Cybersecurity at the ATM: How Russia Plans to Stop Fraud at the Cash Machine

Starting in September 2025, Russian banks will introduce limits on ATM cash withdrawals without additional verification. Regular clients will be capped at 50,000 rubles within a 48-hour period, while suspected fraud-linked accounts (known as 'drops') will face a 100,000-ruble ceiling. In parallel, banks will roll out a unified database to track suspicious transactions and fraudulent schemes. A broader anti-fraud infrastructure is expected to go live across Russia’s financial system in 2026.

New ATM Withdrawal Limits Tied to Identity Verification

Currently, there are no legal restrictions preventing the use of ATMs to withdraw funds, even in cases of card theft or fraud. Bad actors exploit this regulatory gap by gaining access to victims’ cards or persuading them to hand over credentials.

Under the new framework, banks will be empowered to flag and temporarily block ATM withdrawals if fraud is suspected. Any sign that funds are being cashed out without the cardholder’s consent can trigger an automated restriction. For consumers, this offers added protection and reduced financial losses. For the country, it could enhance trust in its banking infrastructure and bolster the credibility of its fintech solutions. Globally, the initiative aligns with prevailing cybersecurity trends, although its isolated effect on international financial security may be limited.

Monitoring and Fraud Prevention Systems

Russia’s domestic monitoring tools are also positioned for export. A homegrown anti-fraud system could be adapted for use in CIS countries and emerging markets, with turnkey offers for foreign banks built on Russian fintech technology.

One can only hope that major banks will not only meet the law’s technical requirements, but also implement responsive services to help clients quickly unlock their accounts. For example, a dedicated hotline for users impacted by ATM withdrawal restrictions would be a step in the right direction

Artem Kopylov

attorney and partner at Pen & Paper law firm

Domestically, the system is set to integrate with law enforcement, the central bank, and mobile banking apps. Planned upgrades include AI-driven analytics and potential expansion into online payments and peer-to-peer transfers.

The Evolution of Fraud Defense in Russian Banking

In 2021, some banks began placing caps on card transactions to combat unauthorized withdrawals. For instance, Sber restricted SoftPOS mobile payments to 1,000 rubles. Alfa-Bank restructured its card authorization process, reducing reliance on SMS and push notifications.

From 2022 to 2023, banks deployed AI-based transaction monitoring. Sber’s fraud-detection AI began analyzing over 10 billion transactions monthly, identifying customers under possible manipulation and blocking risky operations. The system boasted an accuracy rate of 99.6%.

By 2024, the industry trend shifted toward API integration — similar to Europe’s PSD2 directive — enabling financial institutions to open APIs and facilitate fintech innovation. By early 2026, Russia will launch a nationwide system consolidating suspicious transaction data, fraud methods, and entities involved in illicit schemes.

Balancing Security and User Experience

A secure financial ecosystem will require modernization of verification mechanisms and stronger transaction protection. Russian banks, regulators and government entities are working toward a unified, secure digital platform. These controls aim to sharply reduce successful fraud attempts, rebuild public trust, and elevate the appeal of Russian cybersecurity products abroad.

However, overly strict cash withdrawal limits may frustrate users. Striking a balance between robust security and customer convenience will be essential.