...

Ukraine to Launch “Drop” Register to Curb Shadow Payments

by Roman Cheplyk
Wednesday, October 29, 2025
4 MIN
Ukraine to Launch “Drop” Register to Curb Shadow Payments
Innovations Legislation Technologies

New AML tool targets mule accounts and miscoding, enabling risk-based limits and cleaner rails for fintech and banks

Ukraine is moving to create a register of persons requiring enhanced control (“drop register”) to combat payment mules (“drops”)—individuals and merchants who rent cards, wallets, or misuse merchant category codes to move untaxed or illicit funds. The framework is set out in draft law No. 14161, co-developed with the National Bank of Ukraine (NBU). Once adopted, the regime would provide banks and payment providers a shared, closed database to detect, flag, and restrict high-risk users across the market.

Why It Matters ;for investor;

  • Cleaner rails, lower fraud loss: Shared intelligence reduces mule throughput, chargebacks, and AML enforcement risk.

  • Regulatory clarity: Centralized checks replace fragmented bank-by-bank blacklists, improving compliance efficiency.

  • Payments/fintech scalability: A market-level deterrent supports higher legitimate C2C and acquiring volumes with less blanket throttling.

  • Macro angle: Reduced shadow flows supports fiscal revenues and strengthens the case for EU-aligned financial supervision.

What Triggers Inclusion

Individuals / sole proprietors / professionals / legal entities may be listed for:

  • Third-party control of funds: Granting access to an account or e-money wallet, or transferring a payment instrument to others.

  • Merchant miscoding: Accepting card payments under incorrect activity category codes versus the acquiring agreement.

Detection: Banks, payment institutions, e-money institutions, and licensed financial companies are obliged to monitor and report suspected drops into the register. Failure to report or incomplete reporting exposes providers to NBU sanctions.

Mandatory Checks (Examples)

Payment providers must consult the register:

  • Before onboarding new clients.

  • Upon data changes or login from a new device.

  • During payment monitoring or inter-provider alerts.

  • When merchant activity categories are changed or added.
    The NBU may expand trigger events; providers may also check at their discretion.

Consequences for Listed Parties

  • Individuals: Limits on payment transactions; caps on the number of accounts, cards, and wallets with a given provider.

  • Merchants (FOPs, independents, legal entities): Limits on acquiring transaction volumes.

  • Access preserved: Not a full service ban; essential payments remain possible within limits.

  • Duration: Limits set by NBU for up to two years from the last register entry.

(Exact thresholds are to be defined by the NBU; exemptions for specific accounts/instruments may apply.)

Data Model & Privacy

  • Data stored: For individuals—name, date of birth, tax number (RNOKPP), passport data, demographic-register ID (if any).

  • Merchants: Above plus acquirer-assigned names, activity codes (before/at detection), provider identifiers (EDRPOU).

  • Access: Non-public, closed register. The NBU administers access; providers may not share data with third parties.

  • Retention: Three years from the last entry; erroneous entries must be corrected/removed, including self-identified errors.

  • Redress: Individuals/merchants can petition the NBU to remove erroneous entries; provider actions are subject to judicial appeal.

Interaction with Existing Limits

Past market-wide C2C caps (e.g., monthly limits of 50k–150k UAH under risk tiers) were broad tools to catch drops. With a functioning register and automated income checks, sector leaders expect narrower, risk-based controls to replace blanket limits over time.

Implementation Timeline

  • Legislative path: Two readings and potential amendments.

  • Go-live window: Provisions take effect one year after publication—allowing time to build systems, APIs, and governance.

Risks & Safeguards

  • Over-blocking risk: Mitigated by appeals, evidence standards, and time-bound entries.

  • Data security: Closed registry under NBU control; banking secrecy extended to register operations.

  • Operational load: Providers must upgrade KYC/KYB, device intelligence, and merchant-code validation; costs offset by lower fraud/AML losses.

Investor/Operator Checklist

  • Map touchpoints: Embed register checks at onboarding, device risk, and transaction-monitoring stages.

  • Update policies: Align AUP, merchant T&Cs, and dispute procedures with miscoding and third-party access prohibitions.

  • Build appeals flow: Customer-facing remediation, evidence intake, and NBU liaison protocols.

  • Quantify impact: Model reduced fraud/AML opex vs. integration costs; forecast potential uplift from relaxed blanket limits.

  • Coordinate with municipalities/markets: For high-risk sectors (e.g., gambling, cash-intensive retail), pre-empt miscoding via acquirer audits.

Bottom Line

The drop register introduces a market-wide, risk-based AML control that targets mule accounts and merchant miscoding without shutting users out of essential payments. For banks and fintechs, it promises lower fraud leakage, clearer compliance, and the potential to replace blunt transfer caps with smarter, EU-aligned supervision—supporting healthier growth in Ukraine’s digital payments ecosystem.

roman-cheplyk
Roman Cheplyk
You will be interested