ROMANIA: An Introduction to FinTech Legal

Overview of the Fintech (R)evolution

One of the fastest growing economies in Europe, Romania has attracted significant interest from foreign companies to its fintech market. Romanian consumers have played a key role in this development, increasingly adopting financial technologies and becoming regular users of these services. As a result, Romania has witnessed substantial technological growth in recent years, driven by a growing demand for digital solutions and innovation across industries.

Over the coming year, we consider that the following legal issues might have an impact on the fintech market:

• A recent amendment to the Fiscal Code, currently awaiting presidential promulgation, introduces a temporary exemption from the 10% income tax on cryptocurrency profits for individual taxpayers. The exemption applies to income derived from the difference between revenues generated through digital asset investments and realised earnings. It will remain in effect until 31 July 2025. Social contributions towards health insurance (CASS) will still apply to gains exceeding specific thresholds.

• Following the entry into force of Directive (EU) 2022/2555 on measures to achieve a high common level of cybersecurity across the Union (the “NIS2 Directive”), the Romanian National Directorate for Cybersecurity (DNSC) published a draft Government Emergency Ordinance (GEO) on 15 October 2024, for public consultation. The draft aims to transpose the provisions of the NIS2 Directive into national legislation and shall subsequently be submitted to Parliament for debate and approval.

• Starting on 15 January 2025, the Digital Operational Resilience Act (“DORA”) enhances ICT resilience in the EU financial sector by requiring solid risk management frameworks, regular resilience testing, and clear oversight of third-party ICT providers. It mandates business continuity plans, secure cyber threat intelligence sharing, and strong governance, with penalties for non-compliance. Applicable to crypto-asset service providers (CASPs) and other financial entities such as credit and payment institutions, investment firms, trading platforms, and insurance businesses, DORA complements Regulation (EU) 2023/1114 (the “Markets in Crypto-Assets Regulation” or MiCAR) by ensuring operational stability and consumer protection.

Predominant Business Models

The Romanian fintech sector is dominated by digital payment and wallet services, which offer streamlined point-of-sale transactions, mobile payments and online transactions. Other notable business models include wealth management, personal finance platforms and investment tools that provide users with efficient income administration. Crowdfunding services have seen growth, with multiple players securing authorisations from the Financial Supervisory Authority.

Lending platforms also provide an alternative to traditional financial institutions, while crypto investments, decentralised finance (“DeFi”), and centralised finance (“CeFi”) transactions are steadily gaining traction, albeit they are still at a nascent stage.

Regulatory Framework for Open Banking

Open banking in Romania operates under Law No 209/2019, aligning with Directive (EU) 2015/2366 (the “Revised Payment Services Directive” or PSD2). It regulates three categories of third-party providers:

• payment initiation service providers, who facilitate direct transfers from payer to merchant accounts;
• account information service providers, who consolidate data from various user accounts; and
• card-based payment instrument issuers, who enable transactions via card-based tools linked to user accounts.

Strong customer authentication is mandated, ensuring secure payments through knowledge, possession and inherence factors.

Yet, we expect the legislative framework for open banking to be subject to amendments with the implementation of the Third Payment Services Directive (PSD3), as an update to PSD2. Currently at the proposal stage, which it has been since 28 June 2023, the PSD3 proposal is under review by the European Parliament and Council. The final adoption of this legislative package is expected in 2025.

Limited Network Exclusion for e-Money Activities

To engage in e-money activities in Romania, compliance with two key laws is required. First, authorisation from the National Bank of Romania is mandatory under Law No 210/2019, which governs e-money issuance. Second, the provision of payment services is regulated by Law No 209/2019, which aligns with the EU’s PSD2 and outlines the conditions for payment service providers.

Nevertheless, e-money activities are subject to the “limited network exclusion” provisions set forth in the PSD2. Thus, services initiated through particular payment instruments are not considered as e-money issuance or payment service activities if their use is limited to:

• the purchase of a very limited range of goods or services;
• transactions carried out exclusively on the premises of the issuer; or
• a closed network of providers with direct commercial arrangements with the issuer.

Ensuring AML Compliance and Reporting

Law No 129/2019 for preventing and combating money laundering and terrorist financing (the “AML” Law) transposes EU directives and applies to fintechs in sectors like payments, insurance, and e-money issuance. Aside from compliance for MiCAR grandfathering provisions, key obligations include:

• reporting suspicious and high-value transactions to the National Office for Preventing and Combating Money Laundering (ONPCSB);
• performing KYC and ultimate beneficial owner checks; and
• complying with Regulation (EU) No 910/2014 (eIDAS) for digital identification.

Fintechs must maintain solid infrastructure for information storage, retrieval, and compliance with customer due diligence and regulatory reporting requirements.

Upcoming Romanian Legislative Changes for CASPs (Draft GEO 2024)

The Government Emergency Ordinance (“GEO”) Draft transposes Directive (EU) 2015/849 (the 4th EU Anti-Money Laundering Directive), concerning information accompanying transfers of funds and certain crypto-assets.

The GEO replaces the term “virtual currency” with “crypto-asset” and introduces “crypto-asset service providers” (CASPs) as new reporting entities, thereby repealing the categories of providers of exchange services between virtual currencies and fiat currencies and digital wallet providers. It also updates the definition of “correspondent relationships” to include crypto-asset transactions, reflecting their growing role in financial markets.

The GEO establishes the Financial Surveillance Authority and the National Bank of Romania as the national competent authorities for oversight of CASPs, with responsibilities divided based on the nature of the provider.

Furthermore, the GEO imposes enhanced obligations on CASPs, including new risk assessment and mitigation requirements, additional due diligence measures for cross-border relationships, and specific compliance obligations for providers from other EU member states operating in Romania. The new regime also introduces sanctions for non-compliance with the newly introduced obligations, effective 30 days after the GEO’s entry into force.

Overall, the GEO represents an update to Romania’s AML framework, aligning it with EU standards, addressing the unique risks associated with crypto-assets, and reinforcing the country’s commitment to financial integrity.

This GEO Draft is currently in the final signatory phase, pending opinions from other relevant authorities, prior to its formal adoption by the government. The GEO will take effect on 30 December 2024, and all affected entities must ensure full compliance by this date.

Regulatory opportunity for Romanian market prior to obtaining a MiCAR licence

ESMA has clarified, through a specific Q&A, aspects of the MiCA transitional regime (the grandfathering clause under Article 143(3). This provision allows CASPs compliant with AML national regulations by 30 December 2024, to continue operations until 1 July 2026, or until a formal MiCA authorisation application and subsequent decision is reached, whichever comes first. While member states had, until June 2024, the option to limit this transitional period if their national frameworks were less stringent than MiCA, Romania did not indicate any intent to do so, at least not publicly.