Kuwait’s Central Bank Builds a National eKYC Platform: What Exchange Houses and Payment Firms Must Do Now

The Central Bank of Kuwait (CBK) is establishing a national electronic “Know Your Customer” (eKYC) platform, “Iʿraf ʻAmilak” (“Know Your Customer”). The platform is owned by CBK and operated by Ci-Net, the Kuwait Credit Information Network Company. According to a CBK circular reported on 23 June 2026, the platform will unify and authenticate customer data held by CBK-supervised entities and strengthen the verification of the identity and core attributes of customers, both individuals and companies, against standards adopted by CBK, with Ci-Net acting as the technical operator. The circular is addressed to exchange companies, payment-service providers, electronic-money issuers and operators of electronic payment systems. Ci-Net will contact these firms to run project workshops and share the technical and operational requirements, and the firms are required to cooperate and complete the linkage and integration with the platform. The detailed frameworks and instructions are to be announced later.

Why this matters

A national eKYC utility is a structural change, not a procedural tweak. Today each regulated firm runs its own onboarding and customer due diligence; a shared, CBK-owned platform centralises identity verification and customer “core attributes,” promising faster onboarding, fewer duplicated documents and more consistent anti-money-laundering controls across the sector. It also concentrates highly sensitive personal and corporate data in a single national utility — which raises the stakes around data protection, access control and the boundaries of permissible reliance. For exchange houses, payment-service providers and e-money issuers, integration is not optional: it is a supervisory expectation with a compliance deadline attached.

The legal backdrop

Kuwait’s KYC duties already flow from the Anti-Money Laundering and Combating the Financing of Terrorism Law No. 106 of 2013 and its executive regulations, reinforced by CBK instructions on customer due diligence, beneficial-owner identification and the risk-based approach, and by the expectations of the Kuwait Financial Intelligence Unit. The eKYC platform operationalises those duties on shared infrastructure — but it does not move the legal obligation. The duty to know the customer remains with each licensed firm; outsourcing the mechanics to a shared platform does not outsource liability. The initiative also carries a clear data-protection dimension: lawful basis and customer consent for data sharing, retention limits, information security, and the fact that the platform is CBK-owned and operated onshore by Ci-Net (Kuwait’s credit bureau). The move mirrors a wider regional trend — the UAE Central Bank is developing a comparable nationwide eKYC platform — and signals that shared regulatory data infrastructure is becoming the GCC norm.

What changes for regulated firms

Standing up to the new regime will engage several workstreams at once:

• Onboarding redesign — embedding the eKYC file into customer onboarding and periodic review, replacing or supplementing today’s manual document collection.

• Technical integration — building and testing connectivity to the platform and mapping customer “core attributes” to CBK’s data schema.

• Contracting with Ci-Net — agreeing data-processing terms, security standards, service levels, liability allocation and audit rights with the technical operator.

• Data protection and consent — refreshing customer notices and consents to cover sharing with, and reliance on, the national platform.

• Reliance and responsibility — clarifying when a firm may rely on platform-sourced verification and where its own due-diligence duty persists.

• Governance and records — updating AML policies, the MLRO’s procedures and record-keeping to reflect platform-sourced verification.

A practical readiness roadmap

A disciplined sequence reduces both time-to-integration and regulatory friction:

Nominate an owner — assign the project to compliance / the MLRO, with IT and legal support.

Join the workshops — engage Ci-Net early to capture the technical and operational requirements as they are released.

Gap-assess — map current onboarding and KYC against the platform’s data schema and obligations.

Negotiate the Ci-Net terms — data processing, security, SLAs, liability and audit rights.

Update policies and notices — the AML manual, due-diligence procedures, privacy notices and customer consents.

Build and test the integration — connectivity, data quality and fallback procedures.

Train and go live — staff training, periodic-update routines and monitoring once the platform is operational.

Key considerations and risks

Concentrating customer identity data in a single utility raises the cyber-security and operational-resilience stakes for every connected firm. Reliance boundaries must be set out explicitly to avoid a compliance gap if platform data is incomplete or stale. Consent and lawful-basis questions should be resolved before integration, not after. And because the framework is rolling out by circular — ahead of any published gazette instruction — affected firms have a short, valuable window to shape their readiness before timelines and technical mandates crystallise. Firms should watch closely for the detailed CBK instructions that will fix the integration deadlines.

How WEFAQ helps

WEFAQ’s banking, finance and regulatory team advises CBK-supervised firms across the full compliance lifecycle, AML/CFT frameworks, customer due diligence and beneficial-owner programmes, data-protection and outsourcing arrangements, and the negotiation of the Ci-Net integration and data-processing terms. We translate the eKYC mandate into a practical, defensible compliance programme, so that regulated firms meet the supervisory expectation without taking on unmanaged data or liability risk.

Source: Central Bank of Kuwait circular on the national “Know Your Customer” (eKYC) platform, as reported by Al-Anba (23 June 2026); governing framework: AML/CFT Law No. 106 of 2013 and CBK instructions. The official CBK instructions and technical requirements are pending publication; this note will be updated when the formal text issues.

Disclaimer: This article is provided for general information only and does not constitute legal advice. For advice specific to your circumstances, please contact WEFAQ Law Firm.