May 20, 2022
5 min read

How to Comply with AML Regulations in Romania (Must Read for Fintech Start-ups)

Everything that businesses seeking to operate in Romania need to know about their AML obligations.

The Romanian fintech market has good potential. Fintechs are one of the highest earners in the country, with a 31.8% share in overall start-up turnover. Plus, Romania is seeing a rise in fintech funding.

In light of its thriving fintech sector, Romania has been strengthening its AML (Anti-Money Laundering) regulations. Accordingly, in 2019 and 2020, the country transposed the EU’s anti-money laundering directives into national legislation.

Sumsub prepared this article to help businesses operating in Romania (or seeking to enter the Romanian market) navigate the AML compliance process.

Who’s affected

The businesses that fall under Romanian AML regulations include:

  • credit institutions;
  • financial institutions;
  • insurance companies;
  • e-money institutions and payment institutions;
  • exchanges of virtual currencies and fiat currencies;
  • digital wallet providers;
  • gambling service providers.

The full list of regulated entities is provided in Chapter II of Law no. 129/2019.

Branches of financial, credit, e-money, and payment institutions from other member states of the EEA are also subject to AML obligations if they operate in Romania.

What are the AML regulations in Romania?

In 2019, Romania transposed the Fourth European AML Directive into Law No. 129/2019. The law defined the crime of “money laundering” and set the list of regulated businesses and their obligations.

In 2020, some of the principles of the European Fifth AML Directive were implemented by Emergency Ordinance no. 111, which amended Law No. 129/2019 to subject Romanian crypto businesses to AML obligations.

Currently, the most notable Romanian AML regulations include:

  1. Law no. 129/2019 to prevent and combat money laundering and terrorism financing (“the AML Law”) and its amendments;
  2. Emergency Ordinance no. 111 of July 1, 2020 on amending and supplementing Law no. 129/2019 (“the Ordinance no. 111) and its amendments;
  3. National Bank of Romania Regulation No. 2/2019 on the prevention and sanctioning of money laundering and terrorism financing;
  4. Decision no. 564/2021 for the approval of the norms regarding the regulation, recognition, approval or acceptance of the procedure for identifying the person remotely using video means.

Also, on March 9th, 2021, Romania issued the Norms for the application of the AML Law clarifying the obligations of regulated businesses.

What constitutes the crime of money laundering in Romania?

According to the AML Law, a person acts unlawfully if they knowingly commit one of the following crimes:

  1. Exchanging or transferring criminal proceeds with intent to conceal or disguise their illicit origin;
  2. Hiding the true nature, source, location, provision, movement or ownership of criminal proceeds;
  3. Acquiring, possessing or using criminal proceeds.

The supervising authorities that mitigate the risks of money laundering in Romania are the National Office for Prevention and Control of Money Laundering (“the NOPCML”), the National Bank of Romania, the Financial Supervisory Authority, and the National Office for Gambling.

How to get compliant

Customer Due Diligence

Customer Due Diligence (CDD) is the process of collecting and verifying information about a customer during onboarding. Under AML Law, businesses in Romania are required to conduct standard CDD for their clients when:

1. Establishing a business relationship;

2. Carrying out an occasional transaction equal to or exceeding:

  • €15,000 (or equivalent in RON), carried out as one or several connected operations;
  • €1,000 for transfers at least partially carried out by electronic means;

3. Carrying out occasional cash transactions equal to or exceeding €10,000 (or equivalent in RON);

4. Receiving remittances or transfering funds equal to or exceeding €2,000 (or equivalent in RON) through a single operation.

For all above-mentioned cases (except in the case of electronic transfers), businesses must report to the NOPCML no later than within 3 working days.

Romanian AML Law also describes cases when businesses may not apply CDD measures, such as electronic money transfers occurring under the following conditions:

  • the payment instrument isn’t rechargeable/has a maximum limit of €150 for monthly payment transactions, which can only be used in Romania;
  • the maximum amount stored electronically doesn’t exceed €150;
  • the payment instrument is used exclusively to purchase goods or services;
  • the payment instrument can’t be financed with anonymous electronic money.

Also, CDD isn’t required when the issuer of the payment instrument performs transaction monitoring.

Enhanced Due diligence

Businesses in Romania must apply Enhanced Due Diligence (EDD) in situations with a high risk of money laundering. This includes business relationships and transactions with:

Correspondent relations with financial institutions in other EEA member states or third states must also imply EDD measures.

The AML Law specifies the EDD measures to be applied in cases of correspondent relations as well as during the onboarding of persons on PEP lists.

EDD measures for PEPs

If there are occasional transactions or business relationships with PEPs or legal persons who have PEPs as their beneficial owners, businesses must apply the following measures in addition to standard CDD:

  1. obtaining the approval of senior management for establishing or continuing business relations;
  2. taking appropriate measures to establish the source of the wealth and funds involved in business relations or transactions;
  3. carrying out increased monitoring of the business relationship on a permanent basis.

These measures must also apply to family members or persons known to be close associates of PEPs.

EDD measures for correspondent relations

In case of correspondent relations with financial institutions of other EU member states or third states, businesses must apply the following additional measures:

  1. obtaining information about the respondent institution on the nature of its activity and its reputation;
  2. obtaining sufficient information on the quality of supervision to which the respondent institution is subject;
  3. assessing the AML/CFT mechanisms implemented by the respondent institution;
  4. obtaining the approval of senior management before establishing each new correspondent relationship;
  5. establishing responsibilities of each party.

Businesses must ensure that the respondent institution applies KYC measures on an ongoing basis if the correspondent account is directly accessible to the customer.

KYC requirements in Romania

Know Your Customer (KYC) is the process of identifying and verifying customers. Businesses need to follow KYC requirements when working with their customers.

Identification of natural persons

For the identification of natural persons, Romanian businesses must obtain the following information:

  • name and surname;
  • date and place of birth;
  • personal numerical code or another similar unique identifier;
  • address and the legal status;
  • citizenship;
  • occupation and the name of their employer or the nature of their activity;
  • telephone number, fax, e-mail address, if applicable;
  • source of funds.

Also, information on the purpose and nature of the business relationship with the customer must be obtained.

Identification of legal persons

For the identification of legal entities, Romanian businesses must inquire for information about beneficial owners.

Determining the beneficial owner

Under Romanian AML Law, the beneficial owner of a company can be direct or indirect.

A direct beneficial owner is a natural person who exercises ownership or control over a company by one of the following criteria:

  • holding 25% + one* of shares;
  • participating in more than 25% of a company’s capital;

An indirect beneficial owner is a natural person who owns or controls a foreign company that holds 25% + one of shares* of a Romanian company or participates in more than 25% over a Romanian company’s capital.

If there are no persons matching above mentioned criteria, the beneficial owner is a natural person who holds a senior management position; for example, the director/directors or the members of the board of directors/supervisory board.

*meaning amount of shares must exceed, but not be equal to 25%

The minimum information obtained about the beneficial owner must include:

  • basis of beneficial ownership;
  • name and surname;
  • date and place of birth;
  • their personal numerical code or another similar unique identifier;
  • the country in which they live;
  • citizenship;
  • the nature of their activity.

Detect high-risk users with Sumsub’s solutions for AML screening and ongoing monitoring against global watchlists, sanctions, PEP lists, and adverse media.

Ongoing monitoring

Businesses in Romania must implement ongoing verification of the accuracy of obtained KYC data. This is crucial to ensure that the client’s established risk profiles are correct and that the monitoring process is efficient.


If businesses fail to comply with the obligations prescribed by the AML Law, they may be subject to fines of up to 150,000 RON (app. €30,000) or imprisonment from 3 to 10 years.

Key takeaway

Romania’s AML regulations have broad implications for traditional and crypto businesses, both domestic and foreign. We’ll continue to track AML changes in Romania and will update this article on an ongoing basis. Save it to your reading list so you don’t miss any important news.

Let Sumsub help your company stay compliant with national KYC/AML requirements. Get in touch with us today.

AMLCDDEDDFinancial InstitutionsFintechGamblingKYCSanctionsVirtual Assets