- Nov 12, 2025
How to Onboard Users in Eastern Europe and Central Asia (2026)
Learn all the peculiarities of customer onboarding in Eastern Europe and Central Asia, particularly CIS countries, Ukraine, and Georgia, in 2026.

Eastern Europe and Central Asia make up one of the world's largest regions, offering significant opportunities for businesses. While the Commonwealth of Independent States (CIS) plays a major role in shaping the market, influential non-CIS countries like Ukraine and Georgia continue to drive innovation and regional development. Yet, companies risk facing regulatory sanctions if they don't consider local specifics when onboarding users. Penalties may include hundreds of thousands of dollars in fines or total seizure of business activity.
Since the beginning of the Russo-Ukraine crisis, the US, UK, and the EU, as well as a number of other jurisdictions, have imposed a wide range of sanctions on Russian entities and elites. In addition to Russia, several entities and individuals in Belarus have also been sanctioned. Moreover, the EU sanctions extend to banks in Kazakhstan, Kyrgyzstan, and Tajikistan due to their links with Russian payment and messaging systems. As a result, thorough user and corporate verification has become essential for businesses seeking to onboard customers from CIS countries.
The CIS is an intergovernmental organization that oversees economic and political cooperation between the following Eastern European & Central Asian republics: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan (associate member), and Uzbekistan. This article provides best practices for performing KYC and other checks on CIS customers, which can help avoid sanctions and fraud.
We'll also cover Ukraine and Georgia, former CIS members.
AML and data protection in Eastern Europe, Central Asia, and CIS
Businesses onboarding customers in Eastern Europe and Central Asia (including CIS countries) must consider both AML and data protection requirements in the jurisdictions where they operate. The specific obligations depend on whether the company is legally established in the region.
If a business has a legal entity in a CIS member state, it is required to comply fully with that country's local laws. By contrast, companies without a regional presence are generally subject only to data protection rules and any applicable international sanctions.
In most cases, providing financial services in a CIS country requires local registration. Even when registration is not mandatory, companies must still meet the applicable data protection standards. Additionally, if the organization belongs to a corporate group with entities subject to operational restrictions, sanctions compliance must be carefully assessed to prevent violations.
Think local: Compliance risks to watch in 2026
International businesses may be tempted to apply a unified onboarding process across Eastern Europe and Central Asia: it can be faster and more cost-efficient, and it ensures a consistent global user experience.
However, regulatory requirements and cultural expectations differ significantly across jurisdictions, making a one-size-fits-all approach risky. Ignoring local rules can lead to regulatory penalties, operational disruption, and, in some cases, criminal liability.
For instance, in Uzbekistan, unlawful data processing leads to the seizure of business activity. In Belarus, penalties include three years' imprisonment. Kazakhstan can also impose penalties of up to three years' imprisonment for data protection breaches, while the Kyrgyz Republic can sentence offenders to correctional labor from one to three years, or up to five years' imprisonment.
High fraud rates and sanctions imposed on CIS individuals and entities are other serious risks businesses should be aware of. Let's explore them.
Onboarding customers in Eastern Europe and Central Asia: Regional specifics and risks in 2026
AML regulations across CIS countries and wider Eastern Europe and Central Asia require businesses to identify and verify their customers. Both remote and in-person verification are permitted throughout the region. However, there are no unified standards, and acceptable methods can vary by jurisdiction. Electronic data sources are generally well developed in CIS countries and can enhance both security and reliability during verification.
To mitigate risks at the onboarding stage, businesses should consider the five regional specifics outlined below.
1. High fraud risk. Proper KYC checks are a must in the CIS due to the high level of fraudulent activity in the region. Common fraud schemes in CIS countries include the concealment of funds abroad and the use of payment systems that permit unauthorized transfers.
Overall, according to Sumsub's Fraud Index 2025, CIS countries are among the least protected from fraud, with Armenia ranked 100th and Azerbaijan ranked 104th out of 112 countries analyzed in the study (where 1 indicates the most protected and 112 the least protected).
2. Sanctioned countries. Sanctions screening of CIS customers must be a priority for businesses, as the EU, the US, and several other countries have sanctioned numerous individuals from these jurisdictions.
The EU has sanctioned multiple Belarusian officials, including two deputy heads of the Main Department for Combating Organised Crime and Corruption of the Ministry of Internal Affairs, for their role in the ongoing internal repression and human rights violations in Belarus.
Apart from Belarus, Russia is the most sanctioned country in Eastern Europe. Evading sanctions on Russia is a serious offense that governments actively enforce. Businesses involved can face major fines, criminal charges, loss of access to key financial systems, and severe reputational damage. In extreme cases, sanctions evasion can shut down a company and lead to imprisonment for responsible individuals.
3. Limited coverage by AML providers. While database coverage is substantial in many countries in the region, many international AML providers don't have access to local databases. Therefore, businesses should ensure that their KYC and AML provider has the necessary access.
4. Unique data protection obligations. Businesses must store the personal information of users from Kazakhstan, Russia, and Uzbekistan on servers located in these countries. For instance, a UK-based company onboarding customers from Uzbekistan should develop data processing activities to keep their data only in Uzbekistan.
5. Non-Latin writing systems. The majority of CIS countries use non-Latin writing systems, including Cyrillic (Belarus, Ukraine, etc.), Georgian, and Armenian scripts. Therefore, businesses must employ user verification technology with OCR (Optical Character Recognition) that can process and convert documents written in non-Latin characters.
Onboarding Russian users after 2022
After February 24, 2022, governments in the US, UK, and the EU have imposed targeted sanctions and export-control measures that restrict services to designated Russian persons, entities, and activities. In addition, countries such as Canada, Japan, Australia, Switzerland, Norway, New Zealand, South Korea, Singapore, and Taiwan have also introduced their own sanctions and banking restrictions against Russia, further tightening global compliance requirements.
These measures, combined with banks' and fintechs' risk-based de-risking policies, mean that many Russian-linked individuals or businesses may be refused onboarding or services, particularly for regulated financial products. However, the legal restrictions are targeted rather than nationality-wide, so not every Russian national is automatically ineligible. Each case depends on sanctions listings, residency, the product, and the provider's compliance policy.
Know Your Customer (KYC) and Enhanced Due Diligence (EDD) checks are therefore essential for any new or existing customer with potential ties to Russia to identify individuals or entities linked to sanctioned parties or restricted sectors.
Now, let's assess which Eastern European countries present the lowest and the highest risk from an AML perspective.
Assessing AML and sanctions risk across Eastern European and Central Asian countries: Country rating (2026)
Below is a ranking of Eastern European and CIS jurisdictions, from more reliable to more restricted/high-risk from an AML and sanctions perspective.
1. Kazakhstan
- Stronger AML reforms and FIU cooperation in recent years
- Not under broad international sanctions, but still exposed to Russia sanctions evasion risks
2. Georgia (not a CIS member)
- Pro-EU regulatory alignment, improving AML standards
- Elevated risk due to sanctioned individuals using Georgia as a transit route
3. Moldova
- EU candidate status driving AML reforms and beneficial-ownership transparency
- However, institutional capacity and corruption vulnerabilities remain concerns
4. Azerbaijan
- AML system developing, but still limited transparency
- Lower direct sanctions exposure
5. Ukraine (not a CIS member)
- Very strong sanctions enforcement as an EU-aligned state
- War-related corruption and document fraud risks remain high
6. Armenia
- Moderate AML controls
- Increased sanctions-evasion concerns due to trade and migration flows linked to Russia
7. Uzbekistan
- Rapid reforms, but AML effectiveness still in transition
- Weak oversight in fintech-related areas
8. Kyrgyzstan
- Higher document-fraud and money-laundering vulnerabilities
- Growing exposure to illicit trade and crypto-related risks
9. Turkmenistan
- One of the weakest AML frameworks in the region
- High opacity, limited FIU transparency, and minimal cooperation with international partners
10. Tajikistan
- Weak supervision and high corruption
- Elevated financial crime risks
11. Belarus
- Very high sanctions exposure (second only to Russia in the region)
- Severe restrictions from the US/EU + high risk of illicit workaround schemes
12. Russia
- Highest-risk profile globally among major economies:
  - Extreme sanctions
  - Limited cooperation with Western financial regulators
  - High illicit finance risks
How to check documents across Eastern Europe and Central Asia, including CIS countries
To onboard CIS users, businesses should be prepared to deal with unique types of identity documents. For instance, in Belarus, there are both internal passports and travel passports, a system that dates back to the Soviet period. Other specific documents include the seafarers' identity document of Ukraine. Kazakhstan, Uzbekistan, and other Central Asian countries have adopted a single national ID card for domestic use and a separate travel passport for international travel. Some have modernized ID systems significantly.
To ensure high conversion rates, businesses should be able to process the following document types:
- Internal passports
- Travel passports
- Driving licenses
- ID cards
- Military ID documents
Some ID documents (e.g., old Ukrainian passports) have low security and can easily be forged. Here are some tips that can help detect altered documents:
- Compare documents with official templates. Use templates of official documents to ensure that all elements of a user's document are in the right place. Check out PRADO's website for official templates of CIS travel passports.

Template of an Uzbek travel passport
- Check security features. Since the human eye can't always detect tampering, we recommend using AI-powered systems to screen user profiles and identify security features on documents, such as watermarks, holograms, and seals.
- Validate MRZs (Machine-Readable Zones). An MRZ is a codified element of an identity document that facilitates automated scanning of personal data. However, older ID documents usually don't contain MRZs, which makes them less secure and requires businesses to pay more attention to screening.
- Cross-check against official databases. Where legally allowed, verify document and identity information against trusted government databases (e.g., civil registries, watchlists, and document validity databases). This helps confirm whether the document is genuine, valid, and issued to the correct person.
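
The MRZ validation step above can be automated with the check-digit rule from ICAO Doc 9303. The following is an added example, not part of the original article or of any Sumsub product: it validates the five check digits in line 2 of a TD3 (passport booklet) MRZ. The sample line is the ICAO 9303 specimen; the altered line and all function names are constructed for illustration.

```python
# Added example: check-digit validation for line 2 of a TD3 (passport) MRZ,
# following the ICAO Doc 9303 rule (weights 7, 3, 1; sum modulo 10).

WEIGHTS = (7, 3, 1)


def char_value(ch):
    """Map an MRZ character to its numeric value: 0-9, A-Z -> 10-35, '<' -> 0."""
    if "0" <= ch <= "9":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not allowed in an MRZ")


def check_digit(field):
    """Compute the ICAO 9303 check digit for one MRZ field."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def validate_td3_line2(line):
    """Return {check name: passed?} for the five check digits of TD3 line 2."""
    if len(line) != 44:
        raise ValueError("TD3 MRZ lines are exactly 44 characters long")
    checks = {
        "document_number": (line[0:9], line[9]),
        "date_of_birth": (line[13:19], line[19]),
        "date_of_expiry": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        # The composite digit covers the fields above plus their check digits.
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    results = {}
    for name, (data, digit) in checks.items():
        if name == "personal_number" and digit == "<" and set(data) == {"<"}:
            results[name] = True  # unused optional field may carry a filler
        else:
            results[name] = digit in "0123456789" and check_digit(data) == int(digit)
    return results


# Line 2 of the specimen passport printed in ICAO Doc 9303.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed alteration: birth year changed from 74 to 84, check digits untouched.
ALTERED = "L898902C36UTO8408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, mrz in (("specimen", SPECIMEN), ("altered", ALTERED)):
        failed = [name for name, ok in validate_td3_line2(mrz).items() if not ok]
        print(label, "OK" if not failed else f"failed: {failed}")
```

Passing check digits only shows that the MRZ is internally consistent. A forger can recompute them, so this check complements the template, security-feature, and database checks in this list rather than replacing them.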
How to check CIS users against databases
Database coverage varies across the CIS, which can make identity verification and due diligence checks challenging. Some countries (such as Moldova and Uzbekistan) are considered to offer relatively complete and good-quality data, while others, such as the Kyrgyz Republic and Tajikistan, compare poorly against international standards.
Open Data Watch offers regular assessments of countries' data coverage, looking at how comprehensive their data is ("coverage") and how well that data compares to international standards for accessibility and usability ("openness"). This can help to indicate how good each country's data coverage is for AML/CTF and anti-fraud compliance checks.
CIS database coverage by country
| Country | Coverage | Openness | Overall Score | Global Ranking |
| --- | --- | --- | --- | --- |
| Armenia | 63% | 59% | 61% | 78th (joint) |
| Azerbaijan | 62% | 61% | 61% | 78th (joint) |
| Belarus | No data | No data | No data | No data |
| Kazakhstan | 74% | 70% | 72% | 44th (joint) |
| Kyrgyz Republic | 67% | 53% | 59% | 87th (joint) |
| Moldova | 67% | 88% | 79% | 17th (joint) |
| Russia | 59% | 64% | 62% | 72nd (joint) |
| Tajikistan | 54% | 57% | 56% | 96th (joint) |
| Uzbekistan | 78% | 87% | 83% | 11th (joint) |
Source: Open Data Inventory 2024 Global Rankings
Here are the two types of databases that businesses can acquire:
- AML databases (global watchlists, PEP, and sanctions lists, adverse media, etc.). Although PEPs and sanctions screening in the CIS region is a must (given the large number of corrupt officials), it's extremely difficult to find domestic PEPs and sanctions lists. Therefore, businesses should rely on international AML lists and adverse media checks for verifying CIS users.
- Databases for identity verification (credit bureaus, governmental, and consumer databases). Although some CIS countries (Armenia, Belarus, Russia, and Moldova) allow identifying persons solely through governmental databases, this doesnât provide the necessary protection from fraud.
Fraud via databases
All in all, verifying identities through credit bureau databases also poses significant risks. Let's take a look at a popular fraud scheme that illustrates the vulnerabilities of these databases:

Yet, database screening can be a useful additional step for verifying CIS users, but businesses shouldn't rely solely on it.
Acquiring a database in the region can be a lengthy and expensive process. The expenses are not due to check costs, but rather the need to set up a legal entity in the country in order to use governmental databases. Therefore, it can be more cost- and time-saving to reach out to a provider.
How to safely onboard users in the Eastern European and Central Asian (including CIS) countries in 2026
Sophisticated fraudsters don't only rely on falsified documents. Many use genuine stolen or purchased documents, sometimes obtained on illicit markets. In such cases, even strong document checks may not detect fraud because the document itself hasn't been altered. Therefore, businesses must combine multiple verification methods to ensure that the person presenting the document is its rightful holder, and continue monitoring them throughout their lifecycle.
Here's Sumsub's recommended approach to secure and efficient onboarding:
Automated document screening. Use technology capable of detecting document tampering and validating security features, including support for Cyrillic, Armenian, and Georgian scripts. Automated solutions enable faster verification, aligning with increasing digitization and user expectations across the region.
Database checks. Screen against government sources where available, along with sanctions lists, PEP databases, and internal blocklists. Given heightened fraud risks and the circulation of stolen or illegally obtained IDs in the region, database checks provide an essential additional layer of security.
Facial biometrics. Apply AI-powered liveness detection and face matching to confirm that the actual document holder is present during verification. This prevents impersonation attempts involving masks, deepfakes, or synthetic identities.
AI-powered transaction monitoring. Identity fraud is only one dimension of risk. Ongoing transaction monitoring is necessary to detect suspicious payments, money laundering patterns, account takeovers, and other post-onboarding threats. Machine learning models can adapt to new fraud schemes faster than manual rule-based systems.
Ongoing monitoring. Continue screening customers after onboarding for sanctions updates, PEP status changes, and new risk indicators. Even legitimate users can become high-risk over time, so periodic reviews and automatic alerts are crucial to regulatory compliance.
NFC verification. Modern CIS passports, including those issued in Uzbekistan, Kazakhstan, Armenia, and Russia, contain biometric NFC chips. Using NFC verification enables businesses to instantly confirm chip authenticity and match biometric data with document information, ensuring a higher level of assurance against forgery and the use of stolen IDs.
By combining strong onboarding checks with continuous monitoring, businesses can maintain a secure environment while still providing fast, seamless access to services for legitimate customers in CIS countries.

Best approach to user onboarding in the CIS region
All in all, a secure onboarding process should include a multi-layered approach.
How to store user data in CIS countries
To recap, businesses must store the personal information of users from Kazakhstan, Russia, and Uzbekistan locally. So, if a business has Uzbek customers, it must only keep their data in Uzbekistan. Businesses shouldnât neglect this requirement since non-compliance can result in enormous fines.
To store data locally, businesses can rent servers in the relevant country. CIS states other than Kazakhstan, Uzbekistan, and Russia do not require local data storage; all that matters is that personal data is kept securely.
Cross-border transfers of personal data are possible but require consent from users in written form. However, there are a number of countries that businesses can transfer data to without prior consent. These include Germany, the UK, and other states that belong to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Key takeaways
Businesses can build unified onboarding flows for users in the CIS and elsewhere, as there are no unique requirements for remote verification in this region.
To avoid regulatory sanctions, businesses should ensure that their onboarding process is fully compliant, paying extra attention to data protection obligations, as breaches can result in the seizure of business activity and extremely large fines.
Given the widespread risks in the CIS, it's best to take an onboarding approach that includes not only document verification but also sanctions screening, biometric checks, as well as NFC verification and ongoing monitoring.
Following these principles, companies will be able to expand into the CIS market, acquiring more customers and staying protected from fraud and AML risks.