Ukraine to Create Register of “Bad” Clients of Financial Institutions: Who Will End Up on the “Black” List

Last week, the Verkhovna Rada registered a bill on the introduction of a “black” list of financial service users who transferred their bank cards and account management to third parties (so-called droppers). Entrepreneurs who accept payment for goods on a private card without paying taxes will also be included in it. “Minfin” together with lawyers analyzed the new document and found out what risks it poses to conscientious citizens and how they can be reduced.

The authorship of the bill, which regulates the creation and maintenance of a register of persons whose payment transactions require enhanced control, belongs to a group of deputies. Among them, in particular, is the Chairman of the parliamentary Committee on Finance, Tax and Customs Policy Danylo Hetmantsev and his Deputy Yaroslav Zhelezniak.

“This is a very important initiative that we have been working on for over a year together with the National Bank, the Committee and experts of the Temporary Special Commission of the Verkhovna Rada. Unfortunately, up to UAH 200 billion is currently passing through the drop system, and the losses for the budget amount to tens of billions.

This has become the main “financial artery” through which illegal alcohol, gambling, and tobacco are paid for. Moreover, “drops” are increasingly being used by outright criminals: from call centers to drug trafficking,” Zhelezniak commented.

However, it is obvious that one of the main motives for the war against drops is the desire to cover up tax evasion schemes. “Financial mules” have become the central link in many such schemes – from money laundering, circumvention of limits and tax restrictions to artificial division of business in order to save on the payroll and shadow entrepreneurship, when customers simply “throw” money for goods and services onto a private card.

According to the calculations of the Center for Socio-Economic Research CASE Ukraine, salaries in “envelopes” are the record holder among the largest schemes of the shadow economy of Ukraine: budget losses from such schemes amount to UAH 115-230 billion.

In order to reduce their use, the NBU and banks have begun to gradually limit the possibilities of transfers between private accounts in the past year. On October 1, 2024, the National Bank introduced a limit for card transfers between individuals in the amount of up to UAH 150,000 per month for outgoing payments on all accounts opened in one bank.

Already in December 2024, banks, on their own initiative, agreed to set limits for P2P transfers and gradually lowered the upper limit. From June 1, 2025, for clients with “medium” and “low risk”, the monthly limit for outgoing transfers was reduced to UAH 100,000, which, of course, creates a lot of inconvenience and risks for honest users of financial services.

In such a situation, the creation of the Register of Drops was presented as a beneficial step for them, which should protect against unjustified blocking and problems with transfers, since the data will be targeted and personalized.

Moreover, according to the Deputy Executive Director of the Independent Association of Banks of Ukraine Dmytro Hlinskyi, the Register of Drops and automated verification of client income will allow Ukrainian banks to relax restrictions on P2P transfers.

“That is, the initial establishment of relationships will be stricter and checks will be more frequent, a standardized reaction mechanism will appear in case of suspicion of drops or miscoding: limits/restrictions instead of complete disconnection from services, as well as a unified appeal procedure.

In practice, this will lead to fewer terminations of relationships with clients of payment service providers and more managed restrictions with a transparent mechanism for making changes in case of errors,” says Yuliia Litvinchuk, a lawyer of business support practice at Juscutum.

Still, will conscientious clients really benefit from the division into “bad” and “good”?

How division will occur, and what awaits “bad” clients

In general, all users of financial services need to be ready for increased monitoring, which may affect the processing time of client applications. This is how the majority of lawyers who studied the new draft law characterized the proposed changes.

At the same time, we are not talking only about banks.

“These rules also apply to all other payment service providers – payment systems, transfer services, e-wallets, financial institutions that make payments. That is, if you do not use a bank, but a convenient application for transfers, it will also have its responsibilities: to check, report, and limit. In general, digital control is now, like Wi-Fi, everywhere,” says Viktor Moroz, managing partner of the “Suprema Lex” Law Association.

According to Volodymyr Sytnik, a lawyer at KAC GROUP, the bill provides for the creation of a Register of Enhanced Control “by the hands” of banks and payment service providers: they will be obliged to enter information about their clients who fall under certain characteristics into it.

“This information includes information that constitutes banking secrecy or the secrecy of the payment service provider, depending on the context,” he specifies.

The client’s verification will be carried out at the following stages:

◉ establishing business relations (opening an account, concluding an agreement);

◉ changing the client’s personal or identification data;

◉ passing authentication from a new device;

◉ identifying signs of risky activity during financial monitoring;

◉ changing the types of activities of the merchant;

◉ in other cases, at the initiative of the payment service provider.

This list is not complete — it can also be expanded by the NBU.

“The main problem is that the draft law lacks clear criteria for what exactly is considered “signs of risky transactions.” Yes, in the future, this will be determined separately by the NBU, and the main thing here is that such conditions are written as simply and logically as possible, without vague concepts.

Otherwise, these norms may be abused, and the client will not be able to quickly unblock their own accounts. This, in turn, will create conditions for corruption,” says Mykhailo Mozhaiev, managing partner of the “Mozhaiev & Partners” Law Firm.

The Register will include the following information about clients:

◉ who transferred their account, card or electronic wallet to a third party;

◉ the merchant who accepts payments that do not correspond to the declared activity.

Yet, the lawyers say that conscientious users of financial services can easily become subjects of the “black” list, but the result will be total restriction and control.

“You can get into the register “just because.” For example, you transferred money to a relative, he transferred it to someone else, and the bank thought it was a scheme. And now you are no longer a random “uncle Vasyl”, but a “potential drop”. Transfers may be instilled upon you, you will be asked to explain every penny. Banks will now have more legal grounds for this. If the algorithm decides that you are risky, get ready to prove that you are not guilty”, says Viktor Moroz from Suprema Lex.

Other lawyers also speak about the possibility of erroneously entering clients into the Register.

“It is possible that a person may be included in the Register due to a technical error, incorrect identification or due to the actions of third parties that do not depend on honest users. Entry into the Register will automatically restrict the client from opening new accounts, cards or electronic wallets, even if previous transactions were legal.

In addition, being included in the Register can negatively affect the bank’s reputation and complicate interaction with other financial institutions,” explains Iryna Matsapura, a lawyer at KAC GROUP.

Among the unpleasant consequences of such an error, she names the disclosure of banking secrecy (or the secrecy of the payment service provider).

“After all, all payment service providers will have access to the Register. The Register will display the following data: full name, date of birth, tax number, passport data, unique entry number in the Unified Demographic Register, data of payment instruments and accounts for which violations were detected,” she adds.

How will those on the “black” list be able to protect their rights

First of all, let us note: inclusion in the Register and the draconian terms of using financial services will not last forever: the draft law limits the period of application of limits to 24 months, although the information about a specific user will be stored in the Register for 3 years.

Thus, if we take into account that in this case all financial service providers will have access to it, this is the period of time people on the “black” list will be watched.

The only good news is that the draft law clearly indicates that inclusion in the Register in itself cannot be a reason for refusing to provide services to a financial institution, and, even more so, for closing an account, if transactions are carried out within the new established limits and restrictions.

“However, if a person has exceeded the maximum number of accounts/wallets established by the NBU, they will be refused to open a new account,” clarifies Yuliia Litvinchuk from Juscutum.

It is important that the bill provides private and corporate clients with the opportunity to appeal the inclusion in the “black” list.

Daria Bronnikova, an advocate and a lawyer of business service, protection practice and banking law of Reliance, says that the document provides for a two-stage appeal mechanism – administrative (through the NBU and the financial institution) and judicial.

“In general, this is in line with the principles of protecting the rights of consumers of financial services. At the same time, the effectiveness of this mechanism in practice will depend on the promptness of the NBU’s response, the clarity of procedures and the accessibility of the application form for users,” she details.

First, the client has the right to receive information about whether information about them is included in the Register, as well as which institution did it. The NBU must provide such information free of charge within 10 days from the moment of receiving the relevant request.

It is important to clarify here: legislators do not oblige financial institutions to notify their clients that they are going to include them in the “black” list. The client should figure it out themselves, when the bank starts cutting their limits and making payments difficult. So, if this happens, you need to make a request for the availability of information about yourself in the Register.

Secondly, the draft law provides the right to appeal the entry into the Register directly to the financial institution and to the NBU. The regulator must send this complaint again within 5 working days to the financial institution that entered its client into the “black” list. The user is informed about the results of the application consideration within 5 working days from the moment of making the changes.

If the case cannot be settled in this way, there is an option to go to court. But in practice, the clients’ possibilities to defend themselves are quite unstable.

“In general, 15 working days allocated for consideration of a complaint is a very, very long time. Moreover, the draft law does not stipulate who and how will be responsible for the illegal (unfounded) blocking of accounts. This is extremely important.

Regarding the possibilities of protection, the review of the complaint is mainly entrusted to the same institutions that submitted the information, so its effectiveness is questionable and will depend on the practice of the NBU.

Judicial protection will generally be used in exceptional cases (as a last resort). Because it is usually long and expensive, and losses from blocked money, such as lost profits, losses from inflation, exchange rate fluctuations, etc., they are actually not compensated by anyone. Again, with large amounts of money in the accounts, it is a corruption pretext,” comments Mykhailo Mozhaiev, Mozhaiev & Partners.

He told “Minfin” that, for example, there is no such strict regulation in the US.

“There has been a law since 1970 that obliges financial institutions to maintain bookkeeping, keep records, report on cash transactions over $10,000 per day and submit reports on suspicious transactions.

This also applies to situations when individuals try to deceive the system and, say, split payments. But in this case, the system still automatically tracks this.

Even in this case, banks do not block accounts, but may request additional documents confirming the origin of the funds. Everyone strictly adheres to ​​the right to privacy and financial freedom, especially since state bodies and courts work differently in the US. In Ukraine, state bodies are afraid to violate the rights of citizens and legal entities, because they know that they will be held accountable for it, mostly in a financial sense,” says Mozhaiev.

How to avoid the financiers’ watchful eye under the new rules

Despite the obvious risks that the legislative initiative poses for thousands of honest users of financial services, many call it a light approach.

“We specifically chose a very conservative version for the first reading. No accounts will be closed immediately. On the contrary, they will help a person get information that their card is being used by criminals,” Yaroslav Zhelezniak wrote.

The Ukrainian Interbank Association of Payment Systems Members EMA has already criticized the bill for indecisiveness.

“We have read the bill on the register of “drops”, and we see not determination, but instructions for civilized coexistence with this type of crime. A system that does not fight, but only administers.

This is what needs to be done for it to truly work: introduce the sale of SIM cards only to identified subscribers. One number is appointed to one well-known person. Most drop schemes break down precisely on this. It is necessary to clearly prescribe in the Criminal Code of Ukraine responsibility for organizing droppers’ networks and participating in them. And money laundering through droppers is in 99% of cases a conscious act, when a person themselves shared the account, or deliberately directs criminals’ funds through it. Stories about “hacked accounts” in 1% of cases are a legend for those who do not want to see the obvious. Give banks the right and obligation not to set limits, but to block and notify law enforcement officers,” the EMA statement on its Facebook page reads.

Given the direction of movement in regulating the relations between financial institutions and their clients, it is becoming especially important not to give financiers unnecessary reason for doubt. “Minfin” asked the lawyers to give advice on how not to fall under the close supervision of bankers.

“To avoid possible negative consequences and minimize the risks of getting into the Register, you should refrain from transferring your payment instruments or access to your wallets to third parties, avoid simultaneous login to payment systems from multiple devices, use a limited number of authorized devices and regularly check their security,” recommends Volodymyr Sytnik, KAC GROUP.

Viktor Moroz, Suprema Lex, advises the following:

◉ Keep a clear “white” financial trail: confirm your income, have a legal activity, avoid card/account transfer schemes to other persons, participation in schemes that may look like “dropping”. This reduces the possibility that the client will be viewed as risky.

◉ Transferring the card or details to third parties may be a sign of a “dropping scheme”. Avoiding such practices is one of the preventive measures.

◉ Monitor your transactions and payment destinations: if the client makes non-standard transfers or receives transfers to their account, it is worth having documentation or an explanation of the origin/destination so that, in the event of a request from the bank/NBU, you have arguments.

◉ Clarify your risk category and service conditions with the bank: it is advisable for the client to find out what internal procedures the bank has for identifying risky clients, what its policy regarding “drops” is.

◉ Require transparency from the bank regarding the criteria and procedure: the client can ask the bank to explain on what grounds they are considered risky, how the risk is assessed, whether there is a possibility of changing the riskiness category.

◉ Active bookkeeping and archiving: keep confirmations of transactions (contracts, payments, destination) so that, in the event of a dispute, there is evidence that the transactions were legal.

Daria Bronnikova, Reliance, recommends that bank customers adhere to the following rules:

◉ do not transfer their cards, accounts, logins or access codes to third parties;

◉ activate notifications about transactions and two-factor authentication;

◉ regularly check transaction history and the number of active accounts;

◉ promptly notify the bank of any changes to contact details or login devices;

◉ carefully study the bank’s service agreements and risk management policies.

Source