The Regulation on Open Banking, part of a package of regulations published by the National Bank of Ukraine on July 25, 2025, establishes a comprehensive framework governing how banks, payment institutions and electronic money institutions (referred to collectively as payment service providers (PSPs)) manage third-party PSP access to user accounts and the provision of non-financial payment services. Prior to the open banking regulation, there was no dedicated open banking framework in place in the country.
Aimed at fostering secure, efficient and transparent data sharing, the regulation sets clear obligations for real-time account access, user consent, third-party authorisation checks and secure information exchange.
Effective as of August 1, 2025, the framework introduced strict requirements designed to protect users, clarify responsibilities between parties and ensure that Ukraine’s financial sector remains competitive and aligned with modern open banking practices.
The bigger picture
Previously, the financial sector operated under traditional banking regulation. The Law on Payment Services is the main legislative act governing PSPs, the provision of account information services and payment initiation services; however, the adoption of the Regulation on Authorisation Procedures for Non-Financial Payment Services Providers, the Regulation on the Use of Electronic Trust Services in PSP Access to User Accounts and the Open Banking Regulation has expanded the legislative landscape. Customer data is no longer governed solely by the Law on Payment Services, but by a broader set of rules designed to support open banking and data sharing.
The European Business Association emphasised that open banking in Ukraine focuses on improving access to user data to support the digitalisation of the economy and encourage a wave of competition and innovation in the financial sector.
At the centre of the open banking framework are the new categories of regulated entities: account information service providers (AISPs) and payment initiation service providers (PISPs). These players now have a formal basis to operate in Ukraine, provided they obtain authorisation from the National Bank of Ukraine (NBU). This marks a decisive shift, as for the first time non-bank providers can compete directly in offering innovative services built on secure access to customer accounts.
Open banking in Ukraine is, therefore, not only about data access but also about market access. By enabling AISPs to aggregate account data across multiple institutions and PISPs to initiate payments on a customer’s behalf, the regulation lowers entry barriers and increases the diversity of service providers available to consumers. In practical terms, this means clients considering entering or expanding in the Ukrainian market now have clarity on the authorisation procedures, conduct obligations and technical standards required to establish themselves as AISPs or PISPs.
The European Business Association acknowledges open banking in Ukraine as “a strong signal of the government’s commitment to modernising the financial system and creating a favourable business environment”.
Additionally, the implementation of open banking in Ukraine is expected to accelerate fintech growth by promoting closer collaboration between traditional banks, payment service providers (PSPs) and innovative financial technology firms. By enabling secure, consent-based data sharing through standardised application programming interfaces (APIs), open banking creates an environment where fintech companies can develop and deliver solutions such as automated budgeting tools, instant payment services and alternative lending platforms that depend on real-time access to account information.
This aligns with the objectives set out in the Strategy of Ukrainian Financial Sector Development, which focuses on aiding the development of open banking to help fintechs better meet customers’ needs. The development of new technologies, ranging from virtual servicing channels and personalised financial services to mobile solutions and closer cooperation between conventional financial institutions and fintech firms, reflects the shifting preferences of financial service consumers. These innovations not only enable banks and PSPs to better meet customer needs but also encourage regulators to adopt a more flexible and proactive approach to supervising a broader spectrum of financial market participants.
The National Bank of Ukraine also emphasised that this regulation will ensure the country fulfils the requirements for joining the Single Euro Payments Area and ultimately support Ukraine’s accession to the European Union.
Why should you care?
Payment service providers must pay close attention to the regulation due to the significant obligations and opportunities it creates for them regarding third-party authorisation, user consent requirements in access and data sharing, cyber resilience during information exchanges and reporting requirements. The regulation establishes a framework that requires PSPs to provide information from a user’s account upon request to another PSP, provided that it has received explicit consent from the user.
Key obligations under this regulation include:
- Contractual clarity: PSPs must include in the agreement with the user the conditions under which a third-party PSP can access the user’s account and the responsibilities of both the PSP and the user when such access is granted. These contractual terms ensure users are fully informed and that accountability is clearly allocated in the event of errors, unauthorised transactions or disputes.
- Authorisation and consent checks: The PSP must verify that the third-party PSP is authorised to provide the specific payment service requested. The PSP must obtain or verify the existence of active user consent for the provision of account information. Consent from natural persons must be obtained via the PSP’s payment application, or if unavailable, via another remote communication method.
- Secure data exchange: The PSP must ensure secure exchange and protection of information with third-party PSPs during all data transfers through specialised interfaces. Technical and procedural safeguards must be in place to prevent data breaches, unauthorised access and other cyber threats.
- Transaction and request monitoring: PSPs must implement processes to control and monitor payment transactions initiated via third-party payment initiation services and account information requests received via account information services. These monitoring activities should follow the PSP’s internal operational risk and information security management procedures to detect unauthorised, erroneous or fraudulent activities and take preventative measures.
- User-initiated blocking: The PSP must allow users to block third-party PSP access to their accounts upon request, using a blocking procedure developed and approved by the PSP. This ensures users can withdraw access at any time for security or personal reasons.
- Reporting requirements: PSPs must submit statistical reporting data on activities within open banking to the National Bank of Ukraine, in line with the Rules for the organisation of statistical reporting submitted to the National Bank of Ukraine. These rules set out the obligation to submit various types of statistical data, annually, monthly and weekly.
Next steps
PSPs should carry out the following:
- A review and update of contractual agreements is required to ensure user agreements explicitly cover third-party access conditions, responsibilities and the allocation of liability. Standard templates should be developed so that they can be updated quickly in line with NBU guidance.
- Strengthening authorisation and consent procedures involves integrating real-time checks against the NBU register of authorised PSPs to verify third-party status. Staff training and updated customer support scripts are also necessary to address queries relating to third-party access and consent.
- Enhancement of secure data-exchange infrastructure should be achieved through penetration testing and independent cybersecurity audits to confirm safeguards against unauthorised access and data breaches. Tailored incident-response procedures must also be established for third-party data-sharing risks.
- Implementation of monitoring and risk-management processes requires updating operational risk frameworks to encompass third-party-initiated transactions and account information requests. Monitoring tools should be in place to detect unusual patterns or repeated access requests, with escalation and remediation procedures aligned to operational and information security policies.
Conclusion
The Regulation on Open Banking is not just a regulatory milestone; it is a decisive turning point for Ukraine’s financial sector. By embedding authorisation, consent and data principles directly into account access and data-sharing processes alongside EU alignment, the NBU has made it clear that open banking will move forward, but only on secure and accountable terms.
This regulation provides market participants with an opportunity to define their role in the next phase of the financial market. Those who act early will position themselves as trusted providers in a landscape where transparency is essential. Where customer data is exchanged between multiple parties, users will base their confidence on full traceability of data flows, visibility over consent history and clarity of process.
The introduction of the regulation allows non-bank providers to participate in financial innovation in a market where customer data was previously controlled mainly by banks. Faster-acting PSPs can become the first to use open data access to deliver a range of services, paired with personalised insights and streamlined payment-related experiences.
With the rules in force as of August 1, 2025, institutions cannot afford to wait. Those who move beyond minimum compliance and actively leverage open banking to build trust and expand service offerings will gain a stronger competitive advantage and secure long-term relevance in an increasingly competitive payments ecosystem.