Kazakhstan -- Custody Regulations Regulatory Overview

Kazakhstan presents a dual regulatory landscape for digital assets, with the Astana International Financial Centre (AIFC) serving as the primary regulated hub for financial technology and digital asset activities, including custody. Outside the AIFC, a broader national framework is still developing, though recent legislation has formalized aspects of the crypto industry.

Here's a breakdown of the cryptocurrency/digital asset custody regulations in Kazakhstan, focusing on the AIFC's detailed framework:

Astana International Financial Centre (AIFC) Regulatory Framework

The AIFC operates under a separate legal system based on English common law principles, with the Astana Financial Services Authority (AFSA) as its independent regulator. The AFSA has specific rules for Digital Asset Business.

Governing Body:

• Astana Financial Services Authority (AFSA): The independent regulator for the AIFC.
  • URL: https://afsa.aifc.kz/
  • AFSA Rulebook: https://afsa.aifc.kz/rulebook/

Legal Basis (Key AIFC Acts and AFSA Rules):

• AIFC Digital Asset Business Rules (DABR): Contains specific requirements for firms involved in digital asset activities.
• AIFC Conduct of Business Rules (COB): General rules for how firms must conduct business with clients.
• AIFC Prudential Rules (PRU): Rules related to capital, risk management, and financial soundness.
• AIFC Anti-Money Laundering and Counter-Terrorist Financing Rules (AML): Mandatory for all regulated firms.

1. Custodial License Requirements

To provide digital asset custody services within the AIFC, an entity must be licensed by the AFSA.

• License Type: Firms typically seek a license for "Providing Digital Asset Custody Services" under the AIFC Digital Asset Business Rules. This falls under the broader category of "Digital Asset Business."
• Application Process:
  • Submission of a comprehensive application form.
  • Detailed business plan outlining operations, risk management, technology, and compliance.
  • Demonstration of "fit and proper" criteria for all significant shareholders, directors, and senior management (background checks, experience, integrity).
  • Proof of adequate financial resources (capital requirements – see Prudential Rules).
  • Robust Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) policies and procedures.
  • Demonstration of robust IT systems and cybersecurity measures.
• Regulatory Reference: AIFC Digital Asset Business Rules 2020 (DABR), specifically Part 3 (General Requirements for Digital Asset Business) and other relevant sections detailing specific activities.
  • URL (AFSA Rulebook): https://afsa.aifc.kz/rulebook/ (Navigate to "Digital Asset Business Rules")

2. Segregation of Client Assets Rules

The AFSA mandates strict rules for safeguarding client assets, crucial for custody services.

• Mandatory Segregation: Licensed custodians are required to segregate client digital assets from their own proprietary assets. These assets must be clearly identifiable as client assets.
• Record-Keeping: Detailed and accurate records of client assets, including ownership and transaction history, must be maintained.
• Trust Accounts/Safeguarding: Assets must be held in a manner that protects clients' interests, typically implying a trust or fiduciary arrangement where client assets are not subject to the custodian's creditors in case of insolvency.
• Regulatory Reference: AIFC Conduct of Business Rules 2020 (COB), particularly sections relating to client money and client asset safeguarding. Also implied by the Digital Asset Business Rules emphasizing client protection.
  • URL (AFSA Rulebook): https://afsa.aifc.kz/rulebook/ (Navigate to "Conduct of Business Rules")

3. Insurance/Bonding Requirements

While not always explicitly defined as a separate "insurance mandate" for crypto custodians in the same way traditional financial institutions might have professional indemnity, the AFSA's framework ensures adequate protection through other means:

• Capital Requirements: Licensed firms must meet specific minimum capital requirements (financial resources) based on the nature and scale of their business, as detailed in the Prudential Rules. This serves as a buffer against operational losses.
• Risk Management Framework: Firms are required to implement robust risk management systems covering operational risks, technology risks, and security risks. This indirectly encourages firms to consider appropriate insurance as part of their risk mitigation strategy, although not explicitly mandated as a bonding requirement.
• Operational Resilience: Firms must demonstrate operational resilience, including contingency plans for security breaches or loss of assets.
• Regulatory Reference: AIFC Prudential Rules 2020 (PRU), and relevant sections of the Digital Asset Business Rules concerning operational risk.
  • URL (AFSA Rulebook): https://afsa.aifc.kz/rulebook/ (Navigate to "Prudential Rules")

4. Cold Storage Mandates

The AFSA rules emphasize security and risk management for digital assets, which implicitly mandates best practices like cold storage, although a specific percentage might not be prescribed.

• Robust Cybersecurity: Firms must implement and maintain robust cybersecurity frameworks to protect client digital assets from theft, loss, or unauthorized access. This includes multi-factor authentication, encryption, and secure network protocols.
• Private Key Management: Detailed policies and procedures for the generation, storage, backup, and recovery of private keys are mandatory. This strongly implies the use of offline (cold) storage for a significant portion of client assets, especially those not actively traded.
• Risk Assessment: Custodians must conduct regular risk assessments of their storage solutions (hot, warm, cold) and implement appropriate controls.
• Operational Procedures: Clear and secure operational procedures for moving assets between different storage types are required.
• Regulatory Reference: AIFC Digital Asset Business Rules 2020 (DABR), especially sections on operational resilience, technology risk management, and safeguarding client assets.
  • URL (AFSA Rulebook): https://afsa.aifc.kz/rulebook/ (Navigate to "Digital Asset Business Rules")

5. Qualified Custodian Definition

Within the AIFC framework, a "qualified custodian" would be defined as:

• An entity that is licensed by the Astana Financial Services Authority (AFSA) to provide "Digital Asset Custody Services" in accordance with the AIFC Digital Asset Business Rules.
• Such an entity must comply with all relevant AFSA rules, including those pertaining to capital adequacy, client asset segregation, governance, risk management, and AML/CTF.
• Regulatory Reference: The very existence of the licensing regime for "Digital Asset Custody Services" defines who is a qualified provider within the AIFC. Refer to the AIFC Digital Asset Business Rules 2020.
  • URL (AFSA Rulebook): https://afsa.aifc.kz/rulebook/ (Navigate to "Digital Asset Business Rules")

Regulation Outside the AIFC (National Framework)

While the AIFC has a mature framework, the rest of Kazakhstan has been developing its national approach.

• Recent Legislation (February 2023): Kazakhstan's President Kassym-Jomart Tokayev signed a law in February 2023 "On Digital Assets in the Republic of Kazakhstan" which legalizes and regulates activities related to digital assets, including their issuance, circulation, and mining outside the AIFC.
• Focus: This law primarily focuses on regulating cryptocurrency mining, mandating licensing for crypto exchanges operating within the country (outside AIFC), and outlining the procedures for their operation.
• Custody Implications (Outside AIFC): While not explicitly creating a standalone "custody license" as detailed as the AIFC's, the licensing of crypto exchanges by the Agency for Financial Monitoring (AFM) implies that these exchanges offering custodial services will be subject to general financial regulations, AML/CTF requirements, and potentially rules on client asset safeguarding from the AFM. However, the specific, granular rules for custody are not as detailed as within the AIFC.
  • Agency for Financial Monitoring (AFM): https://www.gov.kz/memleket/entities/afm/about?lang=en
  • News Reference for 2023 Law: Search for "Kazakhstan Digital Assets Law February 2023" for various news reports. (e.g., Reuters, local news sites).

Pending Custody Legislation

• The February 2023 law was a significant step in formalizing the national crypto industry. However, given the rapid evolution of digital assets, further refinements and specific regulations, especially regarding "custody as a standalone service" outside the AIFC, could still be in development.
• The government and regulatory bodies (AFSA, National Bank, AFM) continue to monitor the market and update regulations as needed. Kazakhstan has shown a willingness to adapt its legal framework to embrace digital innovation while ensuring financial stability and consumer protection.
• Discussions often revolve around integrating digital assets into the broader financial system and addressing emerging risks. Any new legislation would likely aim to harmonize national standards with international best practices.

In summary:

• AIFC is the most comprehensive regulatory environment for digital asset custody in Kazakhstan, with specific licensing, asset segregation, and robust security requirements enforced by the AFSA.
• Outside AIFC, the national framework is developing, with recent laws legalizing crypto activities and licensing exchanges through the Agency for Financial Monitoring, which will have implications for custody offered by those exchanges.
• Firms seeking to offer robust and compliant digital asset custody services in Kazakhstan will primarily look to the AIFC's AFSA regulatory framework.

It is crucial for any entity considering providing digital asset custody services in Kazakhstan to consult directly with the AFSA for AIFC operations or the Agency for Financial Monitoring for operations outside AIFC, and to seek independent legal and compliance advice.