A secret not for everyone: how bank clients may be threatened by the Enhanced Control Register
18 November 17:45
ANALYSIS FROM 
The attack on “drops”, i.e. persons through whose accounts dubious financial transactions are carried out, continues. And not only those who use such schemes may soon feel its impact, in part because it is planned to expand access to banking secrecy. Komersant found out how to minimize such consequences.
It’s been more than a year since the National Bank of Ukraine, with the assistance of banks, tried to officially take suspicious financial transactions under enhanced control. It all started with setting limits on card transfers. And it should continue with the creation of a special Register of persons through whose accounts such questionable financial transactions are carried out. As you know, the relevant draft law is already being considered by the Parliament.
The Register of persons whose payment transactions require enhanced control will be created and maintained by the National Bank of Ukraine. Payment service providers will be required to enter the relevant information into the Register. They will also have to apply to the Register for this information, for example, before establishing business relations with an individual user or a merchant. If the Register contains information about the user, banks will be obliged to apply payment transaction limits and other restrictions to such users, etc.
One of the initiators of the draft law, MP Yaroslav Zheleznyak, tried to reassure those who began to “try on” the possible actions of banks.
“Despite the myths, we specifically chose a very conservative version for the first reading. No one will close any accounts immediately. On the contrary, we will help people get information that their card is being used by criminals. And for everyone else, this is an opportunity to move away from general restrictions on p2p to a more targeted approach by banks for customers who are at risk,” the MP stated.
What the MP did not mention in his post was banking secrecy and what would happen to it.
Will banking secrecy be at risk?
The NBU started working on the launch of the Drops Register more than a year ago. In February of this year, in an interview with Forbes Ukraine, NBU Governor Andriy Pyshnyi admitted that the issue was more complicated than it was thought. And this complexity is connected, in particular, with issues related to banking secrecy. At the same time, the country’s chief banker outlined his attitude to the institution of banking secrecy.
Banking secrecy is one of the fundamental institutions of trust in banks and the financial system. The Civil Code clearly states that banks are guarantors of bank account secrecy. The NBU is ready to discuss the procedure and regulations, but cannot accept uncontrolled and unlimited extrajudicial access to bank secrecy for any body. The relevant procedure must be followed,” said Mr . Pyshnyi.
Given that the draft law on the special register has already been submitted to the parliament after many months of work, we can assume that the most difficult issues have been resolved. This draft law mentions banking secrecy and guarantees of its preservation, in particular, in the following wording:
- a bank shall enter information constituting banking secrecy into the Register of persons whose payment transactions require enhanced control;
- The National Bank of Ukraine has the right to provide payment service providers with access to information from the Register of Persons Whose Payment Transactions Require Enhanced Control that constitutes the payment service provider’s secret;
- the payment service provider is prohibited from transferring the information received from the Register of Enhanced Control to third parties;
- the National Bank of Ukraine and the payment service provider are prohibited from using information from the Enhanced Control Register for purposes other than those provided for by law.
In fact, I would like the parliament to assess whether such an expanded use of information constituting banking secrecy is acceptable and whether the procedure for its disclosure is sufficient and adequate.
Is the bank customer protected?
A bona fide bank customer is the one who, given the possibility of accidental inclusion in the Enhanced Control Register, needs enhanced protection of his or her rights and interests. And it is for them that sufficient protective mechanisms, clear and transparent procedures, and appeal rights should be provided. Ilya Kolesnyk, lawyer, bankruptcy and restructuring specialist at Prikhodko & Partners Law Firm, continues.
A bona fide client should be provided with the right to find out (for example, through a banking institution or the NBU) whether he/she is included in the Register and on what facts or signs. This is important for transparency and to avoid situations where a person is “listed” without their knowledge or adequate explanation. Unfortunately, the draft law does not currently contain sufficiently clear guarantees of this right. It is also important that the limits and other restrictions that will be applied to a person who is included in the Register do not create a disproportionate burden on a bona fide client simply because of suspicion. From a legal point of view, it is necessary to specify the maximum limits, the timeframe for applying measures, and the grounds for lifting restrictions,” the expert notes.
Also, according to him, it is necessary to clearly regulate who has access to the data, under what conditions and how it can be corrected or deleted after the grounds for inclusion in the Register have disappeared.
It should be provided by law that a person or company may be removed from the Register after the grounds for their inclusion have been eliminated. For example, access of third parties to the account has been terminated, the activity code has been changed to the appropriate one, an investigation has been conducted and legality has been proven,” the expert believes.
Lawyer Illya Kolesnyk also drew attention to the risks that entrepreneurs may face after the launch of the Enhanced Control Register and advised on how to avoid them.
Entrepreneurs may be included in the Register by mistake or due to formal signs that do not prove a violation. For example, there has been a change in the activity code, but the business is operating legally. Therefore, entrepreneurs need to exercise internal control over the change of activity codes, inform the bank about the changes, have proper documentary evidence of legal activities, and cooperate with the bank in case of inspections. And, of course, entrepreneurs should avoid schemes that look like “dropshipping” or “misdirection”, check bank accounts to make sure they are not used by third parties,” emphasizes lawyer Illya Kolesnyk.
He also believes that the law or bylaws should stipulate that banks are obliged to inform customers about their inclusion in the Register, their rights and further consequences – this would help avoid situations where the customer learns about being included in the Register too late or because of the blocking itself.
Are banks ready for innovations?
The register of “drops” will be created and maintained by The National Bank of Ukraine will create and maintain the register. But it will be filled with specific information by payment service providers, i.e. banks.
According to the Association of Ukrainian Banks, the introduction of such a register directly for banks will be technically feasible, as the basic IT infrastructure and regulatory requirements already exist. However, it will require the finalization of internal systems, compliance procedures, and additional resources.
The EBA sees the creation of such a register as a positive tool for increasing market transparency, provided that its implementation is carried out with a balance between control and protection of customer rights.
The effectiveness of such a mechanism is possible only if there are clear regulatory criteria for entering and removing persons from the register, as defined by the NBU in its bylaws; protection of the rights of participants and the availability of an appeal procedure in case of erroneous entry; unified technical standards for data exchange between banks and the NBU based on existing financial monitoring systems; as well as guarantees for the protection of personal data and prevention of reputational risks for bona fide customers, the Association of Ukrainian Banks emphasizes.
By the way, the introduction of the registry will not automatically lift the restrictions on card-to-card transfers imposed by banks. As explained by the NBU, before making such a decision, it is necessary to make sure that the registry is really working and that banks effectively detect various kinds of violations.
Author — Sergey Vasilevich
