Ukraine -- Custody Regulations Regulatory Overview

Ukraine has made significant strides in legalizing and regulating virtual assets, with a framework in place that addresses, among other things, custody services. However, it's important to note that while the foundational law is enacted, many specific operational details are still in the process of being fully implemented through secondary legislation and regulatory acts, a process further complicated and slowed by the ongoing war.

Here's a breakdown of the cryptocurrency/digital asset custody regulations in Ukraine:

Key Legislation and Regulatory Bodies

1. Law of Ukraine "On Virtual Assets" (Закон України "Про віртуальні активи"): This is the primary law, adopted in September 2021 and signed into law by the President in March 2022. It establishes the legal framework for virtual assets in Ukraine, defines types of virtual assets, and outlines the activities of Virtual Asset Service Providers (VASPs).

   • Reference: Law of Ukraine "On Virtual Assets" (in Ukrainian)

2. Law of Ukraine "On Preventing and Counteracting Legalization (Laundering) of Criminal Proceeds, Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction" (AML/CFT Law): This law was amended to include VASPs as subjects of primary financial monitoring, bringing them under the strict AML/CFT regime.

   • Reference: Law of Ukraine "On Preventing and Counteracting Legalization..." (in Ukrainian)

Regulatory Bodies:

• National Securities and Stock Market Commission (NSSMC - НКЦПФР): The primary regulator for virtual assets, especially those secured by currency, valuables, or property rights, and for most VASP activities.
• National Bank of Ukraine (NBU - НБУ): Regulates virtual assets secured by monetary values.
• State Financial Monitoring Service of Ukraine (SFMS - Держфінмоніторинг): Responsible for AML/CFT oversight and financial intelligence.
• Ministry of Digital Transformation (MinDigital): Responsible for developing state policy in the field of virtual assets.

Custodial License Requirements

• Mandate: The Law "On Virtual Assets" mandates that any entity providing virtual asset services, including custody services, must obtain a permit (дозвіл). This permit functions similarly to a license.
• Definition of VASP: Article 1 of the Law defines a "Virtual Asset Service Provider" (VASP) as a legal entity that, as part of its business activities, performs one or more of the following services for or on behalf of another natural or legal person:
  1. Exchange between virtual assets and assets that ensure value.
  2. Exchange between one or more forms of virtual assets.
  3. Transfer of virtual assets.
  4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets. (This directly covers custody).
  5. Participation in and provision of financial services related to the offer and/or sale of virtual assets by an issuer.
• Issuing Authority: The NSSMC is generally responsible for issuing these permits. For virtual assets secured by monetary values, the NBU would be the responsible authority.
• Specific Conditions: While the Law mandates permits, the specific conditions and procedures for obtaining these permits (e.g., capital requirements, personnel qualifications, technical requirements) are to be established by normative legal acts of the NSSMC and NBU. These specific acts are still largely in development or pending full implementation.
• AML/CFT Compliance: Obtaining a permit is intrinsically linked to strict adherence to the AML/CFT Law, including KYC procedures, transaction monitoring, and reporting suspicious activities.

Segregation of Client Assets Rules

• The Law "On Virtual Assets" (Article 16, Part 2, Point 2) requires VASPs to ensure the reliable and safe storage of virtual assets and/or instruments enabling control over them. While the law doesn't explicitly use the term "segregation" in the same way traditional finance does for client funds (e.g., separate bank accounts), the underlying principle of protecting client assets is implied through:
  • Separate Accounting: Article 12, Part 2, Point 2 requires VASPs to maintain separate accounting records for their own virtual assets and those of their clients. This is a foundational step towards ensuring client assets are not commingled with the VASP's proprietary assets.
  • Operational Requirements: The detailed operational requirements, which would likely include specific rules for asset segregation (e.g., distinct wallet addresses, clear identification of beneficial ownership), are expected to be elaborated in the secondary legislation and regulatory acts to be adopted by the NSSMC.

Insurance/Bonding Requirements

• The Law "On Virtual Assets" does not explicitly detail insurance or bonding requirements for VASPs.
• However, it is a common regulatory practice in other jurisdictions for financial service providers, especially custodians, to have sufficient capital, insurance, or bonding to cover potential losses due to cyber-attacks, operational failures, or fraud.
• It is highly probable that such requirements will be included in the specific licensing conditions and regulatory acts that the NSSMC and NBU are tasked with developing for VASPs. These would aim to ensure the financial stability of custodians and protect client interests.

Cold Storage Mandates

• The Law "On Virtual Assets" does not explicitly mandate "cold storage" for virtual assets.
• Instead, it generally requires VASPs to ensure the reliable and safe storage of virtual assets and/or instruments enabling control over them (Article 16, Part 2, Point 2).
• Specific technical requirements related to storage (e.g., hot vs. cold storage percentages, multi-signature protocols, physical security of hardware) are typically not found in primary legislation. They are usually part of technical standards, cybersecurity requirements, and operational guidelines developed by the regulator (NSSMC) in secondary normative acts.
• Given the industry's best practices, it is highly expected that any detailed security guidelines from the NSSMC will strongly recommend or even mandate the use of cold storage for a significant portion of client assets.

Qualified Custodian Definitions

• Ukraine's legislation defines a Virtual Asset Service Provider (VASP) that provides "safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets" as a custodian.
• A "qualified custodian" in the Ukrainian context would be a VASP that:
  1. Is a legal entity registered in Ukraine.
  2. Has obtained the necessary permit (license) from the NSSMC (or NBU, as applicable) to provide custody services.
  3. Complies with all provisions of the Law "On Virtual Assets", the AML/CFT Law, and all relevant normative legal acts and regulations issued by the NSSMC, NBU, and SFMS.
  4. Meets any specific capital requirements, technical standards, security protocols, and operational guidelines that are or will be established by the regulators.
• Essentially, any VASP legally authorized and compliant with the full regulatory framework to offer custody services would be considered a "qualified custodian."

Any Pending Custody Legislation

• The Law "On Virtual Assets" was designed as a framework law. Its full implementation is contingent upon several key actions:
  1. Amendments to the Tax Code: To establish taxation rules for virtual assets. This is critical for the practical operation of the market.
  2. Adoption of Secondary Legislation (Normative Legal Acts): The NSSMC and NBU are tasked with developing and adopting detailed regulations, including:
     • Specific licensing/permit conditions and procedures for VASPs, including custodians.
     • Operational requirements for VASPs, which will likely detail asset segregation, security standards (potentially including cold storage specifics), risk management, and internal control systems.
     • Reporting requirements for VASPs.
     • Supervisory procedures for regulatory bodies.
• Current Status: While the framework law is in force, the process of adopting these detailed secondary normative acts has been significantly impacted and slowed by the full-scale Russian invasion of Ukraine. Regulators are operating under wartime conditions, prioritizing essential functions. Therefore, many of the granular operational details for custody services are still pending or under development and are expected to be elaborated as the situation allows and the regulatory bodies proceed with their legislative mandates.

In summary, Ukraine has a progressive legal basis for virtual asset custody, but the fine print regarding operational requirements, specific security mandates, and full licensing conditions are still awaiting the complete adoption and implementation of secondary legislation by its financial regulators.