Kazakhstan Super-Apps Regulatory Gap: Fintech Beyond the Law

Kazakhstan’s Digital Monopoly: How Super-Apps Exploit Regulatory Gaps and Threaten Consumer Rights

Kazakhstan's dominant super-apps like Kaspi operate beyond meaningful regulatory oversight, wielding corporate power to block accounts and revoke access to essential services. As biometric data aggregates in centralized platforms, the nation faces a critical gap between technological advancement and consumer protection.

The Kaspi Precedent: When Corporate Power Supersedes Rule of Law

In October 2023, Aidos Edil, a photographer based in Astana, experienced what amounts to digital banishment. After posting a nine-second satirical TikTok video mocking Kaspi’s lending practices and CEO Mikhail Lomtadze, he received an unofficial call demanding its removal. When Edil refused, Kaspi—Kazakhstan’s dominant fintech platform with 13.5 million users in a nation of 21 million—blocked his account without explanation or an appeal mechanism. The consequences were immediate and total: unable to access banking, e-commerce, government services, or even purchase groceries, Edil was forced to borrow cash to meet basic needs. Kaspi only restored access after the incident triggered significant social media backlash.

This incident is not an isolated corporate overreach. It exemplifies a systemic crisis in Kazakhstan’s digital economy: the emergence of “super-apps” as parallel governance structures that operate beyond meaningful legal constraints. The Aidos Edil case reveals a fundamental asymmetry of power—one in which a private corporation can unilaterally revoke a citizen’s access to essential services without judicial review, transparent procedures, or enforceable recourse. Kazakhstan’s Agency for Regulation and Development of the Financial Market has formally confirmed that commercial banks “independently determine internal procedures” for refusing services, effectively legalizing extrajudicial punishment by private entities.

The Super-App Ecosystem: Market Concentration and Manufactured Consent

Kazakhstan’s fintech sector has undergone rapid consolidation around a handful of dominant platforms. Kaspi.kz, valued at over $16 billion and listed on NASDAQ, commands the market with CEO Mikhail Lomtadze’s explicit vision of replicating the “all-in-one” model pioneered by Amazon, Booking.com, and Instacart. In April 2026, this strategic positioning deepened significantly when Chinese conglomerate Tencent—the creator of WeChat, the world’s most successful super-app—acquired a 3.2 percent stake in Kaspi for approximately $518 million. This investment signals more than financial interest; it represents institutional alignment between Kazakhstan’s digital infrastructure and the Chinese ecosystem model that has normalized surveillance capitalism across East Asia.

Competing platforms including Halyk Bank and Timur Turlov’s Freedom Bank pursue identical strategies, aggressively expanding across Central Asia. However, market competition in this context creates an illusion of choice rather than genuine consumer protection. All major players employ “adhesion contracts”—non-negotiable agreements governed by Article 389 of Kazakhstan’s Administrative Code. Citizens face a binary choice: accept every corporate condition imposed unilaterally, or be excluded from essential digital services. This is not negotiation; it is legalized coercion.

Freedom Bank’s data policies exemplify the depth of this coercion. The platform explicitly permits sharing of client information—including geolocation data and video surveillance footage—with 27 different legal entities without requiring user notification or consent beyond initial account acceptance. Kaspi employs “dynamic consent” mechanisms, allowing the bank to unilaterally modify terms of service; continued app use constitutes automatic acceptance of new conditions. Neither Freedom Bank nor Kaspi responded to media inquiries regarding these policies, suggesting an institutional indifference to external accountability.

Raushan Omarova, senior law lecturer at Maqsut Narikbayev University, has characterized these contractual frameworks as “legalized coercion.” When digital agreement becomes a mandatory gateway to financial participation, the “accept” button ceases to function as voluntary choice. Users like Alexandra Kelyatrishvili—whose card was blocked without warning or explanation—experience the super-app era as profound opacity. Current agreements provide no specific timeframes for dispute resolution and no mechanisms for urgent review by neutral third parties, leaving consumers entirely dependent on corporate algorithms operating beyond transparency or accountability.

Biometric Data Aggregation: The Architecture of Vulnerability

Kazakhstan’s aggressive digitization of public and financial sectors has created what cybersecurity specialist Artem Tarasov describes as a precarious “single point of failure.” Citizens now use biometric authentication to access government services, private banking, and advanced systems like Kaspi Alaqan—a platform that identifies users by vein patterns in their palms. While Kaspi CEO Lomtadze has promoted this technology as the ultimate convenience, eliminating the need for physical cards, phones, or internet access, the centralization of biometric data creates acute national security risks.

The vulnerability lies in the permanence of biometric markers. Unlike passwords, palm prints and facial structures cannot be changed if compromised. Tarasov has warned of a “honeypot effect”: by aggregating the financial lives, movement histories, and biometric markers of millions into single data centers, these platforms become high-value targets for catastrophic national-scale identity theft. While deepfake biometrics remain technically challenging, Tarasov assessed that faking biometrics is a “plausible scenario” if security protections are breached.

The industry lacks independent external audits to verify corporate claims regarding the “right to be forgotten.” Despite platform assertions that data is deleted upon user request, the reality of duplicated backup servers makes irreversible erasure nearly impossible to confirm. This creates a permanent digital shadow: biometric data intended for security purposes becomes a permanent liability.

Regulatory Vacuum and Corporate Liability Disclaimers

Kazakhstan’s legal framework provides minimal protection against these concentrated risks. Major platforms like ForteBank explicitly disclaim responsibility for “lost data” or “damage to business reputation” resulting from system failures or unauthorized access. Digital rights specialist Dana Malikova-Buralkieva has documented that 70 percent of data leaks originate from internal ethical failures rather than external hacks, yet platforms deploy “legal tricks”—including symbolic compensation limits of 1,000 tenge (approximately $2 USD)—to evade meaningful accountability in court.

This regulatory vacuum stands in stark contrast to international standards. The European Union’s Digital Operational Resilience Act (DORA) establishes mandatory operational resilience requirements, incident reporting timelines, and third-party audit mechanisms. Singapore’s platform supervision framework requires independent governance reviews and consumer dispute resolution procedures. Kazakhstan has adopted neither framework.

President Kassym-Jomart Tokayev has publicly acknowledged the stakes, warning that the personal data of millions “is not just a commercial asset; it is a direct issue of national security.” Yet regulatory response has remained incremental. The government continues planning expanded data centers without establishing binding data protection standards, independent oversight mechanisms, or enforceable consumer remedies.

Strategic Implications for Central Asia and Beyond

Kazakhstan’s unregulated super-app ecosystem presents a model that other Central Asian states are beginning to replicate. The success of Kaspi and Freedom Bank—operating with minimal consumer protection—creates competitive pressure for neighboring countries to adopt similar permissive frameworks. Timur Turlov’s Freedom Bank is already aggressively expanding across the region, exporting Kazakhstan’s contractual and data-sharing practices.

More significantly, the Tencent investment in Kaspi signals the integration of Central Asian digital infrastructure into Chinese-aligned technology ecosystems. As WeChat has become the operating system for daily life in China, Kaspi is becoming the operating system for Kazakhstan. This creates structural dependence on platforms whose governance, data practices, and algorithmic decision-making remain opaque to both users and regulators.

The Aidos Edil incident demonstrates that this dependence translates into political control. When a private corporation can unilaterally revoke access to essential services in response to speech it dislikes, the distinction between corporate and state power collapses. Kazakhstan’s government has not established clear boundaries protecting citizens from this form of private censorship.

Strategic Outlook: The Window for Regulatory Intervention

Kazakhstan faces a critical juncture. The rapid consolidation of digital infrastructure around super-apps has created genuine convenience for 13.5 million users. However, this convenience has been purchased at the cost of meaningful consumer protection, data security, and protection from arbitrary corporate punishment. The regulatory framework has not kept pace with technological capability or market concentration.

Effective intervention requires establishing: (1) mandatory independent audits of biometric data storage and deletion practices; (2) enforceable dispute resolution mechanisms with neutral third-party review before account termination; (3) explicit prohibition on account blocking for speech-related offenses absent legal process; (4) transparency requirements regarding data sharing with external entities; and (5) meaningful liability standards replacing symbolic compensation limits.

Without intervention, Kazakhstan’s digital economy will continue to function as a surveillance apparatus disguised as consumer convenience. Citizens will remain dependent on platforms that operate beyond accountability, storing permanent biometric records in aggregated databases, accessible to internal actors motivated by profit or political alignment. The Aidos Edil case will not be an anomaly; it will be a precedent.
