Banking Regulation 2026 Comparisons

Principal Laws and Regulations

The banking regulation system in Ukraine consists of laws that were promulgated by the Parliament of Ukraine and respective by-laws introduced by supervising authorities. Among the principal laws and regulations governing the Ukrainian banking sector are the following.

• The Law of Ukraine “On Banks and Banking Activity”, dated 7 December 2000 (the “Banking Law”). This Law stipulates the structure of the Ukrainian banking system as well as the general organisational, legal and economic requirements for the creation, operation and liquidation of banks.
• The Law of Ukraine “On Joint Stock Companies”, dated 27 July 2022 (the “Joint Stock Companies Law”). This Law sets the procedure for creation, operation and reorganisation of joint stock companies as well as the rights and obligations of shareholders. A joint stock company is the primary legal form that banks use in Ukraine.
• The Law of Ukraine “On Financial Services and Financial Companies”, dated 14 December 2021. This Law establishes high-level regulation for:
1. the functioning of the financial market;
2. the activities of financial and/or ancillary services providers; and
3. state regulation and supervision of financial services providers, etc.
• The Law of Ukraine “On Prevention and Counteraction to Legalisation (Laundering) of Criminal Proceeds, Terrorist Financing and Financing of Proliferation of Weapons of Mass Destruction”, dated 6 December 2019 (the “AML Law”). This Law establishes a legal mechanism for counteracting and combating laundering of illicit proceeds, terrorism financing and financing the proliferation of weapons of mass destruction (“anti-money laundering”, or AML) by determining the subjects of AML combating and their rights and obligations. Ukrainian banks, as primary subjects of AML combating, have to comply with this Law.
• The Law of Ukraine “On Currency and Currency Transactions”, dated 21 June 2018. This Law stipulates general foreign exchange regulations, including the possibility of introducing restrictions when necessary, ranging from restrictions on the transfer of funds from Ukraine to export-import transaction supervision. Under the Law, banks are declared as the main authorised subjects that have to make sure that the payments they facilitate do not violate the currency control regulations. Nine regulations have been issued by the National Bank of Ukraine (NBU) to address foreign exchange regulation in detail.
• Regulation No 18 on the Operation of the Banking System During Martial Law, approved by the Management of the NBU, dated 24 February 2022 (the “Martial Law Regulation”). The Martial Law Regulation sets the foreign exchange restrictions that apply in Ukraine for the period of martial law and overrules all other regulations issued by the NBU.
• Instruction No 368 on the Procedure of Regulating Banking Activity in Ukraine, approved by the Management of the NBU, dated 28 August 2001 (the “Banking Activity Instructions”). The Banking Activity Instructions set economic and financial requirements with which banks must comply.
• Regulation No 149 on Licensing of Banks, approved by the Management of the NBU, dated 22 December 2018 (the “Licensing Regulation”). The Licensing Regulation, among other things, stipulates:
1. the detailed procedure for the creation and liquidation of banks;
2. the banking licence application procedure; and
3. the requirements for shareholders or potential buyers of a bank.

Banking Sector Regulators

The main state regulator and supervisor of banks is the NBU. In general, the NBU:

• issues and revokes bank licences;
• provides banks with the necessary financing, including acting as the lender of last resort;
• gives a bank’s purchasers or its current shareholders permission to acquire or increase their shareholdings in the bank respectively; and
• is responsible for prudential supervision.

Another important regulator is the Deposit Guarantee Fund (the “Fund”), which is responsible for ensuring the functioning of the deposit guarantee system in Ukraine, liquidating insolvent banks and repaying amounts to creditors, including guaranteed amounts to individuals.

Authorisation Requirement

Under the law, legal entities are prohibited from carrying out banking activities unless they have obtained a banking licence. Banking activities include:

• deposit services (attracting funds and bank metals from an unlimited number of persons with an obligation to return them);
• bank account services (opening and managing bank accounts for clients); and
• credit services (lending funds that were attracted as deposits).

A person carrying out banking activities without a licence can be held liable according to the law. Specifically, a person carrying out banking activities without the respective licence can be held liable under Article 1668 of the Code of Ukraine on Administrative Offences, which sets a fine ranging from UAH1,700 (approximately USD40) to UAH51,000 (approximately USD1,200). Depending on the particular case, a person that carried out banking activities without a licence can also be held liable under civil and/or criminal charges.

Authorisation Process

The NBU is the main regulator that issues banking licences to applicants in Ukraine. A newly established bank must apply for a banking licence within a year of its registration as a legal entity.

Before the state registration of a bank as a legal entity, shareholders of the bank or their representatives must apply to the NBU for approval of the bank’s charter. At the same time, an authorised representative of the future bank must file documents regarding its shareholders. In general, the package of documents includes:

• banking licence application;
• corporate decisions establishing the bank;
• the bank’s charter;
• shareholders’ identification/business reputation documents/information;
• confirmation of the full payment of the charter capital;
• information regarding affiliated entities/persons;
• strategy and business plan;
• approval of the Antimonopoly Committee of Ukraine (if applicable); and
• other documents.

All documents/information should be submitted to the NBU at the same time. The NBU reserves the right to request any additional documents/information that it considers necessary for decision-making. The NBU has three months upon receiving the full package of documents to decide whether to issue a banking licence or refuse. The overall application fees to be paid by a future bank to the NBU total UAH229,000 (approximately USD5,500).

Banking and Ancillary Activities

The activities that are allowed to be or prohibited from being carried out by Ukrainian banks are listed in Articles 47 and 48 of the Banking Law.

Banks are allowed to provide banking and other financial services, except for insurance services, under a banking licence. Banking services include:

• deposit services (attracting funds and bank metals from an unlimited number of persons with an obligation to return them);
• bank account services (opening and managing bank accounts of clients); and
• credit services (lending funds that were attracted as deposits).

Banking services can only be provided by banks.

Other financial services that can be provided by banks are:

• financial leasing;
• factoring;
• issuance of guarantees;
• currency trading;
• financial payment services;
• financial instruments trading (either direct purchase sale or organisation of this trading);
• clearing services;
• depository services;
• asset management;
• management and financing of real estate construction; and
• administration of non-state pension funds.

Banks can also carry out specific activities other than providing banking and financial services. Specifically, banks can provide custodian services or offer individual bank safes, as well as rendering operations with cash, providing cash delivery services and providing consultation and information services regarding banking and other financial services. Finally, banks can act as an administrator for the purposes of the issuing of bonds.

Specific services can be provided by banks subject to obtaining the respective licence from the National Security and Exchange Commission.

Ukrainian law directly forbids banks from engaging in risky activities that undermine the interests of depositors or other creditors of a bank. In addition, banks cannot engage in material production, trade or insurance.

Banks can own real estate up to 25% of their equity capital. The threshold does not apply to:

• premises that are used for banking operations;
• enforced real estate;
• real estate assets acquired by a bank to avoid damages subject to the sale of the assets within a year from the date of the acquisition; or
• assets owned by a bank based on the trust ownership.

A person intending to acquire or increase control over a bank must notify the NBU about the proposed acquisition or increase if the acquisition or increase triggers the substantial control threshold requirement. The substantial control thresholds are set at 10%, 25%, 50% and 75% or more of the charter capital of a bank. The law directly forbids acquiring or increasing substantial control over a bank without the NBU’s consent. At the same time, the notification requirement also applies if a shareholder decreases its control in a bank so that the substantial control thresholds are triggered.

A bank must notify the NBU within three working days of the date it became aware of the acquisition, increase or decrease of substantial control over the bank.

A shareholder that intends to acquire or increase its substantial control over a bank must apply to the NBU for respective approval. The shareholder must apply for approval no later than two months before the anticipated acquisition or increase. The applicant must file documents and information that will allow the NBU to consider the following issues:

• the ownership structure after the acquisition or increase of substantial control;
• approval or consent of the Antimonopoly Committee of Ukraine (if applicable);
• the business reputation of the applicant;
• the financial position of the applicant; and
• other issues.

There are no direct restrictions on the foreign ownership of Ukrainian banks, except for individuals or legal entities residing or registered in a state conducting aggression against Ukraine and subject to the applicable sanctions requirements of Ukraine.

Applicable Regulation

Since Ukrainian banks are established and exist as joint stock companies, the Joint Stock Companies Law applies to them. The Law specifies the general requirements for the corporate governance structure and directors’ duties of joint stock companies. The corporate governance structure of banks is subject to more detailed requirements that are contained in the Banking Law and the Licensing Regulation.

Governing Bodies

A shareholders’ meeting is the highest management body in a bank. It is responsible for the general management of the bank. This includes:

• defining the main areas of its activity;
• amending the management structure;
• issuance or cancellation of shares; and
• approval of regulations applying to the activity of the shareholders’ meetings, management board and supervisory board, etc.

The management board is responsible for the day-to-day management of the bank. It has to create the following mandatory committees as a minimum:

• credit committee; and
• assets and obligations committee.

The management board is headed by a CEO, who is personally liable for the bank’s business. There must be no fewer than three members on a bank’s management board. The tenor of the management board’s members’ service must not exceed three years. After the expiration of this term, they may be reappointed for a new term.

Banks are obliged to have a supervisory board, which will be responsible for supervising the management board’s activity and protecting the interests of depositors, the other creditors of the bank and the bank’s shareholders. Under the law, a bank must have at least five members on its supervisory board. Members of the supervisory board are forbidden from holding any other positions in the bank.

Banks are obliged to have risk management, compliance and internal audit departments. These departments represent an integral part of the compliance and risk management system of a bank. The NBU sets out special qualification requirements for the heads of these departments. The dismissal of the heads of the risk management, compliance and internal audit departments must be approved by the NBU, unless the head is dismissed based on their voluntary decision or based on mutual agreement between the head and the bank or due to the expiration of a labour agreement.

Ethical and Diversity Requirements

Each bank must incorporate a code of conduct (ethical code). The ethical code must be approved by the supervisory board of the bank. The approved ethical code is mandatory for the bank’s employees.

No diversity requirements apply to the corporate governance of Ukrainian banks.

A person falls under the definition of “senior manager” if they hold any of the following positions in a bank:

• head, deputy head or member of the management board;
• head, deputy head or member of the supervisory board; or
• chief accountant.

The appointment of senior managers of a bank must be approved by the bank according to the procedure defined in the Licensing Regulation. The head of the management board, the chief accountant and the members of the supervisory board can only commence their duties after the NBU’s approval.

In general, senior managers must comply with qualification requirements that relate to professional suitability and business reputation.

Their business reputation must be impeccable. In order to prove the professional suitability of a senior manager, a bank must file documents proving the person’s educational, professional and management experience.

Under the law, a senior manager must have a specific number of years of experience before holding a specific position. For example, the head of a management board must have at least five years of experience in banking and finance and at least three years of experience of management positions in a bank. Other members of the management board must have at least three years’ experience of a management position in a bank.

No fewer than half of the members of the supervisory board of a bank, including the head of the supervisory board, must have at least three years of experience in the banking industry. The law requires the chief accountant to have at least five years of experience. Meanwhile, the deputy to the chief accountant must have at least two years of experience to hold the position.

A bank must inform the NBU about the appointment of a senior manager within three days from the appointment and file all documents to the NBU within a month for the appointment to be approved. The NBU must inform the bank of its decision within 45 calendar days of receiving the full package of documents from the bank. A bank may also receive pre-appointment approval from the NBU. In this case, no further approval by the NBU is needed if the bank appoints the respective senior manager within six months from the date of the pre-appointment approval.

Applicable Regulation

The NBU has introduced Regulation No 153 on the Remuneration Policy in a Bank, dated 30 November 2020 (the “Remuneration Regulation”), which sets the requirements for the internal remuneration policies or regulations of banks and the respective reports. The requirements stipulated in the Remuneration Regulation are minimum requirements, and a bank has to set other detailed requirements considering the bank’s size, particularities, risk profile, banking and financial services offering, etc.

A bank must implement a specific remuneration regulation for members of the management board and persons whose professional conduct has a significant effect on the bank’s risk profile in line with the remuneration policy.

Individuals Subject to the Remuneration Requirements

The requirements of the Remuneration Regulation generally apply to:

• members of the management board;
• members of the supervisory board; and
• persons whose professional conduct has a significant effect on the bank’s risk profile (“Significant Professional Persons”).

A bank’s employee falls under the definition of “Significant Professional Person” if they satisfy one of the quantitative or qualitative criteria listed in the Remuneration Regulation or the bank’s remuneration policy; for example, the person:

• is head of a department;
• is the chief accountant of the bank;
• holds a position that entitles them to introduce new banking products or veto decisions on implementation of new banking products; or
• has a salary in excess of EUR70,000.

Remuneration Principles

The remuneration policy of a bank must:

• ensure sustainable development, comply with the bank’s strategy and facilitate functioning of the risk management;
• be gender neutral and be based on the principle of equal remuneration of male and female employees; and
• be precise, documented, transparent and written in plain language.

Applicable Regulation

The primary legal acts addressing AML and CFT issues are the AML Law and Regulation No 65 of the NBU on the Conducting of Financial Monitoring by Banks, dated 19 May 2020.

General Rule

Under the AML Law, banks are declared the subjects of primary financial monitoring, ie, subjects that analyse, report, suspend, terminate and/or block (as the case may be) financial transactions or bank accounts of their clients according to the procedures stipulated in the AML legislation.

Customer Due Diligence

Banks as subjects of primary financial monitoring have to conduct proper due diligence of their clients. The proper due diligence of a client includes various actions such as verifying the identity of the client, determining the ultimate beneficiary owner(s) of the client (including the ownership structure), and clarifying the aim and character of the client’s financial transactions and business relationships, as well as conducting permanent monitoring of these transactions or relationships and securing the documents that are relevant to the client.

Identification or verification of a client must be done before establishing business relationships with the client. A bank has a right to request information/documents/explanations from the client to perform its obligations under the AML legislation, and the client has to address the respective enquiry.

While performing their obligations, banks must use a risk-oriented approach. This means that the strictness and depth of any analysis depends on the client’s risk assessment or the financial transaction’s suspiciousness assessment. Specifically, where the risk is low, the bank can conduct simplified proper due diligence, while where the risk is high, enhanced due diligence must be conducted.

Banks also have to update the client’s due diligence portfolio from time to time. The frequency of the update depends on the client’s risk level and can vary from once in five years (in the case of low-risk clients) to once a year (in the case of high-risk clients).

Reporting

Banks have to report suspicious and threshold financial transactions exceeding UAH400,000 (approximately USD9,500) as well as on any discrepancies between the information on the ultimate beneficiary owner(s) of a client in the State Register of Legal Entities of Ukraine and the information filed by a client. Suspicious transactions are ones that in a bank’s view may be connected to money laundering or terrorism financing. All reports must be filed with the State Financial Monitoring Service of Ukraine, the main state body executing financial intelligence powers in Ukraine.

Internal Controls and Procedures

The AML legislation obliges banks to implement robust and sound internal policies, control and procedures. A bank must establish a three-level AML security structure, create a separate AML division to be led by an authorised person approved by the NBU, introduce internal AML policies/procedures and ensure regular reporting to the board of directors.

General

Under the Law of Ukraine “On the Individuals’ Deposit Guarantee System”, dated 23 February 2012 (the “Deposit Guarantee Law”), all banks have to be members of the Fund and they become members upon receiving a banking licence from the NBU.

Administrator of the Scheme

The Fund is a special government agency responsible for the administration of the individuals’ deposit guarantee system, removing insolvent banks from the Ukrainian banking system and liquidating banks.

Entitled Persons

The Fund only guarantees deposits of individuals and individual entrepreneurs that are held by a bank based on the banking account agreement and/or banking deposit agreement, including interest accrued on these amounts.

Guaranteed Amount

The Deposit Guarantee Law states that the guaranteed deposit amount is limited to UAH200,000 (approximately USD4,700). However, between the imposition of martial law and three months after it is terminated, no limits apply to the amounts that must be returned to individuals and individual entrepreneurs. Depositors are therefore entitled to receive the full amount of funds deposited with the bank. After the termination of the current period of martial law that came into effect on 24 February 2022, the guaranteed amount will be increased to UAH600,000 (approximately USD14,000).

Funding

The Fund is funded via the following main sources.

• Initial fees: Newly licensed banks have to pay a fee to the Fund that is equivalent to 1% of the bank’s charter capital within 30 calendar days from the day the licence is issued.
• Regular fees: Banks have to pay regular fees on the last working day of each quarter. The fees are calculated based on the accrual basis for calculating the regular fee, which is the arithmetic average of the daily balances on deposit accounts.
• Funds received from the investment activity of the Fund: The Fund can invest its funds into state treasuries or bonds of international finance institutions.

The Fund also actively traces assets of insolvent banks and their beneficiaries. Specifically, the Fund initiated numerous court and enforcement proceedings against banks and their beneficiaries that went insolvent between 2015 and 2017. During this period, approximately 90 banks went into insolvency. Most of these were liquidated.

Applicable Regulation

The capital, liquidity and related financial ratio requirements are set by the Banking Activity Instructions.

Basel III standards have not been implemented in Ukraine so far. However, over the course of the last few years, the NBU has been updating the Banking Activity Instructions to implement EU banking features and Basel requirements. The further implementation of the EU and Basel requirements will continue due to the integration course Ukraine has embarked on with the EU.

Risk Management

Banks must create comprehensive, robust and effective internal control management systems that include risk management and internal audits. The risk management system of a bank must ensure the detection, evaluation, monitoring, control, reporting and reduction of all material risks in the bank’s activity. When developing the risk management system, the bank must consider its size and the volume, types and features of the bank’s transactions. Risk management and compliance departments are mandatory in the bank’s organisational structure.

Charter Capital

The charter capital of a bank must not be less than UAH200 million (approximately USD4.7 million). The NBU may set a higher charter capital amount threshold for specific banks.

Regulatory Capital Adequacy

The NBU requires banks to have regulatory capital adequacy at the level of 10% of the total risk exposure (total amount of assets + minimum amount of operational risk x 10 + minimum amount of market risk x 10 + total amount of differences that occur due to the transfers into banking or trade books (uncovered credit risk)).

However, a different ratio applies to newly established banks. For the first 12 months of its operation (commencing on the date of obtaining the banking licence), a newly established bank must comply with a 15% ratio of the total risk exposure. Thereafter, they must comply with a 12% ratio for the second year of their activity and, ultimately, with the 10% ratio from the third year onwards.

Capital Buffers

Conservation buffer

Banks must have a conservation buffer amounting to 2.5% of the total risk exposure.

Countercyclical buffer

The NBU obliges banks to create a countercyclical buffer in case of excessive growth of lending or other signs that indicate an increase in systemic risk. The amount of the buffer can be 0% to 2.5% of the total risk exposure.

Systemically important bank buffer

This buffer only applies to systemically important banks. As of June 2025, there are 16 systemically important banks. Depending on the category of the systemically important bank, the buffer requirement can be 1% (for the first category), 1.5% (for the second category) or 2% (for the third category) of the total risk exposure.

Systemic risk buffer

If systemic risks (other than those that have been considered for the countercyclical buffer) occur, the NBU can introduce a systemic risk buffer ranging from 0% to 3% of the total risk exposure.

Liquidity requirements

Banks must have enough liquidity assets to cover 100% of funds outflows for 30 calendar days under the stress scenario.

General

The procedure for resolution of a failing bank is regulated by the Banking Law and the Deposit Guarantee Law. The regulators that are responsible for dealing with a failing bank are the NBU and the Fund. The NBU supervises banks and can declare a bank problematic or insolvent or initiate a liquidation procedure. The Fund, meanwhile, manages a failing bank through an administrator as well as sending proposals to the NBU regarding the bank’s liquidation. The NBU is obliged to execute such proposals.

A failing bank can specifically be subject to three failure statuses:

• problematic bank;
• insolvent bank; or
• bank in liquidation.

Problematic Bank

The NBU may declare a bank problematic if it does not comply with the minimum legally required capital adequacy or liquidity requirements for 30 calendar days or if it systematically submits and/or publishes false information or reports with the purpose of concealing the real financial condition of the bank. The bank has 120 calendar days to remedy the situation and comply with the requirements. Upon the expiration of this term, the NBU declares the bank either compliant or insolvent.

Insolvent Bank

The removal of an insolvent bank from the banking market must be initiated upon the bank being declared insolvent. The removal of an insolvent bank from the banking market cannot be stopped.

The NBU can declare the bank insolvent if:

• the bank’s capital adequacy ratios have decreased by 50% or more from the minimum required amounts;
• the grounds on which the NBU declared the bank problematic recur within 60 days of the NBU declaring the bank compliant;
• the bank has not performed its obligations before creditors (including depositors) in a timely manner due to the lack of funds;
• the problematic bank has not cured its financial ratios for 30 days;
• the problematic bank executes agreements that trigger an increase of obligations to individuals within the guaranteed deposit amount;
• the problematic bank has failed to execute the NBU’s directives, decisions and/or requirements within the stipulated timeframe; or
• the problematic bank refuses to provide examiners with access.

The Fund establishes an interim administration of an insolvent bank no later than the next working day after receiving the official decision of the NBU on the declaration of the bank as insolvent. The interim administration manages the bank. During the interim administration period, the Fund will approve a resolution plan for the bank. The possible resolution options include:

• liquidation;
• bridge bank;
• asset separation;
• sale of the bank to an investor; and
• bail-in.

Liquidation

Bank can be liquidated if:

• the option is stipulated in the resolution plan;
• the resolution plan has not been executed within the term;
• the bank submitted false information when it applied for the banking licence;
• the bank has not performed any transaction within a year; and
• the bank has systematically violated the AML Law.

Once it is commenced, the liquidation procedure cannot be stopped. The liquidation is managed by the Fund and is completed upon approval of the liquidation balance sheet. The information about the liquidation must be reflected in the Banking Register and the Unified Register of Legal Entities.

Repayment Preference Rules

Each depositor will get repaid the guaranteed deposit amount. Amounts that exceed the guaranteed deposit amount will be repaid according to the repayment preference rule stated in the Deposit Guarantee Law. Specifically, funds received as a result of the liquidation and sale of the bank’s assets or the investment of the bank’s funds must be used by the Fund to repay the creditors’ claims in the following preference order:

• life harm or health injuries claims;
• the salary claims of bank employees;
• the Fund’s claims;
• claims of depositors that have not been covered by the guaranteed amount;
• the NBU’s claims;
• claims of individuals in connection with blocked transactions;
• claims of other individuals;
• other claims, except for the subordinated debt;
• claims of affiliated persons;
• claims of the subordinated debt; and
• claims under write-off or conversion terms.

There are no specific banking regulatory requirements relating to ESG matters. However, over the course of the last few years, the NBU has been addressing the ESG issue constantly.

In 2021, the NBU introduced the Policy on Sustainable Financing Until 2025 (the “ESG Policy”), which aimed to establish the general vision of the main principles of sustainable financing in Ukraine and the respective actions of the NBU to implement sustainable financing. However, due to the commencement of the full-scale invasion of Ukraine by the Russian Federation, the implementation of the ESG Policy has been suspended, since it no longer reflected the current challenges that the financial community and the NBU face.

In 2024, the NBU released the Policy on the Development of Sustainable Financing (the “Sustainable Financing Policy”), which stipulates three stages of implementation:

• Introduction of a White Book on ESG policy that:
1. proposes a unified terminology;
2. adopts a unified questionnaire for banks’ clients; and
3. systematises the experience in preparing ESG policies and strategies for banks.
• Adoption of the ESG policy addressing recommendations for ESG risk management and disclosure.
• Application of the ESG policy to non-banking institutions.

In June 2025, the NBU approved the White Book on Managing Environmental, Social and Governance Risks in the Financial Sector, which discloses the essence of ESG risks, and the state and prospects of ESG regulation in Ukraine.

In the upcoming future, the NBU plans to provide recommendations to banks on the organisation of corporate governance, including the preparation of strategic documents on ESG risk management. In 2026, the same is planned for non-bank financial institutions.

The NBU also plans to prepare and discuss draft regulations on ESG risk management with:

• the banking market – during the first quarter of 2026; and
• the non-banking market – during the first quarter of 2027.

Thus, so far, the NBU has successfully completed the first stage of the Sustainable Financing Policy implementation and is gradually moving towards the second stage.

The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January 2025 and is aimed at increasing the cybersecurity resilience of financial services providers and ensure proper resistance and response to and recovery from disruptions. Ukraine is not an EU member yet, and DORA does not apply to local banks.

However, the NBU has introduced specific local regulations addressing cybersecurity and information and communications technology-related issues.

Regulation No 95 of the NBU on the Organisation of Measures to Ensure Information Security in the Banking System of Ukraine, dated 28 September 2017, sets the minimal organisational measures to be taken by local banks to ensure information security and cybersecurity as well as requirements for the information systems of banks.

In 2022, the NBU also introduced Regulation No 178 on the Organisation of Cybersecurity in the Banking System of Ukraine, dated 12 August 2022, prescribing the main principles of the cybersecurity system, detailed cybersecurity measures of banks, and information exchange procedures between banks and the NBU.

Regulation No 4 of the NBU on Supervision over Compliance of Banks with Information Security, Cybersecurity and Electronic Trust Services Legislation, dated 16 January 2021 (the “Supervision Regulation”), specifies the NBU’s mandate to supervise banks in connection with compliance with cybersecurity legislation. It also obliges banks to conduct self-assessment of their information security and cybersecurity systems.

In 2025, the Supervision Regulation was supplemented by new reporting requirements. They require each bank to inform the NBU of any significant changes in the information security and cyber protection organisation related to:

• dismissal or transfer to another position/appointment of the chief information security officer;
• changes in the distribution of functions, duties and powers of the bank’s management and control bodies in terms of information security and cyber protection;
• changes in the organisational structure of the bank in terms of divisions whose functions include ensuring information security and cyber protection of the bank;
• making a decision on the introduction of a new product or significant changes in the bank’s activities that will have an impact on the organisation of information security and cyber protection of the bank; and
• making a decision on outsourcing the bank’s information security/cybersecurity functions or changing the provider of such services.

Thus, the NBU is actively working to strengthen control over cyber resilience, information security and digital operational resilience, in particular taking into account EU legislation on digital operational resilience in the financial sector.

Foreign Exchange Restrictions

Upon the commencement of the Russian Federation’s full-scale invasion of Ukraine, the NBU introduced strict foreign exchange regulations by way of adopting the Martial Law Regulation. The Regulation overrules all other NBU foreign exchange regulations and is the main legal act addressing, among other things, the cases when local companies, including banks, can transfer funds from Ukraine abroad or buy foreign currency, restrictions for companies having Russian/Belarusian beneficiaries, the limits for card payment amounts, currency exchange peculiarities, etc. Banks are authorised entities and have to analyse their clients’ transactions and make sure that the requirements under the Martial Law Regulation are met and that clients do not circumvent them.

Over the course of the last four years, the NBU has introduced numerous relaxations and exceptions. In 2026, more relaxations and exceptions will be introduced by the NBU provided that the macroeconomic situation does not deteriorate.

Open Banking

The NBU is known for its active part in the introduction of technical innovations in the financial sector. In recent years, steps have been taken to develop public key infrastructure and electronic trust services, remote identification for obtaining financial services, etc.

Besides this, the NBU has been actively progressing towards the adoption of open banking, having first approved the Open Banking Concept and then adopted Regulation No 80 on Open Banking, dated 25 July 2025 (the “Open Banking Regulation”). Open banking allows banks to exchange information with third-party service providers subject to a client’s consent.

Hence, the Open Banking Regulation addresses, among other things:

• the procedure and conditions for the provision of open banking services;
• the procedure for the granting and withdrawing of a client’s consent;
• principles of interaction between open banking participants; and
• principles of use and classification of specialised interfaces used in open banking.

Thus, the NBU is bringing Ukrainian legislation closer to European standards and is ensuring the fulfilment of the requirements for Ukraine’s accession to the Single Euro Payments Area and the EU.

Inclusive Banks

The full-scale invasion by the Russian Federation caused a number of significant problems, including restricted access to financial services for inhabitants of particular regions near the front line and de-occupied regions.

Inclusive banks are intended to address this issue by ensuring unimpeded access to financial services in areas where the normal operation of banking institutions is hindered or not feasible at all.

The new type of licence will give an opportunity for retail and postal companies to provide services to their large number of customers. The licence will have a limited scope. To provide services, the company will have to create a separate branch in the form of a joint stock company – a bank of financial inclusion. After receiving the licence, the branch will be able to use existing infrastructure to provide financial services to the population and small businesses.