Reaching corporate account data inside Privat24 for business

Ukraine switched its open banking provisions on for the first time on 1 August 2025, and Privat24 for business sits squarely inside the data those rules now cover. The app is PrivatBank's interface for legal entities and sole proprietors (package ua.privatbank.cb, per its Google Play listing), and it carries a dense set of server-side records: multi-currency account statements, contractor payments, electronic invoices, currency-exchange operations, tax obligations fed from the State Tax Service, payroll runs, and corporate-card limits. That is exactly the kind of authenticated backend a treasury, accounting, or ERP team wants to mirror. This page maps what is reachable and the route we would take to deliver it.

The bottom line: most of what a third party would want here is read-side account information, and that maps cleanly onto either a consented AIS connection under the new NBU regime or the bank's own AutoClient corporate flow, which has carried statements and payment import for years. We would build the statement and balance sync first because it is the highest-value, lowest-friction surface, then layer payment initiation behind the SmartID signature where a client needs it.

How we reach the data

Three routes apply to this app. They are not equal, and the right mix depends on whether you need read-only sync or outgoing payments.

Consented account information under NBU open banking

Since 1 August 2025, account-servicing providers in Ukraine must expose account data to authorised AIS providers through standardised interfaces, with the account holder's consent, on a real-time and free-of-charge basis once the basic-interface window closes. For a regulated, durable read-side feed this is the cleanest path. What is reachable: balances, transaction history, and account identifiers in scope of the consent. We handle the AIS-side onboarding and consent plumbing with you as part of the build.

Authorized AutoClient and protocol work

PrivatBank's AutoClient corporate flow issues a merchant id and token from inside the Privat24 for business "Autoclient" menu and returns statements, balances and outgoing payment creation. It is free to the account holder and well understood in the field. Where a surface is not covered by AutoClient, we analyse the app's own authenticated traffic under your authorization to map the request and response shapes. This is the route that works today and does not wait on AIS accreditation. The legacy public p24api XML service was retired in mid-2023, so anything built against it needs rework — we account for that.

User-consented credential access

For a single business syncing its own data, a consented session against the account holder's own login is the most direct option for surfaces the corporate flow does not expose — for example reporting status or document exchange. Durability is lower because it tracks the app front end, so we treat it as a supplement, not the foundation of a long-running feed.

For most clients we would put the consented AIS or AutoClient statement feed at the centre and reserve credential-session work for the few surfaces those two do not reach. The reason is durability: the regulated and corporate channels are built to persist, the session route is not.

What the app actually holds

What we hand over

The deliverable is a working integration, not a report. For Privat24 for business that typically means:

• An OpenAPI/Swagger spec describing the statement, balance and payment endpoints as we implement them, normalised to clean field names.
• A protocol and auth-flow write-up covering the AutoClient id/token pair, the consented AIS handshake, and where the SmartID qualified signature gates write actions.
• Runnable source for the core surfaces in Python or Node.js — statement pull with paging, balance read, and payment creation behind the signing step.
• Automated tests against captured fixtures, including the multi-currency and paging edge cases.
• Interface documentation plus data-retention and consent-logging guidance shaped to Ukrainian data-protection practice.

A statement pull, sketched

This is the shape of the AutoClient statement read for a corporate account. Host, headers and field names reflect the AutoClient flow and are confirmed against a live account during the build, not assumed.

# Privat24 for business — corporate statement read (illustrative)
# id + token are taken from the in-app "Autoclient" menu during onboarding
POST https://acp.privatbank.ua/api/statements/transactions
headers:
  id:    <ACP_MERCHANT_ID>
  token: <ACP_TOKEN>
  Content-Type: application/json
body:
  { "startDate": "01-05-2026", "endDate": "31-05-2026",
    "acc": "UA..." }            # omit acc to span all corporate accounts

# response (fields verified against the AutoClient flow during the build)
{ "status": "SUCCESS",
  "transactions": [
    { "AUT_MY_ACC": "UA..", "BPL_SUM": "1540.00", "CCY": "UAH",
      "DAT_OD": "2026-05-14", "OSND": "payment for invoice 118",
      "AUT_CNTR_NAM": "Counterparty LLC" } ],
  "exist_next_page": true,
  "next_page_id": "..." }       # cursor — loop until exist_next_page is false

# error handling: a non-SUCCESS status or empty token is retried with
# backoff; the next_page_id cursor is persisted so a restart resumes cleanly
      

Consent and the NBU rules

The governing framework is the National Bank of Ukraine's. Open banking entered force on 1 August 2025 through the Law of Ukraine "On Payment Services", with the NBU's Regulation on Open Banking adopted by Board Resolution No. 80 on 25 July 2025. Consent is the basis for access: an AIS provider reaches account data because the account holder authorised it, for a defined scope, with the right to revoke. The Payment Services regime also sets long data-retention duties on interaction records, which we design the logging around from day one.

Our posture is consent-first throughout. Access is authorized and logged, data pulled is minimised to what the use case needs, and an NDA covers the engagement where a client wants one. Outgoing payments and tax filings ride the SmartID qualified electronic signature, so we keep those write paths separate from read-only sync and never blur the two.

Build notes specific to this app

• AutoClient availability is tariff-linked — sole proprietors get it across plans, while legal entities have it on the Business Comfort and Business PRO tariffs, as PrivatBank describes the service. We scope the build to your tariff and sort access during onboarding.
• SmartID qualified electronic signature sits on every payment and report submission. We model that signing step as its own component so a read-only statement sync never touches it, and a payment integration carries a valid signature on each call.
• Accounts are multi-currency and the app runs live currency-exchange operations, so amounts and balances are normalised per currency code rather than summed blindly across an account.
• Because the public XML endpoint was retired in 2023 and the app front end evolves, we keep a re-check step in maintenance so a host move or a changed field name surfaces as a test failure instead of a silent gap in the feed.

Interface evidence

Screens from the Play listing, useful for mapping which surface backs which view. Select to enlarge.

How this map was put together

Checked in June 2026 against the app's Play Store listing and feature description, PrivatBank's own integration and AutoClient documentation, open-source AutoClient libraries, and primary coverage of the NBU open banking launch and Resolution No. 80. Sources opened:

• National Bank of Ukraine — Open Banking
• Open Banking to launch in Ukraine on 1 August 2025
• PrivatBank — Privat24 integration (AutoClient)
• Open-source Privat24 business statement client

Mapping reviewed June 2026 by the OpenBanking Studio integration desk.

Similar apps a unified feed would touch

Teams integrating Privat24 for business usually run accounts across several Ukrainian banks, so a normalised feed tends to span these neighbours. Listed for context, not ranked.

• monobank for business (FOP) — neobank corporate accounts with card and statement data behind an authenticated app session.
• PUMB Business: Online Banking — corporate accounts, payments and statements from one of the larger private-capital banks.
• UKRSIB business — UKRSIBBANK's app for entrepreneurs, holding account and payment records.
• Oschad 24/7 — the state Oschadbank channel, with business account and transaction history.
• Raiffeisen Business Online — Raiffeisen Bank's corporate banking with accounts, deposits and payments.
• Sense SuperApp — Sense Bank's app carrying account and card data for personal and business use.
• Термінал (Terminal) — a business finance app surfacing transaction and acquiring data.
• A-Bank — accounts, cards and payment records behind a consumer-and-SME app.

Questions integrators ask

Does Privat24 for business expose corporate statements in near real time, or only end of day?

Transactions read through the AutoClient flow are pulled by date range and returned page by page, so an integration can poll a short window every few minutes and stay close to real time rather than waiting for an end-of-day file. We design the sync window and paging cursor so nothing is missed or double-counted across polls.

Which Ukrainian regulator and scheme covers consented access to this account data?

The National Bank of Ukraine. Open banking provisions of the Law of Ukraine On Payment Services took effect on 1 August 2025, with the NBU Regulation on Open Banking adopted by Board Resolution No. 80 of 25 July 2025. Account information service (AIS) providers may reach a user's account data through standardised interfaces with the account holder's consent.

Can you initiate payments from Privat24 for business, or only read statements?

Both are in scope as separate tracks. A read-only sync stays within account-information scope. Outgoing payments depend on the SmartID qualified electronic signature the app uses to authorise transfers, so we model that signing step explicitly and keep it isolated from the read path.

Tax and reporting data is pulled from the State Tax Service inside the app — can that be synced too?

The app surfaces tax obligations, payment deadlines and report status drawn from the State Tax Service. That information rides the same authenticated session as statements, so it can be mirrored into an accounting or treasury system, with the caveat that tax-filing actions stay subject to the same qualified-signature step as payments.

One engagement runs on fixed delivery: we build the integration and you pay from $300 once the source is delivered and you are satisfied with it. The other is a hosted API you call and pay per call, with no upfront fee. Either way the cycle is 1–2 weeks, you give us the app name and what you need from its data, and we arrange access and compliance with you. Start the conversation at /contact.html.