Banking Regulation 2025 Comparisons

Principal Laws and Regulations

The banking regulations system in Ukraine consists of the laws that are promulgated by the Parliament of Ukraine and respective by-laws introduced by supervising authorities. The principal laws and regulations governing the Ukrainian banking sector are as follows.

• The Law of Ukraine On Banks and Banking Activity dated 7 December 2000 (the “Banking Law”). The Banking Law stipulates the structure of the Ukrainian banking system as well as the general organisational, legal and economical requirements for the creation, operation and liquidation of banks.
• The Law of Ukraine On Joint Stock Companies dated 27 July 2022. The Law sets the procedure for creation, operation, reorganisation of joint stock companies as well as rights and obligations of shareholders. A joint stock company is the primary legal form banks use for their creation in Ukraine.
• The Law of Ukraine On Financial Services and Financial Companies dated 14 December 2021. The Law establishes the high-level regulation for the:
1. functioning of the financial market;
2. activities of financial and/or ancillary services providers; and
3. state regulation and supervision over financial services providers etc.
• The Law of Ukraine On Prevention and Counteraction to Legalisation (Laundering) of Criminal Proceeds, Terrorist Financing and Financing of Proliferation of Weapons of Mass Destruction dated 6 December 2019 (the “AML Law”). The AML Law establishes a legal mechanism for counteracting and combating laundering of illicit proceeds, terrorism financing and financing with proliferation of weapons of mass destruction (“anti-money laundering”) by determining the subjects of anti-money laundering combating and their rights and obligations. Ukrainian banks as primary subjects of anti-money laundering combating have to comply with this Law.
• The Law of Ukraine On Currency and Currency Transactions dated 21 June 2018. The Law stipulates general foreign exchange regulations, including the possibility of introducing necessary restrictions ranging from restrictions on transfer of funds from Ukraine to export-import transactions supervision. Under the Law, banks are declared as the main authorised subjects that have to make sure that the payments they facilitate do not violate the currency control regulation. Nine foreign exchange regulations have been issued by the National Bank of Ukraine (the “NBU”) to address the foreign exchange regulation in detail. 
• The Regulation on Work of the Banking System During the Martial Law, approved by the Management of the National Bank of Ukraine No 18 dated 24 February 2022 (the “Martial Law Regulation”). The Martial Law Regulation sets the foreign exchange restrictions that apply in Ukraine for the period of the martial law and overrules all other regulations issued by the NBU.
• Instruction on the Procedure of Regulating Banking Activity in Ukraine. This was approved by the Decree of the Management of the National Bank of Ukraine No 368 dated 28 August 2001, setting economical and financial requirements banks must comply with.
• Regulation on Licensing of Banks. This was approved by the Decree of the Management of the National Bank of Ukraine No 149 dated 22 December 2018 (the “Licensing Regulation”), stipulating the:
1. detailed procedure for creation, liquidation of banks;
2. banking licence application procedure; and
3. requirements for shareholders or potential buyers of a bank, etc.
• Others.

Banking Sector Regulators

The main state regulator and supervisor of banks is the NBU. In general, the NBU:

• issues and revokes bank licences;
• provides banks with the necessary financing, including acts as the lender of last resort;
• qualifies bank’s purchasers or current shareholders with permission to acquire or increase their shareholding in a bank respectively; and
• is responsible for prudential supervision etc.

Another important regulator is the Deposit Guarantee Fund which is responsible for securing functioning of the deposit guarantee system in Ukraine, liquidating insolvent banks and repaying amounts to creditors, including guaranteed amounts to individuals.

Authorisation Requirement

Under the law, legal entities are prohibited from carrying out banking activities, unless they have obtained a banking licence. Banking activities include:

• deposit services (attracting funds and bank metals from an unlimited number of persons with an obligation to return them);
• bank account services (opening and managing bank accounts for clients); and
• credit services (lending funds that were attracted as deposits).

A person carrying out banking activities without a licence can be held liable according to the law. A person carrying out banking activities without the respective licence can be specifically held liable under Article 1668 of the Code of Ukraine on Administrative Offenses that sets a fine ranging from UAH1,700 (approximately USD40) to UAH51,000 (approximately USD1,200). Depending on the particular case, a person that carried out banking activities without a licence can also be held liable under civil and/or criminal charges.

Authorisation Process

The NBU is the main regulator that issues banking licences to applicants in Ukraine. A newly established bank will apply for a banking licence within a year of its registration as a legal entity.

Before the state registration of a bank as a legal entity, shareholders of the bank or their representatives will apply to the NBU for the approval of the bank’s charter. Simultaneously, an authorised representative of a future bank must file documents regarding the bank’s shareholders. In general, the package of documents include:

• banking licence application;
• corporate decisions establishing a bank;
• bank’s charter;
• shareholders’ identification/business reputation documents/information;
• confirmation of the full payment of the charter capital;
• information regarding affiliated entities/persons;
• strategy and business plan;
• approval of the Antimonopoly Committee of Ukraine (if applicable); and
• others.

All documents/information will be submitted to the NBU simultaneously. The NBU reserves the right to request any additional documents/information that it considers necessary for decision making. The NBU has three months upon receiving the full package of documents to decide to issue a banking licence or refuse to. The overall application fees to be paid by a future bank to the NBU total UAH229,000 (approximately USD5,500).

Banking and Ancillary Activities

Activities that are allowed or prohibited to be carried out by Ukrainian banks are listed in Articles 47 and 48 of the Banking Law.

Banks are allowed to provide banking and other financial services, except for insurance services, under a banking licence. Banking services include:

• deposit services (attracting funds and bank metals from an unlimited number of persons with an obligation to return them);
• bank account services (opening and managing bank accounts of clients); and
• credit services (lending funds that were attracted as deposits).

Banking services can only be provided by banks.

Other financial services that can be provided by banks are:

• financial leasing;
• factoring;
• issuance of guarantees;
• currency trading;
• financial payment services;
• financial instruments trading (either direct purchase sale or organisation of this trading);
• clearing services;
• depository services;
• asset management;
• management and financing of real estate construction; and
• administration of non-state pension funds.

Specific services can be provided by banks subject to obtaining the respective licence from the National Security and Exchange Commission.

Banks can also carry out other specific activities, other than providing banking and financial services. Specifically, banks can provide custodian services or offer individual bank safes, as well as render operations with cash, provide cash delivery services and provide consultation and information services regarding banking and other financial services. Finally, banks can also act as an administrator for the purposes of the issuing of bonds.

Ukrainian law directly forbids banks from engaging in risky activities that undermine interests of depositors or other creditors of a bank. In addition, banks cannot engage in material production, trade and insurance.

Banks can own real estate up to 25% of the equity capital of the bank. The threshold does not apply to:

• premises that are used for banking operations;
• enforced real estate;
• real estate assets acquired by a bank to avoid damages subject to the sale of the assets within a year from the moment of the acquisition; and
• assets owned by a bank based on the trust ownership.

A person intending to acquire or increase control over a bank must notify the NBU about the acquisition or increase if the acquisition or increase triggers the substantial control threshold requirement. The substantial control thresholds are set at 10, 25, 50, 75 and more per cent of the charter capital of a bank. The law directly forbids acquiring or increasing substantial control over a bank without the NBU’s consent. At the same time, the notification requirement also applies if a shareholder decreases its control in a bank so that substantial control thresholds are triggered.

A bank will notify the NBU within three working days of the moment they have become aware of the acquisition, increase or decrease of the substantial control over a bank.

A shareholder acquiring or increasing the substantial control over a bank will apply to the NBU for respective approval. The shareholder will apply for an approval no later than two months before the anticipated acquisition or increase. An applicant will file documents and information that will allow the NBU to consider the following issues:

• ownership structure showing the structure after acquisition or increase of the substantial control;
• approval or consent of the Antimonopoly Committee of Ukraine (if applicable);
• business reputation of an applicant;
• financial position of an applicant; and
• others.

There are no direct restrictions on the foreign ownership of Ukrainian banks, except for individuals or legal entities residing or registered in a state conducting aggression against Ukraine and subject to the applicable sanction requirements of Ukraine.

Applicable Regulation

Since Ukrainian banks are established and exist as joint stock companies, the Law of Ukraine On Joint-Stock Companies No 2465-IX dated 27 July 2022 applies to them. The Law specifies the general requirements for the corporate governance structure and directors duties of joint stock companies. The corporate governance structure of banks is subject to more detailed requirements which are contained in the Banking Law and the Licensing Requirements. 

Governing Bodies

A shareholders’ meeting is the highest management body in a bank. It is responsible for the general management of a bank. This includes:

• defining the main areas of its activity;
• amending the management structure;
• issuance or cancellation of shares; and
• approval of regulations applying to the activity of the shareholders’ meetings, management board and supervisory board etc.

The management board is responsible for the day-to-day management of a bank. It has to create the following mandatory committees as a minimum:

• credit committee; and
• assets and obligations committee.

The management board is headed by a CEO who is personally liable for the bank’s business. There will be no less than three members in a bank’s management board. The tenor of the management board’s members’ service will not exceed three years. After expiration or this term they may be reappointed for a new term.

Banks have to have a supervisory board which will be responsible for supervising the management board activity and protecting the interests of depositors, other creditors of a bank and the bank’s shareholders. Under the law a bank must have at least five members on its supervisory board. Members of the supervisory board are forbidden from holding any other positions in the bank.

Banks have to have risk management, compliance and internal audit departments. These departments represent an integral part of the compliance and risk management system of a bank. The NBU sets out special qualification requirements for the heads of these departments. The dismissal of the heads of the risk management, compliance and internal audit departments will be approved by the NBU, unless the head is dismissed based on their voluntary decision or based on the mutual agreement between the head and a bank or due to the expiration of a labour agreement.

Ethical and Diversity Requirements

Each bank will incorporate a code of conduct (ethical code). The ethical code must be approved by the supervisory board of a bank. The approved ethical code is mandatory for the bank’s employees.

No diversity requirements apply to the corporate governance of Ukrainian banks.

A person falls under the “senior manager” definition if they hold any of the following positions in a bank:

• the head, deputy head or member of the management board;
• the head, deputy head or member of the supervisory board; and
• the chief accountant.

The appointment of senior managers of a bank must be approved by the bank according to the procedure defined in the Licensing Regulation. The head of the management board, chief accountant and members of the supervisory board can only commence their duties after the NBU’s approval.

In general, senior managers will have to comply with qualification requirements that consist of professional suitability and business reputation.

The business reputation must be impeccable. In order to prove the professional suitability of a senior manager, a bank must file documents proving education, professional and management experience of the respective person.

Under the law a senior manager must have a specific number of years of experience before holding a specific position. For example, a head of the management board must have at least five years of experience in banking and finance and at least three years of experience of management positions in a bank. Other members of the management board will have to have at least three years experience of a management position in a bank.

No less than half of members of the supervisory board of a bank, including the head of the supervisory board, must have at least three years of experience in the banking industry. The law requires the chief accountant to have at least five years of experience. Meanwhile, the deputy to the chief accountant will have to have at least two years of experience to hold the position.

A bank must inform the NBU about the appointment of a senior manager within three days from the appointment and file all documents to the NBU within a month for the appointment to be approved. The NBU will inform the bank about its decision within 45 calendar days of receiving the full package of documents from a bank. A bank may also receive pre-appointment approval from the NBU. In this case, no further approval by the NBU is needed if the bank appoints the respective senior manager within six months from the date of the pre-appointment approval.

Applicable Regulation

The NBU has introduced the Regulation On the Remuneration Policy in a Bank No 153 dated 30 November 2020 (the “Remuneration Regulation”) for the purpose of setting the requirements for the internal remuneration policies or regulations of banks and the respective reports. The requirements stipulated in the Remuneration Regulation are minimum requirements and a bank has to set other detailed requirements considering the bank’ size, particularities, risk profile, banking offering and financial services etc.

A bank must implement a specific remuneration regulation for members of the management board and persons whose professional conduct has a significant effect on the bank’s risk profile in line with the remuneration policy.

Individuals Subject to the Remuneration Requirements

The requirements of the Remuneration Regulation generally apply to:

• members of the management board;
• members of the supervisory board; and
• persons whose professional conduct has a significant effect on the bank’s risk profile (the “Significant Professional Person”).

A bank’s employee falls under the Significant Professional Person definition if they satisfy one of the quantitative or qualitative criterion listed in the Remuneration Regulation or the bank’s remuneration policy. For example a person:

• is a head of a department;
• is a chief accountant of a bank;
• holds the position that entitles them to introduce new banking products or veto decisions on implementation of new banking products;
• is an employee who has a salary in excess of EUR70,000; and
• others.

Remuneration Principles

The remuneration policy of a bank will:

• secure sustainable development, comply with the bank’s strategy and facilitate functioning of the risk management;
• be gender neutral and be based on the principle of equal remuneration of male and female employees; and
• be precise, documented, transparent and written in plain language.

Applicable Regulation

The primary legal acts addressing AML and CFT issues are the Law of Ukraine On Prevention and Counteraction to Legalisation (Laundering) of Criminal Proceeds, Terrorist Financing and Financing of Proliferation of Weapons of Mass Destruction No 361-IX dated 6 December 2019 (the “AML Law”) and the Regulation of the NBU on Conducting of the Financial Monitoring by Banks No 65 dated 19 May 2020.

General Rule

Under the AML Law, banks are declared the subjects of primary financial monitoring, ie, a subject that analyses, reports, suspends, terminates and/or blocks (as the case may be) financial transactions or bank accounts of its clients according to the procedure stipulated in the AML legislation.

Customer Due Diligence

Banks as subjects of the primary financing monitoring have to conduct proper due diligence of their clients. The proper due diligence of a client includes various actions such as identification and verification of the client, determining an ultimate beneficiary owner(s) of a client (including an ownership structure), clarifying the aim and character of the client’s financial transactions and business relationships as well as conducting permanent monitoring of these transactions or relationships and securing the documents that are relevant to the client.

Identification or verification of a client must be done before establishing business relationships with the client. A bank has a right to request information/documents/explanations from its clients to perform its obligations under the AML legislation and a client has to address the respective enquiry.

While performing their obligations, banks must use a risk-oriented approach. This means that depending on the client’s risk/financial transaction’s suspiciousness assessment, the bank must conduct a thorough strictness and depth analysis. Specifically, where the risk is low, a bank can conduct simplified proper due diligence while where the risk is high, the enhanced due diligence must be rendered.

Banks also have to update the client’s due diligence portfolio from time to time. The frequency of the update depends on the client’s risk level and can vary from once in five years (in the case of low-risk clients) to once a year (in the case of high-risk clients).

Reporting

Banks have to report suspicious and threshold financial transactions exceeding UAH400,000 (approximately USD9,500) as well as on the discrepancies between the information on the ultimate beneficiary owner(s) of a client in the State Register of Legal Entities of Ukraine and the information filed by a client. Suspicious transactions are ones that in a bank’s view can be connected to money laundering or terrorism financing. All reports must be filed with the State Financial Monitoring Service of Ukraine, the main state body executing financing intelligence powers in Ukraine.

Internal Controls and Procedures

The AML legislation obliges banks to implement robust and sound internal policies, control and procedures. A bank will secure a three-level AML security structure, create a separate AML division to be led by an authorised person approved by the NBU, introduce internal AML policies/procedures and secure regular reporting to the board of directors.

General

Under the Law of Ukraine On the Individuals’ Deposit Guarantee System No 4452-VI dated 23 February 2012 (the “Deposit Guarantee Law”), all banks have to be members of the Deposit Guarantee Fund and they become members upon receiving a banking licence from the NBU.

Administrator of the Scheme

The Deposit Guarantee Fund is a special government agency responsible for the administration of the individuals’ deposit guarantee system, removing insolvent banks from the Ukrainian banking system and liquidating banks.

Entitled Persons

The Deposit Guarantee Fund only guarantees deposits of individuals and individual entrepreneurs that are held by a bank based on the banking account agreement and/or banking deposit agreement, including interests accrued on these amounts.

Guaranteed Amount

The Deposit Guarantee Law states that the guaranteed deposit amount is limited to UAH200,000 (approximately USD4,700. However, following the imposition of martial law and three months after it is terminated no limits apply to the amounts that will be returned to individuals and individual entrepreneurs. Depositors are therefore entitled to receive the full amount of funds deposited with the bank. After the termination of the current martial law that came into effect on 24 February 2022, the guaranteed amount will be increased to UAH600,000 (approximately USD14,000).

Funding

The Deposit Guarantee Fund is funded via the following main sources.

• Initial fees. Newly licensed banks have to pay a fee to the Deposit Guarantee Fund which is equivalent to 1% of the bank’s charter capital within 30 calendar days from the day the licence is issued.
• Regular fees. Banks have to pay regular fees on the last working day of each quarter. The fees are calculated based on the accrual basis for calculating the regular fee which is the arithmetic average of the daily balances on deposit accounts.
• Funds received from the investment activity of the Deposit Guarantee Fund. The Deposit Guarantee Fund can invest its funds into state treasuries or bonds of international finance institutions.

The Deposit Guarantee Fund is also actively tracing assets of insolvent banks and their beneficiaries. Specifically, the fund initiated numerous court and enforcement proceedings against banks and their beneficiaries who went insolvent between 2015 and 2017. During this period approximately 90 banks went into insolvency. Most of these were liquidated.

Applicable Regulation

The capital, liquidity and related financial ratio requirements are set by the Instruction on the Regulation of Banking Activity in Ukraine, which was introduced by Regulation No 368 dated 28 August 2001 (the “Instructions”).

Basel III standards have not been implemented in Ukraine so far. However, over the course of the last few years the NBU has been updating the Instructions to implement EU banking features and Basel requirements. The further implementation of the EU and Basel requirements will continue due to the integration course Ukraine has embarked on with the EU.

Risk Management

Banks must create comprehensive, robust and effective internal control management systems that include risk management and internal audits. The risk management system of a bank will secure detection, evaluation, monitoring, control, reporting and reduction of all material risks in a bank’s activity. When developing the risks management system, a bank must consider its size, volume, type and features of a bank’s transactions. Risk management and compliance departments are mandatory departments in the bank’s organisational structure.

Charter Capital

The charter capital of a bank will not be less than UAH200 million (approximately USD4.7 million). Meanwhile, the NBU may set a higher charter capital amount threshold for specific banks.

Regulatory Capital Adequacy

The NBU requires banks to have regulatory capital adequacy at the level of 8.5% of the total risk exposure (total amount of assets + minimum amount of operational risk x 10 + minimum amount of market risk x 10 + total amount of differences that occur due to the transfers into banking or trade books (uncovered credit risk)). However, banks expect an increase in the regulatory capital adequacy requirements this year. The increase is expected on 30 June 2025 and banks will have a regulatory capital adequacy ratio set at 9.25%.

Capital Buffers

Conservation buffer

Banks will have a conservation buffer amounting to 2.5% of the total risk exposure.

Countercyclical buffer

The NBU obliges banks to create a countercyclical buffer in case of excessive growth of lending or other signs that indicate an increase in systemic risks. The amount of the buffer can be 0% to 2.5% of the total risk exposure.

Systemically important bank buffer

The buffer only applies to systemically important banks. As of December 2024, there are 15 systemically important banks. Depending on the category of the systemically important bank, the buffer requirement can be 1% (for the first category), 1.5% (for the second category) or 2% (for the third category) of the total risk exposure.

Systemic risk buffer

If systemic risks (other than those that have been considered for the countercyclical buffer) occur, the NBU can introduce the systemic risk buffer ranging from 0% to 3% of the total risk exposure.

Liquidity requirements

Banks have to have enough liquidity assets to cover 100% of funds outflows for 30 calendar days under the stress scenario.

General

The resolution procedure of a failing bank is regulated by the Banking Law and the Deposit Guarantee Law. The regulators who are responsible for dealing with a failing bank are the NBU and the Fund. The National Bank of Ukraine supervises banks and can declare a bank problematic, insolvent or initiate a liquidation procedure. The Fund meanwhile manages a failing bank through an administrator as well as sending proposals to the NBU regarding the liquidation of a bank. The NBU is obliged to execute the proposal.

A failing bank can specifically be subject to three failure statuses:

• problematic bank;
• insolvent bank; and
• bank in liquidation.

Problematic Bank

The NBU may declare a bank problematic if it does not comply with the minimum legally required capital adequacy or illiquidity requirements for 30 calendar days or the systematically submits and/or publishes falls information or reports with a purpose to conceal the real financial conditions of the bank. A bank has 120 calendar days to remedy the situation and comply with the requirements. Upon the expiration of the term, the NBU either declares the bank compliant or insolvent.

Insolvent Bank

The removal of an insolvent bank from the banking market will be initiated upon declaring the bank insolvent. The removal of an insolvent bank from the banking market cannot be stopped.

The NBU can declare the bank insolvent if:

• the bank’s capital adequacy ratios decreased by 50 or more per cent from the minimum required amounts;
• the grounds on which the NBU declared the bank problematic recur within 60 days of the moment the NBU declares the bank compliant;
• the bank has not performed its obligations before creditors (including depositors) in a timely manner due to the lack of funds;
• the problematic bank has not cured its financial ratios for 30 days;
• the problematic bank executes agreements that trigger an increase of obligations to individuals within the guarantee deposit amount;
• the problematic bank has failed to execute the NBU’s directives, decisions and/or requirements within the stipulated timeframe; or
• the problematic bank refuses to provide the bank examiners with access.

The Fund establishes an interim administration of an insolvent bank no later than the next working day after receiving the official decision of the NBU on the declaration of the bank as insolvent. The interim administration manages the bank. During the interim administration period, the Fund will approve a resolution plan for the bank. The possible resolution options include:

• liquidation;
• bridge bank;
• asset separation;
• sale of a bank to an investor; and
• bail-in.

Liquidation

Bank can be liquidated if:

• the option is stipulated in the resolution plan;
• the resolution plan has not been executed within the term;
• a bank submitted false information when it applied for the banking licence;
• a bank has not performed any transaction within a year; and
• a bank has systematically violated the AML Law.

Once it is commenced, the liquidation procedure cannot be stopped. The liquidation is managed by the Fund and is completed upon approval of the liquidation balance sheet. The information about the liquidation will be reflected in the Banking Register and the Unified Register of Legal Entities.

Repayment Preference Rules

Each depositor will get repaid the guaranteed deposit amount. Amounts that exceed the guaranteed deposit amount will get repaid according to the repayment preference rule stated in the Deposit Guarantee Law. Funds received as a result of the liquidation and sale of bank’s assets or investment of bank’s funds will specifically be used by the Fund to repay the creditors’ claim in the following preference order:

• life harm or health injuries claims;
• the salary claims of bank employees;
• the Fund’s claims;
• claims of depositors that have not been covered by the guarantee amount;
• the NBU’s claims;
• claims of individuals in connection with the blocked transactions;
• claims of other individuals;
• other claims, except for the subordinated debt;
• claims of affiliated persons;
• claims of the subordinated debt; and
• claims under write-off or conversion terms.

There are no specific banking regulatory requirements related to ESG matters. However, over the course of the last few years, the NBU has been addressing the ESG issue constantly.

In 2021, the NBU introduced the Policy on the Sustainable Financing Until 2025 (the “ESG Policy”) that aims to establish the general vision of the main principles of sustainable financing in Ukraine and respective actions of the NBU to implement the sustainable financing. The NBU policies are not generally mandatory but proclaim the overall vision of the regulatory body and the direction in the specific matter instead.

The ESG Policy stipulated the following actions to be taken by the NBU to implement ESG management and standards in the financial market. All of the necessary steps should have been completed by 2025. The necessary steps included:

• the improvement of the corporate governance procedures related to ESG;
• the development of ESG disclosure standards;
• the development of ESG risk management requirements;
• the introduction of the evaluation and selection criteria for sustainable financing;
• the securing of the disclosure of information related to the sustainable financing;
• the integration of climate aspects into the system of securing the financial stability; and
• the implementation of measures to increase the level of financial awareness of economic entities in the development of sustainable financing in Ukraine.

However, due to the commencement of the full-scale invasion of Ukraine by the Russian Federation, the implementation of the ESG Policy has been suspended. In 2024, the NBU released the Policy on the Development of the Sustainable Financing (the “Sustainable Financing Policy”). The Sustainable Financing Policy stated that:

• the implementation of the ESG Policy has been suspended due to the ongoing war;
• the ESG Policy does not comply with updated EU legislation; and
• the ESG Policy does not address the new challenges that the financial community and the NBU currently face.

Under the Sustainable Financing Policy, the development and implementation of the Sustainable Financing Policy is going to be implemented in three stages. These are as follows.

• In the first stage, the NBU will introduce a White Book on the ESG policy that will:
1. propose the unified terminology;
2. adopt the unified questionnaire for banks’ clients; and
3. systematise the experience in preparing ESG policies and strategies for banks.
• In the second stage, the NBU will adopt the ESG policy addressing recommendation for ESG risks management and disclosure.
• In the third stage, the ESG policy will be applied to non-banking institutions as well.

The Digital Operational Resilience Act (DORA) is the EU regulation that came into force in January 2025 and is aimed at increasing the cybersecurity resilience of financial services providers and ensure proper resistance, response and recovery from disruptions. Ukraine is not an EU member yet and DORA does not apply to local banks.

However, the NBU has introduced specific local regulations addressing cybersecurity and information and communications technology-related issues.

The Regulation of the NBU on the Organization of Measures to Ensure Information Security in the Banking System of Ukraine No 95 dated 28 September 2017 setting the minimal organisational measures to be taken by local banks to secure information security and cybersecurity as well as requirements for the information systems of banks.

In 2022 the NBU also introduced the Regulation on the Organization of Cybersecurity in the Banking System of Ukraine No 178 dated 12 August 2022 prescribing the main principles of the cybersecurity system, detailed cybersecurity measures of banks and information exchange procedures between banks and the NBU.

Finally, the Regulation of the NBU on Supervision over Compliance of Banks with Information Security, Cybersecurity and Electronic Trust Services Legislation No 4 dated 16 January 2021 specifies the NBU’s mandate to supervise banks in connection with compliance with cybersecurity legislation. It also obliges banks to conduct self-assessment of their information security and cybersecurity systems.

In 2024, the NBU introduced draft amendments to these regulations that are intended to make them more compliant with the EU legislation, including DORA. The draft amendments have been circulated for public consultation and this consultation window has closed. They are expected to be approved and introduced at some point in 2025.

Foreign Exchange Restrictions

Upon the commencement of the Russian Federation’s full-scale invasion of Ukraine, the NBU introduced the strict foreign exchange regulations by way of adopting the Regulation of the NBU on the Operation of the Banking System during the Martial Law No 18 dated 24 February 2022 (the “Regulation No 18”). The Regulation No 18 overrules all other NBU foreign exchange regulations and is the main legal act addressing, inter alia the cases when local companies, including banks, can transfer funds from Ukraine abroad, buy foreign currency, restrictions for companies having Russian/Belorussian beneficiaries, the amount limits for card payments, currency exchange peculiarities etc. Banks are authorised entities and have to analyse their client’s transactions and make sure that requirements under the Regulation No 18 are met and clients do not circumvent them.

Upon the introduction of the Regulation No 18, the NBU stated that the restrictions are temporary and will be eased periodically but taking the financial condition of Ukraine and the foreign financial aid into account. Over the course of three years, the NBU introduced numerous relaxations and exceptions. In 2025, more relaxations and exceptions will be introduced considering that business highlighted the importance of reaching the EUR1 million quarter threshold for interest repayments under loan agreements with non-residents of Ukraine and to allow repayments of debts under import transactions conducted before 23 February 2022.

The NBU never provides advance notification about amendments before putting them into effect. Upon the introduction of new amendments to the Regulation No 18, local banks will have to adapt to the requirements and make sure that clients are conducting transactions in line with the law.

Russian/Belorussian Software

Before the full-scale invasion, it was market practice for most Ukrainian banks (including the ones with foreign investments) to use Russian/Belorussian software. However, last year the NBU approached local banks demanding they inform them of the types of Russian/Belorussian software they use. The NBU obliged banks to develop a plan to refuse to use the software. They will continue to supervise this issue and enforce the substitution of the Russian/Belorussian software with other software. It is expected that the Parliament of Ukraine will adopt amendments to the Law of Ukraine On Sanctions No 1644-VII dated 14 August 2014 in 2025 that will allow the National Security Council of Ukraine to declare sectorial sanctions against Russian/Belorrussian software.

Capital Adequacy Requirements

In 2024, the NBU approved a new capital structure to bring the Ukrainian requirements closer to the EU legislation under the Regulation on Amendment of Certain Legal Acts and Approving Transitional Provisions Regarding Introduction of Update Capital Requirements for Banks No 65 dated 7 June 2024 (the “Capital Requirements Regulation”).

The Capital Requirements Regulation applies a phased schedule for achieving the minimum regulatory capital adequacy ratio. The new phase commences on 1 July 2025 and obliges banks to have a minimum regulatory capital adequacy ratio of 10%. All banks must therefore make sure they comply with the new capital adequacy ratios.

The new requirements can be substantial for smaller banks. They usually comply with the capital adequacy ratios with small margins and have less capital available (including from their shareholders). They can therefore be pressured by the new requirements and decreased numbers of these banks must not be excluded.