At the end of August, at the initiative of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation (MinTsifry), a draft federal law entitled "On Amendments to Certain Legislative Acts of the Russian Federation" (with respect to Counteracting Offenses Committed Using Information and Telecommunications Technologies) was published on the Federal Portal of Draft Normative Legal Acts (Draft ID: 02/04/08-25/00159652) (the "Draft Law").
Previously, we examined in detail the amendments proposed to Federal Law "On Information, Information Technologies and Information Protection", Federal Law "On Personal Data", and Federal Law "On Communications". Concluding this series of reviews devoted to the above initiative, we now address the amendments introduced simultaneously to several federal laws, namely:
Amendments to "On the Establishment of a State Information System for Counteracting Offenses Committed Using Information and Telecommunications Technologies, and on Amendments to Certain Legislative Acts of the Russian Federation":
A unified register of subscriber numbers is introduced, containing subscriber numbers for which there are indications of use in unlawful activities.
Amendments to "On Electronic Signatures and Certification Authorities":
Amendments to "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism":
The taxpayer identification number (INN) has been added to the list of mandatory information required for client identification where settlements are carried out using an electronic means of payment (a bank card or an electronic wallet).
Amendments to "On the Central Bank of the Russian Federation (Bank of Russia)":
The scope of powers exercised by the Board of Directors of the Bank of Russia has been expanded. New powers include determining the deadlines by which credit institutions must ensure that clients are able to carry out funds transfers, as well as determining the Operator of the Unified Payment Card Accounting System. Where necessary, the Board of Directors may also establish the maximum number of payment cards that may be issued to an individual client by credit institutions, as well as determine the expiration dates of such cards.
Amendments to "On the National Payment System":
Amendments to "On the Identification and (or) Authentication of Individuals Using Biometric Personal Data, on Amendments to Certain Legislative Acts of the Russian Federation, and on the Invalidation of Certain Provisions of Legislative Acts of the Russian Federation":
Methods have been introduced enabling an individual to recover their account in the event of its restriction, including where the operator of the Unified Identification and Authentication System has determined that third parties have obtained unauthorized access to the individual’s account. Access may be restored using one of the following methods:
Most of the amendments enter into force on December 1, 2026. Provisions relating to the fee-based nature of security certificates enter into force on July 1, 2027, while provisions concerning the establishment of certificate fees enter into force on January 1, 2027.
Previously, we examined in detail the amendments proposed to Federal Law "On Information, Information Technologies and Information Protection", Federal Law "On Personal Data", and Federal Law "On Communications". Concluding this series of reviews devoted to the above initiative, we now address the amendments introduced simultaneously to several federal laws, namely:
- Federal Law "On the Establishment of a State Information System for Counteracting Offenses Committed Using Information and Telecommunications Technologies, and on Amendments to Certain Legislative Acts of the Russian Federation";
- Federal Law "On Electronic Signatures and Certification Authorities";
- Federal Law "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism";
- Federal Law "On the Central Bank of the Russian Federation (Bank of Russia)";
- Federal Law "On the National Payment System";
- Federal Law "On the Identification and (or) Authentication of Individuals Using Biometric Personal Data, on Amendments to Certain Legislative Acts of the Russian Federation, and on the Invalidation of Certain Provisions of Legislative Acts of the Russian Federation."
Amendments to "On the Establishment of a State Information System for Counteracting Offenses Committed Using Information and Telecommunications Technologies, and on Amendments to Certain Legislative Acts of the Russian Federation":
A unified register of subscriber numbers is introduced, containing subscriber numbers for which there are indications of use in unlawful activities.
Amendments to "On Electronic Signatures and Certification Authorities":
- A new article has been introduced governing security certificates of the National Certification Authority used to ensure secure interaction with websites on the Internet, website authentication, and confirmation of website ownership. The requirements for such certificates, as well as the procedure for their issuance and revocation, are to be established by MinTsifry in coordination with the Federal Security Service of the Russian Federation (FSB) and the Federal Service for Technical and Export Control (FSTEC).
- Security certificates of the National Certification Authority are to be issued upon request, for a fee, except for requests submitted by state authorities, local self-government bodies, the Bank of Russia, and organizations included on a list to be approved by the Government of the Russian Federation.
Amendments to "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism":
The taxpayer identification number (INN) has been added to the list of mandatory information required for client identification where settlements are carried out using an electronic means of payment (a bank card or an electronic wallet).
Amendments to "On the Central Bank of the Russian Federation (Bank of Russia)":
The scope of powers exercised by the Board of Directors of the Bank of Russia has been expanded. New powers include determining the deadlines by which credit institutions must ensure that clients are able to carry out funds transfers, as well as determining the Operator of the Unified Payment Card Accounting System. Where necessary, the Board of Directors may also establish the maximum number of payment cards that may be issued to an individual client by credit institutions, as well as determine the expiration dates of such cards.
Amendments to "On the National Payment System":
- Money transfer operators are required, when verifying whether a funds transfer is being made without the client’s voluntary consent, to use information contained in the State Information System for Counteracting Offenses Committed Using Information and Telecommunications Technologies. If a client’s subscriber number is included in the unified register of subscriber numbers with indications of unlawful use, the operator is entitled to suspend the client’s use of an electronic means of payment for the period during which the number remains in the register. Where there is information indicating the impact of malicious software, the operator is entitled to refuse execution of the funds transfer. The client must be notified of any decisions taken;
- An obligation has been introduced for the operator servicing the payer to reimburse an individual client for a funds transfer or payment card transaction carried out without the client’s voluntary consent;
- Limits have been established on the number of payment cards that may be issued by a single money transfer operator to one individual client—no more than 5 (five) cards—and by all money transfer operators to one individual—no more than 20 (twenty) cards. Different limits may be established by the Board of Directors of the Bank of Russia;
- Money transfer operators are required to submit information on payment cards issued to individual clients to the Unified Payment Card Accounting System in accordance with the procedure established by the Bank of Russia;
- Money transfer operators are also required to submit data on their clients to the Bank of Russia for the purpose of forming and maintaining a unified database upon detection of attempts to transfer funds without the clients’ voluntary consent;
- The Bank of Russia is required to transmit to the State Information System for Counteracting Offenses Committed Using Information and Telecommunications Technologies information on clients’ subscriber numbers upon detection of attempts to transfer funds without voluntary consent, as well as subscriber numbers identifying the recipients of such payments.
Amendments to "On the Identification and (or) Authentication of Individuals Using Biometric Personal Data, on Amendments to Certain Legislative Acts of the Russian Federation, and on the Invalidation of Certain Provisions of Legislative Acts of the Russian Federation":
Methods have been introduced enabling an individual to recover their account in the event of its restriction, including where the operator of the Unified Identification and Authentication System has determined that third parties have obtained unauthorized access to the individual’s account. Access may be restored using one of the following methods:
- via the Unified Biometric System;
- via a bank’s official website or mobile banking application through which individuals may open accounts (deposits) and/or obtain loans denominated in rubles;
- using the individual’s enhanced qualified electronic signature, provided that a valid qualified signature verification certificate is available;
- through the individual’s personal appearance at a multifunctional public services center (MFC);
- through the individual’s personal appearance at authorities or organizations authorized to issue simple electronic signature keys for the provision of state and municipal services.
Most of the amendments enter into force on December 1, 2026. Provisions relating to the fee-based nature of security certificates enter into force on July 1, 2027, while provisions concerning the establishment of certificate fees enter into force on January 1, 2027.