The National Bank of Ukraine is preparing changes to financial monitoring rules: banks will be required to create individual customer behavior profiles and automatically flag any deviations from normal patterns. A transfer larger than usual, an atypical payment geography, a new counterparty — all of this will fall under enhanced scrutiny.
The regulator's logic is clear. Ukraine is under pressure from the FATF and the EU regarding anti-money laundering standards. The full-scale war has added a separate dimension: shadow financing schemes, sanctions evasion, asset withdrawal. Anomaly detection is a tool that genuinely works under such conditions.
However, the system's architecture raises questions that the NBU has not yet publicly addressed.
First, the criteria for "atypicality." Who determines that a transfer of 50,000 hryvnia to a relative in another city is an anomaly rather than ordinary assistance? If the algorithm learns from average indicators, it will by definition penalize those whose behavior differs from the majority — freelancers, entrepreneurs, people with irregular income.
Second, the consequences of triggering the system. Blocking a transaction, requesting documents, delays — for a business with tight deadlines, this could mean real losses. The mechanism for appeals and review timelines are not detailed in the published materials.
Third, access to profiles. A "typical activity profile" is a structured array of personal financial data. The procedures for their storage, protection, and transfer to third parties, including law enforcement agencies, require a clear regulatory framework, which currently does not exist.
Similar behavioral analysis systems have long operated in EU banks — but they exist within a GDPR environment with clearly defined rights for data subjects, independent oversight, and judicial control. The Ukrainian version is currently an instrument without publicly defined limitations on its use.
The NBU has the right to take this step. But whether the mechanism for protecting customers from false alarms will be as much a priority as the surveillance mechanism itself will become clear when we see the final text of the regulatory act, not just its concept.