On 1 May 2025, the National Bank of Ukraine (NBU) released a long-awaited draft of the Regulation on Open Banking for public consultation. The Regulation is expected to take effect on 1 August 2025 and will mark a significant milestone in the development of Ukraine’s digital financial ecosystem. Stakeholders can submit proposals and ideas on open banking in Ukraine to the NBU as it completes the final version of the Regulation.
Background
Open banking was first introduced in Ukraine as a regulatory concept in 2023, aligned with the revised Law of Ukraine “On Payment Services”. The draft Regulation now proposes a comprehensive legal and technical framework to enable secure data sharing between banks and authorised third parties with the users’ consent.
At its core, open banking allows third-party payment service providers (TPPs), such as account information and payment initiation service providers, to access bank account data of users and initiate payments via standardised digital interfaces, known as specialised interfaces.
Key provisions
The draft Regulation sets out rules governing the relationship between the following participants in the open banking ecosystem:
- Account servicing payment service providers (ASPSPs), including banks and non-bank PSPs;
- Third-party PSPs providing non-financial payment services;
- Payment service technology operators;
- Users of payment services.
The Regulation establishes:
- Procedures for access: It defines the conditions under which TPPs can access user accounts and the requirements for obtaining user consent.
- Types of interfaces: Specialised interfaces will be classified as either basic (i.e. free and mandatory) or commercial (i.e. fee-based by agreement).
- Consent management: Users’ consent must be obtained and can be withdrawn through designated remote channels. For account information services, consent can be valid for up to 180 calendar days.
- Real-time access: ASPSPs must ensure real-time access to account data and payment initiation services.
- Security and authorisation: Robust authentication and authorisation processes must be implemented, including the use of qualified electronic trust services.
Compliance obligations
- Both ASPSPs and TPPs will face substantial compliance obligations, including:
- Ensuring secure and uninterrupted access through specialised interfaces;
- Monitoring for fraudulent or unauthorised activities;
- Storing user interaction and transaction data for at least five years;
- Submitting statistical reports to the NBU;
- Adopting internal procedures for incident management and user compensation;
- Ensuring transparency in the use and classification of interfaces.
Next steps
The introduction of open banking in Ukraine is a transformative step toward greater innovation, competition, and consumer empowerment in the financial sector. Law-Now will continue monitoring developments and provide updates as the Regulation evolves. Stakeholders wishing to provide proposals to the NBU on this Regulation can do so by contacting CMS.
