Building Trust in Kazakhstan’s Fast-Growing Fintech Ecosystem

Kazakhstan’s leading fintech platforms, Kaspi, Halyk Bank’s Homebank, and Freedom SuperApp, have evolved into all-in-one super-apps offering banking, payments, shopping, and even eGov services. They provide great convenience, but also concentrate vast amounts of personal data. This raises data privacy and security risks that deserve a clear look and a set of practical safeguards that keep users protected.

Sayan Katrenov.

Kazakhstan has already faced several breaches and fraud cases. Freedom Finance admitted in 2020 that hackers stole tens of thousands of client records after a phishing attack, exposing full names, passport details, bank accounts and even employee credentials. Kaspi.kz has faced repeated public concern: a nationwide outage in 2020 triggered fears of a hack, and in 2025 dozens of customers reported loans issued in their names without consent, with investigations pointing to stolen personal data and possible insider collusion. Halyk Bank also faced public concern in 2020, from a rumored leak of 80,000 records to waves of complaints about unauthorized withdrawals. Together, these cases show how quickly problems can escalate when so much financial and personal data is concentrated in a few platforms, and how hard it can be for official reassurances to match the level of public concern.

Super-apps have not struggled in Western markets by accident. In the European Union, stringent data protection rules like the GDPR make it difficult for any company to merge identity, payments, shopping behavior and credit data into one ecosystem without explicit, narrowly defined consent. Firms must justify every form of data processing, minimize what they collect, and risk substantial fines if they violate the limits. These rules were designed precisely to prevent the kind of unchecked data blending that gives super-apps their power. Competition regulators in Brussels add another layer: they view concentrated digital ecosystems as potential “gatekeepers,” and routinely intervene to stop any platform from becoming the default interface for too many essential services.

In the United States the constraints are different but the outcome is similar. Consumer regulators watch how platforms repurpose sensitive data and warn against approaches that go further than users might expect. Cultural expectations also matter: American and European users tend to prefer separating banking, communications and shopping, partly because previous tech scandals have made them wary of giving one corporation such a broad window into their lives.

Kazakhstan, by contrast, has allowed super-apps to grow quickly with fewer regulatory constraints. This openness has fuelled competition and delivered real gains in speed, convenience and digital inclusion. But it also means that far more personal and financial data now sits inside a small number of deeply integrated ecosystems, increasing the stakes when something goes wrong. As these platforms continue to expand, the question is no longer whether Kazakhstan should regulate them, but how to do so in a way that strengthens trust without slowing innovation. Many of the classic tools of financial oversight are already in place, yet the most meaningful progress now lies in measures that ordinary users can actually see and feel. Two practical steps in particular would have a real impact, especially if paired with a clearer role for users themselves.

First, super-apps should be required to offer simple, in-app privacy and security dashboards. Today, most people have only a vague idea of what data their favourite app collects, which parts of the ecosystem can see it, and how it is used. A dashboard should allow users to see, in one place, what information is stored about them, which services have access to it, and for what purpose. It should also make it easy to switch off non-essential access to their data, disable certain types of profiling, and review recent security events.

Second, Kazakhstan needs clear breach notification rules with real consequences. When something goes wrong, users should not find out from rumours or social media. Fintech companies should be legally obliged to inform regulators and affected customers within a fixed time frame after a significant data leak, explaining what happened, what information was exposed, and what steps people can take to protect themselves. Meaningful penalties for late disclosure or concealment would signal that data protection is a board-level responsibility.

Finally, there is a role for citizens. Regulators and companies can build safer systems, but users can also adopt basic digital hygiene: using strong authentication, regularly checking account activity, being cautious with links and calls, and periodically reviewing app permissions. Public campaigns and in-app prompts can nudge people toward these habits. 

Kazakhstan’s digital finance sector has moved fast, and now trust will shape its next stage. By addressing data concentration risks early, the country can strengthen user confidence and avoid disruptions that could slow progress. The payoff is clear: continued growth built on a foundation of safety and transparency. In an age when data is as valuable as currency, combining innovation with strong protections will allow Kazakhstan to set a regional standard for secure, sustainable fintech development.

The author is Sayan Katrenov, a graduate student of the Nazarbayev University Graduate School of Public Policy. 

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the position of The Astana Times. 

