Andriy Dubas, President of the Association of Ukrainian Banks, discusses Ukraine’s new Open Banking model and how it will drive competition, inclusion, and digital growth in finance.
On 1 August 2025, the National Bank of Ukraine (NBU) enacted a series of regulations that establish an Open Banking system in Ukraine and improve the regulatory environment for modern fintech services.
Andriy, could you tell us more about your professional role, as well as about the mission and vision of the Association of Ukrainian Banks (NBU)?
As President of the Association of Ukrainian Banks, I represent the interests of Ukraine’s financial sector at both the national and international levels, and coordinate initiatives on financial reforms, technological innovations, and the improvement of corporate governance standards.
The mission of the Association is to promote the stability and transparency of the financial sector, protect the rights of market participants and consumers of financial services, as well as foster the development of innovative solutions such as Open Banking.
Our vision is the creation of a modern, competitive, and digitally integrated banking ecosystem that meets European standards and the needs of Ukrainian citizens and businesses.
Could you describe the key elements of the NBU’s Open Banking model and explain why the financial sector in Ukraine needs its implementation right now?
The Open Banking model in Ukraine provides standardised third-party access to clients’ banking data with their consent through secure APIs. Key elements include:
- APIs for account information access;
- APIs for payment initiation;
- user authorisation mechanisms and strong authentication;
- regulatory requirements for ecosystem participants and data security.
The need to implement Open Banking has arisen due to the growing digitalisation of financial services, the development of fintech services, and the desire to ensure greater competition and financial inclusion for Ukrainian businesses and the population.
Who does this regulation apply to? Which market participants—banks, fintech companies, businesses, or consumers—will it affect?
The regulation applies to:
- Banks that provide access to clients’ accounts (ASPSP);
- Fintech companies and third-party providers (TPP) that access data or initiate payments;
- Businesses integrating financial services into their products;
- Consumers who provide consent for the use of their personal and financial data.
The regulation ensures a balance between fostering innovation and protecting user rights.
Does this regulation apply to all banks, or only large or small banks?
The regulation applies to all banks, regardless of size or scale of operations. At the same time, the NBU provides adaptive requirements for smaller banks to ensure gradual implementation without excessive burden.
What are the functions and responsibilities of Open Banking participants? What specific requirements are set for each of them?
Participants in Open Banking have clearly defined roles and responsibilities to ensure safe and efficient interaction between banks, third-party providers, and clients. Main categories and their functions:
- ASPSP (Account Servicing Payment Service Providers) – banks servicing accounts must ensure secure access to accounts via standardised APIs, comply with strong authentication rules (the main purpose being fraud prevention and protection against unauthorised account access), guarantee confidentiality and security of user data, verify TPP certificates, and control access rights.
- TPP (Third-Party Providers) – third-party financial service providers must obtain a license or registration with the NBU, ensure data security, comply with personal data processing requirements, guarantee correct payment execution and regulatory compliance, provide data aggregation and analysis for users and businesses, and initiate payments directly from the client’s bank account.
- Clients must provide informed consent for account access, use Open Banking services for financial management, payments, and business integration, confirm their identity via strong authentication, and use services only within the limits of their authorisation.
What services/use cases are offered within Open Banking? What innovations or new financial services can consumers, businesses, and fintech companies expect?
Services offered within Open Banking include:
- Account aggregation — viewing all bank accounts in a single app;
- Personal financial services — expense analysis, budget planning;
- Payment initiation through third-party apps (PISP) — paying for goods and services directly from an account;
- Analytics and credit scoring — basic tools for financial assessment.
Expected innovations and services:
- Business integration — automated payments and cash flow management in ERP/CRM systems;
- Advanced analytics — expense forecasting, personalised financial advice;
- Services for SMEs — marketplace integration, lending based on open data;
- Commercial APIs — extended payment and analytics services from banks for fintech companies.
How does the Ukrainian Open Banking model relate to the EU PSD2 Directive and SEPA requirements? Does it follow the same model?
The Ukrainian model is built taking into account PSD2 principles and SEPA standards, especially regarding payment security, strong authentication, and the role of TPPs. However, it is adapted to the local specifics of the financial market and NBU regulatory requirements, providing flexibility for Ukrainian financial market participants.
How does the process of registration and authorisation of Open Banking participants take place? What permits and safeguards must TPPs comply with?
TPPs submit a document package and register with the NBU, receiving an electronic certificate to access bank APIs.
Safeguards required from TPPs include:
- cybersecurity and personal data processing requirements;
- internal risk management and transaction monitoring procedures;
- compliance with strong user authentication rules before account data access or payment execution.
User authorisation via TPP includes:
- Client consent: the bank client (ASPSP) must provide informed consent for account access or payment initiation through a third-party service.
- Strong customer authentication (SCA): two- or three-factor authentication is required, e.g.
  - password + one-time SMS code/token generator;
  - biometrics + password;
  - other combinations meeting NBU requirements.
- Access token transmission: after client confirmation, the TPP receives a temporary access token for the bank API, limiting access rights only to the specific operation or data set.
ASPSP authorisation includes:
- verification of TPP certificates: banks accept TPP requests only with valid NBU-issued certificates;
- API request control: banks validate TPP requests for correctness and compliance with client access rights, blocking unauthenticated or excessive requests.
Could you elaborate on the types of APIs defined within this model, including basic and commercial APIs, as well as their availability and usage fees?
- Basic APIs: provide access to account information, transaction history, and data aggregation for analytics and financial planning.
- Commercial APIs: include extended payment initiation (batch payments, recurring debits), additional analytics services, business integrations, and innovative financial products from banks such as real-time credit scoring.
All APIs follow standardised formats and security protocols for third-party integration.
Is there a fee charged to TPPs for API access?
No fee is charged for basic APIs to encourage ecosystem development. For additional commercial services, banks may charge fees regulated by contracts between the bank and the TPP.
What are the key requirements regarding user consent and strong customer authentication?
- Clients must give informed and explicit consent for account access;
- Strong customer authentication (SCA) must be used — at least two independent verification factors: something the user knows, has, or is (e.g. password, token, biometrics);
- Data access or payment initiation is possible only after client confirmation.
What mechanisms ensure the security and confidentiality of user data?
- Data encryption during transmission and storage;
- Regular security audits and TPP certification;
- Logging and monitoring of transactions to detect suspicious activity;
- Data minimisation — TPPs receive only the data necessary for a specific operation.
What legal liability and potential risks exist for ASPSPs and TPPs?
ASPSPs (banks servicing accounts) are legally liable for:
- correct and secure account access via APIs;
- proper execution of payments initiated by TPPs or clients;
- protection of personal data in accordance with banking secrecy laws and GDPR (for international transactions).
Potential risks:
- unauthorised account access due to API vulnerabilities;
- payment execution errors leading to financial losses;
- reputational risks in case of data breaches or security violations.
TPPs (third-party financial service providers) are legally liable for:
- using access only with client consent and within authorised rights;
- complying with strong authentication and data security standards;
- ensuring correct payment execution and client transaction notifications.
Potential risks:
- leakage or misuse of client data;
- unauthorised payments or transaction errors;
- NBU regulatory sanctions, including administrative fines or license revocation;
- client financial claims for damages caused by non-compliance.
Risk mitigation mechanisms include:
- strong authentication (SCA) for all operations;
- encryption and logging of all transactions and accesses;
- regular security audits and access controls;
- legal regulation of ASPSP-TPP agreements, clear Service Level Agreements (SLAs), and liability policies.
What are the stages of implementing the Open Banking model? Is a transition period foreseen?
The implementation of the Open Banking model in Ukraine takes place in stages, with clear deadlines and requirements for financial market participants. Main stages:
- Approval of the Open Banking Regulation, effective August 1, 2025;
- Adaptation by ASPSPs (banks) by December 31, 2025 — including IT system upgrades, internal policy adjustments, and procedures for safe and stable interaction within Open Banking;
- Registration and licensing of TPPs by December 31, 2025 — to obtain required permits and NBU registration for service provision. From January 1, 2027, higher liability insurance requirements for TPPs will apply, as part of EU Directive 2015/2366 (PSD2) implementation;
- Expansion of Open Banking functionality by 2027, including corporate account access and integration with other financial services.
Yes, a transition period is foreseen so that banks and TPPs can adapt to technical and regulatory requirements without risk to clients.
About the author
Andriy Dubas, President of the Association of Ukrainian Banks and Member of the AUB Council, was born in 1987 and has over a decade of experience in banking and public institutions. He previously served as Adviser to the Governor of the National Bank of Ukraine, Secretary of the NBU Public Council, and Deputy Chairman of the State Innovative Financial and Credit Institution. For over six years, he has been an independent director on supervisory boards, President of AUB, and ex officio Council Member. His expertise includes banking, international cooperation, and innovation. He frequently comments on banking and macroeconomic issues.
About The Association of Ukrainian Banks (AUB)
The Association of Ukrainian Banks (AUB) is the leading union of financial institutions in Ukraine, uniting banks and non-bank organisations to strengthen the country’s financial system and promote a competitive market. AUB serves as a key platform for dialogue with regulators, business, and society, while cooperating with the National Bank of Ukraine and parliament to shape effective legislation. Its mission is to foster transparency, stability, and trust in banking, guided by international best practices. AUB supports professional development through its Banking Academy, promotes ethical standards, protects members’ interests, and represents Ukraine’s banking sector internationally.