The Romanian fintech market has good potential. Fintechs are one of the highest earners in the country, with a 31.8% share in overall start-up turnover. Plus, Romania is seeing a rise in fintech funding.
In light of its thriving fintech sector, Romania has been strengthening its AML (Anti-Money Laundering) regulations. Accordingly, in 2019 and 2020, the country transposed the EU’s anti-money laundering directives into national legislation.
Sumsub prepared this article to help businesses operating in Romania (or seeking to enter the Romanian market) navigate the AML compliance process.
- Who’s affected
- What are the AML regulations in Romania?
- What constitutes the crime of money laundering in Romania?
- How to get compliant
- KYC requirements in Romania
- Ongoing monitoring
- Key takeaway
The businesses that fall under Romanian AML regulations include:
- credit institutions;
- financial institutions;
- insurance companies;
- e-money institutions and payment institutions;
- exchanges of virtual currencies and fiat currencies;
- digital wallet providers;
- gambling service providers.
The full list of regulated entities is provided in Chapter II of Law no. 129/2019.
What are the AML regulations in Romania?
In 2020, some of the principles of the European Fifth AML Directive were implemented by Emergency Ordinance no. 111, which amended Law No. 129/2019 to subject Romanian crypto businesses to AML obligations.
Currently, the most notable Romanian AML regulations include:
- Law no. 129/2019 to prevent and combat money laundering and terrorism financing (“the AML Law”) and its amendments;
- Emergency Ordinance no. 111 of July 1, 2020 on amending and supplementing Law no. 129/2019 (“the Ordinance no. 111) and its amendments;
- National Bank of Romania Regulation No. 2/2019 on the prevention and sanctioning of money laundering and terrorism financing;
- Decision no. 564/2021 for the approval of the norms regarding the regulation, recognition, approval or acceptance of the procedure for identifying the person remotely using video means.
Also, on March 9th, 2021, Romania issued the Norms for the application of the AML Law clarifying the obligations of regulated businesses.
What constitutes the crime of money laundering in Romania?
According to the AML Law, a person acts unlawfully if they knowingly commit one of the following crimes:
- Exchanging or transferring criminal proceeds with intent to conceal or disguise their illicit origin;
- Hiding the true nature, source, location, provision, movement or ownership of criminal proceeds;
- Acquiring, possessing or using criminal proceeds.
The supervising authorities that mitigate the risks of money laundering in Romania are the National Office for Prevention and Control of Money Laundering (“the NOPCML”), the National Bank of Romania, the Financial Supervisory Authority, and the National Office for Gambling.
How to get compliant
Customer Due Diligence
Customer Due Diligence (CDD) is the process of collecting and verifying information about a customer during onboarding. Under AML Law, businesses in Romania are required to conduct standard CDD for their clients when:
1. Establishing a business relationship;
2. Carrying out an occasional transaction equal to or exceeding:
- €15,000 (or equivalent in RON), carried out as one or several connected operations;
- €1,000 for transfers at least partially carried out by electronic means;
3. Carrying out occasional cash transactions equal to or exceeding €10,000 (or equivalent in RON);
4. Receiving remittances or transfering funds equal to or exceeding €2,000 (or equivalent in RON) through a single operation.
For all above-mentioned cases (except in the case of electronic transfers), businesses must report to the NOPCML no later than within 3 working days.
Romanian AML Law also describes cases when businesses may not apply CDD measures, such as electronic money transfers occurring under the following conditions:
- the payment instrument isn’t rechargeable/has a maximum limit of €150 for monthly payment transactions, which can only be used in Romania;
- the maximum amount stored electronically doesn’t exceed €150;
- the payment instrument is used exclusively to purchase goods or services;
- the payment instrument can’t be financed with anonymous electronic money.
Also, CDD isn’t required when the issuer of the payment instrument performs transaction monitoring.
Enhanced Due diligence
Businesses in Romania must apply Enhanced Due Diligence (EDD) in situations with a high risk of money laundering. This includes business relationships and transactions with:
- persons from countries included in the FATF NCCT list;
- publicly exposed persons (PEPs) or clients whose real beneficiaries are PEPs;
- persons established in third countries identified by the European Commission as high-risk third countries.
Correspondent relations with financial institutions in other EEA member states or third states must also imply EDD measures.
The AML Law specifies the EDD measures to be applied in cases of correspondent relations as well as during the onboarding of persons on PEP lists.
EDD measures for PEPs
If there are occasional transactions or business relationships with PEPs or legal persons who have PEPs as their beneficial owners, businesses must apply the following measures in addition to standard CDD:
- obtaining the approval of senior management for establishing or continuing business relations;
- taking appropriate measures to establish the source of the wealth and funds involved in business relations or transactions;
- carrying out increased monitoring of the business relationship on a permanent basis.
These measures must also apply to family members or persons known to be close associates of PEPs.
EDD measures for correspondent relations
In case of correspondent relations with financial institutions of other EU member states or third states, businesses must apply the following additional measures:
- obtaining information about the respondent institution on the nature of its activity and its reputation;
- obtaining sufficient information on the quality of supervision to which the respondent institution is subject;
- assessing the AML/CFT mechanisms implemented by the respondent institution;
- obtaining the approval of senior management before establishing each new correspondent relationship;
- establishing responsibilities of each party.
Businesses must ensure that the respondent institution applies KYC measures on an ongoing basis if the correspondent account is directly accessible to the customer.
KYC requirements in Romania
Know Your Customer (KYC) is the process of identifying and verifying customers. Businesses need to follow KYC requirements when working with their customers.
Identification of natural persons
For the identification of natural persons, Romanian businesses must obtain the following information:
- name and surname;
- date and place of birth;
- personal numerical code or another similar unique identifier;
- address and the legal status;
- occupation and the name of their employer or the nature of their activity;
- telephone number, fax, e-mail address, if applicable;
- source of funds.
Also, information on the purpose and nature of the business relationship with the customer must be obtained.
Identification of legal persons
For the identification of legal entities, Romanian businesses must inquire for information about beneficial owners.
Determining the beneficial owner
Under Romanian AML Law, the beneficial owner of a company can be direct or indirect.
A direct beneficial owner is a natural person who exercises ownership or control over a company by one of the following criteria:
- holding 25% + one* of shares;
- participating in more than 25% of a company’s capital;
An indirect beneficial owner is a natural person who owns or controls a foreign company that holds 25% + one of shares* of a Romanian company or participates in more than 25% over a Romanian company’s capital.
If there are no persons matching above mentioned criteria, the beneficial owner is a natural person who holds a senior management position; for example, the director/directors or the members of the board of directors/supervisory board.
*meaning amount of shares must exceed, but not be equal to 25%
The minimum information obtained about the beneficial owner must include:
- basis of beneficial ownership;
- name and surname;
- date and place of birth;
- their personal numerical code or another similar unique identifier;
- the country in which they live;
- the nature of their activity.
Businesses in Romania must implement ongoing verification of the accuracy of obtained KYC data. This is crucial to ensure that the client’s established risk profiles are correct and that the monitoring process is efficient.
If businesses fail to comply with the obligations prescribed by the AML Law, they may be subject to fines of up to 150,000 RON (app. €30,000) or imprisonment from 3 to 10 years.
Romania’s AML regulations have broad implications for traditional and crypto businesses, both domestic and foreign. We’ll continue to track AML changes in Romania and will update this article on an ongoing basis. Save it to your reading list so you don’t miss any important news.