Uzbekistan introduces stricter security requirements for P2P mobile transfers

Under the new rules, a user may link to their mobile application account only bank cards, bank accounts, or electronic wallets that belong either to the user personally or to their close relatives. P2P transfers may be carried out exclusively through these linked instruments.

As part of the registration and verification process, the system will automatically check the consistency between the user’s phone number and their personal identification number. If a mismatch is detected, registration in the mobile application and the linking of bank cards will be denied.

The regulation also strengthens biometric identification requirements. Credit and payment organizations are now required to verify so-called “liveness factors” during biometric checks, meaning identification cannot be completed using photographs or static images.

Several additional automated security measures have been introduced to prevent fraud. If a one-time SMS code is entered incorrectly three times, the user’s activity in the mobile application will be temporarily restricted for 15 minutes. If an account is accessed from a new device or a password recovery process is initiated, all bank cards linked to the account will be automatically removed from the application. In such cases, the transaction history associated with bank cards on that device will also be deleted.

According to the regulation, re-linking bank cards will be permitted only after the user has successfully passed biometric identification.

The new measures are aimed at enhancing user protection, reducing fraud risks, and strengthening trust in digital payment services.