Ukraine -- AML/CFT Compliance Regulatory Overview

**Law of Ukraine No. 361-IX "On Preventing and Counteracting Legalization (Laundering) of Criminal Proceeds, Terrorist Financing and Financing the Proliferation of Weapons of Mass Destruction"** (dated December 6, 2019, with subsequent amendments).

This is the foundational AML/CFT law in Ukraine, bringing the country's framework closer to FATF recommendations and the EU's 4th and 5th AML Directives. It designates "virtual asset service providers" as "reporting entities" (subjects of primary financial monitoring).

**Law of Ukraine No. 2074-IX "On Virtual Assets"** (dated February 17, 2022).

This law defines virtual assets and virtual asset service providers (VASPs) in Ukraine. While its full implementation regarding licensing and specific regulatory oversight was initially delayed due to martial law, its principles establish the legal framework for virtual assets and clarify the roles of regulatory bodies. It reinforces that VASPs are subject to AML/CFT requirements under Law No. 361-IX.

Exchange between virtual assets and fiat currencies.

Exchange between one or more forms of virtual assets.

Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

**For Individuals:** Obtain and verify the customer's identity, including full name, date of birth, place of birth, address, identification number (where applicable), and details of the identity document (series, number, date of issue, issuing authority). Verification must be based on reliable, independent source documents, data, or information.

**For Legal Entities:** Obtain and verify the legal entity's name, registration number, legal form, legal address, contact details, and identify the management structure.

**Beneficial Owner (UBO) Identification:** Identify and take reasonable measures to verify the identity of the beneficial owner(s) of the customer. This is crucial for both individuals (e.g., if acting on behalf of another) and legal entities.

Understand the purpose and intended nature of the business relationship or transaction.

Conduct ongoing monitoring of the business relationship and transactions undertaken throughout the course of that relationship to ensure consistency with the VASP's knowledge of the customer, their business, and risk profile. This includes monitoring the source of funds and the destination of virtual assets.

Applied in situations presenting higher risks of money laundering or terrorist financing. This includes, but is not limited to:

Customers who are Politically Exposed Persons (PEPs), their family members, or closely associated persons.

Complex, unusually large, or unusual patterns of transactions that have no apparent economic or lawful purpose.

Non-face-to-face business relationships without adequate safeguards.

Transactions above specific thresholds (e.g., equivalent of UAH 400,000 for certain types of operations, though suspicion requires reporting even below this).

May be applied in situations identified as lower risk, but VASPs must still be able to demonstrate that the risk is genuinely lower and maintain sufficient information to identify the customer and beneficial owner. Given the inherent risks associated with virtual assets, SDD is often limited in this sector.

**Reporting Thresholds:** VASPs must report transactions that meet specific monetary thresholds (e.g., UAH 400,000 or more, approximately EUR 10,000 equivalent) if they have certain characteristics (e.g., complex or unusual transaction, linked to high-risk entities/jurisdictions, involving transfers to/from certain accounts).

**Suspicion Regardless of Threshold:** Even if a transaction does not meet a monetary threshold, if the VASP *suspects* or has reasonable grounds to suspect that funds are proceeds of criminal activity or are linked to terrorist financing, it *must* be reported.

**Reporting Authority:** All suspicious transaction reports are submitted to the **State Financial Monitoring Service of Ukraine (SFMS)**.

**No Tipping Off:** VASPs are prohibited from disclosing to the customer or any third party that a suspicious transaction report has been or will be made.

**Customer Identification Data:** All documents and data obtained during the CDD process (identification documents, verification records, UBO information).

**Transaction Records:** Records of all transactions, including virtual asset addresses, transaction hashes, amounts, dates, and parties involved.

**Business Correspondence:** Relevant correspondence concerning the customer relationship.

**STRs:** Copies of all suspicious transaction reports submitted.

**Retention Period:** All these records must be retained for at least **five years** after the termination of the business relationship or the date of an occasional transaction.

**State Financial Monitoring Service of Ukraine (SFMS):**

**Role:** The central executive body responsible for developing and implementing state policy in the field of preventing and counteracting money laundering and terrorist financing. All suspicious transaction reports are submitted to the SFMS.

**National Bank of Ukraine (NBU):**

**Role:** Designated by Law No. 2074-IX as a key regulator for certain types of VASPs, particularly those that engage in activities similar to traditional financial services or payment systems. It will set requirements for financial monitoring, supervision, and licensing for VASPs under its purview.

**National Securities and Stock Market Commission (NSSMC):**

**Role:** Designated as a regulator for virtual assets that qualify as "financial instruments" or "securities" under Ukrainian law. It will oversee VASPs dealing with such assets.

**Ministry of Digital Transformation (MDT):**

**Role:** Played a leading role in drafting the "On Virtual Assets" law and is generally responsible for developing state policy in the digital assets sector. It may also have oversight regarding technical standards and licensing processes for VASPs.

**Primary Legislation:** Law of Ukraine "On Prevention and Counteraction to Legalization (Laundering) of Criminal Proceeds, Financing of Terrorism and Financing the Proliferation of Weapons of Mass Destruction" (Закон України "Про запобігання та протидію легалізації (відмиванню) доходів, одержаних злочинним шляхом, фінансуванню тероризму та фінансуванню розповсюдження зброї масового знищення") **No. 361-IX**.

This law, significantly updated in 2019, specifically incorporated virtual assets and VASPs into the scope of financial monitoring.

**URL:** https://zakon.rada.gov.ua/laws/show/361-20#Text (Official Ukrainian text on Verkhovna Rada website)

**Supporting Legislation (Virtual Assets Law):** Law of Ukraine "On Virtual Assets" (Закон України "Про віртуальні активи") **No. 2074-IX**.

This law was passed on September 8, 2021, and signed by the President on March 15, 2022. While it defines the legal status of virtual assets and aims to create a regulatory framework for the market, its full implementation (especially regarding licensing and market regulation) has been delayed, partly due to the martial law. However, it reaffirms that VASPs are subject to AML/CFT legislation.

**URL:** https://zakon.rada.gov.ua/laws/show/2074-20#Text (Official Ukrainian text on Verkhovna Rada website)

Exchange between virtual assets and funds (fiat currencies);

**Required Information:** VASPs are required to collect and transmit:

**Originator Information:** Name, unique identifier (e.g., account number or wallet address), physical address, national identity number (if applicable), date and place of birth, and customer ID.

**Beneficiary Information:** Name, unique identifier (e.g., account number or wallet address), physical address, national identity number (if applicable), date and place of birth, and customer ID.

**Transmission:** This information must be securely transmitted to the beneficiary VASP (or collected when receiving funds from another VASP).

**Regulatory Guidance:** The National Bank of Ukraine (NBU) and the State Financial Monitoring Service of Ukraine (SFMS) are the key regulators for AML/CFT. While specific technical standards for Travel Rule protocols haven't been mandated by law, they may issue sub-regulatory guidance, recommendations, or best practices over time to ensure compliance. VASPs are generally expected to use robust, secure, and interoperable solutions.

**Fines:** Significant monetary penalties for both the legal entity and responsible officers.

For failure to provide information on financial transactions subject to monitoring (including Travel Rule data), fines can range up to **UAH 340,000** (approx. USD 9,000, as of late 2023/early 2024, subject to exchange rate fluctuations).

For systemic or repeated violations, especially regarding customer due diligence, reporting, or internal controls, the maximum fine for financial institutions (including VASPs) can be up to **UAH 135 million** (approx. USD 3.6 million).

**Suspension or Revocation of Licenses:** In case of serious or repeated violations, the regulatory body (e.g., NBU) can suspend or revoke the VASP's operating license or registration.

**Disqualification of Management:** Responsible individuals within the VASP's management may face disqualification.

**Criminal Liability:** In cases involving significant money laundering or terrorist financing activities, individuals may face criminal charges.