Cover account. How bank cardholders are recruited to launder money
Lawmakers want to tighten oversight of payment and banking transactions amid a rise in cases where they are used in shadow schemes, and to create a registry of so-called drops. This refers to situations where people hand over their payment details to third parties, who then use them for illegal activity.
The National Police are proposing to go even further and introduce legislative changes that would define the actions of "drops" as a separate criminal offence, with corresponding penalties.
WHY DO CRIMINALS NEED STUDENTS’ AND PENSIONERS’ BANK CARDS?
As the Cyber Police explain, drops, or money mules, are people who, in exchange for payment, give criminals full access to their payment instruments (bank cards, crypto wallets, and so on) for use in various schemes (drug trafficking, human trafficking, terrorism financing, and others). This can involve transfers between accounts, cash withdrawals at ATMs, topping up an account via payment terminals, and more.
The organizers of groups of drops (so-called drop handlers), once they have gained access to accounts and obtained all required details, use various software-and-hardware solutions to automate transfers, aggregate funds, and distribute money between accounts within their schemes.
The National Police also stress that in around 70% of cyber fraud cases, "drops’" payment instruments were used to receive, cash out, and launder criminal proceeds.
The Center for Financial Integrity, which has been looking into the issue, notes that money mules and drops are individuals who act as intermediaries through whom criminal groups move illegally obtained funds. The typical behaviour of such participants in criminal schemes mimics that of ordinary banking customers and resembles legitimate activity. And this is not a problem unique to Ukraine. The Financial Action Task Force (FATF), which sets global standards for anti-money laundering and counter-terrorist financing (AML/CTF), has identified money mules as a common tool used by organised crime in different countries to move and conceal illicit proceeds. Internationally, such people are often recruited through fake job ads, online fraud, and coercion.
In Ukraine, too, there are various ways of drawing people into illegal activity, but most potential "drops" or "money mules" are sought through job postings placed in Telegram channels, according to the Center for Financial Integrity’s executive director, Oksana Ihnatenko.
Such offers claim that a person will not have to make much effort to earn money. That is why young people often respond to them. "About half of the people who take part in these schemes and hand over their cards do not realise what is actually happening. We work with young people and explain that you must not hand over bank cards or give access to accounts. And I have had cases where young people came up to me and said they simply wanted to earn 2,000 hryvnias, so they gave away their bank card. They did not understand they were part of "drop" schemes," Ihnatenko says. "But there are also people who do it knowingly and understand there may be consequences."
In addition, recruiting young people very often works on a "spiderweb" principle. Participants in the schemes bring in their friends and acquaintances, who in turn pull in new people. Some of them think the card is being used simply for transfers and that there is nothing wrong with it, but in reality, they become part of this spiderweb network. In essence, they become tools for criminals and accomplices in the schemes. As a result, they pose a threat to the financial system and even to national security.
There are also cases where grandchildren borrow a bank card from a grandmother or grandfather, and older people, not understanding what will happen, agree to it.
Overall, risk groups include students, the unemployed, displaced people, and members of economically and socially vulnerable groups. Typical features of such job offers include vague job duties, online-only communication, a lack of official information about the employer, and requests for personal banking details.
And as the Cyber Police Department of the National Police of Ukraine told Censor.NET, the use of "money mules" is gaining momentum. For example, 2,194 were identified in 2020, while 26,700 were identified in the first nine months of this year.
At the same time, their services have become more expensive. A few years ago, this kind of service could be bought for 500 hryvnias, but now the average price is $50–$100 for a single set of payment details, a card or access to online banking. Law enforcement explains that this is because limits on card-to-card transfers are being reduced, so schemes involve a larger number of participants and pay them more.
The schemes themselves are also changing. "When we conducted our research, ‘drops’ mostly relied on P2P transactions, that is, card-to-card transfers. Now, given the restrictions introduced by the National Bank of Ukraine (NBU), scheme organizers have started to focus more on individual entrepreneurs. In other words, despite the limits imposed by the state, they still adapt," Oksana Ihnatenko explains.
Commenting on the trend of involving individual entrepreneurs in such schemes, banking sector representatives stress that these are people who are not entrepreneurs in any meaningful sense. "These are people who simply allow themselves to be used, sometimes by an employer to minimise taxes, sometimes by unrelated legal entities. Often by criminals seeking to launder funds," emphasises Anton Razumnyi, a member of PrivatBank’s management board responsible for compliance.
Oksana Ihnatenko also notes that one feature of money mules is that their transactions often resemble donations to the military, which makes monitoring more difficult for banks. That is because they are irregular, occur at different times of day, from different locations and IP addresses, and involve different amounts. "When the NBU began introducing restrictions on transfers between individuals, the issue of volunteers who receive significant amounts of money into their accounts for fundraising also came to the fore. The volunteer registry maintained by the State Tax Service can serve as one form of confirmation of volunteer activity and help banks understand the nature of such transactions during financial monitoring," she continues. Each bank also has its own systems and tools that enable monitoring. Banks do not disclose what exactly they use, as it is a commercial secret. But they do have such tools, and they are internal products."
Since autumn 2023, the National Bank of Ukraine has been recording an abnormal increase in the volume of P2P transfers in the system, as well as an increase in the number of cards used to make such transfers and in the average transfer amounts at certain issuing banks. "The scale of the problem of using ‘drops’ is now difficult to assess because they mimic the typical behaviour of an individual cardholder. The National Bank studied detailed statistics for nearly 700 unique customers who opened accounts in an anomalous manner and received 1.6 billion hryvnias into their accounts in 2023," NBU Governor Andrii Pyshnyi said at a meeting with journalists.
In response to the situation, the banking system began gradually introducing limits on the amounts and the number of outgoing transfers from an individual’s card.
In addition, in December last year, the National Bank of Ukraine hosted a meeting with the participation of the Association of Ukrainian Banks, the Independent Association of Banks of Ukraine, PrivatBank, Oschadbank, Raiffeisen Bank, and Universal Bank, at which a Memorandum on Ensuring Transparency of the Payment Services Market was signed. A number of other financial institutions later joined it. These joint efforts were aimed at countering "drop schemes," strengthening financial monitoring, and introducing unified standards for transaction transparency.
"The memorandum signed by Ukrainian banks on ensuring transparency in the payment services market is about fairness and de-shadowing that Ukrainian society needs. The key challenge is balancing financial monitoring with customer convenience. Banks are making efforts to ensure the new requirements do not create inconvenience for bona fide customers," said Anton Razumnyi, a member of PrivatBank’s management board responsible for compliance, answering a Censor.NET question about the results achieved after the document was signed. "The main trends in customers’ payment behaviour include growth in cashless transactions, with customers increasingly using cards and digital wallets to pay for goods. One clear figure: over the first 10 months of 2025, Ukrainians paid for purchases and services worth more than 1 trillion hryvnias via PrivatBank’s merchant acquiring ecosystem using bank cards and gadgets, 20% more than in the same period of 2024. The second notable trend is a drop in P2P transfer volumes to levels that are typical for the payment behaviour of 98% of customers, as a result of the restrictions introduced and the overall tightening of financial monitoring, while the overall trend in digital money transfers remained positive.
At the same time, the structure of transfers has changed: card-based P2P transactions have declined, while the share of payments made via IBAN has increased, making financial flows more controllable and predictable. This reflects customers’ adaptation to the new regulatory environment and stronger financial discipline."
– To build a more effective risk management system, payment service providers that are signatories to the Memorandum stress the need for systemic steps and cooperation with the National Bank of Ukraine and state authorities to give participants access to official information via Diia, the government’s online services platform, such as a customer’s income, court cases, and so on. Have banks obtained such access? How does this affect the financial monitoring process?
– Financial monitoring is a key priority for the bank and requires substantial investment in technology, process automation, and staff training. We view effective compliance not as a cost, but as an investment in the stability of the financial system and customer safety. We have invested millions of hryvnias in designing the system architecture, its ongoing maintenance, and hiring additional staff to ensure effective compliance with the requirements on the one hand, and on the other, to use every available opportunity, including digital government services, to provide a convenient service for customers. We are trying to make things as simple as possible for customers, including when it comes to meeting financial monitoring requirements. We make maximum use of information already available without requesting it from customers, and we invest in staff upskilling, because expertise in financial monitoring matters. We use automation to identify risks, and we use machine learning to avoid false positives that are later disproved.
Diia services are already available to banks. Other registries are available to banks on the same basis as to other market participants. In both cases, it comes down to integration into processes and automation.
– When people agree to cooperate with so-called drop handlers, they do not always realise the consequences. Could you explain what those consequences may be, beyond having an account blocked? Will such people be able to open new accounts in the future, take out loans, or use other banking services in Ukraine and abroad?
– The bank’s task is to understand what is happening with a customer’s transactions and make a balanced decision on whether there is a risk in a particular case. And the risk is not only to the bank, but to the customer as well. For example, we often see cases where a person has turnover of hundreds of thousands of hryvnias within a few weeks, a classic example of a "drop." And in such cases, it becomes a matter of that person’s safety. Because sometimes those funds may be used for unlawful acts, and the person may end up being held accountable not only to the bank, but also under the law.
At this stage, we are not talking about potential consequences outside Ukraine. At the same time, being listed in the "drops" registry will likely affect a person’s ability to open accounts, and I am confident it will also affect credit risk assessments.
– If a person is raising donations for the military but is not officially a volunteer, do they need to explain this to the bank in some way so they are not treated as a "drop"?
– The bank values openness in its interactions with customers. We have provided an option to raise limits for customers who have verified their income. Technologies have already been introduced to enable fast and secure income verification. This has helped avoid erroneous restrictions and strengthened the security of financial transactions. All of our customers who have verified incomes or engage in volunteer work make monthly transfers in amounts that exceed the limits.
Since limits were introduced at 150,000 hryvnias, more than 100,000 customers have contacted the bank to request a higher limit, and most of them received a positive decision.
We care about customers, so when they approach the set limit, the bank proactively notifies them via the mobile app or SMS when they reach 50%, 80%, or 100% of the limit. This allows customers to respond in time and avoid having transactions declined.
– Does the bank communicate with a customer about transactions it considers suspicious before blocking an account? What needs to be done to have it unblocked? Are these rules the same for all banks?
– Most customers are generally low-risk, salaried employees, pensioners, service members, students. To protect them, we are required to ask questions of the small percentage of customers who need closer scrutiny.
Suspicious transactions, from the bank’s perspective, are those the bank cannot explain using all available information about the customer. A customer should be prepared to explain transactions that raise questions for the bank. For example, if when updating their details a customer indicated an expected monthly transaction volume of 100,000 hryvnias but then processed several times more, say, 500,000 hryvnias, that will draw attention. This will require an explanation of the source of the funds and the nature of the relationship with the sender or senders. The bank may also have questions about the spending pattern. If, for instance, more than 80% of transactions are P2P transfers to other individuals, involving a large number of recipients, a logical question arises: who those recipients are and for what purpose the transfers are being made. Or if a customer withdraws a large share of incoming funds in cash and the cash amounts exceed what would be considered normal everyday needs, that will also raise flags.
Our advice to all customers is to stay in dialogue with the bank, not ignore requests, and, when necessary, provide explanations and documents confirming the transactions. Sometimes, even with customers who have a long history with the same bank, situations arise where the available information is not sufficient, and the bank needs to contact the customer and obtain additional explanations.
– How often does a customer need to update their details, and why? What problems can this help prevent?
– Most customers are low-risk, so under the law, the bank asks them to update their details only once every five years. Banks update part of the information automatically, including via Diia, while customers can submit the rest themselves. These processes are now as convenient as possible: with a smartphone, you can update your details anywhere, anytime. Our bank starts sending notifications and invitations to update details well in advance, 75 days before the deadline, and follows up with repeated reminders.
As part of the update process, the bank will ask for your expected income and monthly transaction volume. This information will be used by the bank and will help you avoid unnecessary questions in cases where your financial situation has changed, and this is reflected in account activity.
– If a bank does not block an account but asks a customer to provide information for financial monitoring and the customer refuses, what will the consequences be?
– People often take financial monitoring measures personally. But the financial monitoring system is designed to manage risks, protect honest customers, and safeguard the financial system as a whole. Financial literacy and responsibility are neither a formality nor a bank requirement. They are the foundation of trust on which a healthy economy and a stable banking system rest.
I would advise being as open as possible in responding to the bank’s requests, because this is about customer safety, especially when it comes to preventing fraud. We are talking about financial inclusion, not excluding people from the banking system. This requires shared responsibility, understanding why you need a bank, why you enter into a relationship with it, what responsibility you expect from the bank, and what responsibility you bear yourself. Financial monitoring does not involve that many questions for customers. The relationship between a customer and a bank is two-way. If it is a partnership, there cannot be a situation where there is no dialogue. We are aiming for long-term relationships that are transparent, reliable, and beneficial to both sides.
RESTRICTIONS WILL BECOME TARGETED
"From what I hear as I continue researching this issue, the memorandum between financial institutions needs to be revised, because ‘drops’ and the organisers of illegal schemes have adapted: they have shifted to using individual entrepreneurs and are doing everything possible to make an account look ‘alive,’" Oksana Ihnatenko says. "For example, such accounts are used to pay utility bills or buy groceries. This is done so that during a bank review, it appears to be an ordinary account used for personal needs, with friends occasionally transferring some money to it."
Lawmakers are now proposing to tighten oversight of payment transactions by creating a registry of individuals whose payments require enhanced scrutiny.
Under draft law No. 14161, the registry would be maintained by the National Bank of Ukraine.
The aim of the initiative, according to its authors, is to prevent financial abuse and the illegal use of accounts or electronic wallets, in particular in cases where citizens knowingly hand over their bank cards or grant third parties access to their accounts.
The introduction of such a system will allow a transition from general restrictions on transfers between cards to more targeted control, which will only apply to risky customers.
"The introduction of a ‘drops’ registry could, first and foremost, focus attention on users with elevated risk rather than create additional hurdles for bona fide customers. The growing number of detected cases involving individuals in such schemes shows that the drop problem remains relevant, and banks together with regulators (the NBU, the Financial Monitoring Service, and the State Tax Service) need to pay special attention to it," Anton Razumnyi believes. "If this draft law is adopted, the next logical step would be the development and adoption of NBU regulations. These should define the approaches to working with customers who are included in the drops registry. The use of such an information source as the registry is expected to be mandatory for financial institutions."
Law enforcement agencies also support the introduction of the registry. However, they stress that it is crucial to simultaneously amend the legislation so that people who engage in such actions are held accountable under the law, as other European countries did many years ago.
"At present, the Criminal Code does not clearly define liability for the actions that qualify someone as a ‘drop.’ This refers to handing over payment details to third parties to commit or conceal a crime," Yevhenii Dorohanov, deputy head of the Operational Response Directorate and head of the unit for combating crimes in computer systems at the Cyber Police Department of the National Police of Ukraine, told Censor.NET. "That is why we have drafted a bill to amend Article 200 of the Criminal Code of Ukraine, which provides that any person who hands over their payment details or grants access to online banking will bear criminal liability. Because it is not always bank cards that are handed over, often it is online banking."
In response to this legislative initiative, we received a flood of questions, such as: "What if I give my card to my wife and she withdraws cash from an ATM, does that mean prison for her too?" We explain that liability as a "drop" arises only if a third party has already committed a crime using that person’s payment details or access to online banking, and if the card or other payment credentials were used to facilitate or conceal that crime.
Let me give an example. A hypothetical student sells his card via an ad in a Telegram channel to someone he does not know at all. He receives some money once a week for letting the card be used, and he is happy with that. But that third party has created a phishing website through which, by deception, they gain access to an elderly woman’s online banking, drain her entire pension from her card, and transfer it to the "drop’s" card. In that case, we say there is a predicate crime, and there is a person who knowingly, for payment, handed over payment details to a third party who committed fraud. In other words, that person should have foreseen such consequences. Because if, for example, I decide to hand a gun to my friend, I should foresee that he could use it to commit an offence. The same applies here. If I give my card to my wife and she does not pass it on to third parties, whether for payment or free of charge, for the purpose of committing a crime using that card, no liability arises."
According to Yevhenii Dorohanov, some members of the relevant parliamentary committee supported the initiative, while others were categorically opposed, arguing that criminal prosecution of young people would ruin their lives. Yet young people who take part in such shadow schemes already bear responsibility for their actions. They will also receive convictions if it is proven that they acted as part of a criminal group. However, investigations take longer, and proving the intent of "drops" is much more difficult. Such legislative changes would also have a preventive effect to some extent. Because when you clearly understand that you are committing a criminal offence, you are more likely to consider the consequences.
"Criminal punishment does not always mean a ruined life or prison. It can be a fine or a suspended sentence. Everything depends on the actions committed. If a person sold a card once and it was used, but they repent and are willing to cooperate with the pre-trial investigation, they may receive a fine and understand that this is a criminally punishable act and not do it again.
I have studied the experience of other countries regarding liability for such crimes. In every European country, it is предусмотрено by law. In particular, the United Kingdom provides for imprisonment for a term of up to 12 years," Yevhenii Dorohanov notes.
The Cyber Police also said that an innovative Antifraud system is operating on a pilot basis in 12 regions, enabling faster investigations into online fraud cases involving "drops" and helping ensure the return of funds to victims.
"The Cyber Police Department does not have its own investigators, so we cannot register criminal proceedings, issue instructions to operational units, and so on," Dorohanov explains. "We are an operational unit ourselves and work either on the basis of an investigator’s instructions or through proactive investigative work. When a citizen submits a report regarding any crime, we forward it, in line with internal regulations, to the competent investigative unit based on territorial jurisdiction. That is why, when a fraud report is received through Antifraud, we are able to speed up the response."
Today, fraud schemes are no longer as simple as they were 10–15 years ago, when money was transferred directly to a fraudster’s card. Now, networks of money mules are being created, through which fraudsters move funds between different cards, banks, and accounts. Such schemes may involve cards issued by at least five different banks. At the same time, scheme organisers understand that any law enforcement agency operates strictly within the legal framework. And to obtain information from banks, court orders are required. This takes time. This system simplifies communication with banks and speeds up our work. It aggregates reports from different regions using the same identifiers. In other words, if we have a fraudster’s card but 20 victims across Ukraine, we do not have to wait three months for case files to be transferred, Antifraud responds to such cases within six hours."
The National Police stress that tightening liability for "drops" is primarily about protecting people who may fall victim to such schemes. It is not about spouses’ cards or those of other relatives. But will lawmakers listen to these arguments?
Tetiana Bodnia, Censor.NET
