Fintech 2024 Comparisons

Considered one of the countries in Europe with the highest economic growth rate, the interest of foreign companies in the fintech Romanian market has increased. An important role in this development process has also been played by Romanian consumers, who have discovered the benefits of financial technologies, becoming frequent users of the services. Therefore, Romania has experienced strong technological development in the past several years, being boosted by the remote work of the COVID-19 pandemic.

For the next 12 months, the authors believe that the following legal issues might have an impact on the fintech market:

• following the entry into force of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cyber security throughout the Union (the “NIS 2 Directive”), Romania will integrate it into national legislation from October 2024, according to the timetable of the General Cabinet of the Romanian government;
• Law No 296/2023 on fiscal-budgetary measures to ensure Romania’s long-term financial sustainability, introduced on 1 January 2024 the national invoicing system, “E-invoice”, which requires all economic operators to transmit in electronic format the invoices issued in B2B relations to the financial administration. In this respect, it is worth monitoring how fintechs will integrate this service to facilitate the use of it by operators;
• on 28 June 2023, a plan to amend the Second Payment Services (PSD2) Directive, namely PSD3, was proposed by the European Commission at the EC level. It aims to combat and reduce payment fraud and improve consumer rights, the conditions of competition between banks and the non-bank sector, the functioning of open banking services, cash availability in shops and ATMs, as well as improving the payments compliance enforcements; and
• regarding markets in crypto assets regulation – deadlines are set for digital assets service providers, which will typically come into force by December 2024, unless the government uses a derogatory period of a maximum of 18 months.

Among the fintech business models, digital payment and digital wallet services are the predominant and increasingly used, considering the ease of making payments via POS, directly from a mobile phone/smartwatch, or online payments.

Other frequently-used services include:

• wealth management, personal finance, investments through web/mobile applications that allow users to facilitate the management and administration of their incomes;
• crowdfunding services which are developing at national level, with more and more players entering the market and obtaining the necessary authorisations from the FSA;
• lending, representing an accessible alternative for obtaining loans, without having to deal with traditional institutions or intermediaries; and
• crypto investments (managed or discretionary), decentralised finance (DeFi) and centralised finance (CeFi) transactions with digital assets, and some timid initial token offerings in the past 24 months.

All these services are used in B2C, B2B, peer-to-peer (P2P) and other types of business relations.

Moreover, even traditional players are choosing to use these types of business models and new servicing to keep pace by creating mobile applications (eg, online banking) that facilitate access to banking services and ensure their security through biometric authentication/two-step verifications. Neo-banking and payment service providers are very much used, with one major EU player describing Romania as among their top three markets worldwide.

As a general rule, the Romanian regulation does not contain regulatory regimes that expressly refer to and apply to fintech companies. It is preferable to consider the business model of the fintech company and the activity carried out. The legislation applicable to traditional players in the sector seems to have an impact on fintech companies as well, mainly represented by EU regulations and national laws aimed at transposing EU directives. To the extent that the services of fintech companies fall within the scope of authorised activities such as digital payment services, e-money activities, banking, financial investment services and lending, then regulatory compliance should be implemented by fintech companies.

As an exception, crowdfunding has a distinct regulation from other services. In addition to the application of the EU Regulation 2020/1503, at national level is the Law No 244/2022 on measures to implement the above-mentioned regulation.

Providing specific services of fintech businesses may lead, especially in B2C relations, to the application of national consumer protection law. According to the Government Ordinance No 21/1992 on consumer protection, the consumer is defined as any natural person purchasing a service for personal, non-commercial purposes. Therefore, fintech companies providing services should comply with the legal requirements regarding the information provided to the customer about the price applied, the method of payment and the risks. Likewise, directives integrated into national legislation, such as PSD2 Directive, require pre-contractual information.

The authors are not aware of any pre-established compensation models whereby customers are charged, as these are an expression of contractual freedom. Therefore, models such as one-off payments at the beginning of the collaboration, monthly payments based on services provided, but also constant payments in the form of commissions for any operation performed/intermediated are identified. There as also been an increase in new models, such as buy-now-pay-later in the consumer goods area/e-commerce space, whereas the compensation model relies mostly on the business model of the e-commerce platform.

The statements in 2.2 Regulatory Regime remain applicable. Due to the fact that in Romania there is no particular legislation regarding fintech companies, they operate in accordance with the legislation applicable to traditional players, without having any specific waivers regarding operation/authorisation.

Even though at the national level, regulators have not approved the establishment of a regulatory sandbox, the National Bank of Romania (NBR) and Financial Supervisory Authority (FSA), the main regulators in the banking and non-banking sector, created the Fintech Innovation Hub and the Fintech Hub. These are designed to encourage and support regulated entities or other interested companies or individuals to develop market innovative financial products and services.

Thus, those interested will have to submit a project presentation form and the ones showing potential will be reviewed. Thereafter, meetings will take place with the authorities’ representatives to provide guidance and counselling for the implementation of innovative solutions and project development. However, simply making the submission through these hubs does not imply approval of the project by the regulators.

Romania does not have a single regulatory authority for industry participants. Depending on the business model of each fintech company, the following main regulatory authorities exist.

• The NBR, which is responsible for the authorisation, regulation and supervision of credit institutions, payment systems, electronic money issuers, online banking and other areas of financial banking, with the aim of ensuring financial stability.
• The FSA, which contributes to the development of an integrated framework for the functioning and supervision of non-banking financial markets, participants and operations in these markets (eg, investment services, wealth management, insurance, crowdfunding).

In some cases, conducting business involves intersecting with other non-financial legislation regulators. Among these are the following (for more details see 2.10 Implications of Additional, Non-financial Services Regulations):

• National Supervisory Authority for Personal Data Protection;
• National Authority for Consumer Protection;
• National Cyber Security Authority; and
• The Anti-Money Laundering Authority.

Outsourcing fintech means that companies hire external service providers to handle a segment of their activities that would otherwise be taken over by the company itself. The aim is to reduce the workload in non-core activities and save money for fintech companies that can be reinvested in their core functionalities.

As a general rule, outsourcing is allowed as long as it does not affect the mandatory requirements for licensing, authorisation and operation of financial institutions. Depending on the main field of activity, there might be legal limitations at both local and European level. For example, payment institutions or e-money institutions have to comply with the provisions imposed by the NBR Regulation No 4/2019 on payment institutions and the EBA outsourcing guidelines. On the other hand, investment and credit institutions may be subject to the application of European Securities and Markets Authority (ESMA) guidelines on outsourcing to cloud service providers and Authority for Financial Surveillance (ASF) internal rules No 21/2021, applying ESMA guidelines.

They establish an obligation on regulated firms to assess the outsourcing service provider and make the necessary checks for suitability, assess the risks associated with outsourcing and implement measures to manage them, paying particular attention to critical or important functions that have been outsourced. They shall monitor business performance, security measures and the outsourcing provider’s compliance with agreed service levels.

Where core functions specific to the regulated activities are outsourced, the outsourcing service provider must also hold the necessary authorisations from the regulator for those activities.

It is essential that these obligations be respected, as the occurrence of any incidents will make the outsourcing financial institution subject to liability.

The implementation of the Digital Market Act on 2 May 2023, marks a significant shift in regulating online platforms, introducing the concept of “gatekeepers”. These influential entities, spanning online search engines, app stores, and social networks, are subject to specific criteria to be classified as gatekeepers:

• demonstrating a robust economic position, significant impact on the internal market, and activity across multiple EU countries;
• holding a strong intermediary position by connecting a substantial user base with numerous businesses; and
• maintaining a consolidated and sustainable market position over the last three financial years.

Gatekeepers now bear additional responsibilities to ensure a fair online environment for businesses and consumers. The legislation mandates specific obligations, both affirmative and restrictive, to guide gatekeeper behaviour.

Among the affirmative obligations:

• enabling easy uninstallation of pre-installed apps or changing default settings;
• allowing the installation of third-party apps or app stores;
• facilitating user unsubscribing from core platform services; and
• encouraging third-party interoperability and business user promotion outside the platform.

Conversely, the legislation restricts gatekeepers from:

• using business users’ data when competing with them on the platform;
• favouring the gatekeeper’s products over third-party offerings; and
• tracking end users for targeted advertising without effective consent.

Non-compliance with these regulations exposes gatekeepers to significant penalties, including fines of up to 10% of their total worldwide annual turnover, escalating to 20% for repeated infringements.

Fintech companies must be responsible in carrying out their activities, and it is necessary to ensure the protection and security of data, information about participants and their activities. There is a need to ensure and verify all actions carried out to be compliant with local and European legislation. The main risk in this area is represented by illegal money laundering activities and the providers have an obligation to prevent and report them. Not respecting these obligations by providers shall result in application of the aforementioned sanctions.

Regarding participants in the fintech industry, the authors could not identify any particular significant enforcement actions issued by regulators. It is considered that general sanctions issued by the NBR and the FSA could be applicable as well, being mainly written warnings, fines, as well as action plans to remedy the violations found.

Furthermore, in accordance with Law No 129/2018 and the General Data Protection Regulation No 216/679, the National Supervisory Authority for Personal Data Processing (ANSPDCP) possesses the authority to levy fines, taking into account the gravity of the breaches and their adverse effects on individuals’ fundamental rights. Additionally, ANSPDCP has the power to prohibit particular activities or entirely dissolve entities found guilty of severe data protection violations. In cases of repeated or serious violations, the authority may mandate heightened monitoring of the responsible entities’ activities to ensure adherence to regulatory standards.

As an illustration of Enforcement Actions, two recent cases involving the aforementioned ANSPDCP are highlighted here. In 2022, Banca Transilvania, a bank ranked among the top 300 in the 2023 edition of the Brand Finance Banking 500, was penalised with a fine of EUR100,000 for breaching Article 32, paragraphs (1) and (2), in conjunction with Article 5, paragraph (1) (f) of the GDPR. Moreover, in 2023, the same regulatory authority conducted an investigation into Rompetrol Downstream SRL, a company that is part of the KMG International Group, uncovering breaches of data protection regulations under Article 32, paragraph (4) of the GDPR. The company faced a fine of approximately EUR110,000 for unauthorised access and use of customers’ personal data. In this regard, the authority highlighted the company’s failure to implement adequate measures, emphasising the lack of technical and organisational safeguards for data security in relation to processing risks.

Specific regulations in non-financial services may also apply to participants in the fintech industry, as a result of the way they operate their business, without being different from traditional players. In summary, the following is applicable.       

General Corporate Law

In general, fintech companies are mostly private entities with legal personality. In this sense, they are registered and operate in compliance with the Law of companies No 31/1990.

Consumer Protection

Fintech industry players that offer B2C services must comply with the rules of consumer protection legislation, as long as the buyer is a natural person using the service for personal and non-commercial purposes. These rules include conditions for granting safe loans for consumers, protection against unlawful contract terms, the way in which the relationship between the professional and the consumer is carried out, as well as obligations to inform the consumer about the benefits and risks of the service offered.

In addition, companies will also have to consider the entry into force in February 2024 of the EU Digital Services Act (DSA), which applies to a wide range of intermediary services provided in the EU. These services encompass online marketplaces, web-hosting services, cloud services, search engines, and social media platforms.

The DSA introduces information requirements that complement existing obligations. Specifically, these requirements entail providing information about:

• the types of content that users are prohibited from uploading to the digital service, such as online platforms, or the circumstances under which content may be removed from the service; and
• the policies, procedures, measures, and tools employed for content moderation purposes, which may include both algorithmic decision-making and human review.

Data Protection

In cases where fintech business models interact with the personal data of individual users as part of their activities, such as in an investment/personal finance service where banking data, personal identification data may be provided, then the provisions of the GDPR Regulation, and Law No 128/2018 implementing the Regulation shall apply. Data such as names, unique identification numbers, specific elements of physical, psychological, economic nature will be able to be collected, processed, used in the company’s activity, only in compliance with the conditions expressly provided by law (in most cases the express consent of the person is required). By way of exception, the Regulation allows certain cases where operations on personal data may be carried out without the consent of the individuals.

Cybersecurity

Law No 362/2018 on ensuring a high common level of security of networks and information systems, applies to essential services at national level. These include economic services or services that are carried out on a large scale in society through networks/information systems, in addition to banking and non-banking financial services carried out through the fintech industry. Thus, companies shall fulfil the technical requirements developed by the National Centre of Cybersecurity and the suitable and proportionate technical and organisational measures to meet minimum security requirements. Failure to comply with these obligations attracts sanctions in the form of warnings and fines.

eIDAS Regulation

By providing a legal framework for electronic identification and trust services, the fintech industry is influenced to take steps to comply with it. This regulation helps businesses and citizens to engage in safe and secure electronic interactions and has the potential to increase security and trust in services such as digital financial transactions.       

As mentioned in 2.6 Jurisdiction of Regulators, the examination of industry participants is carried out by regulators to verify compliance with licensing and operating requirements. In addition, examinations may also be carried out by private third parties, internal/external audit firms, consultancy firms in various fields like legal or technology, which provide checks and reports on the company’s situation in order to protect the interests of clients and to develop the fintech company. If a threshold is achieved, then joint stock fintech companies must be audited by law, but this is not necessarily a specific feature of fintech businesses (which can operate as joint stock or limited liability companies).        

Fintech industry players may combine the provision of both non-regulated and regulated services, unless they exceed the scope of activity for which they have been authorised. This practice is quite common among fintech companies seeking to offer a range of banking or non-banking financial services.

The structure through which these products and services are offered can differ. Some fintech companies provide them through the same legal entity, under the same brand or platform. In this case, the company must comply with the specific rules and regulations for each type of service offered. In other cases, companies may create separate legal entities to manage the different types of products and services, each operating under its own regulations and authorisations.   

More specifically, for example, in the case of payment service providers, exclusions and exemptions apply based on the PSD2 directive and its implementation via national legislation (eg, the commercial agent exclusion, or the limited network exception, or the average value of the payment transactions).

For crypto-assets service providers, Markets in Crypto-Assets Regulation (MiCAR) introduces a new array of requirements for licensing. However, MiCAR does not wish to impose excessively on the new projects, which are not regarded as crypto-asset service providers, and use tokens within their Web3 business models. Hence a Web3 start-up that develops its tokenomics based on the utility token model, does not require a licence, unless its token qualifies as e-money, or as a financial instrument as per Markets in Financial Instruments Directive II (MiFID II) and ESMA’s guidance on the topic. 

Passporting is an important EU instrument for free provision of services, however, as a general rule, exceptions and exclusions do not “travel” across the EU.

Fintech companies are not subject to specific regulations (see 2.3 Compensation Models), but are subject to existing laws and regulations for traditional players, depending on their specific activity. AML rules have an impact on the fintech industry when the services provided are specific to institutions that are required to be authorised by regulators. Fintech players carrying out activities that are not even subject to the authorisation regime under the traditional player’s legislation may need to pay more attention to prevent behaviours that could encourage money laundering.

The main AML legislation is Law No 129/2019 and GEO No 111/2021, which transpose the relevant European AML Directives. These laws, in addition to implementing provisions issued by regulators and supervisors, such as NBR Regulation No 9/2019 and FSA Regulation No 13/2019, determine the rules’ application framework. In conclusion, AML legislation applies to fintech companies operating in areas such as insurance, investment funds, investment firms, credit institutions, payment institutions and e-money issuers.

The AML rules also involve measures of digital customer identification as part of the KYC process, through means such as remote video identification and trust services. This has the effect of requiring regulated institutions to also comply with the provisions of the eIDAS Regulation. Therefore, fintech companies involved in regulated activities should have KYC procedures and apply KYC measures in relation to their customers.

Robo-advisers are not specifically regulated in Romania, with the software operating mostly in financial investment services companies. In this sense, robo-advisers do not generate a new type of business model that requires different conditions for the authorisation of investment firms. They represent the technological innovation element of these firms, which replaces classical business conduct through individual advisers with actual algorithms.

In this sense, the applicable law will be determined by the main business model and the product provided, and not by the way it is obtained. Any entity using robo-advisers in the provision of regulated financial services, such as investment advice or portfolio management, may be subject to the requirements set out in the Romanian legislation derived from MiFID II, including Law 126/2018 on Markets in Financial Instruments and related legislation.

For traditional players, the presence of robo-advisers generates competition. Looking ahead, the eventual adoption of automated or AI-supported financial and investment advice is inevitable. Therefore, traditional players are increasingly exploring ways to incorporate robo-advice applications into their own offerings or to collaborate with start-ups and specialist service providers. One example is provided by some long-established banking institutions in Romania, which have created their own online banking applications, which include chatbots, to provide help to customers, including helping them apply for a loan.

As mentioned in 3.1 Requirement for Different Business Models, there does not seem to be a regulatory difference between traditional investment firms and those using robo-advisers. Therefore, the legal framework does not change, so the obligations and conditions for executing trades regarding the customer, as well as the sanctions for non-compliance will remain under the MiFID II Directive and the implementing Law No 126/2018.

In Romania, there are significant differences in the business and regulation of loans to individuals, small businesses, and others.

Lending to individuals is subject to consumer protection regulations, such as the law on consumer loans, in order to ensure fair and transparent lending practices.

For online lending, there are additional stipulations, such as consumer data privacy and KYC procedures.

There are specific regulations related to small business lending, including restrictions on credit activities to the benefit of directors and officers, as well as particular requirements for dealing with borrowers that fall behind with their payments.

Moreover, the NBR has also made environmental, social, and governance (ESG) considerations part of the loan origination process. This means that credit institutions are required to include ESG factors and related risks in their policies and procedures.

In Romania, underwriting processes for the financial industry are influenced by both national legislation and EU regulations. As a member state of the EU, Romania’s regulatory framework is based on EU directives and regulations, such as Directive 2013/36/EU and the AML Directive, transposed into Romanian legislation through Law No 129/2019.

The NBR is responsible for regulating and supervising the banking sector in the country. It has issued various regulations and guidelines to ensure compliance with EU directives and to maintain a stable financial system. For example, the NBR has issued regulations regarding credit institutions, capital adequacy, and own funds of credit institutions and investment firms.

Sources of funding for loans in Romania include credit institutions, non-banking financial institutions licensed by the National Bank of Romania and payment institutions to provide credit activities and payment services within the territory of Romania according to Article 28 of the Directive (EU) 2015/2366.

In Romania, syndicated loan facilities are accessible, especially for large companies, or large transactions – joint-ventures. Nevertheless, the process of concluding such loans does not currently take place through online channels.

In Romania, payment processors have the option to utilise established payment rails or innovate by creating and implementing new ones.

Existing systems are governed by Law No 253/2004 on settlement finality in payment and securities settlement systems, aligned with Directive 98/26/EC. These encompass the ReGIS system, facilitating real-time settlement for substantial or urgent payment instructions initiated by banks and credit institutions.

Additionally, the SENT system functions as an electronic clearing system for small-value payment instructions exchanged between credit institutions and the State Treasury.

TARGET2-Romania, part of the Eurosystem, provides a real-time gross settlement system for euro payments. Although connecting to TARGET2 is mandatory upon joining the euro area, the NBR chose to establish this connection before euro adoption.

Conversely, newer payment rails like instant payments and blockchain transfers have surfaced, offering payment processors the flexibility to choose between existing and innovative systems.

The regulation of cross-border payments and remittances in Romania is influenced by EU directives and domestic laws. The EU has instituted measures to standardise fees for cross-border payments in euros and their equivalents in national currencies.

The adoption of the PSD2 by the European Commission aimed at establishing an efficient and unified market for payment services, ensuring consistent regulation of cross-border payments and remittances across the EU. In Romania, the enactment of Law No 209/2019 reflects the implementation of the PSD2.

Furthermore, Regulation (EU) 2021/1230, endorsed by the European Parliament and the Council on 14 July 2021, delineates guidelines on fees associated with cross-border payments and enhances transparency regarding currency conversion charges within the EU.

Regulatory oversight is applied to fund administrators in Romania. The regulation of fund administrators depends on their activities and the type of funds they manage.

Law No 74/2015 delineates the regulatory framework for marketing endeavours carried out by both EU and non-EU Alternative Investment Fund Managers (AIFMs) in Romania. It specifies the parameters for offering or placing units of an Alternative Investment Fund (AIF) managed by them to investors domiciled or headquartered in a member state.

Law No 243/2019 establishes the legal groundwork for the formation, authorisation, and operation of AIFs. This legislation introduces distinct frameworks for two types of entities created under its purview: AIFs catering to professional investors and AIFs tailored for retail investors. It also sets forth specific conditions governing the distribution of AIFs to retail investors.

Furthermore, the FSA plays an important role in the regulation of fund administrators in Romania. This encompasses the licensing and ongoing supervision of these administrators. The FSA also ensures compliance with the relevant EU directives and regulations, such as the UCITS Directive and the Alternative Investment Fund Managers Directive (AIFMD). 

In Romania, contractual terms imposed by fund advisers on fund administrators are influenced by a combination of regulation and industry customs.

Certain general and statutory requirements are in place to ensure the integrity and security of outsourced functions. In the EU, including Romania, these requirements are often outlined in directives and regulations such as the AIFMD.

In line with the provisions of Law No 129/2019 and Law 126/2018, Romania allows various categories of marketplaces and trading platforms.

• securities exchanges;
• multilateral trading facilities (MTFs);
• organised trading facilities (OTFs); and
• cryptocurrency exchanges.

For securities exchanges, MTFs, and OTFs, obtaining authorisation from the FSA is a requisite step. Cryptocurrency exchanges operate under the obligation of registering with the National Office for Prevention and Control of Money Laundering (ONPCSB), but do not require at present a specific crypto licence, as in many other EU countries. MiCAR will change that.

Different asset classes in Romania may be subject to distinct regulatory regimes. The regulatory framework may vary based on the type of assets involved.

For example, the FSA oversees securities and regulates related investment services under Law No. 126/2018, which incorporates MiFID II regulations into Romanian law. On the other hand, cryptocurrencies are subject to distinct regulations, overseen by the ONPCSB, which manages the issuance and trading of cryptocurrencies.

In Romania, akin to various EU jurisdictions, cryptocurrencies do not hold the status of legal tender; instead, they are acknowledged as digital assets, encompassing variations like utility tokens, e-money tokens, and asset-referenced tokens as defined under MiCA.

In terms of anti-money laundering efforts, the Romanian government introduced Law No 129/2019 to prevent and combat money laundering and terrorism financing. This law places stringent obligations on financial institutions, including cryptocurrency trading platforms, requiring thorough customer identity verification and reporting of suspicious transactions under its provisions.

In Romania, the standards for listing are overseen by Law No 24/2017 concerning issuers of financial instruments and market operations, with primary regulation falling under the jurisdiction of the FSA. The FSA establishes detailed conditions and criteria that companies must satisfy to secure listing on the Bucharest Stock Exchange (BVB).

In Romania, regulations governing order handling are in force. These rules are incorporated into Law No 126/2018, aligning with MiFID II in Romanian legislation, as well as the Market Abuse Regulation (MAR). Directives on transaction reporting, maintaining order records, and ensuring clock synchronisation under MiFID II serve as guidance for investment firms and trading venues.

While the popularity of P2P platforms for crypto-assets is on the rise, Romanian legislation has not experienced significant changes in response to this trend, as DEXes – by their nature are decentralised from an operational standpoint. Regulations are expected to target the central command of a DEX rather than its specific transactions.

It remains to be seen how authorities may address the implications and challenges posed by the increasing use of P2P platforms in the realm of crypto-assets.

Ensuring best execution of customer trades in Romania is an important aspect governed by regulatory frameworks, primarily influenced by the implementation of the MiFID II through Law No 126/2018. In pursuit of this goal, special attention should be given to the following criteria:

• the financial instrument’s price;
• costs linked to order execution;
• transaction timing considerations;
• the likelihood of transaction execution and subsequent settlement; and
• the order’s size and inherent characteristics.

The lack of specific local regulations on payments for order flow means that European regulations influence this type of operation. Even if there is not an express prohibition of these types of payments, the requirements of MiFID II regarding prevention of conflicts of interest and the pursuit of activities in the best conditions for clients generate conflict. Therefore, investment firms using payments for order flow will be acting on their own responsibility and may be subject to sanctions for failure to comply with the conditions set out in MiFID II.

In this regard, ESMA also expressed its opinion stating that “payment for order flow” activity incentivises the firm to choose the third party that offers the highest payment rather than the best possible outcome for its customers when executing their orders.

Trading in Romania is governed by fundamental principles of market integrity and the prevention of market abuse in order to ensure fair and transparent financial markets.

The primary regulations focused on ensuring market integrity and preventing market abuse in Romania encompass Law No 126/2018, incorporating MiFID II regulations into national law, and the MAR.

Law No 126/2018 includes provisions dedicated to protecting market integrity and preventing abuse, while MAR specifically targets practices like insider dealing, unlawful disclosure of inside information, and market manipulation.

In our jurisdiction, high-frequency and algorithmic trading mechanisms are only provided for in relation to financial investment services companies. There are additional requirements for operation under the conditions provided by Law 126/2018 on markets in financial instruments, which transposes the MiFID II Directive. We also identify structural requirements for these firms in the EU Delegated Regulation 2017/589 on organisational requirements for investment firms engaged in algorithmic trading.

Thus, they establish an obligation for the service provider to meet certain requirements such as the existence of systems and mechanisms to prevent the risk existing in the activity carried out in order to carry out the activity in optimal conditions, which do not generate market failures, requirements regarding the competence of the staff, the existence of a methodology and mechanisms for testing, use and control of the algorithms. In addition, market operators should ensure that activity through algorithmic trading systems cannot create conditions that affect the normal functioning of the market.

Moreover, Law No 24/2017 on issuers of financial instruments and market operations makes a general reference to high-frequency and algorithmic trading in the section about how activities through these systems represent a form of market manipulation.

Investment firms involved in algorithmic trading activities in Romania are mandated to notify the FSA and must adhere to supplementary obligations outlined in Law 126/2018. When employing algorithmic trading for a market-making strategy, these firms must comply with various requisites stipulated by MiFID II.

Primarily, the execution of the market-making strategy necessitates continuous activity throughout a specified proportion of the trading venue’s operating hours, with exceptions only for extraordinary circumstances. This continuous involvement is intended to ensure a consistent and predictable provision of liquidity to the trading venue.

Moreover, the investment firm undertaking algorithmic trading for a market-making strategy is obliged to establish a binding written agreement with the respective trading venue. This agreement, at a minimum, delineates the firm’s obligations in line with the previously mentioned requirement for the uninterrupted provision of liquidity. The written agreement functions as a formal commitment, outlining specific responsibilities within the context of market-making activities.

Additionally, the investment firm is compelled to institute effective systems and controls. These mechanisms play a crucial role in guaranteeing the firm’s adherence to the obligations specified in the agreement with the trading venue. The implementation of robust systems and controls ensures the active and reliable fulfilment of commitments related to the market-making strategy, aligning with MiFID II regulations.

According to the applicable law (see 8.1 Creation and Usage Regulations), high-frequency and algorithmic trading services are provided to investment firms as defined and regulated. There is no distinction between funds and dealers who engage in the same type of activities and are subject to the same conditions.

Programmers who develop and create trading algorithms and other electronic trading tools do not seem to be subject of any regulation. Equally, there is no specific regulation when algorithms are the internal product of the investment firm. However, depending each case, the lack of limitation of responsibility through a company might create the appearance of an unlimited responsibility on the creation and put into use of a business model based on a software product (eg, a trading algorithm, a DEX, or a layer one or two DLT crypto currency).

Currently, DeFi activities or systems are not specifically defined or targeted by regulation. However, individuals and entities engaging in DeFi activities are subject to taxation under the Romanian tax system. Therefore, income from DeFi activities is taxable, with the specific tax regime depending on factors like the entity involved and the nature of the income.

While there are no specific tax exemptions for DeFi in Romania, deductions and allowances may apply under existing tax legislation. ANAF oversees tax matters in Romania, providing guidance and ensuring compliance.

Romania has also signed double tax treaties with several countries, which may impact DeFi taxation, particularly regarding issues like avoiding double taxation. Overall, while DeFi platforms are not directly regulated, tax considerations remain important for those involved in DeFi activities in Romania.

Providing an investment research service or a financial analysis service may be classified as an ancillary service under MiFID II. Platforms which provide only ancillary services do not appear to be subject to any registration requirements except where they also provide additional investment services.

Without distinguishing on regulatory status, investment firms providing investment research or financial analysis services are obliged to comply with the requirements set out in the European Commission Delegated Regulation 2017/565. The purpose of this regulation is to highlight the importance of delivering clear, accurate and non-misleading information to the public at all times. At the same time, these companies must be vigilant in complying with Article 12 of the EU MAR, which strictly prohibits the dissemination of unverified information. Breaches of these obligations may lead to the enforcement of administrative and/or criminal sanctions.

Curating conversations involves implementing robust moderation and compliance measures:

• automated filters – utilise automated filters and algorithms to detect suspicious or potentially harmful content. These filters can flag keywords associated with pump and dump schemes, insider trading, or other illicit activities;
• manual moderation – employ a team of moderators to manually review user-generated content. These moderators can quickly identify and remove posts that violate platform guidelines or regulations;
• community guidelines – clearly outline community guidelines and rules of conduct for users. Educate users on what constitutes acceptable behaviour and the consequences of engaging in prohibited activities;
• reporting mechanisms – implement reporting mechanisms that allow users to flag inappropriate content. Promptly investigate and take action on reported posts to maintain the integrity of the platform;
• user verification – require users to verify their identities and provide accurate information when registering for the platform. This can help deter fraudulent behaviour and ensure accountability among users;
• education and awareness – offer educational resources and training materials to help users understand the risks associated with certain behaviours, such as pump and dump schemes or insider trading. Raise awareness about regulatory requirements and the importance of compliance; and
• compliance tools – integrate compliance tools and features into the platform to monitor for suspicious activity and ensure adherence to relevant regulations, such as AML Law and KYC requirements.

Industry participants in sectors like insurance, finance, and lending employ diverse underwriting processes tailored to their specific needs and risk assessment criteria. These processes involve evaluating applicants’ financial backgrounds, creditworthiness, and other relevant factors to determine their eligibility for insurance coverage, loans, or investment opportunities.

Underwriting practices are typically guided by industry standards, best practices, and the risk appetite of individual firms. They may incorporate quantitative analysis, such as credit scoring models and financial ratio assessments, as well as qualitative assessments based on individual circumstances and subjective judgement.

In accordance with the directives outlined in Directive 2009/138/EC, insurance undertakings authorised by competent authorities of member states are permitted to engage directly in insurance business within Romania under the right to provide services. This is subject to a notification procedure, wherein the competent authorities notify the FSA. The notification encompasses details such as the undertakings which authorised to underwrite insurance classes, risks to be underwritten, commitments to be assumed, and evidence of meeting Solvency Capital Requirement (SCR) and Minimum Capital Requirement (MCR) criteria. Additionally, any intended collaborations with third parties within Romanian territory must be disclosed. Conditions for underwriting risks from class ten are also specified, and the FSA collaborates with competent authorities of other member states to gather further information on the notified entities. Furthermore, FSA may request necessary information and data from management agents for the supervisory process, as per the stipulations of Rule No 22/2021 on the distribution of insurance.

Treatment by Industry Participants

• Life insurance and annuities – industry participants tend to approach life insurance and annuities with a focus on long-term financial planning and risk management. These products are often marketed as retirement planning tools and financial protection for beneficiaries in case of the policyholder’s death.
• Property and casualty insurance – industry participants view property and casualty insurance as providing coverage for tangible assets and liabilities against various risks, such as damage to property, liability claims, and legal expenses. These products are typically designed to address short-term risks and provide financial protection against unexpected events.

Treatment by Regulators

Regulators differentiate between mandatory and optional insurances. Mandatory insurances, like compulsory home insurance and motor third-party liability insurance (RCA), are legally required and must be obtained by individuals or entities. They are closely regulated to ensure compliance with legal mandates and protect policyholders. In contrast, optional insurances, such as optional home insurance, comprehensive car insurance (CASCO), health insurance, travel insurance, and life insurance, are not compulsory but offer additional protection beyond mandatory coverage.

In Romania, there is currently no specific regulatory framework governing regtech providers. However, regtech firms are subject to regulations based on the nature of their activities, such as financial services, data protection, and technology sectors. These regulations vary depending on the services offered, potentially including compliance with financial regulations like MiFID II Law or AML Law.

Additionally, regtech providers are subject to the same corporate regulations as any other Romanian provider. They must adhere to standard corporate governance requirements, taxation laws, and other relevant regulations applicable to businesses operating in Romania.

Furthermore, regtech providers often leverage electronic identification and trust services regulated under the eIDAS (Electronic Identification, Authentication and Trust Services) Regulation. This framework provides a harmonised approach to electronic identification and trust services across the EU, enabling regtech solutions to facilitate secure electronic transactions and identity verification processes. By leveraging eIDAS-compliant solutions, regtech firms can enhance security, streamline compliance processes, and ensure regulatory compliance within the EU.

Financial services firms impose contractual terms on technology providers to ensure performance and mitigate risks. These terms, such as service level agreements, data security measures, and regulatory compliance obligations, aim to safeguard operations and reputation. Indemnification clauses protect against financial losses, while audit rights and change management procedures ensure accountability and smooth operations. Termination clauses address transitions if necessary. While some terms stem from regulation, many reflect industry customs and risk management needs. Careful negotiation and documentation are vital to align terms with business objectives, risk tolerance, and regulatory obligations, ensuring a mutually beneficial partnership between financial firms and regtech providers.

In recent years, Romania has embraced a multitude of innovative initiatives, spanning from initial coin offerings (ICOs) and initial exchange offerings (IEOs) to non-fungible tokens (NFTs), marketplaces, exchange service providers, and cross-chain platforms.

From a general perspective, Romania boasts many strong attributes in relation to crypto-adoption namely:

• according to the 2021 Crypto-Ready Index, Romania holds the 33rd position worldwide in a crypto-readiness index while being ranked among the top ten countries with reported crypto ATMs. At the same time, Romania takes the lead with a notable annual increase of 331.3% in crypto searches, showcasing the highest growth in online searches related to cryptocurrencies. This suggests a growing interest and engagement with cryptocurrencies in the country. Greece follows with 226.0%, and Canada comes next with 213.1%; and
• in 2022, another survey targeting Romanian citizens revealed that a significant 96% of Romanian adults aged 18 to 55, with internet access, are now knowledgeable about cryptocurrencies. Moreover, among those acquainted with cryptocurrencies, around 40% have either held or currently hold these digital assets, and an additional 80% are considering future cryptocurrency acquisitions. Notably, individuals holding cryptocurrencies often report monthly incomes surpassing EUR1,130.60.

The legal landscape for cryptocurrencies has been substantially clarified by both MiCA and Transfer of Funds Regulation (TFR), which hold direct applicability across all EU member states. It is important to mention that there is no specific terminology in the Romanian legislation that would create conflicting interpretations with MiCA. 

Moreover, Romania’s regulatory framework is also strengthened by the transposition of the 5AMLD and MiFID II Directives through national law: Law No 129/2019 on Anti-Money Laundering (“AML Law)” and Law No 126/2018 regarding financial instrument markets (“MiFID II Law”).

Principal Regulators

National Agency of Fiscal Administration (ANAF)

The ANAF actively monitors cryptocurrency transactions in compliance with the AML Law by utilising information to track and correlate cryptocurrency transactions with individuals’ KYC details, identifying any inconsistencies.

In 2022, ANAF conducted an audit on 300 “large taxpayers” with gains revealing EUR111 million in collective unreported wealth. Moreover, between 24 and 29 April 2023, the General Directorate of Fiscal Anti-Fraud conducted nationwide operations to combat tax evasion. In the first two days, 378 businesses were inspected, resulting in 329 sanctions totalling RON1,647,721. This included fines of RON1,607,000, confiscations valued at RON40,721, and estimated additional taxes of RON34,865.

Moreover, ANAF’s strategic approach, outlined in the 2023–2025 Strategy for Increasing Voluntary Compliance in the Field of Personal Income Tax includes specific actions related to cryptocurrency income. ANAF has consistently communicated results and collected sums from verifications and controls on individuals who have gained profits from cryptocurrencies, emphasising the authority’s active involvement in regulating and enforcing tax compliance in the cryptocurrency domain.

ASF

ASF protects the interests of actors in the financial markets and is responsible for supervising financial products, the information published by companies, and financial service providers ASF relies entirely on the guidelines issued by the ESMA with respect to the risks inherent in ICOs.

ASF seems to apply the EU principles of transferable security and financial instruments as defined in MiFID II also in the area of tokens that have the characteristics of transferable securities. In Romania, issuing or acquiring security tokens is strictly forbidden without obtaining the prior approval of the Romanian Financial Supervisory Authority.

NBR

NBR is responsible for overseeing individual financial institutions (eg, credit institutions, investment firms, payment institutions, non-banking financial institutions and electronic money institutions) and the proper functioning of the financial system as a whole.

In Romania, there is not specific national legislation expressly categorising blockchain assets. However, various laws indirectly contribute to their classification. Financial regulated instruments fall under MiFID Law, while virtual currencies are regulated by AML Law.

Similar to many EU jurisdictions, cryptocurrencies are not recognised as legal tender but are regarded as digital assets with a limited role as a form of currency (referred to as “e-money tokens” in MiCA, along other two crypto-asset categories: asset-referenced tokens and utility tokens).

The regulations governing blockchain assets depend on their specific features, and issuers must adhere to applicable laws. MiCA obligations, which are directly applied through the member states, serve as the main source of legislation in this context.

Providers offering exchange services between virtual and fiat currencies, as well as digital wallet services are obligated to obtain authorisation from the Foreign Exchange Licensing Commission under the Ministry of Public Finance. This authorisation process does not involve tacit approval.

Additionally, the Romanian Digitalisation Authority issues a technical opinion for these providers, subject to a fee.

It is important to note that apart from compliance with the AML Law (and/or MiFID II Law if applicable), there are no specific national regulations governing trading platforms for blockchain assets or secondary market trading of blockchain assets in Romania.

However, MiCA provides further regulatory oversight in this area, complementing existing legislation.

Regarding funds that invest in blockchain assets in Romania, there is currently no specific regulation tailored to their activity.

However, foreign direct investments and new investments in Romania are subject to examination and approval by the Commission for the Examination of Foreign Direct Investments (CEISD) under certain conditions. These conditions include investments that relate to specific areas of activity defined in the Decision of the Supreme Council of National Defence and exceed a value threshold of EUR2 million. Exceptions to this rule include investments below the threshold that may still be subject to examination if they pose risks to public security or public order, as determined by criteria outlined in EU regulations.

Virtual currency is considered as one category of blockchain assets.

Under the scope of the AML Law, “a virtual currency” is defined as a digital representation of value not issued or guaranteed by a central bank or public authority. It is not inherently tied to a legally established currency, lacks the legal status of currency or money, yet is acknowledged by individuals or entities as a medium of exchange.

In terms of implementation, virtual currency transactions, including cryptocurrencies, are regulated and considered legal for possession, trade, and taxation under Law No 227/2015.

In Romania, DeFi activities and platforms are not specifically defined or targeted by regulation.

However, the ESMA recently released draft guidelines on reverse solicitation under MiCA. These guidelines aim to clarify situations where clients initiate services from non-EU firms on their own initiative. A summary of the key points follows.

• Broad interpretation of solicitation – ESMA advises National Competent Authorities (NCAs) to interpret solicitation broadly, encompassing various means such as online advertising and affiliate marketing. This is aimed at regulating online marketing tactics commonly used by crypto firms.
• Geo-blocking and website language – ESMA considers geo-blocking as an indicator that a firm is not soliciting EU clients. Websites in EU languages not customary in finance may be seen as targeting EU clients.
• Affiliate marketing – celebrities, influencers, or affiliates directing audiences to a firm’s website are considered to be soliciting clients. Third-country firms must monitor and control affiliate marketing activities to comply with the guidelines.
• Exemptions for reverse solicitation – exemptions are narrow and strictly limited to cases initiated exclusively by the client. Contracts and disclaimers cannot override this requirement.

The “ICI Decentralised Services”, an NFT trading platform, was launched by Romania’s National Institute for Research and Development in Informatics (ICI”. Officially inaugurated on 26 April 2023, the platform debuted with a selection of NFT collections featuring Romanian sports teams, athletes, and libraries available for purchase. Operating on decentralised blockchain and Web3 technologies, its primary aim is to facilitate transactions in the digital asset ecosystem.

From a tax perspective, individuals who obtain income from the sale of content in the form of digital files (NFT) on specialised platforms under the terms of Law No 8/1996 on copyright and related rights, are required to declare this income, regardless of whether this income is earned in Romania or abroad, in the single declaration on income tax and social contributions due by individuals, in compliance with the provisions of Articles 71 and 72¹ or Article 73, as appropriate. If the content creator obtains, after the initial sale, income from recurring/repeated sales (NFT royalties), they are also obliged to declare this income in the single declaration on income tax and social contributions due by individuals, in the same category of income.

Law No 209/2019 primarily reflects the provisions of PSD2 and creates an environment for open payment services in Romania.

TPPs

Three types of third-party providers (TPPs) are regulated: Payment Initiation Service Providers (PISP), Account Information Service Providers (AISP), and Card-Based Payment Instrument Issuers (CBPII).

PISPs can simplify transactions by initiating bank transfers directly from the payer’s account to the merchant’s account.

AISPs aggregate information from multiple accounts held by users at different banks.

CBPII issue card-based payment instruments to execute payments from a user’s account at a bank.

Liability Sharing for PISP Transactions

Banks are responsible for compensating users for unexecuted or incorrectly executed payment transactions initiated by a PISP. Banks can then seek compensation from the PISP if it is responsible for the loss.

Strong Customer Authentication

Law No 209/2019 introduces Strong Customer Authentication (SCA) to enhance payment security, requiring the use of two or more elements from the categories of knowledge, possession, and inherence.

Banks and technology providers are grappling with data privacy and security concerns brought about by open banking. The influx of detailed financial data made accessible through APIs has raised significant apprehensions regarding the misuse and exploitation of personal information. While open banking presents opportunities for innovation and improved financial services, stringent regulations such as the GDPR impose strict compliance requirements. In Romania, GDPR directly applies, adding an additional layer of complexity and accountability for organisations handling financial data. Compliance with GDPR entails implementing robust data protection measures, including data minimisation, lawful processing, and ensuring explicit consent for data usage. Despite the potential benefits of open banking, a significant portion of consumers are hesitant to share their financial data due to growing concerns about data privacy breaches and misuse.

Elements of fraud concerning financial services and fintech typically include:

• identity theft;
• payment fraud;
• phishing and social engineering;
• account takeover (ATO);
• investment scams;
• data breaches and information security breaches;
• market manipulation; and
• insider fraud.

The primary AML obligations upon relevant entities cover the following.

• Reporting obligations.
1. Immediate submission of reports on suspicious transactions to the ONPCSB.
2. Reporting of non-suspicious transactions equivalent to or exceeding EUR10,000 to ONPCSB.
• Customer Due Diligence and KYC Checks.
• Reporting of Ultimate Beneficial Owners.
1. Entities are required to possess the requisite technological infrastructure for electronic identification and verification.
• Information Sharing Obligations.
1. Entities are mandated to aggregate, store, and synthesise internal information to facilitate prompt retrieval as needed or requested by authorities.

It is imperative to highlight, particularly from the year 2023 onward, that any CASP seeking authorisation under the MiCA must furnish a comprehensive description of the internal control mechanisms, policies, and procedures of the applicant crypto-asset service provider. This description should specifically address the identification, assessment, and management of risks, encompassing those related to money laundering and terrorist financing.