Why this matters right now
If we had sat down to write this article five years ago, half the laws in it wouldn't have existed — and the other half would have read very differently. Uzbekistan's Law on Payments and Payment Systems was passed in November 2019. The revised Law on Banks came out the same month. The new Law on Non-Bank Credit Institutions arrived in April 2022, with amendments rolling out in waves through 2024 and 2025. The Law on Insurance Activity dates from November 2021, and its implementing regulations are still being written. The Law on Cybersecurity was adopted in April 2022. Mandatory localization of personal data took effect in April 2021.
This doesn't mean the regulatory framework is "new and unfinished." It means it was drafted by people who had seen how financial markets work elsewhere — and made deliberate choices about what to import and what to keep distinctly Uzbek. You can feel Basel, FATF, and IOSCO in most of these laws. At the same time, you can also feel the local understanding that nobody in Tashkent builds a bank around a single corporate client, and that a fintech startup has to survive in a country where the average transaction is twenty dollars and every cent of margin matters.
The way we organize this overview is by the person on the other side of the table. Two regulators run the financial market: the Central Bank covers anything involving money, credit, and payments; NAPP — the National Agency of Perspective Projects — handles capital markets, insurance, securities, and crypto. Three more topics apply across the board: AML, cybersecurity, and personal data.
If you're trying to figure out which door to knock on, this is the map worth starting with.
The Central Bank camp
Over the past seven years, the Central Bank of Uzbekistan has transformed from a Soviet-style supervisor into a fairly progressive — and increasingly tough — Western-style regulator. It still runs monetary policy and underwrites financial stability, but it has added to that openness to technology conversations, a working regulatory sandbox, active engagement with fintech, and — at the same time — sharply higher capital and sanctions for anyone playing on its turf. The four sectors we focus on here cover most of the institutional players: banks, payments, microfinance and non-bank credit institutions, and leasing. Beyond these, the Central Bank also oversees credit bureaus, mortgage refinancing, currency regulation, parts of consumer lending, and a long list of adjacent areas.
Banking
The Law on Banks, in its 2019 redaction, reads like a carefully assembled Basel handbook. The license is single and general, but the road to it is long. Minimum chartered capital for an ordinary bank is now 500 billion soums as of 1 January 2025 — up from 350 billion since April 2024. For a microfinance bank, a separate category introduced in February 2025, the threshold sits at 50 billion. This sits between a "full" bank and an MFO: deposits from a single individual are capped at the guaranteed-deposit amount, single-borrower exposure can't exceed 5 billion soums, and at least 70% of the loan portfolio must go to entrepreneurial lending.
What usually surprises foreign founders: branches of foreign banks are flat-out prohibited by the statute itself. Only representative offices are permitted — with no commercial activity, accredited by the Central Bank. A foreign bank can hold equity in an Uzbek bank, but cannot run its own branch on the ground. The combined share of non-residents who aren't IFIs, foreign banks, or credit institutions can't exceed 50% of chartered capital.
Control over shareholders is real. 5% and above counts as material ownership, and each tier — 5%, 20%, 50% — needs its own prior approval from the Central Bank. The assessment of a potential buyer takes two months and covers business reputation, fit-and-proper review of nominees to governance bodies, source of funds, and AML/CFT screening. A transaction without approval is void; the shares lose voting and dividend rights.
In practice, Uzbek banks treat client-data exchange — even with fintech partners, even under NDA — extremely conservatively. Any startup hoping to build a product around "open" access to client bank account data hits this wall first. It's probably the single biggest structural barrier for fintech in CB-regulated segments — and it can't be engineered around with a contract or an architecture diagram.
The sanctions framework is three-tiered, with explicit gradation. Gross violations (24 categories: from unlicensed activity to capital falling 50% below the floor, AML/CFT breaches, cybersecurity incidents) can trigger fines of up to twice the revenue from the violation, or 5% of prior-year net profit, or 1% of total capital. On top of that: license revocation, plus up to 100% of annual remuneration recovered from a specific board member. Serious violations carry caps roughly a third lower. Minor violations draw a warning or up to 0.1% of capital.
Running in parallel with this framework is a separate Central Bank Board regulation that sets specific monetary penalties for specific violations — a price list, essentially. That price list was recently raised by roughly 10x. So the familiar "we'll get a notice, fix it, move on" logic that many banks operated on is being rewritten in real time. The cost of the next mistake today is materially higher than it was even two years ago.
Payments, processing, and electronic money
This is the most competitive market in the country, full stop. Click, Payme, Uzum, Paynet, and dozens of smaller players fight for every second of the user's card journey. The governing statute is the Law on Payments and Payment Systems (ZRU-578 of 1 November 2019), and it's already been amended five times. The most recent, ZRU-964 of 20 September 2024, took effect on 22 December 2024 and meaningfully raised the bar on information security.
Two categories of license sit at the core: payment system operators (legal entities running a payment system) and payment organizations (PSPs — payment service providers). The Central Bank issues both within 30 days — one of the fastest turnarounds anywhere in financial regulation. A payment organization can offer eight specific services, from cash acceptance to processing payments via e-money, but it cannot itself issue e-money or bank cards: by law, only the Central Bank and banks can issue electronic money (Art. 40).
This is a structural choice that fintechs often miss at first. Under PSD2 in Europe, a payment institution can issue e-money. In Uzbekistan, it can't. If your business model depends on issuing e-money, the path is partnership with a bank. Working under a bank's brand doesn't solve it either — the issuer is still the bank, with all the obligations that go with it. E-money is denominated only in the national currency; only Uzbek-issued e-money is accepted for payments inside the country.
Limits on electronic money operate in base calculation units (BHM; 412,000 soums as of the date of publication). The cap on a single transaction for an identified holder is 100 BHM, for an unidentified holder 1 BHM, and the maximum balance on an unidentified device is 5 BHM. On paper that sounds tight, but identification in Uzbekistan is wired through electronic ID systems — most users clear it almost instantly.
An interesting structural carve-out is the agent-based model (Art. 19). Banks and payment organizations can deliver services through payment agents and sub-agents without a separate license. This is what enabled the distributed payment-acceptance network that now runs nationwide. The catch: the principal carries joint and several liability with its agents toward end users. That gives a lot of design room — but any agent's mistake hits the principal's license.
The most interesting norm in the latest revision is the redrafted Article 15, which effectively states an open-banking principle: users have the right to use either their own bank's remote-service channel or the services of another payment provider, and providers must ensure equal access. This isn't PSD2 yet — there are no mandatory API standards, no required open interface — but the legal foundation is in place.
Apple Pay, Google Pay, and digital wallets aren't governed by a dedicated rule. The statute does recognize virtual bank cards (Art. 35: "a bank card may be debit, credit, including virtual, without a physical carrier"), and the regulator has consistently accommodated tokenization models when they come through the issuing bank. This is a familiar pattern: the framework adapts to real technology — but the adaptation happens through dialogue, not by assuming "anything not banned is permitted."
Microfinance and non-bank credit institutions
This is the most thoroughly rewritten segment. The old law on microfinance organizations ended in April 2022; in its place came ZRU-765 — a single statute for non-bank credit institutions and microfinance activity. It has since been revised four times, most recently by ZRU-1058 of 17 April 2025. Five categories of NBCI now live under one roof: microfinance organization, pawnshop, mortgage refinancing organization, guarantee provider, and factoring organization.
Capital requirements are differentiated and meaningful:
- Guarantee provider — 100 billion soums;
- Mortgage refinancing organization — 25 billion;
- MFO and factoring organization — 2 billion;
- Pawnshop — 500 million.
All in national currency, funded only by founders' cash, with no credit-sourced or encumbered funds permitted.
Loan-size limits are their own story. A microloan to an individual: up to 100 million soums. A micro-credit to an entrepreneur: up to 300 million. The most consequential rule: a hard cap on total borrowing cost — interest, fees, and penalties combined on a contract with an individual cannot exceed half the loan amount per year. That's effectively a 50% APR ceiling written directly into the law — and it's materially tighter than most jurisdictions, where the regulator typically anchors to "market average plus N percentage points."
Fees for application processing, loan-account servicing, disbursement, and early repayment are all prohibited. New loans cannot be issued to anyone with an existing delinquency. Residential real estate cannot be taken as collateral for microloans of less than a year. Unlike banks, NBCIs aren't licensed but rather entered into a Central Bank register. The process takes 15 working days and there's no fee.
One of the few sandbox regimes in the region with real legal teeth
Article 25 of ZRU-765 and the parallel Article 67-1 of the Central Bank Law set up the regulatory sandbox — a special regime for testing new financial operations and technologies for up to three years.
The Central Bank has a track record of using this regime in various forms and across different products. It isn't a dormant clause: the channel for talking to the regulator about a not-yet-codified technology is formally open.
Leasing
Leasing is the odd one out. After the 2002 amendment, the law explicitly classified leasing as investment activity, not financial-credit activity. That has a simple consequence: a standalone lessor doesn't need a separate license. If you're a bank, leasing sits inside your banking license. If you're an independent leasing company, you register as an ordinary legal entity.
The law recognizes two deal shapes: direct leasing (three parties: seller, lessor, lessee) and sale-leaseback (lessee and seller are the same person). Almost any non-consumable asset used for business activity can be the object; land, natural resources, and items withdrawn from civil circulation cannot. Financial leasing is qualified by strict tests: term over 12 months; transfer of title at end of term; or term exceeding 80% of useful life; or the present value of payments exceeding 90% of the asset's value.
The asset is recorded on the lessee's balance sheet, with the tax and depreciation consequences that follow. It's a structure that's easy to enter: low barriers, standardized contracts, leased-asset turnover protected.
The NAPP camp
NAPP — the National Agency of Perspective Projects — is a relatively young regulator that's been handed a large and somewhat heterogeneous portfolio over the past five years: capital markets, insurance, crypto-asset trading, parts of corporate governance, and e-commerce oversight. The market often describes NAPP as a regulator with a more experimental temperament — open to dialogue, willing to try new formats. That's more of a shared impression than a formally measurable trait, and it sits alongside another observation: in several segments under NAPP's umbrella, the culture of hard supervision is still finding its shape. Discipline is tightening year by year.
Crypto trading
Uzbekistan is one of the few jurisdictions where crypto-asset trading was placed inside a formal legal perimeter from the outset — rather than being "legalized retroactively." Presidential Decree PD-3832 of 2018 set out the architecture; NAPP's regulation on licensing crypto-market participants sets the rules of play.
Four core activities are licensed: crypto-exchange, crypto-service provider, crypto-shop, and mining pool. The bar for an exchange is high. Minimum chartered capital is 5,000 BHM (about 2.06 billion soums, or roughly $170,000 at the rate on the publication date), of which 3,000 BHM is held in a dedicated account at an Uzbek commercial bank. The licensing fee is 73,400 BHM (about 30.2 billion soums, or roughly $2.5 million). Servers must sit on Uzbek territory. Records on transactions and clients must be kept for at least five years. KYC/AML is mandatory.
The most unusual rule: a crypto-exchange license is issued only to foreign legal entities, and only by way of incorporating a subsidiary or similar entity on Uzbek territory. An ordinary Uzbek legal entity without a foreign parent cannot apply. The regulator's logic is transparent: it wants a foreign player with its own regulatory history and reputation behind every exchange.
Tax treatment is favorable: crypto-asset transactions are outside the scope of VAT, and individual income from transactions on licensed platforms is exempt. Mining operations have their own electricity tariff regime.
Insurance
The Law on Insurance Activity (ZRU-730 of 23 November 2021) is the first statute that names NAPP directly as the competent state body. Article 5 spells it out: "a license issued by the National Agency of Perspective Projects of the Republic of Uzbekistan." Before that, the insurance regulator was identified only as "the competent authority," and the evolution of that role (State Insurance Supervision → Ministry of Finance → NAPP) gave the market a periodically shifting set of expectations.
The key structural rule is the strict separation between life and non-life insurers. A single insurer cannot be licensed across both branches at the same time (exceptions for certain classes of non-life are provided for separately in legislation). Reinsurance is licensed on its own — a reinsurer cannot do primary insurance, and vice versa. Each branch carries its own prudential framework.
Beyond insurers, the law recognizes six market subjects: insurance broker, reinsurance broker, insurance agent, adjuster, actuary, and surveyor. Each has its own qualification standards. The adjuster is particularly interesting as a standalone figure: an assessor of loss after a covered event, prohibited from being an insurer or intermediary, and barred from holding equity in an insurer. In many CIS jurisdictions this function is still informal; here it's codified and regulated.
The statute itself doesn't fix specific minimum capital figures — those are delegated to sub-regulatory acts. A Presidential roadmap for the insurance market, adopted in March 2024, sets out phased increases. This is a familiar regulatory move: a "soft" requirement in the law, a hard number in the regulation, and periodic re-indexation.
One of the most forward-looking features is Article 31, which formalizes electronic policies and digital exchange. An electronic policy, signed with the insurer's electronic signature and accepted by the policyholder through premium payment, is legally equivalent to its paper counterpart. This is still under debate in some European jurisdictions; in Uzbekistan it's settled law.
Consumer protection (Arts. 63–64) includes tools rarely seen in insurance legislation across the region: a ban on "bundled" cross-selling, NAPP's right to conduct unannounced mystery shopping, mandatory disclosure of market data on the regulator's website. Oversight has become noticeably tougher — primarily through transparency rather than through fines.
Joint-stock companies, securities, and investor protection
The Law on the Securities Market (ZRU-387 of 3 June 2015, in current redaction) and the Law on Joint-Stock Companies (ZRU-370 of 6 May 2014, in current redaction) form the pairing that governs both instruments and issuers. Both have been meaningfully updated since 2021. NAPP regulates the securities market — though the statute itself hides this behind the phrase "the competent state body designated by the President" (Art. 55).
The instrument menu is broad: shares, corporate bonds, infrastructure bonds, exchange bonds, international bonds, share options, depositary receipts, government treasury bonds, certificates of deposit, and bills of exchange. Digital securities, crowdfunding, and Islamic securities aren't yet codified — those are niches still awaiting their regulatory shape.
The most interesting innovation is exchange bonds (Article 6¹, introduced in 2021). These are issued without conventional state registration — the exchange itself registers the issue in coordination with NAPP. Tenor cannot exceed one year. This is a simplified channel for short-term debt that materially shortens the path to market and lowers transaction cost. The closest analogues are European STS-securitisations or UK retail bonds.
Among professional participants, licensing is required only for investment intermediaries and trustees. The investment adviser, investment fund, and transfer-agent all operate on notification. That's a meaningful relaxation versus most jurisdictions, where even advisory work is licensed. Specialist certification is valid for five years.
Issuance itself: 30 days for NAPP registration, fee of 0.01% of nominal value. Disclosure is detailed, channeled through the Unified Corporate Information Portal, with concrete deadlines: annual report within two weeks of the AGM, quarterly within one month of period-end, related-party transactions within 72 hours. Market manipulation and insider trading are explicitly prohibited under Article 54.
The JSC Law is a statute where a decade of work has gone into minority-shareholder protection. A holder of more than 50% of voting shares qualifies as a majority shareholder (Art. 28¹), with explicit duties: don't act against the company's interest, don't put items on the agenda that harm other shareholders. A mandatory offer triggers on crossing the 50% threshold — the new majority shareholder has 30 days to offer the remaining shareholders a buy-out at market price (Art. 40).
Public JSCs and companies with state ownership above 50% must have at least one independent member on the supervisory board (Art. 76¹, introduced in 2023). The independence criteria are detailed: no ties to the company or affiliates in the last three years; no material commercial relationships (threshold: an active contract above 2,000 BHM); no more than six consecutive years on the board. This standard sits closer to the UK Corporate Governance Code than to most post-Soviet regimes.
Particularly notable is the minority shareholders committee (Art. 82) — a body formed from among minorities, with the right to petition NAPP for rights protection, and to participate in proposals on major transactions and related-party deals. The institution isn't running at full capacity yet, but it exists legally — and active minorities do use it.
Sitting on top of the corporate framework is the Law on Investments and Investment Activity (ZRU-598 of 25 December 2019). It gives foreign investors national treatment, protection against expropriation without due compensation, the right to freely repatriate profits, and a stabilization clause (Art. 19) — the ability to apply prior rules if legislation moves adversely. For large projects, a dedicated tool is available: an investment agreement with the Government — a formal contract between the state and the investor that fixes individual terms (tax incentives, infrastructure support, commitments from adjacent agencies). On top of all this sits an ecosystem of preferential regimes: IT-Park with a 0% rate on most taxes for residents, free economic zones, industrial parks. Together, these make Uzbekistan one of the most "negotiable" jurisdictions in the region for foreign direct investment.
Three cross-cutting pillars
These three themes aren't tied to a sector — they apply across the board. The regimes are identical for a bank, an insurer, a crypto exchange, or a factoring company, with adjustments for data and transaction specifics. This is the slice of the regulatory framework that has changed most actively over the past two years — and where the regulator is most willing to come down hard.
Anti-money laundering (AML)
The base statute is Law No. 660-II of 26 August 2004, in current redaction (with the last major overhaul through ZRU-516 of 15 January 2019). Uzbekistan is a member of the Eurasian Group (EAG), FATF's regional body, and went through baseline mutual evaluation in 2022, with a first follow-up in 2023: a country making progress, with key technical deficiencies being closed.
The financial intelligence unit is Uzbekistan's FIU (financial intelligence unit) — the Department for Combating Economic Crimes within the General Prosecutor's Office. Structurally, the FIU sits inside the prosecutorial vertical, which gives it meaningfully more teeth than models where the FIU is an independent agency or part of the Ministry of Finance. In practice, Uzbekistan's FIU moves fast, has direct access to financial information across the board, and pushes cases through to law enforcement without bureaucratic friction.
The law extends the AML perimeter to banks, payment organizations, MFOs, insurers, pawnshops, exchanges, crypto-service providers, notaries, auditors, real estate agents, precious metals dealers, lawyers, and attorneys (in respect of specific transactions). That's a full FATF perimeter. The specific threshold amounts for mandatory monitoring, FIU reporting deadlines, the risk-based approach to identification, the format for handling PEPs and beneficial owners — all of this sits in sub-regulatory acts (FIU regulations, Central Bank and NAPP requirements for their respective supervised entities).
Cybersecurity
The Law on Cybersecurity (ZRU-764 of 15 April 2022) is a framework statute. The regulator is the State Security Service (SGB). This decision surprises Western investors at first — "an intelligence service regulates cybercrime?" — but in practice it works. SGB combines technical expertise, the institutional legitimacy for operational action, and a direct line to the prosecutor's office and law enforcement.
The law introduces the concept of critical information infrastructure (CII): information systems in public administration, defense, energy, chemicals, metallurgy, water, agriculture, healthcare, utilities, the banking and financial system, transport, ICT, and other sectors. A bank, a large insurance company, a payment organization, an exchange — all automatically qualify as CII entities.
CII assets fall into three categories: high, medium, and low. Entities carry concrete obligations: an internal information security policy, a designated officer who passes SGB attestation, mandatory certification of all protection tools, mandatory expert review and attestation of information systems, and mandatory connection to the SGB's central monitoring system (the state SOC). Backup retention must cover at least the last three months.
The statute itself doesn't set specific deadlines for incident notification or specific fine amounts — those have been pushed to other acts. Running in parallel are the Central Bank's information-security requirements for banks and payment organizations (Resolution of the CB Board of 24 April 2024, reg. no. 3513), which are considerably more granular and operate at the level of specific technological requirements.
Personal data
The Law on Personal Data (ZRU-547 of 2 July 2019) was relatively progressive at adoption — and two years later it acquired what remains one of the most discussed norms in the region. Article 27¹ (in force since 16 April 2021) requires any operator or owner processing the personal data of Uzbek citizens to collect, systematize, and store that data on technical systems physically located in Uzbekistan and registered in the State Register of Personal Data Bases.
This is data localization in its pure form. In spirit it's closer to Russia's 152-FZ than to GDPR. Financial companies operating in the Uzbek market must keep client data either on their own in-country servers or in local data centers (TAS-IX, Uzbek-registered private clouds). Using an AWS European region or Azure Singapore "the way you used to" is not an option.
From 2026, amendments come into force that soften the regime for international tech companies: only biometric, genetic, and telecommunications data remain subject to unconditional localization, while other categories of processing acquire more contractual and architectural flexibility. This is a shift away from the hard Russian-style model toward a more balanced approach — one that acknowledges that global services are already part of the infrastructure.
Liability for breaching the localization rule is the most aggressive in the region: it goes as far as restricting access to the offender's internet resource. That's a real-world risk for platforms that ignore the requirement, and a formal exposure for fintechs that rely on foreign SaaS solutions without a local gateway. The regulator is the State Personalization Center under the Ministry of Digital Technologies; the same body maintains the register of personal data bases. Registration is mandatory — and without it, lawful processing can't begin.
What new entrants need to know: opportunities and risks
Stepping back: today's Uzbek market has a few enduring characteristics worth internalizing before you step in.
Regulators are progressive and willing to negotiate
Both the Central Bank and NAPP will sit down at the table. When Apple Pay and Google Pay arrived, regulation adapted to the technology. When a fintech walks in with a BNPL model, an open-banking play, or a digital-bond funding structure, there's a structural channel for the conversation. The regulatory sandbox is a real tool. "No" is a rare answer — what you hear more often is "let's look at how this attaches to the existing framework."
Regulatory dynamism is both an advantage and a risk
All the major laws have been rewritten or substantially updated in the last five to seven years. That gives you a clean framework, free of 1990s archaisms — but the implementing regulations are still being actively built out. A player entering now lands in a moment of formation — and also a moment when the rules can shift six months after the first product registration.
Competition is brutal — especially in banking and payments
Uzbek customers are impatient and sensitive to UX detail. One wrong button can cost millions; +0.1% on deposit yield is reason enough to switch banks. The implication: your market-entry budget should be weighted more toward product than toward licensing.
CB-regulated sectors carry the hardest discipline
Stronger fines, more inspections, turnover-based penalties — that's the real trend of the last two years. A bank that breaches AML or banking secrecy isn't looking at a notice; it's looking at losing its license. Discipline in NAPP segments has historically been softer, but the trajectory of the last several months shows the approach there is moving toward tougher supervision too.
Insurance, securities, crypto — young markets with room
There's a lot of headroom for a new product. But the customer base is small and each customer is expensive to acquire. These markets reward strategies built around demand creation, not demand capture — entry plans should assume 2–3 years of audience building rather than rapid scale-up.
Banking secrecy is fintech's biggest brake
Criminal liability for disclosure forces banks toward maximum conservatism on data exchange. Any fintech in the CB-regulated space whose product assumes "free flow of data from banks" hits this wall first. There's no single working playbook for getting around it — some banks have developed their own approaches to partner integrations, but no universally accepted solution exists in the market today.
Cybersecurity is the fastest-rising compliance cost
Requirements have escalated sharply over the past two years and continue to rise. Any financial business in Uzbekistan in 2026 should budget materially more for information security than it did in 2022. AML, by contrast, is a medium-intensity regime — but mistakes there are punished quickly: the FIU moves fast, and errors in this part of the perimeter are the least forgiven on the market.
Where Uzbekistan is ahead of the global mainstream
A handful of places where the Uzbek framework is structurally more convenient or simply faster than what we see in most comparable jurisdictions.
Payment-organization licensing — 30 days. Materially faster than e-money licensing in most EU member states (3–6 months), comparable to Singapore, and well ahead of nearly every CIS jurisdiction.
The Central Bank's regulatory sandbox actually gets used. A statutory regime, three-year ceiling, with real product cycles running through it. Sandboxes exist on paper in Kazakhstan, Russia, and Georgia — but get used materially less.
Investment advisers operate on notification. Most jurisdictions globally license advisory work as a full professional activity. Uzbekistan settles for notification with staff qualification requirements — lowering the entry bar for independent advisers and open-finance models.
Exchange bonds — issuance without state registration, through the exchange itself. A streamlined channel for short-term debt funding, broadly analogous to STS-securitisations in Europe. First issuances can come to market several times faster than under the conventional procedure.
A stabilization clause for foreign investors is in the law itself. Most countries in the region offer this only via bilateral investment treaties; in Uzbekistan it's embedded in general legislation and applies automatically.
Electronic insurance policies are legally equivalent to paper. Still under debate in several European jurisdictions; in Uzbekistan, settled by statute.
The crypto exchange is the only fully transparent licensing regime in the region. Not a "tolerated zone," not an IT-Park exception — a fully fledged NAPP license with intelligible terms.
Independent directors are mandatory for public JSCs and state-controlled companies (>50% state ownership) — closer in design to the UK Corporate Governance Code than to most post-Soviet regimes.
A minority shareholders committee. Rare in the region as a formal tool — minorities can defend their rights collectively, with the right to petition the regulator.
The bottom line
Uzbekistan's financial regulation is the work of people who have seen how the world operates and of people who know their own country. That's an unusual pairing. Most post-Soviet jurisdictions either remain stuck in Soviet-style supervision or have copied European directives wholesale without thinking about how they land on local ground. Uzbekistan is one of the few cases where the regulators in both camps were reading Basel, FATF, and IOSCO simultaneously — and sitting in a room with ten bankers explaining what doesn't work in the current text.
The practical takeaway for any new entrant: you can talk to the regulator here. This isn't a country where rules are written "forever" and where the regulator will defend a decision at the market's expense. It's a country where the regulator is willing to listen, to update, to experiment. That doesn't mean it forgives mistakes — particularly in AML, banking secrecy, and cybersecurity. It means that if you arrive with a serious product, a sound legal foundation, and a willingness to discuss architecture before filing, you land in one of the most interesting financial markets in the region for the next five years.
We've worked on both sides of these conversations — with the Central Bank, with NAPP, with partner banks, with investors coming in from London, Dubai, and Singapore. That experience helps anticipate how the regulator frames its questions, what kind of answer it expects, and which format moves the dialogue forward faster. Some of that knowledge isn't written down in any statute — and it's hard to assemble from public sources alone.
Entering Uzbekistan's financial market? Let's talk.
Juris Advisory works with banks, payment organizations, microfinance institutions, insurers, crypto providers, investment funds, and foreign investors entering Uzbekistan — from the first regulator meeting to the first transaction going live.
Get in touch →