Open Banking Launched in Ukraine: Legal Alert

As of 1 August 2025, the core provisions of Ukraine’s legal framework for open banking have entered into force. This milestone is expected to stimulate innovation by enabling more diverse and personalised services, while also enhancing competition in the financial sector. Importantly, the new regulatory framework has been developed with a view to aligning Ukraine’s payment infrastructure with the requirements for accession to the Single Euro Payments Area (SEPA) and supporting broader integration with the European Union.

Executive summary

The legal framework requires account-servicing payment service providers ("ASPSPs”), such as banks, to provide third-party payment service providers ("TPPs”) with real-time access to user accounts through specialised application programming interfaces ("APIs”). Two types of APIs are defined: basic APIs, which are mandatory, publicly available, and free of charge, and commercial APIs, which are optional and may be subject to fees.

Access to the user account is only permitted based on the user’s consent, which must be specific, revocable, and confirmed through strong customer authentication.

TPPs must meet a range of regulatory requirements and obtain authorisation from the National Bank of Ukraine (the "NBU") to provide services within the open banking framework. They are required to safeguard user data and maintain confidentiality.

ASPSPs and TPPs may involve technology operators to support technical operations in the open banking process.

Open banking in Ukraine is governed by multiple legal instruments. Most provisions took effect on 1 August 2025, although certain requirements under the NBU regulations will apply at a later stage.

What is open banking?

Formal definition

The NBU defines open banking as a structured and secure exchange of data between ASPSPs and TPPs through specialised interfaces, carried out with the user’s consent when a TPP accesses the user’s account in order to provide the user with non-financial payment services.

Plain explanation

Open banking enables the clients of payment institutions to share information from their accounts or initiate payments using third‑party applications they trust. For example, a fintech app can display the balances of a user’s accounts held in different banks or initiate a bill payment after the user authorises it. The user’s consent is central – without it, no data is shared.

Examples of open banking practical realisation

In its concept paper on open banking in Ukraine, the NBU provides several services and products that could emerge once open banking is implemented. These include (but are not limited to):

Parties involved in open banking

The open banking framework in Ukraine provides for the interaction of several categories of participants, each playing a distinct role in the data-sharing and service delivery ecosystem:

ASPSPs. These include banks and non-bank payment service providers where user accounts are held. ASPSPs are responsible for granting TPPs access to user account data via APIs, subject to the user’s explicit consent.

TPPs. TPPs may include both banks and other authorised non-bank payment service providers. They are authorised by the NBU to provide non-financial payment services and act on behalf of users. TPPs consist of two distinct categories:

PISPs – entities that initiate payment transactions from the user’s account upon the user’s instruction.

AISPs – entities that access and consolidate account information across one or more ASPSPs, providing the user with a unified view of their financial data.

Users. Individuals and legal entities who hold payment accounts with ASPSPs. Users grant consent to TPPs to access their account information or initiate payments on their behalf.

Technology operators. Legal entities authorised to provide operational, informational, and other technology-related services within the open banking ecosystem. Technology operators may be engaged by ASPSPs and/or TPPs to facilitate secure electronic interaction and data exchange via APIs.

Requirements for TPPs

As mentioned above, there are two types of TPPs: PISPs, who initiate payments on behalf of users, and AISPs, who provide account information. TPPs may be banks or other legal entities that obtain authorisation from the NBU. They are referred to collectively as non‑financial payment service providers because they do not hold client funds.

Eligibility requirements

To apply for authorisation, a legal entity must meet a number of conditions. Key regulatory requirements include:

We note that the requirements set out above under items 1–4, 6, and 8 do not apply to the applicants, which are banks.

Authorisation process

1. Submission of documents to the NBU. Applicants must file a package of documents, including the application for inclusion in the Payment Infrastructure Register (the "Register") and documents confirming the applicant’s compliance with the relevant regulatory requirements.

2. NBU review. The NBU reviews the application and documents for compliance with Ukrainian legislation. It decides whether to include the applicant in the Register or refuse authorisation within 60 business days. The period may be extended by up to 30 business days if additional verification is needed.

3. Obtaining the authorisation. If authorised, the NBU enters the applicant into the Register, publishes its name, unique identification code, list of services and date of authorisation on its website and sends a written notice and extract from the Register to the applicant. The date of inclusion in the Register is the date of authorisation and authorisation is of unlimited duration. It should be noted that a TPP’s failure to deliver non-financial payment services for a continuous period of more than 180 days constitutes grounds for the revocation of its authorisation.

4. Possible refusal. The grounds for the refusal of authorisation include instances where the provided information is false, the applicant or its owners/ managers do not meet legal requirements, deficiencies identified earlier are not corrected, or the applicant has been subject to regulatory sanctions within the previous year.

Relations between ASPSPs and TPPs

Access to accounts and APIs

ASPSPs must provide real‑time access to user accounts to TPPs via APIs. The legislation distinguishes between:

Basic APIs – mandatory, publicly available and free interfaces that allow authorised TPPs to initiate payments and access account balance/transaction history (up to 31 days from the request date). Provision of basic APIs does not require a contract.

Commercial APIs – optional interfaces through which ASPSPs can offer additional data or services (e.g., broader transaction history, premium features). Access to commercial APIs is provided under a contract between the ASPSP and the TPP and may involve fees.

Verification of TPPs

Before granting access, ASPSPs must verify that the TPP is authorised. They do so by checking the TPP’s qualified electronic seal or website certificate, authenticating the TPP via that seal/ certificate and comparing it with the entry in the Register. The NBU publishes and updates information about authorised TPPs and ASPSPs must download and update this list daily.

User consent

The ASPSP must grant access to the user’s account only if the user has given active consent (i.e., the consent is confirmed by strong authentication and is valid). The user’s consent must be specific: it must identify the particular TPP, the specific account, the non-financial payment service to be provided, and the exact scope of account and user information to be accessed. This consent may be transmitted to the ASPSP via the authorised TPP with whom the user has a contractual relationship.

Technology operators

Both ASPSPs and TPPs may engage technology operators to perform operational, informational and other technological functions to ensure API interaction. However, they remain responsible for the operator’s compliance with regulatory requirements.

Relations between TPPs and the users

TPPs must protect user data, ensure confidentiality, and comply with strong security and identification requirements. PISPs may not hold user funds or request unrelated information, and must transmit sensitive data only via secure channels. AISPs may access account data strictly for authorised purposes and must not alter or misrepresent the information. TPPs must also implement systems for managing user consents, which must be confirmed via strong authentication but easily revocable. All active consents must be displayed to the user. TPPs may charge users for their services in accordance with the terms of agreements concluded between the TPPs and the users.

Legal framework

Open banking in Ukraine is governed by a range of legal acts. These include:

Timeline

In general, the provisions of the Payment Services Law on open banking and the above NBU regulations entered into force on 1 August 2025. However, certain provisions of the NBU regulations will take effect at a later date. ASPSPs have five months from 1 August 2025 to align their operations with the Open Banking Regulation.