Why the New Draft Law Changes the Rules of the Game for Clients

Ukraine proposes to significantly strengthen the protection of people who have lost money because of online fraud involving bank cards and accounts. Draft law No. 15274 has been registered in the Verkhovna Rada, and it could change the very logic of how such cases are handled it is not the client who must prove their innocence, but the bank or another financial institution that must prove that the user deliberately contributed to the leakage of data. Time for Action analyzed the issue this initiative is important not only as an attempt to return money to people after fraudulent operations. It raises a broader question who should bear the main burden of risk in digital finance an ordinary client, who often becomes a victim of complex schemes, or a bank, which services the payment infrastructure, controls transactions, has technical protection systems and access to data on suspicious transactions. The draft law proposes a fairly strict mechanism for financial institutions. If an unauthorized or incorrectly executed payment transaction took place from a client’s account or card, the bank must immediately reimburse the full amount of losses. For a person, this means they should not wait for months for internal checks, prove the obvious and remain without money only because fraudsters managed to act faster than the system’s response.

A mandatory condition for compensation must be the client’s immediate appeal to the bank. The cardholder must report that they did not carry out and did not approve the transaction. After that, the financial institution must restore the account balance to the state it was in before the fraudulent transaction. The most important innovation is the limit of the client’s responsibility. If the money was stolen without the physical presentation of the payment card or without passing electronic identification, the citizen should not bear financial responsibility. The bank will be able to refuse to return the funds only if it proves in court that the user, through action or inaction, deliberately contributed to the transfer of the PIN code, passwords or one-time confirmation codes to third parties. This is a fundamental change. In many cases, victims of online fraud face a situation in which responsibility is effectively shifted onto them. A person is told that they may have followed a phishing link, shared a code, confirmed a transaction or lost control over their data. But not every case of fraud is the result of a gross mistake by the client. Criminals use increasingly sophisticated methods, apply psychological pressure, disguise themselves as banks, delivery services, government services, employers or familiar companies.

That is why the draft law shifts the center of responsibility to the financial institution. If a bank believes that the client is to blame for losing the money, it must not merely state this, but prove it in court. Such an approach could become a stronger safeguard against formal refusals and template responses that do not always take into account the real circumstances of fraud.

For banks, this would mean greater financial and legal pressure. They would be forced to respond faster to complaints, better record the digital traces of transactions, improve risk monitoring systems and more clearly distinguish real fraud from cases in which a client really deliberately transferred data. At the same time, the banking sector may have concerns about abuse, when dishonest users try to dispute their own transactions as fraudulent. That is why the court mechanism for proving the client’s guilt becomes a key element of balance. The emergence of such an initiative looks natural because of the changing nature of card fraud in Ukraine. In 2025, 256 thousand fraudulent operations with payment cards were recorded, in which clients suffered financial losses. This is 5% less than in 2024. At first glance, the situation might seem slightly better. But the details show otherwise.

Despite the decrease in the number of incidents, the total amount of losses increased by 24% and reached UAH 1.4 billion. The average amount of one illegal operation rose from UAH 4,247 in 2024 to UAH 5,536 in 2025. That is, there were fewer fraudulent operations, but each successful attack became more expensive on average for victims. This is an important signal for the entire financial market. Fraud is gradually shifting from a large number of small incidents to a smaller number of more costly attacks. For the client, this means a higher risk of significant loss. For the bank the need to identify dangerous transactions more accurately. For the state the need to update consumer protection rules. There were 27 fraudulent transactions per one million debit card operations, which is 14% less than a year earlier. But the level of losses amounted to UAH 198 per one million debit operations, and this is 14% more than in 2024. In other words, the system may be better at restraining part of the attacks, but the cases that get through cause greater financial losses.

At the same time, fully shifting the problem only onto banks would also be an oversimplification. A significant part of losses is still connected with users themselves violating basic safety rules during online payments. People may share confirmation codes, follow fake links, enter card data on phishing websites or trust calls from fake bank employees. Therefore, technological protection must work together with financial awareness.

The draft law does not cancel the user’s responsibility, but makes it evidence-based. If a person deliberately helped fraudsters gain access to money, the bank will be able to defend its position. But if there is no such proof, the client should not automatically remain without funds only because the fraudulent operation has already taken place. Separate attention should be paid to the statistics of criminal proceedings. In the first eight months of 2025, more than 35 thousand proceedings under the fraud article were opened in Ukraine. On average, about 4.5 thousand such cases are registered every month. Only 21% of proceedings reach court. The largest number of cases has been opened in Kyiv, Dnipropetrovsk and Kharkiv regions.

These data show that for victims, the path to justice often remains long and difficult. Even if a person turns to law enforcement, this does not guarantee a quick return of money. That is why the mechanism of immediate bank reimbursement may have practical significance it does not replace the investigation, but it does not leave the client waiting for the results for months. The political outlook of the draft law is still cautious. The document was submitted by an individual deputy, not by the Cabinet of Ministers or the relevant committee. Because of this, the chances of quick adoption are currently assessed as low. But the very appearance of such a draft law shows that the problem of card fraud has already gone beyond standard advice about passwords, PIN codes and attentiveness.

Financial fraud is becoming more expensive, more complex and more dangerous for people. Therefore, the rules for protecting clients must also change. If banks have the technical ability to analyze transactions, see suspicious actions, block risky payments and control access tools, then their responsibility cannot be limited only to warnings in a mobile application. At the same time, users must also understand no law will fully protect them if a person themselves transfers codes, passwords or access to an account. Therefore, the future model must combine two approaches: a stronger obligation for banks to protect clients and higher financial literacy among users themselves. Draft law No. 15274 may not pass through parliament quickly or in its current form. But it has already become an important part of the discussion about fairness in digital finance. Because when fraudsters steal money from a card, the victim should receive not only advice to be more careful, but a clear protection mechanism. And this very issue is now becoming increasingly important for banks, the state and millions of Ukrainians who use cashless payments every day.