Russian authorities are advancing legislation that would require banks to verify customer financial transactions via the state-controlled messaging platform Max. This initiative, referred to as “Antifraud 2.0,” is currently poised for its second reading in the State Duma, as reported by Kommersant and The Moscow Times on March 24.
Proposed Regulations and Industry Concerns
The draft law stipulates that confirmation through the government messenger will be necessary for all “significant actions” executed remotely by clients. However, the legislation lacks clarity on what constitutes a significant action, leaving banks and customers in a state of uncertainty.
Opposition to the initiative has surfaced from representatives of the National Financial Market Council (NSFR), who describe the proposal as “legally excessive and unjustifiably costly.” This stance was articulated in a letter addressed to the Russian government and the Central Bank, which was reviewed by Kommersant.
Banks have expressed concerns that the requirement to confirm transactions through Max overlooks other verification methods that may offer superior protection. Market participants have also highlighted potential information security risks associated with the mandatory use of the state messenger. NSFR head Andrey Emelin warned, “Any serious technical failure or computer incident, such as a DDoS attack on the national messenger, could lead to an indefinite suspension of all legally significant online activity in the country, including banking operations and transactions.”
Furthermore, Emelin pointed out the current technical limitations that prevent legal entities from sending messages through Max to private individuals without prior initiation from the client.
Expert Opinions on Security and Effectiveness
Experts in the IT and financial security sectors have raised questions regarding the effectiveness of the proposed regulations. Mikhail Sergeev, lead engineer at CorpSoft24, noted that push notifications within banking applications provide a more secure alternative to messages sent via Max, as they are not reliant on mobile network availability.
Denis Kalemberg, CEO of SafeTech, echoed these sentiments, arguing that additional confirmation codes do not inherently enhance customer protection. He cautioned that such codes are susceptible to interception during transmission. Kalemberg also pointed out that the proposed scheme contradicts existing Central Bank requirements, which advocate for the use of cryptographic tools to secure transactions.
In a related context, users of the Max platform have reported being automatically subscribed to pro-war and propaganda channels without their consent. Complaints surfaced on the Russian online forum Pikabu, where users noted the sudden appearance of unfamiliar channels in their chat lists. One user shared a video demonstrating repeated attempts to unsubscribe from a channel linked to pro-Kremlin propagandist Vladimir Solovyov, only to find the channel reappearing despite multiple efforts.
Other users echoed similar frustrations, particularly with the desktop version of the application, where attempts to leave unknown channels often failed. Reports indicate that Russian officials are opting to use separate phones and SIM cards to install Max, suggesting a lack of confidence in the platform among government employees, lawmakers, and executives of state-owned enterprises.