Anti-money-laundering

Primary Financial Monitoring Entity: Who It Is and Its Duties

9 min read

Who is a primary financial monitoring entity under Ukraine's Law No. 361-IX, the duties (registration, CDD, reporting) and the penalties for breach.

“Am I even a financial monitoring entity at all?” — this question comes up every year for notaries, accountants, real-estate agents, auditors and business owners. And the cost of the wrong answer is not theoretical: behind it stand real inspections and fines. Primary financial monitoring is not an abstract function of the state but a concrete set of duties that the law places directly on a defined circle of private persons and institutions. Let us look at the substance: who belongs to that circle, what exactly an entity is required to do, and what triggers liability.

What primary financial monitoring is

In Ukraine, the system for countering money laundering and terrorist financing (AML/CFT) is established by the Law of Ukraine “On Preventing and Countering the Legalisation (Laundering) of Proceeds of Crime, the Financing of Terrorism and the Financing of the Proliferation of Weapons of Mass Destruction” No. 361-IX. The central body in this field and the national financial intelligence unit is the State Financial Monitoring Service of Ukraine (Derzhfinmonitoring).

The model is two-tier. Primary monitoring is carried out by private entities — a bank, a notary, a real-estate agent — who are on the front line, seeing clients’ transactions, checking them and reporting the risky ones. State monitoring is the analytical work of Derzhfinmonitoring and other state regulators, which accumulate these reports and, where grounds exist, pass consolidated materials to law-enforcement bodies — in particular the Bureau of Economic Security (BEB), the National Police and the SBU (Security Service of Ukraine). In other words, the primary financial monitoring entity (in Ukrainian, “субʼєкт первинного фінансового моніторингу”, or SPFM) is the link on whose diligence the whole system depends.

Who qualifies as a primary financial monitoring entity

The list of these entities is set out in Article 6 of Law No. 361-IX. They are conventionally split into two groups.

Financial institutions and those treated as such — for whom monitoring duties are core to what they do:

  • banks, insurers, credit unions, pawnshops and other financial institutions;
  • payment organisations, participants or members of payment systems, and postal operators in respect of their money-transfer services;
  • professional participants in capital markets and organised commodity markets (with certain exceptions);
  • providers of services connected with the turnover of virtual assets.

Specially designated entities — for whom monitoring is secondary to their main activity and “switches on” during certain transactions:

  • notaries;
  • attorneys, law firms and bar associations, and other providers of legal services;
  • auditors, audit firms and businesses providing accounting services;
  • businesses providing intermediary services in real-estate purchase and sale transactions (real-estate agents);
  • businesses trading for cash where the transaction amount is equal to or exceeds UAH 400,000;
  • businesses running lotteries and/or gambling (the gambling sector);
  • persons providing services for the creation, operation or management of legal entities.
CategoryWhen the duty arises
Banks, payment and insurance institutionsContinuously, within financial services
Virtual-asset service providersContinuously, within the activity
Notaries, attorneys, auditors, accountantsDuring client transactions defined by law
Real-estate agentsDuring real-estate transactions
Cash tradingFor transactions ≥ UAH 400,000
Gambling sectorDuring transactions defined by law

The key thing to grasp: entity status arises from the fact of the activity, not from registration in some separate register. If a notary certifies contracts, or a real-estate agent facilitates a purchase and sale, that person is already an entity — regardless of whether they have drawn up any internal documents.

Duties of a primary financial monitoring entity

The basic duties are set out in Article 8 of Law No. 361-IX. Three of them are “organisational”, and without them the rest simply does not work.

1. Registration with Derzhfinmonitoring

The entity must register with Derzhfinmonitoring within the periods set by law — for most, before or on the day of the first financial transaction; for notaries, attorneys and other specially designated entities, within the periods that follow the start of the relevant activity. This is not a formality: it is through the registration account that the entity later files its reports.

2. Appointing a responsible officer

The entity appoints a responsible officer for financial monitoring (the requirements for whom are detailed in Article 7). Entities operating single-handedly — for example, a private notary or a sole-trader accountant — perform the responsible-officer duties themselves. This person is responsible for organising monitoring, filing reports and liaising with Derzhfinmonitoring.

3. Drawing up internal AML/CFT rules

The entity develops and approves internal financial-monitoring documents — rules and programmes describing exactly how it identifies clients, assesses risks, detects threshold and suspicious transactions, and stores documents. This is not a “piece of paper for the inspection” but a working algorithm: during a review, the absence — or the merely formal nature — of these rules is one of the first breaches to be recorded.

Customer due diligence (CDD / KYC)

The heart of the whole system is customer due diligence (in Ukrainian, “належна перевірка клієнта”, NPK; internationally, KYC — “know your customer”). Its requirements are set by Article 11 of Law No. 361-IX. CDD comprises:

  1. Identification — establishing the client’s data (for an individual: full name, date of birth, registration data; for a legal entity: name, EDRPOU code, ownership structure).
  2. Verification — confirming that data against official documents or reliable sources, not “on the client’s word”.
  3. Establishing the ultimate beneficial owner (UBO) — the real individual who controls a corporate client, even where the client is formally registered to others.
  4. Ascertaining the purpose and nature of the business relationship — why the client needs this transaction and whether it fits their activity.

All of this works through a risk-based approach: the depth of the check must match the level of risk. A client with a simple, typical transaction needs standard checking; a high-risk client — a complex ownership structure, links to high-risk jurisdictions, the status of a politically exposed person (PEP) — needs enhanced checking. In my expert practice, it is precisely the superficial, one-size-fits-all check that most often becomes the entity’s weak point.

Reporting transactions and retaining documents

The entity must detect and report to Derzhfinmonitoring two types of transaction.

  • Threshold transactions — financial transactions of UAH 400,000 or more (for gambling operators and virtual-asset transactions the threshold is lower — from UAH 30,000) where at least one of the statutory features is present, such as cash settlements or a cross-border transfer to certain jurisdictions.
  • Suspicious transactions — regardless of amount, where there is a suspicion that the funds are connected with money laundering or terrorist financing, or where the transaction has no obvious economic sense.

Reports are filed electronically within the periods set by law. Separately, there is a duty to keep documents and information on the client and transactions for at least 5 years after the business relationship ends or the transaction is carried out. This is critical: without documents, the entity cannot prove that CDD was carried out at all.

When a notary or attorney is exempt from reporting

This is a sensitive issue, and the law resolves it in favour of attorney-client privilege and the right to legal assistance. Under Article 10 of Law No. 361-IX, notaries, attorneys, law firms and bar associations, other providers of legal services, auditors and accounting-service providers are not obliged to report their suspicions where the relevant information became known to them in circumstances that are the subject of professional (attorney-client) privilege, or in connection with performing the functions of defence or representation of a client in court proceedings or pre-trial dispute resolution, or when advising on such defence or representation.

However, this exemption is not unlimited: it does not apply when the attorney or notary is directly involved in a transaction such as managing a client’s funds, buying or selling real estate, or creating or managing a legal entity — that is, when acting as a “financial intermediary” rather than as a defender. The line here must be assessed by the nature of the specific action.

Liability for breach

Liability for breaching AML legislation is set by Article 32 of Law No. 361-IX. Sanctions are imposed by the relevant state financial-monitoring subject (the regulator): for banks — the National Bank of Ukraine; for notaries, attorneys and real-estate agents — the Ministry of Justice of Ukraine; for other categories — the relevant state regulator or Derzhfinmonitoring.

The size of fines depends on the entity and the gravity of the breach. For banks, sanctions can reach substantial figures. For specially designated entities (notaries, real-estate agents, accountants) the amounts are more moderate but quite tangible, and systematic breaches may carry other consequences too — up to measures affecting the right to carry on the activity. The exact limits of the sanction for a specific breach should be checked against the current wording of Article 32, since the legislator periodically revises these provisions.

Common mistakes from expert practice

Analysing entities’ documents, I most often encounter the following defects:

  • Missing or merely formal internal AML/CFT rules — the rules are either not drawn up at all or copied from a template and do not match the entity’s actual activity.
  • Formal client identification — data copied from a passport “to tick the box”, with no verification, no UBO established and no risk assessment.
  • Ignoring the risk-based approach — the same minimal level of checking for everyone, including obviously high-risk clients.
  • Missing threshold transactions — the entity does not track the UAH 400,000 threshold and does not file the mandatory reports.
  • Improper document retention — after a deal closes, materials are not kept for the full 5 years, and the entity cannot confirm that it met its duties.
  • Misunderstanding one’s own status — the belief that “my activity doesn’t fall under this”, whereas under Article 6 the entity should have registered long ago.

Each of these mistakes on its own looks like a trifle, but together they form a picture from which an inspection easily proves systematic non-fulfilment of duties.


Primary financial monitoring is not bureaucracy for its own sake but a zone of real responsibility, where a formal approach costs dearly. If you are unsure whether your activity falls under these requirements, or you want to assess in advance how correctly your internal rules and CDD procedures are built, a considered consultation and a professional expert assessment will help you build a position on facts rather than assumptions. Get in touch — I will consider your question within the scope of my expert competence.

Need a forensic economic examination or a consultation?

Maryna Rudaia is a qualified court expert in three specialties. Write or call to discuss your case.

Read also