Crypto Compliance in Central Asia: What Payment and Remittance Operators Need to Know About Kyrgyzstan, Kazakhstan, and Uzbekistan

TL;DR

• Kyrgyzstan, Kazakhstan, and Uzbekistan have separate regulators, separate license requirements, and very different risk profiles. A license in one country covers nothing in another.
• All three require a locally incorporated entity, KYC/AML programs, and demonstrable key management controls. The bar, cost, and scrutiny level differ significantly.
• Kyrgyzstan is the fastest entry point on paper, but carries the highest external scrutiny from international banking partners right now.
• Kazakhstan routes regulated digital asset activity through a dedicated financial zone (AIFC) with the strongest institutional credibility in the region.
• Uzbekistan is the most tightly controlled, has the highest setup cost, and formally extended its framework to stablecoins from January 2026.

Why Central Asia Is on the Map for Payment Operators

This is not a speculative market.

According to World Bank data, remittances accounted for roughly 27% of Kyrgyzstan's GDP and 14% of Uzbekistan's GDP in 2024. These are structural pillars of two national economies, not peripheral flows. The money moves from migrant workers in Russia, South Korea, Turkey, and the UAE back to families at home, every month, at significant scale.

Traditional bank transfers across these corridors are slow, expensive, and increasingly unreliable following post-2022 financial fragmentation between Russia and Western correspondent banking infrastructure. The gap created by that friction is where crypto settlement has expanded.

According to The Diplomat's April 2026 reporting, estimated crypto turnover through licensed Kyrgyz operators reached between $20 and $32 billion in 2025 by public reporting estimates, a figure roughly two to three times Kyrgyzstan's entire GDP. The caveat matters: this is gross transaction volume, not net economic value transferred, and the majority reflects high-frequency USDT conversions rather than single large remittances. The scale signals adoption, not necessarily GDP-equivalent wealth movement.

Zooming out, TRM Labs data shows stablecoins reached their highest annual transaction volume on record in 2025, rising 83% year-on-year to over $4 trillion between January and July 2025, with retail-led adoption growing more than 125% over the same period. Chainalysis's 2025 Geography of Crypto report confirms USDT processed roughly $703 billion per month on average, peaking at $1.01 trillion in June 2025. The stablecoin infrastructure powering Central Asia's settlement flows is the same infrastructure driving the largest payment rails on the planet.

The market is real. The regulatory frameworks governing it are now live. None of them allow you to operate from outside.

Three Countries That Look Similar But Are Not

Kyrgyzstan, Kazakhstan, and Uzbekistan are frequently grouped under the "Central Asia" label. In regulatory terms, they could not be more different.

Kyrgyzstan functions as a high-volume informal crypto corridor closely tied to Russian and migrant-worker remittance flows. It is the most open market to enter, but also the most exposed to scrutiny from international banking partners.

Kazakhstan has positioned itself as the region's institutional financial hub by channeling regulated digital asset activity primarily through the Astana International Financial Centre (AIFC), a dedicated zone operating under English common law with its own independent regulator.

Uzbekistan, with the region's largest population at roughly 37 million, is building a more controlled domestic digital asset market under strong state oversight. As of January 2026, its regulatory framework formally extends to stablecoins for the first time.

How Money Moves, And Why Compliance Follows the Flow

The regulatory stakes become clearer when you see the operational reality first.

A typical remittance corridor works like this: a migrant worker in Russia or South Korea buys USDT through a local OTC desk or licensed exchange. That USDT transfers to a payout partner or family member in Kyrgyzstan or Uzbekistan. The recipient converts locally through a licensed exchange operator or a peer-to-peer network.

Crypto is not replacing banks here. It is functioning as a faster, cheaper settlement layer between fragmented local payment systems - bridging gaps that traditional wire transfers cannot fill cost-effectively. 

The dominant rail is USDT on Tron, which offers the lowest transaction fees and deepest liquidity for small-to-medium value transfers across emerging market corridors.

This flow also explains why international scrutiny increased after 2022. As sanctions pressure on Russia intensified, cross-border banking became more complicated, and parts of Central Asia saw growth in OTC crypto activity and alternative payment channels as Russian-linked capital and remittance flows sought new routes. This does not mean all activity is sanctions-related — the majority reflects genuine migrant remittances. But it explains why correspondent banks now apply materially higher scrutiny to Central Asia-connected crypto entities than three years ago.

TRM Labs has documented how this dynamic specifically affected Kyrgyzstan, and the EU's 20th Russia sanctions package in 2026 included the designation of a Kyrgyz-registered exchange. For a legitimate payment operator, this context is operational reality: your banking partners will ask about your jurisdiction, your counterparty relationships, and your sanctions screening procedures. The answers vary significantly depending on which of these three markets you operate in.

At a Glance: Three Very Different Compliance Frameworks

Regional Risk and Strategy Comparison

Kyrgyzstan: Fast to License, Harder to Bank

The appeal

Kyrgyzstan created one of the earliest crypto frameworks in Central Asia with the Law on Virtual Assets in 2022. The licensing process is formally capped at one month for a decision. By early 2026, the country had more than 200 registered crypto exchanges and exchange operators, and crypto-related tax revenue exceeded collections from the country's largest bazaar. USDT exchange services are widespread.

For operators targeting Russian-diaspora remittance flows or Central Asian settlement corridors, the market volume is real and the path to license is faster than most jurisdictions.

What you actually need to operate

• A legal entity registered in Kyrgyzstan with a real, verifiable address
• Local management presence, including resident representation, as generally expected by the regulator
• KYC procedures and transaction monitoring systems implemented before launch
• Local infrastructure or locally controlled hosting arrangements, subject to regulator expectations for your specific business model
• Travel Rule-style reporting for transfers above locally defined thresholds
• Ongoing transaction reporting to FinSupervision above applicable thresholds

One practical note: as of mid-2025, new license approvals had slowed as FinSupervision tightened controls following several money-laundering cases in 2024. Priority now goes to well-capitalized applicants with established international compliance backgrounds.

The risk operators underweight

Kyrgyzstan's open licensing environment has also attracted operators with poor compliance practices. The EU's 20th Russia sanctions package in 2026 designated Kyrgyz-registered exchange TengriCoin (operating as Meer.kg) for facilitating trades in Russian government-backed crypto instruments. Separately, public blockchain analytics reporting by TRM Labs identified multiple Kyrgyz-registered exchanges appearing in sanctions-related investigations, with several showing patterns consistent with shell company structures.

The risk here is counterparty-driven, not a blanket jurisdiction problem. A well-documented, legitimate operator with clean counterparty relationships can navigate this. But operating in this market means proactively managing banking relationships, running tighter counterparty screening, and producing more documentation than a cleaner jurisdiction demands.

Bottom line: Low barrier to license. Real compliance work still required. The primary operational risk is what correspondent banks conclude about Kyrgyz-registered crypto entities in the current environment, not the local regulator itself.

Kazakhstan: The Most Credible Path, Inside One Zone

How the AIFC system works

Kazakhstan's Law on Digital Assets, effective April 1, 2023, placed regulated digital asset activity primarily within the Astana International Financial Centre (AIFC). The AIFC operates under English common law and is regulated by the independent Astana Financial Services Authority (AFSA), which was recognized by IOSCO in October 2025 as one of the world's leading jurisdictions for digital asset oversight, fully aligned with all ten of IOSCO's priority recommendations.

According to the AFSA public registry, there are currently 30 licensed Digital Asset Service Providers operating within the AIFC framework. The regulated ecosystem processed $6.8 billion in crypto market turnover in 2025, according to The Astana Times citing AFSA data.

What you actually need to operate

• A company registered specifically within the AIFC. Registration in Kazakhstan generally is not sufficient for regulated digital asset activity.
• Real physical and operational presence. AFSA evaluates substance, and a paper company with operations outsourced does not pass authorization review. Banks apply the same test independently.
• Appointed key roles: CEO, CFO, Compliance Officer, and a dedicated Money Laundering Reporting Officer (MLRO)
• Minimum capital equivalent to at least six months of estimated operating expenses
• Full KYC, AML, transaction monitoring, and Travel Rule implementation
• Annual independent audit

Custody is a separately authorized activity. If you want to hold client assets on behalf of users, even temporarily during settlement, you need specific custody authorization in addition to any exchange or brokerage license. AFSA has been consulting on strengthened requirements around asset segregation, cybersecurity, and custody governance, meaning the standard is moving upward.

In late 2025, Kazakhstan's parliament passed amendments to the Law on Banks and Banking Activities formally recognizing digital financial assets as a legal category within mainstream banking. Banks can now hold, issue, and handle these assets subject to licensing requirements. This does not change the AIFC entry requirement, but signals that the framework is expanding toward full mainstream financial integration.

Bottom line: Highest institutional credibility in the region. Access to real banking infrastructure. But you are operating inside a specific zone, not Kazakhstan broadly. Substance requirements are genuine, not a checkbox process.

Uzbekistan: Tightly Controlled, With a New Door Open

How Uzbekistan regulates crypto

Uzbekistan has one of the most centralized crypto frameworks in Central Asia. The primary regulator, the National Agency of Perspective Projects (NAPP), reports directly to the President and holds authority over licensing, rule-making, and enforcement across all crypto service providers.

Since January 2023, Uzbek residents have been restricted from conducting crypto transactions through foreign platforms. Engaging with unlicensed foreign exchanges may be subject to penalties depending on the specific use case and applicable regulations. NAPP has imposed fines on Binance and taken legal action against foreign platforms serving Uzbek users without local authorization. Enforcement is active.

Two important distinctions that many operators miss: the retail restriction is not the same as the institutional licensing pathway. Licensed VASPs in Uzbekistan can serve both local and institutional clients under their authorization — the prohibition targets unlicensed foreign platforms serving retail Uzbek users, not all foreign participation. Operators entering through proper licensing channels face a high bar, but a clear one.

What changed in January 2026

Uzbekistan advanced a formal regulatory framework covering stablecoin-based settlement and tokenized financial instruments, with implementation beginning January 1, 2026. For payment and remittance operators, this opens a regulated path to operate stablecoin infrastructure in Uzbekistan through a licensed local entity — the first time such a path has had a clear legal basis.

What you actually need to operate

• A legal entity incorporated in Uzbekistan (LLC or JSC format)
• Minimum capital of approximately $300,000, held in an Uzbek bank account
• License fee to NAPP of approximately $51,400 for certain license categories, plus monthly operational fees of approximately $2,700
• Full AML/KYC program, transaction monitoring, and regular NAPP reporting aligned with FATF standards
• Local data storage: personal data of Uzbek users must be stored on servers physically within Uzbekistan

Operations through NAPP-licensed platforms currently benefit from tax exemptions, with VAT and profit tax relief running until January 2028. For an operator planning to be in the market for more than one year, zero-tax treatment on qualifying crypto transactions is meaningful and partially offsets the significant setup cost.

Bottom line: Highest barrier to entry. Strictest restrictions on foreign operators serving local retail users without a license. But the stablecoin framework is now formal, the tax relief window is real, and you face fewer competing licensed operators than in Kyrgyzstan.

The Shared Compliance Floor Across All Three Markets

Despite significant differences, the three markets share a common baseline:

• Local incorporation. You cannot serve users in any of these countries as a foreign company without incorporating locally and obtaining a license. Each regulator verifies this.
• KYC and AML. All three align with FATF international standards. You need customer identity verification, transaction monitoring, and the ability to report suspicious activity to the relevant national authority.
• Travel Rule, and the Protocol Fragmentation Problem. All three apply FATF Recommendation 16, requiring sender and recipient information to accompany transfers above defined thresholds. In practice, this means you need a technical protocol to transmit that information to your counterparty VASP.

This is where a real operational problem emerges across the region. There is no standard Travel Rule protocol common to all three markets. The leading industry solutions include TRUST, a not-for-profit network operated by Coinbase with over 125 member VASPs globally including Binance, OKX, Bybit, Kraken, and Revolut; TRISA, an open-source protocol focused on global interoperability; and Sygna, widely used across Asian corridors. Each operates on different technical standards and membership structures.

The practical problem: a licensed operator in Kazakhstan using TRUST may not complete an automated Travel Rule handshake with a licensed operator in Uzbekistan using a different protocol, because the two systems are not natively interoperable. Compliance practitioners call this the sunrise problem - jurisdictions adopt Travel Rule requirements at different speeds, with different thresholds, using different tools, creating data-sharing gaps in the chain that should exist between counterparty VASPs.

For cross-border payment operators running corridors across all three Central Asian markets, this means your Travel Rule implementation must support multiple protocols, not just one.

Key management and custody controls. None of the three publish prescriptive technical standards comparable to what Brazil's central bank issued in 2026. But all three require demonstrable security for client assets. Institutional-grade custody architectures increasingly rely on hardware-backed or MPC-based key management, where private keys never exist in complete form on a single device, because these approaches satisfy both the security and auditability requirements that regulators and banking partners are asking for.

Record-keeping and audit trails. All three require transaction records maintained typically for five years. Uzbekistan explicitly mandates local data storage. Kazakhstan expects annual independent audits for AFSA-licensed entities.

What Operators Usually Underestimate

1. Local incorporation is only the starting point. Each country requires staff, bank accounts, ongoing regulatory reporting, and operational management in-country. A shell entity registered locally but operated from abroad will not survive regulator review or banking due diligence.
2. Banking due diligence is often harder than licensing. Your correspondent bank will conduct its own review of your structure, jurisdiction, counterparties, and compliance controls. In Kyrgyzstan especially, this review has become significantly more demanding since 2022.
3. Russian exposure screening matters even without a Russian connection. Operating in jurisdictions where sanctioned entities have been documented means your compliance team needs to actively screen counterparties and demonstrate that process to banking partners.
4. Regulators are increasingly asking about custody infrastructure, not just policy documents. Having an AML policy is table stakes. What regulators and auditors want to see is how client funds are technically separated from company funds, how keys are managed, and what happens if a server is compromised.
5. Local staffing and language capability become critical during audits. Regulatory correspondence in Kyrgyzstan is primarily in Kyrgyz or Russian. Kazakhstan operates in English within the AIFC. Uzbekistan in Uzbek and Russian.

The Practical Challenge: Proving Operational Control

Getting licensed is one thing. Proving to regulators, banking partners, and auditors that you actually control your infrastructure is where most operators are underprepared.

This challenge manifests in two specific ways across Central Asia.

First, custody architecture. All three regulators will ask how client funds are protected, separated from company funds, and auditable. The answer needs to be demonstrated through your key management infrastructure, wallet segregation, and transaction logs, not described in a policy document.

Second, Travel Rule interoperability. Because Kazakhstan, Kyrgyzstan, and Uzbekistan do not share a common Travel Rule protocol standard, an operator running corridors across all three markets needs a transaction layer that can plug into multiple Travel Rule solutions without requiring separate infrastructure per jurisdiction.

These are the problems Fystack is built to solve.

What Fystack provides for operators entering Central Asia

Fystack's self-hosted MPC custody infrastructure runs within your own environment. Your private keys never exist in complete form on any single device or server, which means you can demonstrate to FinSupervision in Kyrgyzstan, AFSA in Kazakhstan, and NAPP in Uzbekistan that you control and can audit your own custody. No third-party custodian holds your keys. No audit requires vendor cooperation you cannot guarantee.

Why self-hosted matters specifically in this region. A Kyrgyz-licensed operator using a third-party cloud custodian based outside Kyrgyzstan faces two problems simultaneously: the regulator wants evidence of local operational control, and the banking partner wants evidence that your compliance infrastructure cannot be disrupted by a third-party vendor's own regulatory problems. Self-hosted MPC solves both because the infrastructure runs inside your own environment, inside your jurisdiction if needed, and the audit trail is yours to produce on demand.

The Travel Rule bridge. Because TRUST, TRISA, Sygna, and other protocols operate on different standards, a payment operator running Kyrgyzstan-Kazakhstan or Kazakhstan-Uzbekistan corridors cannot rely on a single protocol for full Travel Rule coverage. Fystack's transaction architecture is protocol-agnostic at the custody layer: it generates and retains the originator and beneficiary data that any Travel Rule protocol needs to function, without locking you into a single solution.

Who Fystack fits for Central Asia:

• Remittance operators running USDT corridors through Kyrgyzstan who need audit-ready custody to support banking due diligence conversations
• Institutional operators building inside the AIFC in Kazakhstan who need custody authorization documentation satisfying AFSA's asset segregation and cybersecurity requirements
• Long-term market entrants in Uzbekistan who need a custody layer that can operate from locally controlled infrastructure while meeting NAPP's reporting and data retention obligations

Three Countries, One Decision Framework

Which country is actually your priority?

Do not attempt all three simultaneously without the compliance infrastructure to support each independently. Each requires a local entity, local staff, and genuine operational presence.

What is your banking plan?

The license gives you legal permission. Banking relationships give you operational capability. These are separate workstreams, and in Kyrgyzstan especially, the banking question requires active management from day one.

Is your custody infrastructure audit-ready?

All three regulators will ask how you protect client assets. The answer needs to be demonstrable through architecture and logs, not just described in a policy document.

If you are evaluating market entry in Central Asia and want to assess your current custody setup against local regulatory expectations, talk to the Fystack team here.

FAQ