organization is obliged to ensure compliance with the following basic requirements for storing information about cards and card transactions made;
• Do not store under any circumstances;
• The full content of any of the tracks of the magnetic strip located on the back of the card; Card validation code is a 3-digit number printed on the signature panel of the card;
• Store only that part of the card information that is essential for the business (i.e. cardholder name, card number, card expiration date).
• Ensure the protection of the information stored by the Organization on card details and transactions made using them in accordance with the requirements of PCI DSS (Payment Card Industry Data Security Standard).
• Store all materials containing information on card details and transactions made using them in a secure place accessible only to authorized persons.
• Destroy or clear all information media containing outdated data on transactions made using cards.
9.6. In case of suspected fraudulent actions of the Wallet Owner/third parties, upon detection of a failure of software and hardware, in order to ensure security by the Operator of the Electronic Money System, the Issuer shall independently block the electronic wallet or sends a written request to the Operator to block the electronic wallet of the Electronic Money Owner indicating the reason for which it is necessary to block the electronic wallet. In case of receiving such a request from the Issuer to block the electronic wallet of the Electronic Money Owner, the Operator shall block the specified electronic wallet.
Exceeding the restrictions on the types and amounts of transactions with electronic money by the Electronic Money Owner, as well as the discovery by the Operator of the transfer of information by the Electronic Wallet Owner about his own authorization parameters (user name, password) to other persons, also entails blocking of the electronic wallet by the Operator.
9.7. Risk management regulation to ensure the safety of the client's money is provided through automatic blocking of the acceptance of payments by the system if the amount of the security deposit is exhausted.
9.8. Risk management by the System Operator is determined by such methods as managing the order of execution of orders by officials; making settlements within the limits of funds provided by the agents of the Payment Organization; making settlements with the System Operator before the end of the working day; ensuring the possibility of providing a limit; other methods of risk management.
10. Information security requirements
10.1. The Participants of the System Operator shall maintain confidentiality of non-public information about other Participants of the System Operator that has become known to the Participants of the System Operator in connection with accession with these Rules, except for cases if the information:
• is disclosed at the request or with the permission of the Participant of the System Operator who is the Owner of this information;
• is subject to provision to third parties to the extent necessary to fulfill the obligations stipulated by these Rules;
• requires disclosure according to the legislation of the Kyrgyz Republic.
10.2. Providing confidential information to a third party for the purpose of fulfilling the Rules and other agreements of the Participants of the System Operator; provision of confidential information upon the legal request of law enforcement and other authorized state bodies, as well as in other cases stipulated by the applicable legislation of the Kyrgyz Republic shall not constitute a violation of the confidentiality and security of the Participants of the System Operator.
10.3. Access to the electronic wallet and performing special transactions using the electronic wallet is possible only after authentication of the Electronic Money Owner.
10.4. Authentication of the Electronic Money Owner when accessing the electronic wallet is carried out by the software of the Payment Organization using the authorization data of the Electronic Money Owner: login, password, mobile phone number and, if necessary, special SMS messages.
10.5. The Operator shall ensure the uninterrupted functioning of the System in 24/7/365 mode (24 hours a day, 7 days a week, 365 days a year), except for the time necessary for maintenance.
10.6. The Operator shall ensure the protection of information about the means and methods of ensuring information security, personal data and other information subject to mandatory protection in accordance with the legislation of the Kyrgyz Republic, which may become known to him in the course of activities: in the EM Payment Organization.
10.7. The Participants of the System Operator undertake to take all necessary measures to ensure security and protection of information and documents exchanged within the Payment Organization or which are available to the Participants of the System Operator in connection with the use of the System Operator, as well as for the purpose of identifying (preventing) fraud and combating the legalization of proceeds from crime and the financing of terrorism.
10.8. The means and measures to prevent unauthorized access to software and hardware used in the System Operator, including software and hardware protection tools, must ensure the level of information protection and maintenance of its privacy in accordance with the requirements established by the legislation of the Kyrgyz Republic. The Participants of the System Operator shall take all necessary measures to maintain confidentiality, prevent unauthorized use and protect identification data from unauthorized access by third parties.
10.9. In the event of loss of authorization data by the Participant, the System Operator shall provide the Participant with the opportunity to restore access to the electronic wallet by submitting a corresponding application in the form established by the Operator to the Operator's Internet resource.
10.10. In this case, an unidentified Owner of Electronic Money (an individual) in order to restore access to an electronic wallet shall submit a corresponding application in the form established by the Operator to any of the Operator's offices, as well as provide evidence of ownership and use of the electronic wallet, access to which is being restored: (for example, by providing a list of the latest transactions using the wallet), while the sufficiency of such evidence shall be determined at the sole discretion of the Operator.
10.10. Server structure:
The Service is developed on the PHP server technology, and involves PHP version 5.6, launched in Fast CGI mode. MySQL Server version 5.5 is used as a data storage system. The Freedompay.kg server structure consists of a firewall, two identical transaction processing nodes, a database server and a backup database server, which also ensures the creation and storage of backups; All servers are running CentOS 7.
10.11. Fault tolerance.
Fault tolerance of the service is ensured by distributing the load between two application servers. This function is performed by software Nginx version 1.8, which acts as a frontend server proxying requests to application servers in round-robin mode. In case of unavailability of one of the servers (communication channel drop, high current load, server failure), all requests will be without delay automatically switched to the server that remains online. Thus, a balance is achieved in the performance of the servers in the basic operating mode and ensures uninterrupted transaction processing in the event of unforeseen circumstances, when one of the servers temporarily fails for some reason. The database server operates in the Master-Slave replication mode with a backup server, and in the event of a failure of the main server, the transaction processing nodes are automatically switched to the backup one.
10.12. Backup:
The database server is backed up using built-in MySQL tools, with backups saved on the backup database server for one month. The backup scheme is as follows: every hour + final at 1:00 with deletion of hourly copies. Backups older than one month are deleted in order to prevent the data storage from overfilling. The relevance and preservation of the transaction processing system code base is ensured by the version control system. The code repositories themselves are stored on the BitBucket.com service, from which deployment, can be performed in the shortest possible time in the event of server failure.
10.13. Server infrastructure access security:
Administrative access to any of the servers is possible only with a 2048-bit SSH2-RSA key. It is impossible to gain access to the server infrastructure by brute-forcing passwords or any other unauthorized method. Client access to the personal account, as well as administrator access to the transaction management account, is carried out only through two-factor authorization, which is provided by the teddyid.com service. To pass authorization using this service, you must have an extension installed in your browser or a mobile application. Authorization in this area using other, less secure methods is not possible.
10.14. Transaction security:
PCIDSS
PayBox system was certified according to the PCI DSS standard and carries out all transactions in accordance with this certificate, which meets the requirements for ensuring the security of data about payment card holders stored and processed by the company.
As part of this certificate, the Digital Management Payment Organization fulfills the following requirements:
Building and maintaining a secure network:
• Installation and ensuring the functionality of firewalls to protect cardholder details;
• Restriction on use of the default system passwords and other security parameters set by manufacturers.
Cardholder Data Protection
• Ensuring the protection of cardholder data during storage;
• Ensuring encryption of cardholder data during transmission over public networks.
Support of a vulnerability management program
• Use and regular update of antivirus software;
• Development and support of secure systems and applications.
Implementation of strict access control measures
• Limiting access to cardholder data in accordance with the business need;
• Assigning a unique identifier to each person with access to the information infrastructure;
• Limiting physical access to cardholder data.
Regular network monitoring and testing
• Control and tracking of all access sessions to network resources and cardholder data;
• Regular testing of security systems and processes.
Support of information security policy
• Development, support and implementation of an information security policy.
CyberSource
Each transaction in the РауBох service passes through the CyberSource filter. This filter is a highly effective measure to protect transaction security that provides a high level of protection against fraud. More than 68 billion transactions are processed annually through the CyberSource service. Based on this data, as well as machine learning algorithms, the service decides, whether a transaction is fraudulent or not. CyberSource does not require 3D-Secure or another transaction security protection method, which allows the РayВох service to significantly expand its user base of payers with subscribers who do not have or do not enable 3D-Secure.
Trustkeeper
The РayВох server infrastructure is periodically scanned for vulnerabilities using the Trustkeeper service. During testing, the servers are subject to emulation of modern types of attacks, the use of new vulnerabilities and penetration methods. This procedure allows for timely detection and elimination of security issues.
Anti-fraud
All transactions with payment cards after their transfer from the РayВох service to the bank's payment system pass through the anti-fraud filter. Based on a set of rules, such as the presence of a card mask for sale on the black market, the reliability of the IP address from which the transaction is made, the use of a TOR client, etc., the filter calculates the risk level of the transaction and assigns it a certain rating. Depending on the level of transaction reliability set by the merchant, the bank's system processes or rejects the transaction.
11. Procedure for Settling and Resolving Disputes.
11.1. In the presence of legislative norms in force in the territory of the state, excluding the application of contractual terms in relations related to the implementation of the activities of the System Operator, the aforementioned imperative norms shall have priority over the terms of these Rules.
11.2. Disagreements between the Participants of the System Operator related to the implementation of the activities of the System Operator, or settlements between the Participants, which may serve as the basis for the emergence of the need for judicial consideration of disputes between the Participants, shall be considered by the System Operator under the claim procedure.
11.3. A claim of a Participant of the System Operator, set out in writing on official letterhead signed by its authorized official, shall be sent to the other party by registered mail or by other means confirming delivery of the claim to the addressee. The claim must be filed within 10 (ten) business days after the grounds for the claim arose, and contain an indication of the circumstances serving as the basis for its presentation, as well as the date of occurrence of the aforementioned circumstances. Claims received after the expiration of the specified period will not be taken into consideration.
11.4. Consideration of claims includes the study of circumstances that allow establishing the performance (non-performance) by the Participants of the System Operator of their functions and obligations arising from these Rules and the agreements concluded therewith. The System Operator may request from the Participants of the System Operator any information necessary to clarify the aforementioned circumstances.
11.5. A decision on the claim must be made within 15 calendar days after receipt of the claim and is communicated to the Participant who sent it in writing.
11.6. If it is impossible to resolve disagreements in the claim procedure, disputes shall be resolved by the Arbitration Court at the location of the System Operator in accordance with the legislation of the Kyrgyz Republic.
12. Procedure to be followed by participants in emergency situations in the system
12.1. This section contains the procedure for actions of the System Operator employees in emergency situations (hereinafter referred to as the Regulations).
12.2. The object of influence, control and management in the event of emergency situations is the uninterrupted functioning of the System, including:
- software; and
- hardware.
12.3. The nature of an emergency situation in the System is expressed as follows:
- failure in operation (suspension or incorrect functioning);
- detection of a fact or attempt at unauthorized access.
12.4. The factors causing emergency situations include:
- deliberate actions or inactions (of employees or third parties);
- natural phenomena (earthquake, fire, flood, hurricane, etc.);
- other factors (negligence, premature wear, accident, etc.).
List of emergency situations:
12.5. Due to with the occurrence of emergency situations, employees are divided into:
- person discovered the emergency;
- coordinator;
- responsible person;
- other employees.
13. Procedure in case of an emergency
13.1. General procedure
a. The person who discovered the emergency informs the coordinator of the emergency by any available means. If it is impossible to inform, the person who discovered it shall act independently as the coordinator.
b. Based on the information received, the coordinator determines the object of influence, the nature and the factor of the emergency. Depending on these parameters, the coordinator contacts the other employees by any available means, appoints and instructs the responsible persons. In the event of an emergency for which the procedure for action is not regulated, the coordinator develops a specific action plan taking into account the current situation.
c. The responsible persons act in accordance with the instructions received and inform the coordinator of the results of eliminating the emergency.
d. Other employees shall provide the coordinator and the responsible persons with necessary assistance.
e. In the event of a suspension of the System's operation, the coordinator shall ensure that the responsible person sends a notification to the users/clients of the System indicating the reasons and terms of the suspension.
f. The Coordinator ensures that the responsible person records in the System operation log all information about any emergency situations that have arisen, the work carried out to eliminate them, and the fact that the emergency situation has been eliminated.
g. If necessary, an official investigation is conducted on the occurrence of an emergency situation and the determination of its cause.
13.2. Specific actions subject to occurrence of various emergency situations.
a. Software failure
The Coordinator, together with the responsible person (the employee of the department that experienced the emergency situation), determines the cause of the failure. If the error cannot be corrected on their own, an information message with accompanying materials about the situation is sent to the software developer.
b. Power outages or lack of power.
In the event of a power outage, periodic power outages or surges, the server equipment must be transferred to backup power sources. The coordinator, together with the responsible person (the employee of the department that experienced the emergency), conducts an analysis for data loss and/or violation of the integrity of data and software, and checks the operability of the equipment. If necessary, the software and data are restored from the latest backup copy.
c. Lack of access to the local network.
The coordinator, together with the responsible person (the employee of the department that experienced the emergency), conducts an analysis for data loss and/or violation of the data and software integrity, and checks the operability of the equipment. If necessary, the software and data are restored from the latest backup copy.
d. Server failure.
The coordinator, together with the responsible person (the employee of the department that experienced the emergency), takes measures to immediately put the backup server into operation to ensure continuous operation. If necessary, work is carried out to restore software and data from backup copies.
e. Data loss and/or data integrity violation
If data loss is detected, the coordinator, together with the responsible person, carries out activities to find and eliminate the causes of data loss (anti-virus scan, integrity and operability of software, integrity and operability of equipment, etc.). If necessary, software and data are restored from backup copies.
f. Software virus attack
If a virus is detected, the virus is localized in order to prevent its further spread, for which it is necessary to physically disconnect the "infected" computer from the local network and analyze the computer's condition. The analysis is carried out by an employee competent in this area. The result of the analysis may be an attempt to save the data, since after rebooting the computer, and the data may already be lost. After successfully eliminating the virus, the saved data must also be checked for the presence of the virus. After eliminating the virus, it is necessary to conduct an unscheduled anti-virus scan on all computers using updated anti-virus databases. If necessary, software, data and backup copies are restored. An official investigation is carried out into the fact of the virus appearing on the computer (local network).
g. Data leak
The coordinator and the responsible person conduct an internal investigation. If the data leak occurred due to technical reasons, the system security is analyzed and, if necessary, measures are taken to eliminate the vulnerability and prevent their occurrence.
h. System hacking
If a server hack is detected, the coordinator and the responsible person are notified. If possible, the server is temporarily disconnected from the network to check for viruses and Trojan horse back-ups. A temporary transition to a backup server is possible. Considering that software back-ups may not be detected by antivirus software, the integrity of executable files should be checked especially carefully in accordance with the hash functions of the reference software, and the state of script files and server logs should be analyzed. It is necessary to change all passwords that were related to this server. If necessary, the software and data are restored from their reference archive and backup copies. Based on the results of the situation analysis, it is necessary to check the probability of penetration of unauthorized programs into the local network, after which similar work should be carried out to check and restore software and data on other computers. The server hacking is subjected to the official investigation.
i. Password compromise
If the data leak is detected, the coordinator and the responsible person (head of department) are notified. If a password is compromised, it is necessary to immediately change the password, analyze the situation for the consequences of the compromise and take the necessary measures to minimize possible (or caused) damage (blocking user accounts, etc.). If necessary, an internal investigation is carried out.
j. Failure of telecommunications lines
The Coordinator is notified. The cause of damage to the local network or telecommunications lines and possible threats to information security are determined. If there is a suspicion of a deliberate failure of equipment, an internal investigation is carried out, the software is checked for the presence of malicious backdoor programs, the integrity of the software and data. Electronic logs are analyzed. If necessary, measures are taken to restore the software and data from their backup copies.
This section is mandatory for all employees and is communicated to the employees by the coordinator against signature.
The Coordinator shall periodically, but not less than once a year, analyze registered emergency situations in order to develop measures to prevent them in future.
Based on the results of internal investigations, analysis of registered emergency situations, training and inspections in the event of development of new or improvement of existing measures to prevent and respond to emergency situations, the Coordinator shall update the Regulations.
These internal control rules (hereinafter referred to as the "Rules") have been developed taking into account the requirements of the legislation of the Kyrgyz Republic on Combating the legalization (laundering) of proceeds from crime and the financing of terrorism.
13.3. Key objective of the internal control rules:
a) ensure compliance with the requirements of the Law of the Kyrgyz Republic "On Combating the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism or Extremism ";
b) maintain the effectiveness of the internal control system at a level sufficient to manage the risks of legalization (laundering) of proceeds from crime and the financing of terrorism, as well as associated risks;
c) exclude direct or indirect participation/involvement in the execution of payment and other transactions related to the legalization (laundering) of proceeds from crime, as well as the financing of terrorism.
14. Program for Organization of Internal Control for Combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism.
14.1. In order to ensure the implementation of the internal control program, the Company has appointed a compliance officer (hereinafter referred to as the "Responsible Employee") of the department combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism to perform the following functions:
a) Ensuring the availability of internal control rules and/or amendments (additions) thereto developed and agreed upon with the executive collegial body, as well as monitoring their observance in the organization;
b) Submission and monitoring of the provision of reports to the authorized body for financial monitoring in accordance with the legislation of the Kyrgyz Republic on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism;
c) Making decisions on recognizing client transactions as suspicious and the need to send reports to the authorized body for financial monitoring in the manner prescribed by the internal documents of the organization;
d) Making or agreeing with the authorized body or official on refusing to conduct client transactions in cases stipulated by the law on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism and in the manner prescribed by the internal documents of the organization;
e) Sending requests to the executive body to make a decision on establishing, continuing or terminating business relations with clients in the cases and in the manner stipulated by the law on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism and/or internal documents of the organization;
f) Informing authorized bodies and officials about identified violations of internal control rules in the manner stipulated by the internal documents of the organization;
g) Preparing and coordinating with the executive body information on the results of implementing internal control rules and recommended measures to improve risk management and internal control systems for combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism for generating reports to the authorized bodies of the organization.
14.2. The responsible employee of the department combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism is vested with the following powers:
a) Obtaining access to all premises, information systems, telecommunications, documents and files, to the extent that they can fully perform their functions and in the manner stipulated by the internal documents of the organization;
b) Ensuring the confidentiality of information obtained in the performance of their functions;
c) Ensuring the safety of documents and files received from departments.
14.3. The functions of the Responsible Employee are not combined with the functions of the internal audit service or other body authorized to conduct internal audit, as well as the functions of departments carrying out the operational (current) activities of the organization.
14.4. For the purposes of combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism, automated systems are used that allow:
a) Maintaining client files (questionnaires), including changes (additions) made thereto;
b) Identifying threshold and suspicious transactions according to pre-set criteria, taking into account the requirements of the Kyrgyz Republic legislation on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism, as well as the results of the assessment of the degree of exposure of the services provided to the risk of legalization (laundering) of proceeds from crime and terrorist financing;
c) Preventing deletion of information from the database of client files (questionnaires), transactions performed, messages sent to the authorized body for financial monitoring;
d) Maintaining the data backup and storage system;
e) Maintaining a log of each user's work, protected from modification.
- person discovered the emergency;
- coordinator;
- responsible person;
- other employees.
13. Procedure in case of an emergency
13.1. General procedure
a. The person who discovered the emergency informs the coordinator of the emergency by any available means. If it is impossible to inform, the person who discovered it shall act independently as the coordinator.
b. Based on the information received, the coordinator determines the object of influence, the nature and the factor of the emergency. Depending on these parameters, the coordinator contacts the other employees by any available means, appoints and instructs the responsible persons. In the event of an emergency for which the procedure for action is not regulated, the coordinator develops a specific action plan taking into account the current situation.
c. The responsible persons act in accordance with the instructions received and inform the coordinator of the results of eliminating the emergency.
d. Other employees shall provide the coordinator and the responsible persons with necessary assistance.
e. In the event of a suspension of the System's operation, the coordinator shall ensure that the responsible person sends a notification to the users/clients of the System indicating the reasons and terms of the suspension.
f. The Coordinator ensures that the responsible person records in the System operation log all information about any emergency situations that have arisen, the work carried out to eliminate them, and the fact that the emergency situation has been eliminated.
g. If necessary, an official investigation is conducted on the occurrence of an emergency situation and the determination of its cause.
13.2. Specific actions subject to occurrence of various emergency situations.
a. Software failure
The Coordinator, together with the responsible person (the employee of the department that experienced the emergency situation), determines the cause of the failure. If the error cannot be corrected on their own, an information message with accompanying materials about the situation is sent to the software developer.
b. Power outages or lack of power.
In the event of a power outage, periodic power outages or surges, the server equipment must be transferred to backup power sources. The coordinator, together with the responsible person (the employee of the department that experienced the emergency), conducts an analysis for data loss and/or violation of the integrity of data and software, and checks the operability of the equipment. If necessary, the software and data are restored from the latest backup copy.
c. Lack of access to the local network.
The coordinator, together with the responsible person (the employee of the department that experienced the emergency), conducts an analysis for data loss and/or violation of the data and software integrity, and checks the operability of the equipment. If necessary, the software and data are restored from the latest backup copy.
d. Server failure.
The coordinator, together with the responsible person (the employee of the department that experienced the emergency), takes measures to immediately put the backup server into operation to ensure continuous operation. If necessary, work is carried out to restore software and data from backup copies.
e. Data loss and/or data integrity violation
If data loss is detected, the coordinator, together with the responsible person, carries out activities to find and eliminate the causes of data loss (anti-virus scan, integrity and operability of software, integrity and operability of equipment, etc.). If necessary, software and data are restored from backup copies.
f. Software virus attack
If a virus is detected, the virus is localized in order to prevent its further spread, for which it is necessary to physically disconnect the "infected" computer from the local network and analyze the computer's condition. The analysis is carried out by an employee competent in this area. The result of the analysis may be an attempt to save the data, since after rebooting the computer, and the data may already be lost. After successfully eliminating the virus, the saved data must also be checked for the presence of the virus. After eliminating the virus, it is necessary to conduct an unscheduled anti-virus scan on all computers using updated anti-virus databases. If necessary, software, data and backup copies are restored. An official investigation is carried out into the fact of the virus appearing on the computer (local network).
g. Data leak
The coordinator and the responsible person conduct an internal investigation. If the data leak occurred due to technical reasons, the system security is analyzed and, if necessary, measures are taken to eliminate the vulnerability and prevent their occurrence.
h. System hacking
If a server hack is detected, the coordinator and the responsible person are notified. If possible, the server is temporarily disconnected from the network to check for viruses and Trojan horse back-ups. A temporary transition to a backup server is possible. Considering that software back-ups may not be detected by antivirus software, the integrity of executable files should be checked especially carefully in accordance with the hash functions of the reference software, and the state of script files and server logs should be analyzed. It is necessary to change all passwords that were related to this server. If necessary, the software and data are restored from their reference archive and backup copies. Based on the results of the situation analysis, it is necessary to check the probability of penetration of unauthorized programs into the local network, after which similar work should be carried out to check and restore software and data on other computers. The server hacking is subjected to the official investigation.
i. Password compromise
If the data leak is detected, the coordinator and the responsible person (head of department) are notified. If a password is compromised, it is necessary to immediately change the password, analyze the situation for the consequences of the compromise and take the necessary measures to minimize possible (or caused) damage (blocking user accounts, etc.). If necessary, an internal investigation is carried out.
j. Failure of telecommunications lines
The Coordinator is notified. The cause of damage to the local network or telecommunications lines and possible threats to information security are determined. If there is a suspicion of a deliberate failure of equipment, an internal investigation is carried out, the software is checked for the presence of malicious backdoor programs, the integrity of the software and data. Electronic logs are analyzed. If necessary, measures are taken to restore the software and data from their backup copies.
This section is mandatory for all employees and is communicated to the employees by the coordinator against signature.
The Coordinator shall periodically, but not less than once a year, analyze registered emergency situations in order to develop measures to prevent them in future.
Based on the results of internal investigations, analysis of registered emergency situations, training and inspections in the event of development of new or improvement of existing measures to prevent and respond to emergency situations, the Coordinator shall update the Regulations.
These internal control rules (hereinafter referred to as the "Rules") have been developed taking into account the requirements of the legislation of the Kyrgyz Republic on Combating the legalization (laundering) of proceeds from crime and the financing of terrorism.
13.3. Key objective of the internal control rules:
a) ensure compliance with the requirements of the Law of the Kyrgyz Republic "On Combating the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism or Extremism ";
b) maintain the effectiveness of the internal control system at a level sufficient to manage the risks of legalization (laundering) of proceeds from crime and the financing of terrorism, as well as associated risks;
c) exclude direct or indirect participation/involvement in the execution of payment and other transactions related to the legalization (laundering) of proceeds from crime, as well as the financing of terrorism.
14. Program for Organization of Internal Control for Combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism.
14.1. In order to ensure the implementation of the internal control program, the Company has appointed a compliance officer (hereinafter referred to as the "Responsible Employee") of the department combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism to perform the following functions:
a) Ensuring the availability of internal control rules and/or amendments (additions) thereto developed and agreed upon with the executive collegial body, as well as monitoring their observance in the organization;
b) Submission and monitoring of the provision of reports to the authorized body for financial monitoring in accordance with the legislation of the Kyrgyz Republic on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism;
c) Making decisions on recognizing client transactions as suspicious and the need to send reports to the authorized body for financial monitoring in the manner prescribed by the internal documents of the organization;
d) Making or agreeing with the authorized body or official on refusing to conduct client transactions in cases stipulated by the law on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism and in the manner prescribed by the internal documents of the organization;
e) Sending requests to the executive body to make a decision on establishing, continuing or terminating business relations with clients in the cases and in the manner stipulated by the law on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism and/or internal documents of the organization;
f) Informing authorized bodies and officials about identified violations of internal control rules in the manner stipulated by the internal documents of the organization;
g) Preparing and coordinating with the executive body information on the results of implementing internal control rules and recommended measures to improve risk management and internal control systems for combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism for generating reports to the authorized bodies of the organization.
14.2. The responsible employee of the department combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism is vested with the following powers:
a) Obtaining access to all premises, information systems, telecommunications, documents and files, to the extent that they can fully perform their functions and in the manner stipulated by the internal documents of the organization;
b) Ensuring the confidentiality of information obtained in the performance of their functions;
c) Ensuring the safety of documents and files received from departments.
14.3. The functions of the Responsible Employee are not combined with the functions of the internal audit service or other body authorized to conduct internal audit, as well as the functions of departments carrying out the operational (current) activities of the organization.
14.4. For the purposes of combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism, automated systems are used that allow:
a) Maintaining client files (questionnaires), including changes (additions) made thereto;
b) Identifying threshold and suspicious transactions according to pre-set criteria, taking into account the requirements of the Kyrgyz Republic legislation on combating the legalization (laundering) of proceeds from crime, as well as the financing of terrorism, as well as the results of the assessment of the degree of exposure of the services provided to the risk of legalization (laundering) of proceeds from crime and terrorist financing;
c) Preventing deletion of information from the database of client files (questionnaires), transactions performed, messages sent to the authorized body for financial monitoring;
d) Maintaining the data backup and storage system;
e) Maintaining a log of each user's work, protected from modification.
15. Program for managing the risks of legalization (laundering) of proceeds from crime and financing of terrorism.
15.1. It is necessary to assess on an annual basis the degree of exposure of the services provided to the following types of risks of legalization (laundering) of proceeds from crime and financing of terrorism, including, but not limited to:
a) Risk by type of clients
b) Country (geographical) risk
c) Risk of the service and/or method of its provision
15.2. Key types of clients whose status and/or whose activities increase the risk of legalization (laundering) of proceeds from crime and terrorist financing include:
a) Foreigners, including foreign public officials, their close relatives and representatives;
b) Foreign financial institutions.
c) Legal entities and individual entrepreneurs, whose activities are related to the intensive cash turnover, including:
i. Organizers of the gambling business, as well as persons providing services or receiving income from the activities of online casinos outside the Kyrgyz Republic;
ii. Persons providing tourist services, as well as other services related to intensive cash turnover;
d) Insurance (reinsurance) organizations, insurance brokers operating in the life insurance sector (except for subsidiaries of the bank that comply with requirements for combating legalization (laundering) of proceeds from crime and financing of terrorism established by the bank);
e) Persons operating as insurance agents;
f) Persons carrying out intermediary activities in the purchase and sale of real estate;
g) Non-profit organizations, in the organizational and legal form of funds, religious associations;
h) Persons located (registered) in foreign states specified in paragraph 15 of the Requirements, as well as branches and representative offices of such persons located in the Kyrgyz Republic.
15.3. It is necessary to assess the country (geographical) risk associated with the provision of services to clients in their foreign countries. Foreign countries, transactions with which increase the risk of legalization (laundering) of proceeds from crime and terrorist financing are:
a. Foreign countries (territories) included in the list of countries (territories) that do not comply or insufficiently comply with the recommendations of the Financial Action Task Force on Money Laundering (FATF), compiled by the authorized body for financial monitoring;
b. Foreign countries (territories) against which international sanctions (embargoes) adopted by resolutions of the United Nations Security Council are applied;
c. Foreign countries (territories) included in the list of offshore zones for the purposes of the Law on the combating legalization (laundering) of proceeds from crime and financing of terrorism;
d. Foreign countries (territories) determined by the organization as posing a high risk of legalization (laundering) of proceeds from crime and terrorist financing based on other factors (information on the level of corruption, illegal production, trafficking and/or transit of drugs, information on support for international terrorism, etc.).
15.4. The following are the services, the provision of which is subject to a high risk of legalization (laundering) of proceeds from crime and terrorist financing:
a. Remote customer service, including servicing via electronic terminals;
b. Services for the sale (distribution) of electronic money and payment cards;
c. Services for the acceptance and processing of payments made using electronic money in excess of an amount equal to one hundred times the monthly calculation indicator established for the relevant financial year by the law on the republican budget;
d. Services for the processing of payments initiated by the client in electronic form, and the transfer of the necessary information to the bank, an organization carrying out certain types of banking operations, for making a payment and/or transferring or accepting money for these payments.
15.5. It is necessary to establish the risk level of the client (group of clients) based on the results of the analysis of information about the client (clients) obtained as part of the procedures for identifying and monitoring client transactions, and assess it according to a risk level determination scale, which consists of three levels: low, medium and high.
16. Customer Identification Program
16.1. In order to carry out activities to record and verify the accuracy of information about the client (his representative), identify the beneficial owner and record information about him, establish and record the intended purpose of business relations or a one-time operation (transaction), it is necessary to identify clients and their beneficial owners.
16.2. The extent of the activities carried out, the depth and detail of identification depend on the client's risk level.
16.3. In the process of identifying the client (identifying the beneficial owner), it is necessary to check for the presence of such client (beneficiary owner) in the list of persons and organizations associated with the financing of terrorism and extremism, obtained in accordance with the Law on combating legalization (laundering) of proceeds from crime and financing of terrorism (hereinafter referred to as the List).
17. Customer Operations Monitoring and Study Program
17.1. It is necessary to regularly carry out activities to update and/or obtain additional information about clients (their representatives) and beneficial owners, as well as to study client transactions and identify threshold and suspicious transactions.
17.2. The results of monitoring and studying client transactions must be used to annually assess the degree of exposure of the organization's services to the risks of legalization (laundering) of proceeds from crime and terrorist financing, as well as to review client risk levels.
17.3. The program for monitoring and studying client transactions includes:
a. A list of signs of unusual and suspicious transactions;
b. Distribution of responsibilities between employees to update previously received and/or to obtain additional information about the client (his representative) and beneficial owner;
c. Distribution of responsibilities between employees of the organization to identify and transfer between employees information about threshold, unusual and suspicious transactions;
d. Description of the mechanism for interaction between departments in identifying threshold, unusual and suspicious transactions;
e. The procedure, grounds and timeframe for the responsible employee to make a decision on the qualification of a client transaction;
f. The procedure for interaction between employees to make a decision to refuse to carry out a client transaction, as well as to terminate business relations with the client;
g. The procedure for interaction between divisions (employees) of the organization to identify clients and beneficial owners included in the List, as well as to immediately freeze transactions with money and/or other property of such clients;
h. The procedure for recording (including recording methods) and storing information on the results of studying unusual transactions, as well as information on threshold and suspicious transactions (including the transaction amount, transaction currency);
i. The procedure for submitting messages on threshold and suspicious transactions to the authorized body for financial monitoring;
j. The procedure for informing (if necessary) authorized bodies and officials of the organization about the identification of a threshold and suspicious transaction;
k. The procedure for adoption and a description of the measures taken in relation to the client and its transactions in the event that the client systematically and/or in significant volumes carries out unusual and/or suspicious transactions.
17.4. If doubts arise regarding the legality of classifying a transaction as a threshold transaction, as well as if an unusual or suspicious transaction is identified, the employee who identified the said transaction is obliged to send a message about such transaction to the Responsible Employee in the manner, form and within the timeframes established by the internal documents of the organization.
18. Program for training and education of employees on issues of combating legalization (laundering) of proceeds from crime and financing of terrorism
18.1. On a regular basis, with the frequency established by the applicable legislation of the Kyrgyz Republic, it is necessary to conduct a program of training and education of employees on issues of combating legalization (laundering) of proceeds from crime and financing of terrorism in order to ensure that the knowledge and skills of the company's employees correspond to the required level.
19. Rights, obligations and responsibilities of participants of the Payment System
19.1. Rights and obligations of the System Operator (hereinafter referred to as the Operator) when interacting with Merchants:
19.1.1. The Operator is entitled to:
• The Operator, on behalf of and at the expense of the Merchant, may accept payments from Payers using payment cards, electronic wallets and electronic money, including using MPA, cash and non-cash funds, and undertakes to transfer the accepted payment to the Merchant (or make settlements in another legal manner) in the manner prescribed by these Rules, in turn, the Merchant undertakes to pay the Operator a fee in the manner prescribed by these Rules. The amount of the fee is determined by the Agreement/or the Questionnaire for connection;
• The Operator may accept payments personally or entrust the acceptance of payments to third parties - Agents of the Operator;
• The Operator and/or Agents of the Operator may accept (receive) payments from Payers in any manner not prohibited by law (cash, non-cash funds); as well as through other payment systems and instruments not prohibited by the legislation of the Kyrgyz Republic);
19.1.2. Responsibilities of the Operator:
• Register the Merchant in its electronic database and assign it the corresponding ID;
• Ensure the transfer of Payments accepted by the Operator and/or the Operator's Agents in the order of execution of the Offer Agreement/Questionnaire for connection to the System, accepted by the Operator and/or the Operator's Agents of Payments, on the terms and within the timeframes stipulated by the Offer Agreement/Questionnaire for connection to the System. In this case, the Operator's obligations to transfer to the Merchant the payments accepted in his favor are considered fulfilled from the moment the corresponding amount of funds is written off from the Operator's bank account;
• The Operator and the Supplier sign the Reconciliation Statement for the reporting period. The procedure and timeframe for providing the Act, reviewing the Statement and signing it are determined by the Offer Agreement/Questionnaire for connection to the System signed with the Merchant;
19.2. Rights and obligations of the Supplier of goods/services.
19.2.1. The Merchant is obliged to:
• For the purposes of registering the Supplier of goods/services in the Operator's electronic database and the proper execution of payments, as well as for the purposes of interaction between the parties in the execution of the Agreement with the Merchant, submit information to the Operator and provide them with the documents stipulated by paragraphs 4.2.3. - 4.2.4 hereof;
• Notify the Operator of changes in the Payment parameters that may affect the identification of the Payer and, in general, the correctness of the Payment;
• In the event of an erroneous transfer by the Operator in favor of the Merchant of funds transferred by the Operator in the course of fulfilling the Operator's obligations to the Merchant, which arose as a result of any technical error, return to the Operator, upon his written application, the erroneously transferred funds within three (3) banking days from the date of receipt of the relevant request;
• In case of an erroneous payment due to the fault (including careless) of the Payer (incorrect indication of the personal account number, incorrect indication of the payment amount, incorrect indication of the telephone number, etc.), upon written application of the Operator, return to the Operator the erroneously transferred funds, or change the payment parameters, if such return and such change of payment parameters are possible and available;
• Agree on the monthly Reconciliation Statement for the relevant reporting month by signing it. The procedure and term for receiving the monthly Statement is determined by the Offer Agreement/Questionnaire for connection with the Merchant;
• Pay the Operator remuneration in the manner and amount established in the Offer Agreement/Questionnaire for connection with the Merchant;
19.2.3. Rights of the Merchant of goods/services:
• Require from the Operator timely fulfillment of financial obligations incurred by the Operator for acceptance of Merchant Payments by the Operator and/or its Agents;
• Require the Operator to properly fulfill the obligations stipulated by these Rules and the Offer Agreement/Questionnaire for connection with the Merchant;
19.3. Rights of the Operator
19.3.1. Require the Merchant to properly fulfill the obligations stipulated by these Rules and the Offer Agreement/Questionnaire for connection;
19.3.2. Require the Merchant to pay the remuneration due to the Operator in the manner and within the timeframes specified in the Offer Agreement/Questionnaire for connection with the Merchant for the Payments accepted by the Operator and/or the Operator's Agents;
19.3.3. In case of erroneous payments, the adjustment and cancellation (revocation) of payments shall be made in accordance with the procedures (order) stipulated by these Rules;
19.3.5. The Parties may place each other's trademarks by using their own information resources solely for the purpose of advertising the goods (works, services) of the trademark owners;
19.4. Liability of the Parties in the interaction of the Operator with the Merchant
19.4.1. The Parties shall be liable for improper fulfillment of their obligations in accordance with the provisions of these Rules, as well as the Offer Agreement/Questionnaire for connection with the Merchant, and in cases not stipulated by the Rules and the Offer Agreement/Questionnaire for connection - in accordance with the legislation of the Kyrgyz Republic;
19.4.2. In the event of a breach by the Operator of the obligations to transfer Payments to the Merchant, accepted in the order of execution of the Offer Agreement/Questionnaire for connection with the Merchant, the Operator shall pay the Merchant a penalty in the amount, manner and within the time limits specified in the Agreement with the Merchant;
19.4.3. In the event of a breach by the Merchant of the procedure for paying remuneration stipulated in the Offer Agreement/Questionnaire for connection with the Merchant and/or in its relevant appendices (amount, terms), the Merchant undertakes to pay the Operator a penalty in the amount, manner and within the time limits specified in the Offer Agreement/Questionnaire for connection;
19.4.4. In case of temporary suspension or termination of acceptance of Payments by the Operator, including in connection with termination of the Offer Agreement/Questionnaire for connection with the Merchant, the latter shall not be entitled to demand, and the Operator shall not be obliged to compensate the Merchant for any indirect damages (lost profits, lost income (profit), etc.), unless otherwise provided by the Offer Agreement/Questionnaire for connection;
19.4.5. The Operator shall not be liable for the untimely transfer of accepted Payments to the Merchant in the event of untimely notification by the Merchant of a change in its details, as well as in the event of a failure in the electronic systems of the servicing bank;
19.4.6. The Operator shall not be liable for errors made by the Payer when making a Payment;
20. Tariff Policy
20.1. The Tariff Policy reflects the general goals of the Operator, which it seeks to achieve by setting prices for the services provided.
20.2. When setting prices for goods, general economic criteria are taken into account, determining price deviations in one direction or another based on the consumer value of payment services.
20.3. These criteria can be divided into internal (depending on the management and various services of the company) and external (independent of the company itself and located outside it).
Internal criteria include:
20.5. In certain cases dictated by the requirements of suppliers of services and goods (including state and budgetary companies), demand and price level for tariffs, commission fees and remuneration, with respect to services rendered by payment organizations and payment system operators of the Kyrgyz Republic, as well as decisions of the Company, the structure of tariffs, commission fees and remuneration may differ from the established level of profitability.
20.6. Before determining tariffs, commission fees and remuneration, a market analysis of demand and price level for tariffs, commission fees and remuneration rendered by payment organizations and payment system operators of the Kyrgyz Republic shall be carried out.
20.7. Notification of Participants and users about the applied tariffs, commission fees and remuneration is carried out in accordance with these Rules and the Agreement of the Participant.
20.8. The payment system operator shall provide the National Bank with information on approved and current tariffs once a year from the date of receipt of the license. The payment system operator shall, within 10 (ten) business days after changing the tariffs, notify the National Bank of all changes made to the current tariffs.
15.1. It is necessary to assess on an annual basis the degree of exposure of the services provided to the following types of risks of legalization (laundering) of proceeds from crime and financing of terrorism, including, but not limited to:
a) Risk by type of clients
b) Country (geographical) risk
c) Risk of the service and/or method of its provision
15.2. Key types of clients whose status and/or whose activities increase the risk of legalization (laundering) of proceeds from crime and terrorist financing include:
a) Foreigners, including foreign public officials, their close relatives and representatives;
b) Foreign financial institutions.
c) Legal entities and individual entrepreneurs, whose activities are related to the intensive cash turnover, including:
i. Organizers of the gambling business, as well as persons providing services or receiving income from the activities of online casinos outside the Kyrgyz Republic;
ii. Persons providing tourist services, as well as other services related to intensive cash turnover;
d) Insurance (reinsurance) organizations, insurance brokers operating in the life insurance sector (except for subsidiaries of the bank that comply with requirements for combating legalization (laundering) of proceeds from crime and financing of terrorism established by the bank);
e) Persons operating as insurance agents;
f) Persons carrying out intermediary activities in the purchase and sale of real estate;
g) Non-profit organizations, in the organizational and legal form of funds, religious associations;
h) Persons located (registered) in foreign states specified in paragraph 15 of the Requirements, as well as branches and representative offices of such persons located in the Kyrgyz Republic.
15.3. It is necessary to assess the country (geographical) risk associated with the provision of services to clients in their foreign countries. Foreign countries, transactions with which increase the risk of legalization (laundering) of proceeds from crime and terrorist financing are:
a. Foreign countries (territories) included in the list of countries (territories) that do not comply or insufficiently comply with the recommendations of the Financial Action Task Force on Money Laundering (FATF), compiled by the authorized body for financial monitoring;
b. Foreign countries (territories) against which international sanctions (embargoes) adopted by resolutions of the United Nations Security Council are applied;
c. Foreign countries (territories) included in the list of offshore zones for the purposes of the Law on the combating legalization (laundering) of proceeds from crime and financing of terrorism;
d. Foreign countries (territories) determined by the organization as posing a high risk of legalization (laundering) of proceeds from crime and terrorist financing based on other factors (information on the level of corruption, illegal production, trafficking and/or transit of drugs, information on support for international terrorism, etc.).
15.4. The following are the services, the provision of which is subject to a high risk of legalization (laundering) of proceeds from crime and terrorist financing:
a. Remote customer service, including servicing via electronic terminals;
b. Services for the sale (distribution) of electronic money and payment cards;
c. Services for the acceptance and processing of payments made using electronic money in excess of an amount equal to one hundred times the monthly calculation indicator established for the relevant financial year by the law on the republican budget;
d. Services for the processing of payments initiated by the client in electronic form, and the transfer of the necessary information to the bank, an organization carrying out certain types of banking operations, for making a payment and/or transferring or accepting money for these payments.
15.5. It is necessary to establish the risk level of the client (group of clients) based on the results of the analysis of information about the client (clients) obtained as part of the procedures for identifying and monitoring client transactions, and assess it according to a risk level determination scale, which consists of three levels: low, medium and high.
16. Customer Identification Program
16.1. In order to carry out activities to record and verify the accuracy of information about the client (his representative), identify the beneficial owner and record information about him, establish and record the intended purpose of business relations or a one-time operation (transaction), it is necessary to identify clients and their beneficial owners.
16.2. The extent of the activities carried out, the depth and detail of identification depend on the client's risk level.
16.3. In the process of identifying the client (identifying the beneficial owner), it is necessary to check for the presence of such client (beneficiary owner) in the list of persons and organizations associated with the financing of terrorism and extremism, obtained in accordance with the Law on combating legalization (laundering) of proceeds from crime and financing of terrorism (hereinafter referred to as the List).
17. Customer Operations Monitoring and Study Program
17.1. It is necessary to regularly carry out activities to update and/or obtain additional information about clients (their representatives) and beneficial owners, as well as to study client transactions and identify threshold and suspicious transactions.
17.2. The results of monitoring and studying client transactions must be used to annually assess the degree of exposure of the organization's services to the risks of legalization (laundering) of proceeds from crime and terrorist financing, as well as to review client risk levels.
17.3. The program for monitoring and studying client transactions includes:
a. A list of signs of unusual and suspicious transactions;
b. Distribution of responsibilities between employees to update previously received and/or to obtain additional information about the client (his representative) and beneficial owner;
c. Distribution of responsibilities between employees of the organization to identify and transfer between employees information about threshold, unusual and suspicious transactions;
d. Description of the mechanism for interaction between departments in identifying threshold, unusual and suspicious transactions;
e. The procedure, grounds and timeframe for the responsible employee to make a decision on the qualification of a client transaction;
f. The procedure for interaction between employees to make a decision to refuse to carry out a client transaction, as well as to terminate business relations with the client;
g. The procedure for interaction between divisions (employees) of the organization to identify clients and beneficial owners included in the List, as well as to immediately freeze transactions with money and/or other property of such clients;
h. The procedure for recording (including recording methods) and storing information on the results of studying unusual transactions, as well as information on threshold and suspicious transactions (including the transaction amount, transaction currency);
i. The procedure for submitting messages on threshold and suspicious transactions to the authorized body for financial monitoring;
j. The procedure for informing (if necessary) authorized bodies and officials of the organization about the identification of a threshold and suspicious transaction;
k. The procedure for adoption and a description of the measures taken in relation to the client and its transactions in the event that the client systematically and/or in significant volumes carries out unusual and/or suspicious transactions.
17.4. If doubts arise regarding the legality of classifying a transaction as a threshold transaction, as well as if an unusual or suspicious transaction is identified, the employee who identified the said transaction is obliged to send a message about such transaction to the Responsible Employee in the manner, form and within the timeframes established by the internal documents of the organization.
18. Program for training and education of employees on issues of combating legalization (laundering) of proceeds from crime and financing of terrorism
18.1. On a regular basis, with the frequency established by the applicable legislation of the Kyrgyz Republic, it is necessary to conduct a program of training and education of employees on issues of combating legalization (laundering) of proceeds from crime and financing of terrorism in order to ensure that the knowledge and skills of the company's employees correspond to the required level.
19. Rights, obligations and responsibilities of participants of the Payment System
19.1. Rights and obligations of the System Operator (hereinafter referred to as the Operator) when interacting with Merchants:
19.1.1. The Operator is entitled to:
• The Operator, on behalf of and at the expense of the Merchant, may accept payments from Payers using payment cards, electronic wallets and electronic money, including using MPA, cash and non-cash funds, and undertakes to transfer the accepted payment to the Merchant (or make settlements in another legal manner) in the manner prescribed by these Rules, in turn, the Merchant undertakes to pay the Operator a fee in the manner prescribed by these Rules. The amount of the fee is determined by the Agreement/or the Questionnaire for connection;
• The Operator may accept payments personally or entrust the acceptance of payments to third parties - Agents of the Operator;
• The Operator and/or Agents of the Operator may accept (receive) payments from Payers in any manner not prohibited by law (cash, non-cash funds); as well as through other payment systems and instruments not prohibited by the legislation of the Kyrgyz Republic);
19.1.2. Responsibilities of the Operator:
• Register the Merchant in its electronic database and assign it the corresponding ID;
• Ensure the transfer of Payments accepted by the Operator and/or the Operator's Agents in the order of execution of the Offer Agreement/Questionnaire for connection to the System, accepted by the Operator and/or the Operator's Agents of Payments, on the terms and within the timeframes stipulated by the Offer Agreement/Questionnaire for connection to the System. In this case, the Operator's obligations to transfer to the Merchant the payments accepted in his favor are considered fulfilled from the moment the corresponding amount of funds is written off from the Operator's bank account;
• The Operator and the Supplier sign the Reconciliation Statement for the reporting period. The procedure and timeframe for providing the Act, reviewing the Statement and signing it are determined by the Offer Agreement/Questionnaire for connection to the System signed with the Merchant;
19.2. Rights and obligations of the Supplier of goods/services.
19.2.1. The Merchant is obliged to:
• For the purposes of registering the Supplier of goods/services in the Operator's electronic database and the proper execution of payments, as well as for the purposes of interaction between the parties in the execution of the Agreement with the Merchant, submit information to the Operator and provide them with the documents stipulated by paragraphs 4.2.3. - 4.2.4 hereof;
• Notify the Operator of changes in the Payment parameters that may affect the identification of the Payer and, in general, the correctness of the Payment;
• In the event of an erroneous transfer by the Operator in favor of the Merchant of funds transferred by the Operator in the course of fulfilling the Operator's obligations to the Merchant, which arose as a result of any technical error, return to the Operator, upon his written application, the erroneously transferred funds within three (3) banking days from the date of receipt of the relevant request;
• In case of an erroneous payment due to the fault (including careless) of the Payer (incorrect indication of the personal account number, incorrect indication of the payment amount, incorrect indication of the telephone number, etc.), upon written application of the Operator, return to the Operator the erroneously transferred funds, or change the payment parameters, if such return and such change of payment parameters are possible and available;
• Agree on the monthly Reconciliation Statement for the relevant reporting month by signing it. The procedure and term for receiving the monthly Statement is determined by the Offer Agreement/Questionnaire for connection with the Merchant;
• Pay the Operator remuneration in the manner and amount established in the Offer Agreement/Questionnaire for connection with the Merchant;
19.2.3. Rights of the Merchant of goods/services:
• Require from the Operator timely fulfillment of financial obligations incurred by the Operator for acceptance of Merchant Payments by the Operator and/or its Agents;
• Require the Operator to properly fulfill the obligations stipulated by these Rules and the Offer Agreement/Questionnaire for connection with the Merchant;
19.3. Rights of the Operator
19.3.1. Require the Merchant to properly fulfill the obligations stipulated by these Rules and the Offer Agreement/Questionnaire for connection;
19.3.2. Require the Merchant to pay the remuneration due to the Operator in the manner and within the timeframes specified in the Offer Agreement/Questionnaire for connection with the Merchant for the Payments accepted by the Operator and/or the Operator's Agents;
19.3.3. In case of erroneous payments, the adjustment and cancellation (revocation) of payments shall be made in accordance with the procedures (order) stipulated by these Rules;
19.3.5. The Parties may place each other's trademarks by using their own information resources solely for the purpose of advertising the goods (works, services) of the trademark owners;
19.4. Liability of the Parties in the interaction of the Operator with the Merchant
19.4.1. The Parties shall be liable for improper fulfillment of their obligations in accordance with the provisions of these Rules, as well as the Offer Agreement/Questionnaire for connection with the Merchant, and in cases not stipulated by the Rules and the Offer Agreement/Questionnaire for connection - in accordance with the legislation of the Kyrgyz Republic;
19.4.2. In the event of a breach by the Operator of the obligations to transfer Payments to the Merchant, accepted in the order of execution of the Offer Agreement/Questionnaire for connection with the Merchant, the Operator shall pay the Merchant a penalty in the amount, manner and within the time limits specified in the Agreement with the Merchant;
19.4.3. In the event of a breach by the Merchant of the procedure for paying remuneration stipulated in the Offer Agreement/Questionnaire for connection with the Merchant and/or in its relevant appendices (amount, terms), the Merchant undertakes to pay the Operator a penalty in the amount, manner and within the time limits specified in the Offer Agreement/Questionnaire for connection;
19.4.4. In case of temporary suspension or termination of acceptance of Payments by the Operator, including in connection with termination of the Offer Agreement/Questionnaire for connection with the Merchant, the latter shall not be entitled to demand, and the Operator shall not be obliged to compensate the Merchant for any indirect damages (lost profits, lost income (profit), etc.), unless otherwise provided by the Offer Agreement/Questionnaire for connection;
19.4.5. The Operator shall not be liable for the untimely transfer of accepted Payments to the Merchant in the event of untimely notification by the Merchant of a change in its details, as well as in the event of a failure in the electronic systems of the servicing bank;
19.4.6. The Operator shall not be liable for errors made by the Payer when making a Payment;
20. Tariff Policy
20.1. The Tariff Policy reflects the general goals of the Operator, which it seeks to achieve by setting prices for the services provided.
20.2. When setting prices for goods, general economic criteria are taken into account, determining price deviations in one direction or another based on the consumer value of payment services.
20.3. These criteria can be divided into internal (depending on the management and various services of the company) and external (independent of the company itself and located outside it).
Internal criteria include:
- service quality;
- Operator's image.
- social significance of the service;
- availability and expansion of the payment services market;
- Participants and their requirements for the payment services market;
- regulatory framework;
- political stability of the state;
- availability and level of competition;
- other factors.
20.5. In certain cases dictated by the requirements of suppliers of services and goods (including state and budgetary companies), demand and price level for tariffs, commission fees and remuneration, with respect to services rendered by payment organizations and payment system operators of the Kyrgyz Republic, as well as decisions of the Company, the structure of tariffs, commission fees and remuneration may differ from the established level of profitability.
20.6. Before determining tariffs, commission fees and remuneration, a market analysis of demand and price level for tariffs, commission fees and remuneration rendered by payment organizations and payment system operators of the Kyrgyz Republic shall be carried out.
20.7. Notification of Participants and users about the applied tariffs, commission fees and remuneration is carried out in accordance with these Rules and the Agreement of the Participant.
20.8. The payment system operator shall provide the National Bank with information on approved and current tariffs once a year from the date of receipt of the license. The payment system operator shall, within 10 (ten) business days after changing the tariffs, notify the National Bank of all changes made to the current tariffs.
21. Description of mechanisms for managing directories of senders and recipients in order to check clients against international and national lists of persons involved in terrorist and extremist activities or the proliferation of weapons of mass destruction.
21.1. The Supplier/Agent Department conducts client due diligence in any of the following cases:
21.1.1. establishing business relationships with suppliers of goods/services, agents and counterparties;
21.1.2. if the employees of the Supplier/Agent Department and the Company's lawyer suspect that the supplier of goods/services, agent and counterparty are financing terrorism and legalizing (laundering) proceeds from crime, as well as other illegal activities.
Identification
21.2. When conducting due diligence on suppliers of goods/services, agents and counterparties, the Supplier/Agent Department identifies partners by collecting identification data. The collection of identification data is ensured by filling out and signing the Client and Beneficial Owner Questionnaire by the partner.
Verification
21.3. Verification of partners is carried out by the Manager of the Suppliers/Agents Support Department (Head of the Suppliers/Agents Support Department) by checking the identification information specified in the client's Questionnaire. The Suppliers/Agents Support Department requests the following information:
- in case of a legal entity: the name of the organization (full, abbreviated), information on the registration of the legal entity, legal address, contacts, taxpayer identification number (for residents), registration number of the Social Fund of the Kyrgyz Republic, type of activity;
- in case of an individual entrepreneur: a certificate of registration as an individual entrepreneur (along with a copy of the entrepreneur's passport), patent details (date of issue and number, authority issued the patent, patent validity period), certifying the client's status as an individual entrepreneur;
- in case of an individual - full name, identity card details (passport), place of residence, citizenship, local address, contact details).
21.4. The Supplier/Agent Department establishes the beneficial owners and information about the management bodies of subagents in cases where the subagent is a legal entity (structure and personnel).
21.5. The Supplier/Agent Department, before entering into any agreements with suppliers of goods and services, shall take all possible measures (phone call, letter, e-mail) to establish and identify the beneficial owner (beneficiary) of the supplier of goods and services. A legal dossier of suppliers of goods and services, consisting of at least the following documents shall be formed:
− a copy of the certificate of state registration (re-registration) of a legal entity with the authorized state body of the Kyrgyz Republic. For non-residents: a copy of an extract from the trade register of the country of the client's registration as a legal entity or another document confirming the client's registration as a legal entity in accordance with the requirements of the legislation of the country of origin (copies shall be certified by the seal of the legal entity and the signature of its manager);
- a copy of the constituent documents depending on the organizational and legal form of the organization, with amendments and additions thereto, certified by a notary or the seal of the legal entity and the signature of its manager;
- in cases where a legal entity carries out activities subject to mandatory licensing in accordance with the legislation of the country of origin - a copy of the license (the copy is certified by the seal of the legal entity and the signature of its manager);
- for non-residents of the Kyrgyz Republic:
- a certificate from the tax service authority on the fact of tax registration of the taxpayer;
- information about the services and goods of the supplier.
- for individual entrepreneurs:
- a certificate of registration as an individual entrepreneur;
- a patent certifying the client's status as an individual entrepreneur
21.6. If the supplier, agent, subagent or counterparty fails to provide the information and/or documents required to conduct due diligence on the client, the Head of the Supplier/Agent Department shall submit one of the following decisions to the General Director and the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration:
21.6.1. Do not establish a business relationship with the client (refuse to accept for service or open an account);
21.6.2. Suspend or terminate the established business relationship with the client (refusal to provide service) and terminate the concluded agreement with the client;
21.6.3. Do not make a payment or send funds to the recipient's bank account.
When making a decision in this case, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration is obliged to send a corresponding message to the financial intelligence agency within one business day from the date of such decision.
21.7. The relationship between the Company and suppliers of goods and services, subagents, their responsibility, rights and obligations are reflected in the relevant agreements concluded between them after identifying the supplier of goods and services and the subagent.
21.8. When conducting due diligence on suppliers of goods/services, agents, subagents, identifying their beneficial owners, the Supplier/Agent Department checks for officials, founders and beneficiaries on the Sanctions List of the Kyrgyz Republic.
21.9. If the full names of officials, founders and beneficiaries are on the list, based on the application of the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration, the General Director makes a decision to refuse to provide any types of services and the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration immediately reports the information to the SFIS under the Government of the Kyrgyz Republic.
Payer Due Diligence
21.10. The Company ensures verification of the identification data of payers received by the Company's automated system.
21.11. When conducting an electronic money transfer, the Company:
1) generates the required information about the sender and recipient of the money transfer;
2) ensures that the required information about the sender and recipient of the money transfer are integral parts of the electronic money transfer and accompany the electronic money transfer during the payment;
3) monitors electronic money transfers and identifies electronic money transfers that do not contain information about the sender and (or) recipient, and takes appropriate measures to properly verify the client;
4) checks the sender and recipient of the money transfer for presence or absence in the Sanctions Lists;
21.12. The IT Department of the Company provides the software and hardware complex of the Company, including the interface of payment terminals, with functions for entering identification data, in cases where payments are made:
21.12.1. when making a one-time transaction (payment) or several interrelated one-time transactions in the amount equal to or exceeding 70,000 soms;
12.21. when making a one-time electronic money transfer in the amount equal to or exceeding 70,000 soms;
13.21. The Company carries out identification of the payer upon detection of payment in favor of service providers - non-residents of the Kyrgyz Republic (foreign service providers with current accounts in foreign banks and personal accounts in foreign currency), with whom the Company has concluded a direct agency agreement, by displaying on the screen of the payment device the fields for filling in the full name and passport data (TIN, date of issue and expiration, issuing authority).
In this case, the amount of the transaction (payment) performed must not exceed 60,000 soms or the equivalent in foreign currency.
If the payment amount exceeds 60,000 soms, the payment should not be made to the recipient's account. The payer must come to the Company with passport data and write an application for a refund of the remaining amount. The Company establishes the Procedure for clients to contact on controversial issues.
21.14. The IT department ensures that the System has appropriate software solutions that allow entering the payer's identification data. The IT department ensures that the System stores information on cross-border payments, including:
● identification data of the payer;
● time and place of payment;
● payment amount;
● name of the payee;
● other data.
21.15. The Company sets limits on transactions in accordance with the legislation of the Kyrgyz Republic. The limit on a one-time transaction in favor of a service provider being residents of the Kyrgyz Republic is "70,000 soms" (seventy thousand soms) (limited for all services), while one-time transaction in favor of a service provider being non-residents of the Kyrgyz Republic - no more than 60,000 soms (sixty thousand soms).
Re-identification of clients
21.16. Re-identification of clients is carried out at least once a year if the client's transactions are classified as a high degree (level) of risk, once every three years - as medium and low risk. The responsibility for re-identification is assigned to the employee responsible for the initial identification.
21.17. Re-identification of the client, his representative, establishment and identification of the beneficial owner shall not be performed if such client, his representative, beneficial owner have already been identified by the Company in accordance with the Law on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime and these Rules. Information about this client, his representative or beneficial owner shall be promptly accessible on a permanent basis.
21.18. Re-identification of the client, his representative, establishment and identification of the beneficial owner shall be performed if:
- doubts arise as to the reliability of the information previously obtained as a result of the implementation of this procedure;
- the transaction (payment) is of a confusing or unusual nature, indicating the absence of obvious economic sense or obvious legal purpose, or the performance of the said transaction (payment) gives reason to believe that the purpose of its implementation is to evade the mandatory control procedures stipulated by the Law on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
Procedure for maintaining client questionnaires.
21.19. The client's details and those of their beneficial owner are recorded in the relevant questionnaires, which are stored in the client's file. The questionnaire is filled in directly by the client; control over the questionnaire's completion is assigned to the employee responsible for client identification. The part of the questionnaire containing information on the risk level is checked by the responsible employee of the Company conducting the verification.
21.20. The following information must be entered into the client's questionnaire:
● information obtained as a result of client identification;
● information on the Company's client belonging to the public official category;
● information on the degree (level) of risk, including the rationale for the risk assessment;
● date of commencement of relations with the client;
● date of filling in and updating the client's questionnaire;
● reasons and date of change in the risk level;
● other information.
21.21. The client's questionnaire is filled in by the client and the Company's employee in electronic form and on paper, using technical means, and is signed by the client.
21.22. In the event of a change in the information contained in the client and/or beneficial owner questionnaire, the client is obliged to provide the Company with updated information and documents. The Company employee responsible for identifying the client enters updated information into the client questionnaire on the day of its receipt.
21.23. The client questionnaire is subject to storage in the Company for at least five years from the date of termination of relations with the client.
21.24. Risk-based approach to customer due diligence.
21.24.1. The supplier/agent department and the compliance department shall apply enhanced or simplified customer due diligence measures, using a risk-based approach, when conducting customer due diligence.
21.24.2. The Company classifies its customers based on risk criteria (high, medium and low).
21.24.3. In case of establishing a high risk, the following enhanced customer due diligence measures shall be applied:
- collecting additional identification information and documents regarding the customer from accessible and reliable sources of information, and using this information in assessing the risk associated with the customer;
- collecting additional information about the customer and the beneficial owner to thoroughly understand the risk of possible involvement of such customer and beneficial owner in criminal activity;
- requesting additional information from the customer regarding the purpose and intended nature of the business relationship, as well as the source of the customer's funds;
- verification of the sources of the client's funds used in establishing the business relationship in order to ensure that the funds are not the proceeds of crime;
- regular updating of the identification data of the client and the beneficial owner, but at least once a year;
- requesting additional information from the client explaining the reason or economic meaning of the planned or executed operations (transactions);
21.24.4. In case of establishing a medium risk, the Compliance Control Department establishes measures at its own discretion with the approval of the General Director.
21.24.5. In case of establishing a low risk, the following simplified due diligence measures are applied on a client:
- obtaining general information about the purpose and intended nature of the business relationship;
- verification of the client and the beneficial owner after establishing the business relationship;
- reducing the frequency of updating the identification data of the client and the beneficial owner;
Procedure for applying measures to high-risk countries
21.25. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall monitor the list of high-risk countries compiled and published by the financial intelligence agency and check the register of suppliers of goods/services and agents for their place of registration in high-risk jurisdictions.
21.26 The Supplier/Agent Department, when establishing business relations with clients, checks for the place of registration in high-risk jurisdictions.
21.27 In the event that the place of registration of the supplier of goods/services and agents in high-risk countries coincides, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime makes a proposal to apply enhanced customer due diligence measures, including a request for additional information.
21.28 The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime also makes a proposal to the General Director of the Company to take the following measures:
21.28.1. reporting to the financial intelligence agency any payments with individuals or legal entities from high-risk countries (individuals or legal entities registered or operating in high-risk countries), regardless of the amount of the transaction (payment);
21.28.2. refusal to establish business relations and make payments to individuals or legal entities from high-risk countries;
21.28.3. Termination of the application of enhanced customer due diligence measures or other measures (sanctions) in relation to high-risk countries is carried out upon exclusion of the country from the List of High-Risk Countries or based on a decision of the Commission on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime under the Government of the Kyrgyz Republic.
Procedure for identifying payments subject to control and reporting
21.29. In order to identify payments subject to control and reporting to the financial intelligence agency, the Company ensures continuous monitoring of payments made through the Company's payment system by providing access to the System to the official on the Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
21.30. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall continuously monitor the following types of payments subject to mandatory control and reporting:
- suspicious payments;
- payments in favor of individuals or legal entities from high-risk countries;
- payments with individuals who have served a sentence for legalization (laundering) of proceeds from crime, terrorism or extremism;
- non-cash payments in excess of the established threshold amount.
21.31. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure that a message is sent to the financial intelligence agency concerning the payments subject to mandatory control and reporting, in accordance with the procedure established by the Regulation on the submitting information and documents to the financial intelligence agency of the Kyrgyz Republic, approved by the Resolution of the Government of the Kyrgyz Republic No. 606 dated December 25, 2018.
In order to send messages to the financial intelligence agency, the official shall register on the information resource of the financial intelligence agency. The IT department shall ensure the installation of an automated workstation, being specialized software that supports automated generation and sending of messages on transactions (payments) to the financial intelligence agency.
The electronic messages are generated and sent by a compliance officer to the financial intelligence agency through an automated workstation. The sequence of actions for generating an electronic message through an automated workstation, the format and structure of the electronic message, as well as the procedure for using cryptographic protection tools for the electronic message, are provided for in the instructions accompanying the automated workstation and additionally posted on the official website (www.fiu.gov.kg)
21.32. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure continuous monitoring of payments by means of:
− software solution that provides protection against fraudulent actions, identification of suspicious and dubious transactions (operations) with the automatic blocking feature;
− uploading reports with automatic checking for suspicious transactions;
− customer support service that monitors incoming requests for signs of suspicious transactions;
− manual verification of transactions that have signs of suspicious nature.
21.33. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the employees of the Customer Support Department shall identify suspicious transactions by monitoring the payments being made and taking into account the following criteria:
− if there is a suspicion or sufficient grounds to suspect that the funds represent proceeds of crime, including from predicate crimes, or are related to the legalization (laundering) of Proceeds from Crime;
− if there is a suspicion or sufficient grounds to suspect that the funds are related to the financing of:
− a) terrorists and extremists;
− b) terrorist and extremist organizations (groups);
− c) terrorism and extremism.
21.34. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the employees of the Customer Support Department shall apply the guidelines for identifying suspicious transactions (deals) developed and published by the financial intelligence agency.
The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure that the employees of the Customer Support Department are familiar with the guidelines for identifying suspicious transactions (deals).
21.35. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, together with the employees of the Customer Support Department, shall identify payments in favor of individuals or legal entities from high-risk countries, using the list of transactions (deals) with individuals or legal entities from high-risk countries developed by the financial intelligence agency based on the results of the national risk assessment of issues related to Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime available in the Kyrgyz Republic.
21.36. The IT Department shall ensure the integration of the list of persons who have served a sentence for legalization (laundering) of Proceeds from Crime, terrorism or extremism, as well as for the financing of such activities.
When identifying payments with persons who have served a sentence for legalization (laundering) of Proceeds from Crime, terrorism or extremism, as well as for the financing of such activities, the System notifies the Official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime to forward messages to the financial intelligence agency.
21.37. The Official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, together with the employees of the Customer Support Department, shall identify the non-cash payments in excess of the established threshold amount.
The list of transactions (deals) with threshold amounts is established by the financial intelligence agency. The Official constantly monitors the information resources of the financial intelligence agency to identify changes or additions to the list of transactions with threshold amounts subject to mandatory control.
21.38. The official, together with the employees of the Customer Support Department, identifies the following payments:
- payments made more than three times in an amount exceeding 30,000 soms per day;
- multiple growth in the volume of payments for services over a short period to a service provider for which a stable volume of payments was observed;
- agreement by the service provider to pay an exorbitant fee for accepting payments for its services (above 20%).
21.39. If an unusual transaction or its signs are detected in the client's activities, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the Suppliers/Agents Support Department may take the following actions:
a) ask the client to provide the necessary explanations, including additional information explaining the economic meaning of the unusual transaction;
b) ensure increased attention (monitoring) in accordance with these rules and the requirements of the legislation on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, to all transactions of this client;
c) take other necessary actions subject to compliance with the legislation of the Kyrgyz Republic.
21.40. Based on the payments study results, the General Director, on the recommendation of the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, shall makes a decision:
a) to recognize the client's payments as subject to mandatory control and reporting;
b) to recognize the identified unusual payment as a suspicious transaction (payment), the implementation of which may be aimed at legalization (laundering) of proceeds from crime or financing of terrorism;
c) to consider the need to take additional measures to study unusual payments by the client;
d) to submit information on payments to the financial intelligence agency.
Procedure for storing information and documents on transactions (payments), as well as information obtained as a result of client due diligence.
21.41. The IT department, together with the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, shall ensure that information on following payments subject to mandatory control and reporting is stored in the system for five years:
21.41.1. suspicious payments;
21.41.2. payments in favor of individuals or legal entities from high-risk countries;
21.41.3. payments with individuals who have served a sentence for legalization (laundering) of Proceeds from Crime, terrorism or extremism;
21.41.4. non-cash payments above the established threshold amount.
21.42. Based on the results of the transaction detection procedure, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the Technical Director shall document and maintain the confidential nature of the information upon detection of signs of the client committing suspicious actions.
21.43. The Technical Director of the Company shall be responsible for maintaining information on payments in the system.
21.44. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall store information on messages sent to the financial intelligence agency on paper in special box files.
21.45. The Suppliers/Agents Support Department shall ensure the storage of documents and information obtained as a result of proper verification of suppliers of goods/services, agents, subagents and counterparties during the entire period of business relations with them, as well as for five years after the termination of business relations.
21.46. The Supplier/Agent Manager ensures that the validity period of contractual relations with suppliers and agents is recorded in the relevant register, and also ensures that documents and files are stored in special box files. The Supplier/Agent Manager ensures classification and sorting, which allows for the timely location of documents and information.
21.47. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime is obliged to document and ensure the preservation on paper of documents and information prepared for consideration by the Management Board of the Company, including proposals to terminate business relations, the results of risk assessment in the Company and reports on the results of the implementation of the internal control program for the Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
21.48. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime ensures the storage for at least 5 years from the date of termination of relations with the client of:
21.48.1. documents on transactions for which internal messages were drawn up;
21.48.2. documents of internal messages;
21.48.3. results of the study of the grounds and purposes of the identified unusual transactions;
21.48.4. documents related to the client's activities (in the amount determined by the organization), including business correspondence and other documents at the discretion of the Company;
21.48.5. other documents obtained as a result of applying the internal control rules.
21.49. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure the storage of the abovementioned documents in such a way that the data can be promptly accessed by the financial intelligence agency, as well as other government agencies in accordance with their competence in cases established by the legislation of the Kyrgyz Republic.
Procedure for system organization in the Company
21.50. The General Director of the Company shall ensure the organization of the internal control system in the Company for the purposes of Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime by approving the Internal Control Rules and delegating functions for the implementation of the requirements of the legislation of the Kyrgyz Republic on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime to a specially appointed official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, who heads the compliance control department.
21.51. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall perform the following functions:
− development and submission to the General Director of draft internal control rules and other internal documents on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, including risk assessment methodology and risk management procedures;
− organization of implementation of internal control rules;
− monitoring of due diligence on the client and other participants in transactions;
− monitoring and analysis of transactions (payments) of the client;
− making a decision on recognizing a transaction (payment) as suspicious and sending a message about a suspicious transaction (payment) to the financial intelligence agency, with subsequent notification of the executive body;
− submission to the financial intelligence agency of messages about transactions (payments) subject to control and reporting, in accordance with the legislation of the Kyrgyz Republic on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime;
− assisting authorized representatives of inspection bodies when they conduct inspections of the Company's activities on issues of compliance with the legislation of the Kyrgyz Republic on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime;
− preparing methodological documents (if necessary), consulting the Company's employees on issues arising during the implementation of internal control programs.
− conducting introductory and unscheduled training for the Company's employees on issues of Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
− Submission to the General Director, within the timeframes established by the General Director, but not less than once every six months, of a written report on the results of the implementation of the rules and procedures of internal control for the purpose of Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
− Making decisions on reports on transactions submitted to him by the Company's employees, on the advisability of their submission to the General Director.
− Ensuring the confidentiality of information received in the course of performing the functions assigned to him.
− Ensuring appropriate regime for the protection and storage of recorded information.
− Other functions in accordance with these rules and the Company's internal control documents.
21.52. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime or other person authorized by the Manager shall systematically, but not less than once every six months:
- conduct internal audits of the Company's compliance with internal control rules, requirements of legislation of the Kyrgyz Republic and other regulatory legal acts
- submit to the General Director of the Company a written report based on the audit results, containing information on all identified violations of the Kyrgyz Republic legislation on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, internal control rules and other organizational and administrative documents of the Company adopted in order to organize and implement internal control.
21.53. To perform the specified functions, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall be entitled to:
- Receive the necessary information and documents from the managers and employees of the Company's divisions, including organizational and administrative documents of the Company, accounting and monetary settlement documents in the manner established by the Company.
− Make copies of documents received, receive and store copies of files, copies of any records stored in local information networks and autonomous computer systems of the Company in the manner established by the Company.
− Receive explanations from employees regarding the implementation of the rules.
− Exercise other rights in accordance with internal control documents of the Company.
21.54. In order to reduce the risks associated with cases of fraud, the Official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall carry out the following activities:
− Activities to identify and assess the risks of laundering of proceeds or financing of terrorism that may arise in connection with the development of new products and new business practices, including new transfer mechanisms, and the use of new or developing technologies for both new and existing products.
− Activities to check existing systems for vulnerabilities and the risk of fraud using technical, technological, software and other vulnerabilities of the HSC.
− Activities to develop new methods to combat fraud, including but not limited to:
− Development of additional methods, systems, rules for identifying HSC system users;
− Development of methods for monitoring, early detection of fraudulent transactions using algorithms and search masks.
21.1. The Supplier/Agent Department conducts client due diligence in any of the following cases:
21.1.1. establishing business relationships with suppliers of goods/services, agents and counterparties;
21.1.2. if the employees of the Supplier/Agent Department and the Company's lawyer suspect that the supplier of goods/services, agent and counterparty are financing terrorism and legalizing (laundering) proceeds from crime, as well as other illegal activities.
Identification
21.2. When conducting due diligence on suppliers of goods/services, agents and counterparties, the Supplier/Agent Department identifies partners by collecting identification data. The collection of identification data is ensured by filling out and signing the Client and Beneficial Owner Questionnaire by the partner.
Verification
21.3. Verification of partners is carried out by the Manager of the Suppliers/Agents Support Department (Head of the Suppliers/Agents Support Department) by checking the identification information specified in the client's Questionnaire. The Suppliers/Agents Support Department requests the following information:
- in case of a legal entity: the name of the organization (full, abbreviated), information on the registration of the legal entity, legal address, contacts, taxpayer identification number (for residents), registration number of the Social Fund of the Kyrgyz Republic, type of activity;
- in case of an individual entrepreneur: a certificate of registration as an individual entrepreneur (along with a copy of the entrepreneur's passport), patent details (date of issue and number, authority issued the patent, patent validity period), certifying the client's status as an individual entrepreneur;
- in case of an individual - full name, identity card details (passport), place of residence, citizenship, local address, contact details).
21.4. The Supplier/Agent Department establishes the beneficial owners and information about the management bodies of subagents in cases where the subagent is a legal entity (structure and personnel).
21.5. The Supplier/Agent Department, before entering into any agreements with suppliers of goods and services, shall take all possible measures (phone call, letter, e-mail) to establish and identify the beneficial owner (beneficiary) of the supplier of goods and services. A legal dossier of suppliers of goods and services, consisting of at least the following documents shall be formed:
− a copy of the certificate of state registration (re-registration) of a legal entity with the authorized state body of the Kyrgyz Republic. For non-residents: a copy of an extract from the trade register of the country of the client's registration as a legal entity or another document confirming the client's registration as a legal entity in accordance with the requirements of the legislation of the country of origin (copies shall be certified by the seal of the legal entity and the signature of its manager);
- a copy of the constituent documents depending on the organizational and legal form of the organization, with amendments and additions thereto, certified by a notary or the seal of the legal entity and the signature of its manager;
- in cases where a legal entity carries out activities subject to mandatory licensing in accordance with the legislation of the country of origin - a copy of the license (the copy is certified by the seal of the legal entity and the signature of its manager);
- for non-residents of the Kyrgyz Republic:
- a certificate from the tax service authority on the fact of tax registration of the taxpayer;
- information about the services and goods of the supplier.
- for individual entrepreneurs:
- a certificate of registration as an individual entrepreneur;
- a patent certifying the client's status as an individual entrepreneur
21.6. If the supplier, agent, subagent or counterparty fails to provide the information and/or documents required to conduct due diligence on the client, the Head of the Supplier/Agent Department shall submit one of the following decisions to the General Director and the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration:
21.6.1. Do not establish a business relationship with the client (refuse to accept for service or open an account);
21.6.2. Suspend or terminate the established business relationship with the client (refusal to provide service) and terminate the concluded agreement with the client;
21.6.3. Do not make a payment or send funds to the recipient's bank account.
When making a decision in this case, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration is obliged to send a corresponding message to the financial intelligence agency within one business day from the date of such decision.
21.7. The relationship between the Company and suppliers of goods and services, subagents, their responsibility, rights and obligations are reflected in the relevant agreements concluded between them after identifying the supplier of goods and services and the subagent.
21.8. When conducting due diligence on suppliers of goods/services, agents, subagents, identifying their beneficial owners, the Supplier/Agent Department checks for officials, founders and beneficiaries on the Sanctions List of the Kyrgyz Republic.
21.9. If the full names of officials, founders and beneficiaries are on the list, based on the application of the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration, the General Director makes a decision to refuse to provide any types of services and the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime for consideration immediately reports the information to the SFIS under the Government of the Kyrgyz Republic.
Payer Due Diligence
21.10. The Company ensures verification of the identification data of payers received by the Company's automated system.
21.11. When conducting an electronic money transfer, the Company:
1) generates the required information about the sender and recipient of the money transfer;
2) ensures that the required information about the sender and recipient of the money transfer are integral parts of the electronic money transfer and accompany the electronic money transfer during the payment;
3) monitors electronic money transfers and identifies electronic money transfers that do not contain information about the sender and (or) recipient, and takes appropriate measures to properly verify the client;
4) checks the sender and recipient of the money transfer for presence or absence in the Sanctions Lists;
21.12. The IT Department of the Company provides the software and hardware complex of the Company, including the interface of payment terminals, with functions for entering identification data, in cases where payments are made:
21.12.1. when making a one-time transaction (payment) or several interrelated one-time transactions in the amount equal to or exceeding 70,000 soms;
12.21. when making a one-time electronic money transfer in the amount equal to or exceeding 70,000 soms;
13.21. The Company carries out identification of the payer upon detection of payment in favor of service providers - non-residents of the Kyrgyz Republic (foreign service providers with current accounts in foreign banks and personal accounts in foreign currency), with whom the Company has concluded a direct agency agreement, by displaying on the screen of the payment device the fields for filling in the full name and passport data (TIN, date of issue and expiration, issuing authority).
In this case, the amount of the transaction (payment) performed must not exceed 60,000 soms or the equivalent in foreign currency.
If the payment amount exceeds 60,000 soms, the payment should not be made to the recipient's account. The payer must come to the Company with passport data and write an application for a refund of the remaining amount. The Company establishes the Procedure for clients to contact on controversial issues.
21.14. The IT department ensures that the System has appropriate software solutions that allow entering the payer's identification data. The IT department ensures that the System stores information on cross-border payments, including:
● identification data of the payer;
● time and place of payment;
● payment amount;
● name of the payee;
● other data.
21.15. The Company sets limits on transactions in accordance with the legislation of the Kyrgyz Republic. The limit on a one-time transaction in favor of a service provider being residents of the Kyrgyz Republic is "70,000 soms" (seventy thousand soms) (limited for all services), while one-time transaction in favor of a service provider being non-residents of the Kyrgyz Republic - no more than 60,000 soms (sixty thousand soms).
Re-identification of clients
21.16. Re-identification of clients is carried out at least once a year if the client's transactions are classified as a high degree (level) of risk, once every three years - as medium and low risk. The responsibility for re-identification is assigned to the employee responsible for the initial identification.
21.17. Re-identification of the client, his representative, establishment and identification of the beneficial owner shall not be performed if such client, his representative, beneficial owner have already been identified by the Company in accordance with the Law on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime and these Rules. Information about this client, his representative or beneficial owner shall be promptly accessible on a permanent basis.
21.18. Re-identification of the client, his representative, establishment and identification of the beneficial owner shall be performed if:
- doubts arise as to the reliability of the information previously obtained as a result of the implementation of this procedure;
- the transaction (payment) is of a confusing or unusual nature, indicating the absence of obvious economic sense or obvious legal purpose, or the performance of the said transaction (payment) gives reason to believe that the purpose of its implementation is to evade the mandatory control procedures stipulated by the Law on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
Procedure for maintaining client questionnaires.
21.19. The client's details and those of their beneficial owner are recorded in the relevant questionnaires, which are stored in the client's file. The questionnaire is filled in directly by the client; control over the questionnaire's completion is assigned to the employee responsible for client identification. The part of the questionnaire containing information on the risk level is checked by the responsible employee of the Company conducting the verification.
21.20. The following information must be entered into the client's questionnaire:
● information obtained as a result of client identification;
● information on the Company's client belonging to the public official category;
● information on the degree (level) of risk, including the rationale for the risk assessment;
● date of commencement of relations with the client;
● date of filling in and updating the client's questionnaire;
● reasons and date of change in the risk level;
● other information.
21.21. The client's questionnaire is filled in by the client and the Company's employee in electronic form and on paper, using technical means, and is signed by the client.
21.22. In the event of a change in the information contained in the client and/or beneficial owner questionnaire, the client is obliged to provide the Company with updated information and documents. The Company employee responsible for identifying the client enters updated information into the client questionnaire on the day of its receipt.
21.23. The client questionnaire is subject to storage in the Company for at least five years from the date of termination of relations with the client.
21.24. Risk-based approach to customer due diligence.
21.24.1. The supplier/agent department and the compliance department shall apply enhanced or simplified customer due diligence measures, using a risk-based approach, when conducting customer due diligence.
21.24.2. The Company classifies its customers based on risk criteria (high, medium and low).
21.24.3. In case of establishing a high risk, the following enhanced customer due diligence measures shall be applied:
- collecting additional identification information and documents regarding the customer from accessible and reliable sources of information, and using this information in assessing the risk associated with the customer;
- collecting additional information about the customer and the beneficial owner to thoroughly understand the risk of possible involvement of such customer and beneficial owner in criminal activity;
- requesting additional information from the customer regarding the purpose and intended nature of the business relationship, as well as the source of the customer's funds;
- verification of the sources of the client's funds used in establishing the business relationship in order to ensure that the funds are not the proceeds of crime;
- regular updating of the identification data of the client and the beneficial owner, but at least once a year;
- requesting additional information from the client explaining the reason or economic meaning of the planned or executed operations (transactions);
21.24.4. In case of establishing a medium risk, the Compliance Control Department establishes measures at its own discretion with the approval of the General Director.
21.24.5. In case of establishing a low risk, the following simplified due diligence measures are applied on a client:
- obtaining general information about the purpose and intended nature of the business relationship;
- verification of the client and the beneficial owner after establishing the business relationship;
- reducing the frequency of updating the identification data of the client and the beneficial owner;
Procedure for applying measures to high-risk countries
21.25. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall monitor the list of high-risk countries compiled and published by the financial intelligence agency and check the register of suppliers of goods/services and agents for their place of registration in high-risk jurisdictions.
21.26 The Supplier/Agent Department, when establishing business relations with clients, checks for the place of registration in high-risk jurisdictions.
21.27 In the event that the place of registration of the supplier of goods/services and agents in high-risk countries coincides, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime makes a proposal to apply enhanced customer due diligence measures, including a request for additional information.
21.28 The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime also makes a proposal to the General Director of the Company to take the following measures:
21.28.1. reporting to the financial intelligence agency any payments with individuals or legal entities from high-risk countries (individuals or legal entities registered or operating in high-risk countries), regardless of the amount of the transaction (payment);
21.28.2. refusal to establish business relations and make payments to individuals or legal entities from high-risk countries;
21.28.3. Termination of the application of enhanced customer due diligence measures or other measures (sanctions) in relation to high-risk countries is carried out upon exclusion of the country from the List of High-Risk Countries or based on a decision of the Commission on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime under the Government of the Kyrgyz Republic.
Procedure for identifying payments subject to control and reporting
21.29. In order to identify payments subject to control and reporting to the financial intelligence agency, the Company ensures continuous monitoring of payments made through the Company's payment system by providing access to the System to the official on the Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
21.30. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall continuously monitor the following types of payments subject to mandatory control and reporting:
- suspicious payments;
- payments in favor of individuals or legal entities from high-risk countries;
- payments with individuals who have served a sentence for legalization (laundering) of proceeds from crime, terrorism or extremism;
- non-cash payments in excess of the established threshold amount.
21.31. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure that a message is sent to the financial intelligence agency concerning the payments subject to mandatory control and reporting, in accordance with the procedure established by the Regulation on the submitting information and documents to the financial intelligence agency of the Kyrgyz Republic, approved by the Resolution of the Government of the Kyrgyz Republic No. 606 dated December 25, 2018.
In order to send messages to the financial intelligence agency, the official shall register on the information resource of the financial intelligence agency. The IT department shall ensure the installation of an automated workstation, being specialized software that supports automated generation and sending of messages on transactions (payments) to the financial intelligence agency.
The electronic messages are generated and sent by a compliance officer to the financial intelligence agency through an automated workstation. The sequence of actions for generating an electronic message through an automated workstation, the format and structure of the electronic message, as well as the procedure for using cryptographic protection tools for the electronic message, are provided for in the instructions accompanying the automated workstation and additionally posted on the official website (www.fiu.gov.kg)
21.32. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure continuous monitoring of payments by means of:
− software solution that provides protection against fraudulent actions, identification of suspicious and dubious transactions (operations) with the automatic blocking feature;
− uploading reports with automatic checking for suspicious transactions;
− customer support service that monitors incoming requests for signs of suspicious transactions;
− manual verification of transactions that have signs of suspicious nature.
21.33. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the employees of the Customer Support Department shall identify suspicious transactions by monitoring the payments being made and taking into account the following criteria:
− if there is a suspicion or sufficient grounds to suspect that the funds represent proceeds of crime, including from predicate crimes, or are related to the legalization (laundering) of Proceeds from Crime;
− if there is a suspicion or sufficient grounds to suspect that the funds are related to the financing of:
− a) terrorists and extremists;
− b) terrorist and extremist organizations (groups);
− c) terrorism and extremism.
21.34. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the employees of the Customer Support Department shall apply the guidelines for identifying suspicious transactions (deals) developed and published by the financial intelligence agency.
The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure that the employees of the Customer Support Department are familiar with the guidelines for identifying suspicious transactions (deals).
21.35. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, together with the employees of the Customer Support Department, shall identify payments in favor of individuals or legal entities from high-risk countries, using the list of transactions (deals) with individuals or legal entities from high-risk countries developed by the financial intelligence agency based on the results of the national risk assessment of issues related to Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime available in the Kyrgyz Republic.
21.36. The IT Department shall ensure the integration of the list of persons who have served a sentence for legalization (laundering) of Proceeds from Crime, terrorism or extremism, as well as for the financing of such activities.
When identifying payments with persons who have served a sentence for legalization (laundering) of Proceeds from Crime, terrorism or extremism, as well as for the financing of such activities, the System notifies the Official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime to forward messages to the financial intelligence agency.
21.37. The Official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, together with the employees of the Customer Support Department, shall identify the non-cash payments in excess of the established threshold amount.
The list of transactions (deals) with threshold amounts is established by the financial intelligence agency. The Official constantly monitors the information resources of the financial intelligence agency to identify changes or additions to the list of transactions with threshold amounts subject to mandatory control.
21.38. The official, together with the employees of the Customer Support Department, identifies the following payments:
- payments made more than three times in an amount exceeding 30,000 soms per day;
- multiple growth in the volume of payments for services over a short period to a service provider for which a stable volume of payments was observed;
- agreement by the service provider to pay an exorbitant fee for accepting payments for its services (above 20%).
21.39. If an unusual transaction or its signs are detected in the client's activities, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the Suppliers/Agents Support Department may take the following actions:
a) ask the client to provide the necessary explanations, including additional information explaining the economic meaning of the unusual transaction;
b) ensure increased attention (monitoring) in accordance with these rules and the requirements of the legislation on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, to all transactions of this client;
c) take other necessary actions subject to compliance with the legislation of the Kyrgyz Republic.
21.40. Based on the payments study results, the General Director, on the recommendation of the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, shall makes a decision:
a) to recognize the client's payments as subject to mandatory control and reporting;
b) to recognize the identified unusual payment as a suspicious transaction (payment), the implementation of which may be aimed at legalization (laundering) of proceeds from crime or financing of terrorism;
c) to consider the need to take additional measures to study unusual payments by the client;
d) to submit information on payments to the financial intelligence agency.
Procedure for storing information and documents on transactions (payments), as well as information obtained as a result of client due diligence.
21.41. The IT department, together with the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, shall ensure that information on following payments subject to mandatory control and reporting is stored in the system for five years:
21.41.1. suspicious payments;
21.41.2. payments in favor of individuals or legal entities from high-risk countries;
21.41.3. payments with individuals who have served a sentence for legalization (laundering) of Proceeds from Crime, terrorism or extremism;
21.41.4. non-cash payments above the established threshold amount.
21.42. Based on the results of the transaction detection procedure, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime together with the Technical Director shall document and maintain the confidential nature of the information upon detection of signs of the client committing suspicious actions.
21.43. The Technical Director of the Company shall be responsible for maintaining information on payments in the system.
21.44. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall store information on messages sent to the financial intelligence agency on paper in special box files.
21.45. The Suppliers/Agents Support Department shall ensure the storage of documents and information obtained as a result of proper verification of suppliers of goods/services, agents, subagents and counterparties during the entire period of business relations with them, as well as for five years after the termination of business relations.
21.46. The Supplier/Agent Manager ensures that the validity period of contractual relations with suppliers and agents is recorded in the relevant register, and also ensures that documents and files are stored in special box files. The Supplier/Agent Manager ensures classification and sorting, which allows for the timely location of documents and information.
21.47. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime is obliged to document and ensure the preservation on paper of documents and information prepared for consideration by the Management Board of the Company, including proposals to terminate business relations, the results of risk assessment in the Company and reports on the results of the implementation of the internal control program for the Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
21.48. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime ensures the storage for at least 5 years from the date of termination of relations with the client of:
21.48.1. documents on transactions for which internal messages were drawn up;
21.48.2. documents of internal messages;
21.48.3. results of the study of the grounds and purposes of the identified unusual transactions;
21.48.4. documents related to the client's activities (in the amount determined by the organization), including business correspondence and other documents at the discretion of the Company;
21.48.5. other documents obtained as a result of applying the internal control rules.
21.49. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall ensure the storage of the abovementioned documents in such a way that the data can be promptly accessed by the financial intelligence agency, as well as other government agencies in accordance with their competence in cases established by the legislation of the Kyrgyz Republic.
Procedure for system organization in the Company
21.50. The General Director of the Company shall ensure the organization of the internal control system in the Company for the purposes of Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime by approving the Internal Control Rules and delegating functions for the implementation of the requirements of the legislation of the Kyrgyz Republic on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime to a specially appointed official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, who heads the compliance control department.
21.51. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall perform the following functions:
− development and submission to the General Director of draft internal control rules and other internal documents on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, including risk assessment methodology and risk management procedures;
− organization of implementation of internal control rules;
− monitoring of due diligence on the client and other participants in transactions;
− monitoring and analysis of transactions (payments) of the client;
− making a decision on recognizing a transaction (payment) as suspicious and sending a message about a suspicious transaction (payment) to the financial intelligence agency, with subsequent notification of the executive body;
− submission to the financial intelligence agency of messages about transactions (payments) subject to control and reporting, in accordance with the legislation of the Kyrgyz Republic on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime;
− assisting authorized representatives of inspection bodies when they conduct inspections of the Company's activities on issues of compliance with the legislation of the Kyrgyz Republic on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime;
− preparing methodological documents (if necessary), consulting the Company's employees on issues arising during the implementation of internal control programs.
− conducting introductory and unscheduled training for the Company's employees on issues of Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
− Submission to the General Director, within the timeframes established by the General Director, but not less than once every six months, of a written report on the results of the implementation of the rules and procedures of internal control for the purpose of Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime.
− Making decisions on reports on transactions submitted to him by the Company's employees, on the advisability of their submission to the General Director.
− Ensuring the confidentiality of information received in the course of performing the functions assigned to him.
− Ensuring appropriate regime for the protection and storage of recorded information.
− Other functions in accordance with these rules and the Company's internal control documents.
21.52. The official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime or other person authorized by the Manager shall systematically, but not less than once every six months:
- conduct internal audits of the Company's compliance with internal control rules, requirements of legislation of the Kyrgyz Republic and other regulatory legal acts
- submit to the General Director of the Company a written report based on the audit results, containing information on all identified violations of the Kyrgyz Republic legislation on Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime, internal control rules and other organizational and administrative documents of the Company adopted in order to organize and implement internal control.
21.53. To perform the specified functions, the official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall be entitled to:
- Receive the necessary information and documents from the managers and employees of the Company's divisions, including organizational and administrative documents of the Company, accounting and monetary settlement documents in the manner established by the Company.
− Make copies of documents received, receive and store copies of files, copies of any records stored in local information networks and autonomous computer systems of the Company in the manner established by the Company.
− Receive explanations from employees regarding the implementation of the rules.
− Exercise other rights in accordance with internal control documents of the Company.
21.54. In order to reduce the risks associated with cases of fraud, the Official responsible for Combating the Financing of Terrorism and the Legalization (Laundering) of Proceeds from Crime shall carry out the following activities:
− Activities to identify and assess the risks of laundering of proceeds or financing of terrorism that may arise in connection with the development of new products and new business practices, including new transfer mechanisms, and the use of new or developing technologies for both new and existing products.
− Activities to check existing systems for vulnerabilities and the risk of fraud using technical, technological, software and other vulnerabilities of the HSC.
− Activities to develop new methods to combat fraud, including but not limited to:
− Development of additional methods, systems, rules for identifying HSC system users;
− Development of methods for monitoring, early detection of fraudulent transactions using algorithms and search masks.
© 2024 Freedom Pay
The company is PCI DSS compliant
Payment system operator license – №2022160218 dated 16.02.2018.
Payment company license - №3027111019 dated 11.02.2019.
Payment system operator license – №2022160218 dated 16.02.2018.
Payment company license - №3027111019 dated 11.02.2019.
Company
Help
Developers
Payment solutions
Address and contacts
125/1 Toktogula str., BC "Avangard", Tower "B", 7th floor, office 703, Bishkek
info@freedompay.kg
Operating hours: 9:00 - 19:00
support@freedompay.kg
Аныкталган коопсуздук боюнча көйгөйлөр тууралуу is@freedompay.kg аркылуу кабарлаңыз
Согласие на сбор и обработку персональных данных
Cубъект персональных данных (далее - субъект) - физическое лицо, к которому относятся персональные данные;
Персональные данные – любые относящиеся к субъекту сведения, зафиксированные на электронном, бумажном и/или ином материальном носителе;
Сбор персональных данных - действия, направленные на получение персональных данных;
Организация – Общество с ограниченной ответственностью «Диджитал Пэйментс-К»;
Текст настоящего согласия прочитан Субъектом лично, дополнений и возражений не имеет.
Персональные данные – любые относящиеся к субъекту сведения, зафиксированные на электронном, бумажном и/или ином материальном носителе;
Сбор персональных данных - действия, направленные на получение персональных данных;
Организация – Общество с ограниченной ответственностью «Диджитал Пэйментс-К»;
Текст настоящего согласия прочитан Субъектом лично, дополнений и возражений не имеет.