Why this guide matters right now
Uzbekistan's anti-money laundering regime has been rebuilt almost from scratch over the past five years, and it is still moving. The foundational statute, Law ZRU-660 of 2004, underwent a landmark reform in 2019 that introduced proliferation financing, a risk-based approach, and beneficial ownership requirements. Cabinet of Ministers Resolution No. 402 of 2021 -- the principal implementing regulation -- has been amended eleven times in five years. Fourteen sector-specific Internal Control Acts (ICAs) have each been revised multiple times, with the most recent amendment to the banking ICA (2886-12) taking effect in May 2026.
In 2022, Uzbekistan completed its Mutual Evaluation by the Eurasian Group (EAG), the FATF-style regional body. Assessors arrived in Tashkent in June 2021. A follow-up review in 2023 saw three recommendations upgraded -- R.6, R.7, and R.22, each moving from "partially compliant" to "largely compliant" -- and the country shifted from enhanced monitoring to regular follow-up. By regional standards, that is one of the fastest trajectories on record.
Enforcement is tightening in parallel. In May 2026, the Central Bank gained the authority to fine bank executives personally for deficiencies in internal controls, for decisions that breach the law, and for concealing violations. Sector-specific penalties for banks and MFOs have been increased roughly tenfold, with the new amounts effective from August 2026. The formula itself has changed: instead of fixed sums, penalties are now tied to a percentage of aggregate capital, with hard minimum and maximum floors.
For any company entering the market, the message is straightforward: AML/CFT is the first thing you will face at licensing and the last thing you will be forgiven for getting wrong.
Regime architecture: three tiers
Uzbekistan's AML/CFT framework is organized into three layers, each progressively more granular than the last.
Tier one -- the Law. Law of the Republic of Uzbekistan No. 660-II, dated August 26, 2004, "On Countering the Legalization of Proceeds of Crime, the Financing of Terrorism, and the Financing of Proliferation of Weapons of Mass Destruction" -- as currently amended (last major revision: ZRU-516, January 15, 2019). The Law establishes the fundamentals: scope, definitions, countermeasures, customer due diligence requirements, the powers of the designated competent authority, information retention, international cooperation, and liability. Notably, the Law is extraterritorial in scope: it extends to Uzbek citizens and legal entities conducting transactions abroad.
Tier two -- sub-legislative acts. Three instruments matter most. Cabinet of Ministers Resolution No. 402 (June 29, 2021) sets threshold amounts for mandatory reporting, reporting templates, national risk assessment procedures, and the list of politically exposed persons (PEP) positions. Prosecutor General's Order No. 3327 (October 19, 2021) governs the procedure for suspending operations and freezing assets of persons linked to terrorism and WMD proliferation. And Presidential Decree PF-6252 (June 28, 2021) sets out the National AML/CFT/CPF Strategy, defining medium-term development priorities.
Tier three -- sector-specific Internal Control Acts (ICAs). Fourteen separate regulations, each jointly issued by the relevant sector regulator and the Department for Combating Economic Crimes under the Prosecutor General's Office (DBEP). This is where the operational detail lives: sector-specific suspicious transaction indicators, unique thresholds, CDD procedures, and reporting mechanics. Banks operate under ICA 2886, payment organizations under ICA 3266, MFOs under ICA 2925, crypto exchanges under ICA 3309, and so on.
One structural detail matters: DBEP is a co-author of every single one of the fourteen ICAs. It is never the Central Bank or NAPP acting alone -- it is always a dual signature: the sector regulator and the law enforcement body. That design choice sets the tone for the entire system.
Who is obligated: the full perimeter
Article 12 of the Law defines organizations conducting operations with monetary funds or other property that are required to comply with the AML/CFT regime. With the perimeter expanded through CMR 402, coverage now fully meets the FATF standard -- both financial institutions and designated non-financial businesses and professions (DNFBPs).
Supervised by the Central Bank of Uzbekistan (CBU):
Commercial banks (ICA 2886); non-bank credit organizations -- MFOs, pawnshops, factoring and guarantee organizations (ICA 2925); payment organizations and payment system operators (ICA 3266); leasing companies (ICA 2265).
Supervised by NAPP (National Agency for Prospective Projects):
Crypto-asset service providers (ICA 3309); insurance companies (ICA 2036); securities market professionals (ICA 2033); lottery operators (ICA 3310); commodity exchanges (ICA 2038).
Other supervisors:
Notaries and lawyers -- supervised by the Ministry of Justice (ICA 2020). Audit firms -- supervised by the Ministry of Finance (ICA 3101). Real estate agents -- overseen by the Agency for State Asset Management (ICA 2257). The national postal operator, "Uzbekiston pochtasi" (ICA 3061), which processes consumer money transfers including international ones -- supervised by the Ministry of Digital Technologies. And separately, dealers in precious metals and stones (ICA 2034), where the ICA was issued by DBEP alone, without a sector regulator as co-author. This is the only sector where supervision runs directly through law enforcement, with no financial regulator as a buffer.
Client due diligence (CDD)
Article 7 of the Law establishes the framework for customer due diligence. The details are in the sector-specific ICAs, and that is where meaningful differences begin.
Standard CDD is mandatory when establishing a business relationship, when conducting a one-off transaction at or above the threshold set by CMR 402, when there are grounds to suspect ML/TF, and when there are doubts about the accuracy of previously obtained data.
For individuals, identification covers full name, date and place of birth, citizenship, identity document details (type, series, number, issuing authority and date), address, and PINFL (the national personal identification number). For legal entities: full name, TIN, legal address, information about governing bodies, and -- crucially -- beneficial ownership data.
Beneficial ownership. The control threshold is 10% or more of the charter capital (ICA 2886, ICA 3266, and other sector ICAs). The obligated entity must take all reasonable measures to identify the ultimate beneficial owner, obtain details of the ownership structure, and maintain up-to-date records. If the beneficial owner cannot be identified, the Law requires the entity to decline the business relationship. In practice, the 2022 MER noted that non-bank financial institutions had weak beneficial ownership identification mechanisms, and that fit-and-proper requirements for beneficial owners and affiliated persons were not established in law.
Simplified CDD is permitted for low-risk clients: government bodies, publicly listed companies, and supervised financial institutions.
Enhanced due diligence (EDD) is mandatory for politically exposed persons (PEPs), non-residents from high-risk jurisdictions, correspondent banking relationships, and complex transactions with no apparent economic rationale. For PEPs, the Law requires senior management approval, verification of the source of wealth and source of funds, and enhanced ongoing monitoring. These measures extend to the PEP themselves, their family members, and close associates.
An important caveat: at the time of the 2022 MER, enhanced measures applied only to foreign and international PEPs. There was no statutory requirement for domestic PEPs. Assessors flagged this as a gap.
Non-residents are high-risk by default. Across all sector ICAs, non-residents -- foreign nationals and representatives of foreign companies -- are automatically classified as high-risk clients. This matters for any foreign business entering the market. However, in the banking (ICA 2886) and payments (ICA 3266) sectors, recent amendments have softened this: non-residents who have obtained a PINFL in Uzbekistan are no longer automatically classified as high-risk.
Sector-specific differences. Crypto exchanges (ICA 3309) are the only sector where the one-off CDD threshold is denominated not in BRVs (the statutory base calculation unit) but in dollars: $1,000 USD. MFOs (ICA 2925) apply CDD when a third party pays a client's obligations in amounts above 10 BRV, in pawnshop storage, in Islamic microfinance, and in factoring.
Controlled operations
The Law distinguishes two reporting regimes: mandatory reporting for operations above a threshold (currency transaction reports, or CTRs) and suspicious transaction reports (STRs), which carry no monetary threshold.
Mandatory reporting (Article 13). Operations at or above the threshold set by CMR 402 must be reported to DBEP. The core thresholds are:
- Cash operations (banks): 100 BRV (~41.2 million UZS, ~$3,200)
- Foreign currency exchange: 50 BRV
- International transfers: 100 BRV
- Real estate transactions: 1,000 BRV
- Securities transactions: 500 BRV
Reports must be filed no later than the next business day.
Suspicious transaction reports (Articles 13, 15). When there are grounds to believe an operation is related to ML/TF/PF, the entity must file an STR with DBEP regardless of amount. The deadline is one business day from the date of detection (per CMR 402). Tipping-off -- informing the client or any third party that an STR has been filed -- is prohibited.
Reporting in Uzbekistan is fully electronic, routed through a dedicated system operated by the Prosecutor General's Office. This is not a Central Bank portal. New market entrants should be prepared for significant technical integration work and should hire staff who know how to operate this system.
Sector-specific thresholds are one of the most distinctive features of the Uzbek regime. Beyond the core thresholds in CMR 402, each sector ICA sets its own quantitative triggers. There are far more than can be listed here; the following are illustrative examples to show the logic and spread:
Payment organizations (ICA 3266): transfers to a single card or e-wallet totaling more than 500 BRV over 30 days. MFOs (ICA 2925): receiving a cash loan exceeding 400 BRV. Postal operator (ICA 3061): transfers totaling more than 500 BRV over 30 days, or ten or more transfers to different addresses -- suspicious regardless of the amount of each individual transfer. Insurance (ICA 2036): payouts to a single policyholder exceeding 1,000 BRV per quarter. Leasing (ICA 2265): sale-leaseback transactions exceeding 1,000 BRV. Commodity exchanges (ICA 2038): purchases exceeding 5,000 BRV over 30 days -- the highest threshold of any sector. Lotteries (ICA 3310): payment of a large prize exceeding 1,500 BRV when the winner holds two or more winning tickets.
And one legislative anomaly: dealers in precious metals (ICA 2034) are the only sector where the threshold is pegged not to the BRV but to the minimum wage (MZP): 600 minimum wages over 3 months. These are different calculation bases, and the inconsistency has not been resolved.
The full set of thresholds and quantitative triggers lives in each sector ICA. When entering the market, you need to study your sector's regulation end to end.
Indicators
Every sector ICA contains its own list of suspicious transaction indicators. The common core is broadly similar: refusal to provide documents, contradictory information, structuring to avoid thresholds (smurfing), transactions with no apparent economic purpose, activity inconsistent with the client profile, non-residents from high-risk jurisdictions. But the real value lies in the sector-specific indicators that exist only within a single ICA.
Banks (ICA 2886) have the most complex indicator structure of any sector. Only the banking ICA draws a formal distinction between "doubtful" and "suspicious" operations -- two separate regimes, two separate indicator lists, two separate response procedures. Doubtful operations are those that display unusual characteristics (atypical turnover, profile mismatch) but do not, on their own, indicate ML/TF. Suspicious operations are those where there are grounds to believe a connection to ML/TF/PF exists. Other sectors make no such distinction: anything that raises questions goes through a single procedure. For banks, this means a more granular escalation framework -- and, as a consequence, substantially more internal documentation.
Crypto assets (ICA 3309) -- 22 indicators, the most detailed list of any sector. Among them: transferring crypto to exchanges followed by withdrawal to private wallets; receipts from wallets previously used in criminal activity (a direct blockchain analytics requirement -- banks are not held to this); rapid price increases in new tokens traded on only one platform; absence of a White Paper, or a White Paper containing false claims such as government guarantees; regular use of IP masking by a client; opening a large number of wallets from a single IP address; discrepancy between the client's actual domain and their country of registration.
Payments (ICA 3266): transfers from five or more e-wallets to a single foreign wallet within 30 days (and the mirror pattern -- inflows from one foreign wallet to five or more). A unique bilateral monitoring obligation: when the payment organization controls both the sender and the recipient, it must consider data from both sides when assessing suspicion. Another distinctive feature: the payment operator must screen the client against sanctions lists even when acting on a bank's instruction to issue a card.
Insurance (ICA 2036): increasing the insured amount by more than double with a corresponding premium increase; frequent changes of beneficiary; early policy termination with premium refund where the original funds came from a foreign bank; receipt of reinsurance commissions from entities in non-cooperative jurisdictions.
Real estate (ICA 2257): intent to state a sale price above the actual value in the purchase agreement (overvaluation -- a classic ML typology); purchase of real estate exceeding 1,000 BRV by a legal entity registered less than three months earlier; buyer and seller as related entities (same founders, same directors, same address).
Leasing (ICA 2265): sale-leaseback transactions above 1,000 BRV are flagged as a distinct suspicious transaction type; full lump-sum or accelerated (within three months) payment of all lease installments from funds of unverified origin.
Commodity exchanges (ICA 2038): sham transactions where ownership does not actually change hands but the appearance of trading activity is created (wash trading); indicators of price manipulation; opening a trading account (INP) under a power of attorney from a foreign entity.
Postal operator (ICA 3061): ten or more transfers to different addresses within 30 days -- suspicious regardless of the amount of each transfer; an undelivered transfer is also an indicator.
Notaries and lawyers (ICA 2020): no quantitative indicators -- the list is entirely qualitative. But the sector has a unique response deadline: when freezing assets of a person on the sanctions list, notaries and lawyers must notify DBEP within three hours -- compared to the standard one-business-day deadline for all other sectors.
Auditors (ICA 3101): a sector-specific indicator unavailable to anyone else by its very nature -- detection of unrecorded financial and economic transactions, and destruction of accounting records before the statutory retention period expires. The auditor sees what is hidden from the bank.
Freezing and suspension
This is the mechanism that in 2023 allowed Uzbekistan to upgrade its ratings on Recommendations R.6 and R.7 and move out of EAG enhanced monitoring. Prosecutor General's Order No. 3327 of October 19, 2021, replaced the previous Cabinet of Ministers resolution from 2016 and built a system that meets the FATF standard.
Two regimes operate side by side.
Suspension of operations (Articles 5 and 9 of the Law, Order 3327). DBEP may suspend a specific operation for up to five business days, with the possibility of extension to up to thirty business days. At expiry, the operation is either unblocked or the case file is referred to law enforcement. The obligated entity must execute the suspension immediately.
Sanctions list freezing. This applies when a client's or counterparty's identification data match the List of Persons Involved in Terrorist Activity or WMD Proliferation. The List is compiled by DBEP on the basis of submissions from the State Security Service (SSS), the Ministry of Internal Affairs, and the Prosecutor General's Office, as well as consolidated lists of the UN Security Council (Resolutions 1267, 1373, 1540, and subsequent).
Freezing is immediate. No court order is required. No prior approval from anyone. The obligated entity must freeze independently and notify DBEP within one business day. The freeze remains in effect indefinitely -- until the person is removed from the List or a court orders otherwise. Access to frozen property is available only on humanitarian grounds, to cover basic living necessities.
Internal controls
Article 6 of the Law requires every obligated entity to develop and implement internal control rules (known locally by the Russian abbreviation PVK). But the real requirements are in the sector-specific ICAs -- and that is what the regulator will inspect against.
Mandatory internal control programs (using the banking ICA 2886 as an example) cover: client identification and study, risk management, transaction monitoring, mandatory and suspicious reporting, correspondent due diligence (including a prohibition on relationships with shell banks), record retention, and staff training.
AML compliance officer -- appointed by order of the entity's head, directly accountable to the board of directors or management board, and may not hold functions that create a conflict of interest (for example, sales). For crypto exchanges (ICA 3309) and securities market participants (ICA 2033), data on the compliance officer must be submitted to NAPP annually, and from there to DBEP. In the securities sector, this role is designated not as "responsible officer" but as "controller" -- the only such terminology across all fourteen sectors.
Risk assessment. An institutional risk assessment must be conducted annually. For MFOs, a sectoral risk assessment is formally approved by the CBU's Banking Supervision Committee jointly with non-bank credit organizations at least once a year. A separate requirement -- and an important one -- is a pre-deployment risk assessment for new products, technologies, and service channels, conducted before launch. This is enshrined in the Law itself and specified in the banking (ICA 2886), payments (ICA 3266), crypto (ICA 3309), and other sector ICAs. In effect, it is a market standard: no new product should go live without a prior ML/TF risk assessment.
Training. A baseline AML/CFT course is required upon hiring; knowledge must be refreshed at least once a year. For crypto and securities, training programs must be coordinated with NAPP. Training outcomes are tested and documented.
Record retention: five years from the end of the business relationship -- across all categories (identification, transactions, STRs). If the relationship is ongoing, data is retained indefinitely for its duration.
Client data updates: high-risk clients -- at least annually; all others -- at least every two years (MFOs). Upon any event that changes the client's risk profile -- immediately.
Correspondent banking relationships (banks). ICA 2886 requires collecting information on the reputation of the correspondent bank, assessing the quality of supervision in its jurisdiction, and obtaining senior management approval for relationships with banks in high-risk jurisdictions. Establishing relationships with shell banks is expressly prohibited.
Supervision and penalties
Institutional map. AML/CFT supervision is distributed among regulators according to their supervised sectors. The CBU covers banks, MFOs/NCOs, payment organizations, and leasing. NAPP covers crypto, insurance, securities, lotteries, and commodity exchanges. Other sectors are overseen by their respective ministries -- the Ministry of Justice (notaries and lawyers), the Ministry of Finance (auditors), and others. DBEP, as co-author of all ICAs, plays a coordinating role across the entire system.
Liability. The Law provides for three types. Administrative liability -- fines under the Code of Administrative Responsibility. Criminal liability -- Article 243 of the Criminal Code (legalization of proceeds of crime: 3 to 15 years' imprisonment with confiscation) and Article 155³ (terrorism financing: 8 to 25 years). And supervisory measures -- remediation orders, operational restrictions, and recommendations to revoke the license.
But the real enforcement lives in the sector-specific penalty frameworks. For banks and MFOs/NCOs, the key document is CBU Regulation No. 3492 (registered January 2024, updated by Amendment 3492-1 of May 2026, effective August 6, 2026). Chapter 5 is devoted entirely to AML/CFT violations.
Humans / UPay -- when a regulatory matter turns criminal
The case involving senior executives of the Humans group and the payment organization UPay is one of the most illustrative cases at the intersection of AML/CFT and criminal law. Executives were detained, in part because the payment infrastructure was used to service unlawful financial flows.
Uzbekistan on the FATF map
In 2022, Uzbekistan completed its Mutual Evaluation by the Eurasian Group (EAG), a FATF-style regional body. Assessors arrived in Tashkent in the summer of 2021 and examined the entire system: both the law on the books and how it operates in practice.
The result was one of the strongest in Central Asia. Out of forty FATF Recommendations, Uzbekistan received no "non-compliant" ratings. Seven were rated fully compliant; the majority were largely compliant. Key strengths: DBEP as the FIU (broad powers, operational agility, connections with FIUs in over 160 countries), inter-agency coordination, and the CBU's banking supervision framework.
Weaknesses were identified as well. Money laundering investigations overwhelmingly involve self-laundering -- where individuals legalize their own illicit proceeds. Investigation and prosecution of professional (third-party) laundering is virtually absent. Non-financial sectors (with the exception of notaries and exchanges) file very few STRs. The shadow economy remains a structural vulnerability.
In 2023, the first follow-up took place: three recommendations were upgraded (R.6, R.7, and R.22), and Uzbekistan moved from enhanced monitoring to regular follow-up. For the region, that counts as rapid progress.
What is changing right now
The regime is not standing still. Here is what has already happened or will take effect in the coming months.
Personal liability for bank executives -- enacted in May 2026. Grounds: deficiencies in risk management and internal controls, decisions that breach the law, concealment of violations, and permitting conflicts of interest.
Expansion of the CBU supervisory perimeter -- now encompasses microfinance banks, factoring companies, guarantee organizations, and credit bureaus.
Tenfold increase in penalties -- Regulation 3492-1 takes effect on August 6, 2026. The new formula: a percentage of aggregate capital with hard minimum floors.
Rapid evolution of digital monitoring tools -- payment organizations, crypto exchanges, and banks are all under pressure to continuously enhance their control and risk mitigation systems. This is not a one-time setup. It is a living infrastructure that evolves alongside the market.
Expected developments: inclusion of independent lawyers (not advocates) and accounting firms within the AML/CFT perimeter (a 2022 MER recommendation); development of third-party and "professional laundering" investigations; an updated national risk assessment with a focus on the shadow economy; and expanded use of confiscation.
Checklist for new entrants
If you are entering the Uzbek market in a regulated sector, here is the sequence in which to build your AML/CFT system.
Before launch. Determine which regulator supervises you -- CBU, NAPP, or another authority. Identify your sector ICA -- each sector has its own, with unique indicators and thresholds. Appoint an AML compliance officer. Draft your internal control rules in accordance with the sector ICA and coordinate them with your regulator. Conduct an institutional risk assessment.
At launch. Set up the technical integration with the Prosecutor General's electronic reporting system. Deploy automated transaction monitoring -- manual controls do not scale. Configure real-time sanctions screening -- on every transaction and on every List update. Train all client-facing staff.
Ongoing operations. Update client data: high-risk clients annually, all others every two years. Refresh the institutional risk assessment every year. Conduct annual training and testing. Retain all records for five years. And above all -- maintain an active line of communication with DBEP and be prepared to respond quickly.
Conclusion
If you have read this far, the picture is probably already clear: Uzbekistan's AML/CFT system is detailed, multi-layered, and alive. Fourteen sector ICAs, each with its own indicators and thresholds. An FIU embedded within the prosecutorial vertical, giving it speed and authority that most FIUs in the region lack. Penalties are rising. Personal liability for executives is already law.
In practice, the chief risk is not the size of the fine itself. It is the speed at which the Department responds. An AML/CFT mistake is not a remediation notice with a thirty-day cure period. It is a frozen account and a case file forwarded to law enforcement. So, as obvious as it may sound, AML/CFT is genuinely the first thing to get right when entering this market.
We have worked on both sides of this system -- building internal controls and advising through inspections. That helps us understand what exactly the regulator will ask, in what format it expects documentation, and where violations are typically found. If you need help, we are here.
Entering the Uzbek market? Let's talk.
Juris Advisory helps banks, payment providers, MFOs, crypto exchanges, and foreign investors build their AML/CFT system -- from the first ICA to the first inspection.
Get in touch →This article is a general overview. Specific norms, numerical requirements, and procedural deadlines are regularly updated through sub-legislative acts and regulatory decisions. Verify against the current edition of the relevant law before making legally significant decisions, or consult an advisor.
Juris Advisory -- legal and fintech advisory in Tashkent. Contact: hello@juris.uz · juris.uz · @hellojuris