Romania

**DIICOT** (Direcția de Investigare a Infracțiunilor de Criminalitate Organizată și Terorism - Directorate for Investigating Organized Crime and Terrorism)

**International Cooperation:** Often involves the **US FBI**, **US Secret Service**, **Europol**, **Eurojust**, and law enforcement agencies from other European countries.

**Entity Targeted:** Organized criminal groups composed of multiple individuals (often Romanian citizens operating globally).

**Violation Type:** Organized crime, computer fraud, aggravated fraud, money laundering, setting up illegal financial investment schemes (Ponzi-like schemes using crypto). These groups typically lured victims into fake cryptocurrency investment platforms, promising high returns, only to steal their funds.

**Penalty Amount:** Not a single fine, but the *estimated damages/stolen funds* often run into **tens to hundreds of millions of USD/EUR** across various operations. Assets (properties, luxury cars, cryptocurrencies, cash) are seized during investigations. Individuals face lengthy prison sentences upon conviction.

**Date:** Ongoing investigations, arrests, and indictments primarily from **late 2022 through 2023 and into 2024**.

**Outcome:** Multiple individuals arrested, indicted, and facing criminal prosecution. Assets seized. Some cases are ongoing in court; others have led to convictions. These operations often dismantle sophisticated, internationally operating fraud rings.

**"Safir Project" and related schemes:** Several operations have targeted groups involved in large-scale crypto scams, often using fake trading platforms and social engineering tactics. One notable coordinated action in **October 2022** and subsequent follow-ups involved over 30 individuals.

**Source URL (DIICOT Press Release - October 2022):**

DIICOT Press Release - October 2022 - Organized Crime, Computer Fraud, Money Laundering

*Note: This is a direct link to a DIICOT press release detailing a significant operation targeting a crypto investment fraud group. While it doesn't mention "Safir Project" by name, it aligns with descriptions of these large-scale operations.*

**Source URL (DIICOT Press Release - January 2023 - follow-up):**

DIICOT Press Release - January 2023 - Organized Crime, Computer Fraud, Money Laundering (follow-up from 2022)

*Note: This press release details further actions and arrests related to similar crypto investment fraud schemes, indicating ongoing efforts.*

**Source URL (News Article - referencing FBI involvement and scope):**

AGERPRES - FBI worked with Romanian prosecutors to bust vast cryptocurrency fraud scheme

*Note: This provides additional context on the scale and international cooperation, confirming the significance.*

**Regulator/Enforcement Agency:** **ANAF** (Agenția Națională de Administrare Fiscală - National Agency for Fiscal Administration)

**Entity Targeted:** Individuals or, in some cases, businesses found to have undeclared income from cryptocurrency trading or mining.

**Violation Type:** Tax evasion (undeclared income from cryptocurrency transactions).

**Penalty Amount:** Varies significantly depending on the undeclared amounts. It includes back taxes, penalties (e.g., 0.02% per day of delay), and interest. Specific aggregated amounts for "significant" cases against *entities* are rarely publicized, but for individuals, it can reach hundreds of thousands of RON.

**Date:** Ongoing, but increased focus and public awareness from **2022 onwards**.

**Outcome:** Tax assessments issued, collection of back taxes, penalties, and interest. Criminal charges for severe cases of tax evasion.

**Source URL (ANAF Guidance on Crypto Taxation):**

ANAF - Tratamentul fiscal aplicabil tranzacțiilor cu monede virtuale

*Note: While not an "enforcement action" per se, this official guide from ANAF (published in 2022) signifies the increased attention and framework for taxing crypto, leading to subsequent enforcement against non-compliant taxpayers.*

**Source URL (News Article on ANAF's increased scrutiny):**

Economica.net - ANAF: Cum sunt impozitate veniturile din criptomonede

**Focus on AML/CFT Registration:** The primary regulatory requirement for VASPs in Romania is registration with ANAF for anti-money laundering and combating the financing of terrorism (AML/CFT) purposes, transposing EU directives. Breaches here might lead to administrative actions from ANAF or criminal investigations by DIICOT if money laundering is suspected.

**BNR's Role:** The National Bank of Romania primarily issues warnings regarding the risks of cryptocurrencies and does not directly license or supervise crypto exchanges in the same way it does banks.

**ASF's Role:** The Financial Supervisory Authority (ASF) regulates capital markets, insurance, and private pensions. Cryptocurrencies are generally not classified as financial instruments under their purview unless they meet specific criteria, which is rare for widely traded cryptos.

**Law No. 129/2019** for preventing and combating money laundering and terrorist financing, as subsequently amended and supplemented (Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative). This law transposed AMLD5/6 into Romanian national law.

**Oficiul Național de Prevenire și Combatere a Spălării Banilor (ONPCSB)** – The National Office for Prevention and Combatting Money Laundering. This is the primary authority for AML registration and supervision of VASPs.

**Banca Națională a României (BNR)** – The National Bank of Romania. This authority supervises traditional financial services. If a crypto entity also engages in regulated payment services or e-money activities, it would fall under BNR's supervision.

**Registration Regime (Current for most crypto-specific activities):** For activities purely related to virtual assets (e.g., crypto-to-crypto exchange, non-custodial wallets that don't touch fiat), Romania operates an AML **registration** regime overseen by the ONPCSB. This means providers must register with the ONPCSB and comply with AML/CTF obligations. It is NOT a full licensing regime like those for banks or traditional payment institutions.

**Licensing Regime (Applicable if traditional financial services are involved):** If a crypto provider offers services that fall under the scope of traditional financial legislation, such as:

Receiving or transferring fiat funds on behalf of clients.

Providing traditional payment services (e.g., merchant acquiring, fiat remittances).

**ONPCSB Registration:** Mandatory. Both fiat-to-crypto and crypto-to-crypto exchanges are considered VASPs and must register with the ONPCSB.

**BNR License (Potential):** If the exchange holds fiat funds for customers or facilitates direct fiat payment services (e.g., direct bank transfers for buying/selling crypto on an ongoing basis for a fee, processing fiat payments for merchants), it may require a **Payment Institution (PI) license** from the National Bank of Romania. Simple bank transfers initiated by the customer to a third-party payment processor might not trigger this, but direct handling of customer fiat funds on the platform likely would.

**ONPCSB Registration:** Mandatory. Entities providing services of safeguarding private cryptographic keys on behalf of clients, holding, storing, and transferring virtual currencies, are considered VASPs and must register with the ONPCSB.

**ONPCSB Registration:** If the payment processor deals *only* with virtual assets (e.g., processing crypto payments for merchants, converting crypto from one type to another without touching fiat), it would likely fall under the VASP definition for "exchange services between virtual currencies and fiat currencies or between one or more virtual currencies" or "transfer services of virtual currencies" and require ONPCSB registration.

**BNR License (High Probability):** If the payment processor converts crypto to fiat for merchants, processes fiat payments from customers to merchants, holds merchant fiat funds, or provides other traditional payment services related to the crypto transactions, it almost certainly requires a **Payment Institution (PI) license** from the National Bank of Romania. This is the most common scenario for crypto payment processors in practice.

Developing and implementing robust **AML/CTF policies, procedures, and internal controls** compliant with Law 129/2019.

Conducting **risk assessments** specific to the business model and customer base.

Implementing **Customer Due Diligence (CDD)** measures, including identity verification (KYC), beneficial ownership identification, and ongoing monitoring.

Implementing **Enhanced Due Diligence (EDD)** for higher-risk clients or transactions.

**Reporting suspicious transactions (STRs)** to the ONPCSB.

Maintaining records for at least 5 years.

**AML Officer:** Appointment of a designated AML officer (person in charge with the implementation of the AML/CTF policies) with adequate knowledge, experience, and authority. This person is often required to be based in Romania or easily accessible.

**Local Presence:** The entity must be legally established in Romania (e.g., as a Romanian company, SRL). This includes a registered office.

**Fit & Proper Requirements:** The management, beneficial owners, and key personnel involved in AML compliance will be assessed for their integrity, competence, and lack of criminal record.

**Business Plan:** Submission of a business plan outlining the activities, operational model, and target market.

**IT Security:** Demonstrating appropriate IT security measures and data protection protocols.

**No Specific Capital Requirements (for ONPCSB registration alone):** Unlike traditional financial licenses (like PI/EMI), there are generally **no specific minimum share capital requirements solely for ONPCSB AML registration**. However, if a BNR license (PI/EMI) is also required, then significant capital requirements will apply (e.g., for a PI, initial capital can range from EUR 20,000 to EUR 125,000 depending on services, plus ongoing capital requirements).

**Company Establishment:** Incorporate a legal entity in Romania (e.g., an SRL - limited liability company).

**Documentation Preparation:** Gather and prepare all required documents, which typically include:

Comprehensive AML/CTF policies, procedures, and internal controls manual.

CVs, identity documents, and declarations for management, beneficial owners, and the appointed AML officer.

Information on IT systems and security measures.

Internal regulations on data protection (GDPR compliance).

**Submission:** Submit the complete application package to the ONPCSB.

**Review and Assessment:** The ONPCSB will review the application, assess compliance with AML/CTF requirements, and may request additional information or clarifications. They will also conduct fit and proper checks on key personnel.

**Registration Decision:** Upon successful review, the ONPCSB will issue a decision granting registration and include the entity in its public register of VASPs.

**Ongoing Compliance:** Once registered, the VASP must continuously comply with all AML/CTF obligations, including regular reporting to the ONPCSB.

*Example search term (in Romanian):* "Legea nr. 129/2019 Monitorul Oficial"

*General portal for Romanian legislation:* http://legislatie.just.ro/ (search functionality available, typically in Romanian).

**ONPCSB (National Office for Prevention and Combatting Money Laundering):**

**BNR (National Bank of Romania):**

Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) and their service providers will apply from **30 June 2024**.

Rules for other crypto-assets and their service providers (including exchanges and custody providers for non-stablecoin crypto-assets) will apply from **30 December 2024**.

**Impact:** MiCA will introduce a harmonized **licensing regime** for Crypto-Asset Service Providers (CASPs) across the EU, requiring authorization from a national competent authority (which will likely be the Financial Supervisory Authority - ASF or BNR in Romania, depending on the asset and service). This will supersede many aspects of the national AML registration regimes and introduce new requirements related to capital, governance, operational resilience, consumer protection, market integrity, and transparency.

**Transferable securities:** Shares, bonds, other forms of securitised debt, and any other negotiable securities which confer the right to acquire or dispose of any such transferable securities.

Units in collective investment undertakings.

Options, futures, swaps, forward rate agreements, and any other derivative contracts relating to securities, currencies, interest rates or yields, emission allowances or other underlying assets, indices or measures.

**Equity Tokens:** Tokens that represent ownership stakes in a company, similar to traditional shares, granting rights such as voting rights, dividend payments, or a claim on the company's assets.

**Debt Tokens:** Tokens representing a debt instrument, such as a bond, which may offer interest payments or a claim on repayment of principal.

**Asset-Backed Tokens:** Tokens representing fractional ownership in real-world assets (e.g., real estate, art, commodities) or a pool of such assets, where the token confers specific rights or claims against these assets that align with traditional securities.

**Derivatives Tokens:** Tokens whose value is derived from an underlying asset, index, or rate, and which fit the characteristics of options, futures, or other derivative contracts under MiFID II.

**Units in Collective Investment Undertakings (Tokenised Funds):** Tokens representing units or shares in investment funds.

**Utility Tokens:** Tokens designed solely to provide access to a product or service offered by the issuer, without conveying investment rights or expectations. However, if a utility token is marketed with promises of future appreciation or if its primary purpose is speculative investment rather than functional access, it could potentially be reclassified as a security.

**Payment Tokens (Cryptocurrencies):** Tokens intended to be used as a medium of exchange (e.g., Bitcoin, Ether), generally not classified as securities unless they grant specific investment-like rights. MiCA will introduce specific regimes for e-money tokens and asset-referenced tokens.

**Prospectus Requirement:** Generally, any offer of securities to the public or admission to trading on a regulated market requires the publication of a prospectus. This prospectus must be approved by the **Romanian Financial Supervisory Authority (ASF)** or a competent authority in another EU Member State (with passporting rights). The prospectus provides detailed information about the issuer, the securities, and the risks involved.

**Exemptions:** The Prospectus Regulation provides several exemptions from the prospectus requirement, which may apply to certain token offerings:

Offers addressed solely to qualified investors.

Offers addressed to fewer than 150 natural or legal persons per EU Member State, other than qualified investors.

Offers with a total consideration in the EU of less than €1,000,000 over a 12-month period.

Offers with a total consideration below certain national thresholds (e.g., in Romania, often up to €8,000,000 over 12 months, which may require a simpler "offering document" rather than a full prospectus, depending on national implementation).

Admission to trading on a regulated market of securities representing less than 20% of the number of securities already admitted to trading on the same regulated market over a 12-month period.

**Regulated Markets/MTFs:** Secondary trading must generally occur on regulated markets (like the Bucharest Stock Exchange) or multilateral trading facilities (MTFs) or organised trading facilities (OTFs) authorized under MiFID II.

**Investment Firms:** Entities providing investment services (e.g., brokerage, portfolio management) related to these security tokens must be licensed by the ASF as MiFID II investment firms.

**Market Abuse Regulation (MAR):** Trading in security tokens would be subject to the EU Market Abuse Regulation (Regulation (EU) No 596/2014), prohibiting insider trading, market manipulation, and requiring disclosure of inside information.

**Investor Protection:** All MiFID II investor protection rules, including suitability and appropriateness assessments, best execution requirements, and client asset protection, would apply.

**Novelty:** The relatively new nature of crypto-assets meant that national regulators were still interpreting existing laws in this context.

**Focus on Scams/AML:** Many enforcement actions in the crypto space across the EU have focused on outright scams, pyramid schemes, money laundering, or unauthorised provision of services rather than specific securities classification issues of legitimate (but unregulated) projects.

**Lack of Clear Guidelines:** The absence of comprehensive, specific crypto-asset regulation before MiCA meant a less clear mandate for enforcement on classification.

**Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114:**

*Note: While MiCA regulates other crypto-assets, it explicitly states that crypto-assets qualifying as financial instruments under MiFID II remain subject to existing financial services legislation.*

**Markets in Financial Instruments Directive (MiFID II) 2014/65/EU:**

*Transposed into Romanian law, e.g., via Law No. 24/2017 regarding issuers of financial instruments and market operations.*

**Romanian Financial Supervisory Authority (ASF):**

*You would typically search their "Legislation" or "News/Press Releases" sections for specific norms, regulations, or guidance related to financial instruments or warnings about crypto-assets.*

**Regulatory Body:** The **National Office for Prevention and Control of Money Laundering (Oficiul Național de Prevenire și Combatere a Spălării Banilor - ONPCSB)** is the authority responsible for registering and supervising VASPs.

**Legal Basis:** Law no. 129/2019 for the prevention and combatting of money laundering and terrorism financing, as subsequently amended and supplemented (transposing AML V).

**Requirement:** Providers of exchange services between virtual currencies and fiat currencies, and **custodian wallet providers**, must register with the ONPCSB.

**Registration Process:** Applicants must provide information about their identity, legal form, operational details, internal AML/CFT procedures, risk assessment, and demonstrate that management and beneficial owners are fit and proper.

**Law no. 129/2019:** *Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative.*

**Article 4, point 11** defines "custodian wallet provider" (furnizor de portofele digitale de custodie).

**Article 5, paragraph (1), letter (i)** specifies the registration obligation.

**ONPCSB Website:** https://www.onpcsb.ro/ (Specific guidelines and forms for VASP registration are usually found here under relevant sections).

**Segregation of Client Assets Rules:**

Under current AML law (Law 129/2019), there are **no explicit technical mandates** for the segregation of client crypto assets from the firm's own assets.

However, general AML principles and good governance practices implicitly require firms to maintain clear accounting and operational distinctions between client funds/assets and company assets to prevent commingling and facilitate robust record-keeping, which is essential for AML compliance.

There are **no specific mandates** for insurance or bonding requirements for crypto custodians under current Romanian AML legislation.

Current Romanian law **does not impose specific requirements** regarding the use of cold storage for digital assets. Operational security measures, including hot/cold storage strategies, fall under the VASP's internal risk management framework, which is assessed during the registration process to ensure robust AML/CFT controls.

Law 129/2019 defines a "custodian wallet provider" as a natural or legal person that provides services to safeguard private cryptographic keys on behalf of its clients, to hold, store and transfer virtual currencies. This is the de facto "qualified custodian" definition in the current framework, meaning an entity legally permitted to provide custody services after registration with the ONPCSB. The law does not impose additional "qualification" criteria beyond the AML registration.

**Regulatory Body:** The **Financial Supervisory Authority (Autoritatea de Supraveghere Financiară - ASF)** will become the primary national competent authority for authorizing and supervising CASPs, including those offering custody services, in Romania.

**Requirement:** CASPs providing "custody and administration of crypto-assets on behalf of clients" will need to obtain an authorization from the ASF (or another EU national competent authority, which will be passportable across the EU). This is a more stringent requirement than the current ONPCSB registration.

**Authorization Process:** Requires a detailed application, including a program of operations, proof of prudential safeguards, governance arrangements, internal control mechanisms, IT systems and security protocols, and fit & proper assessment for management and shareholders.

**MiCA Regulation (Regulation (EU) 2023/1114):**

**Article 3(1) point 14:** Defines "custody and administration of crypto-assets on behalf of clients."

**Title V, Articles 59-71:** Governs the authorization and operating conditions for CASPs, including specific rules for custody services.

**EUR-Lex link to MiCA:** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

**ASF Website:** https://www.asfromania.ro/ (Expected to publish specific guidance for MiCA implementation).

**MiCA explicitly mandates** the segregation of client assets.

**Article 68(1):** "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall make adequate arrangements to safeguard the ownership rights of clients over their crypto-assets and, where applicable, their rights over the funds, and to prevent the use of clients' crypto-assets and funds for its own account."

**Article 68(2):** "A crypto-asset service provider referred to in paragraph 1 shall keep records and accounts that enable it to distinguish crypto-assets held on behalf of clients from its own crypto-assets, and from crypto-assets held on behalf of other clients."

**MiCA introduces requirements for liability coverage.**

**Article 69(2):** A CASP providing custody services "shall have professional indemnity insurance or hold own funds that are sufficient to cover potential liabilities for negligence... In the absence of such insurance, the CASP shall hold own funds equivalent to the potential liabilities calculated in accordance with the regulatory technical standards... adopted by ESMA."

While MiCA doesn't explicitly mandate "cold storage," it requires CASPs to implement robust security measures.

**Article 66(1):** CASPs shall "act honestly, fairly and professionally in accordance with the best interests of their clients."

**Article 67(1):** CASPs "shall establish, maintain and implement sound prudential safeguards to ensure that crypto-assets are always recoverable and returnable." This implies robust IT security, operational resilience, and appropriate storage solutions, which would naturally include secure cold storage for a significant portion of assets.

**Article 68(3):** CASPs shall "put in place an internal policy that ensures the timely restitution of crypto-assets held on behalf of clients, including in the event of the CASP's insolvency."

Under MiCA, an entity offering "custody and administration of crypto-assets on behalf of clients" will be a formally authorized **Crypto-Asset Service Provider (CASP)**. This designation carries much more stringent requirements and oversight compared to the current AML registration, making it the definitive "qualified custodian" status within the EU.

**Current State (Pre-MiCA):** Regulation is focused on AML/CFT, requiring registration with the ONPCSB. Specific operational requirements for custody (segregation, insurance, cold storage) are largely absent, relying on general principles and internal risk management.

**Future State (Post-MiCA from December 2024):** A robust and comprehensive regulatory framework will be in place. CASPs offering custody services will need **authorization from the ASF**, face explicit mandates for **client asset segregation**, **liability coverage (insurance/own funds)**, and stringent requirements for **operational resilience and security** (implicitly covering secure storage solutions like cold storage).

**Transition:** Entities currently registered with ONPCSB will likely need to apply for authorization from the ASF under MiCA, and meet the new, more demanding requirements.

**No Ban:** There is no ban on owning, trading, or mining cryptocurrencies in Romania for individuals.

**VASP Regulation (Current):** Virtual Asset Service Providers (VASPs) operating in Romania are subject to AML/CTF obligations, including registration requirements and customer due diligence.

**Future (MiCA):** MiCA will introduce a much broader regulatory scope, covering authorization, operational requirements, market abuse rules, and consumer protection for various types of crypto-assets and services.

**National Office for Preventing and Combating Money Laundering (ONPCSB - Oficiul Național pentru Prevenirea și Combaterea Spălării Banilor):**

**Role:** The primary authority for enforcing AML/CTF legislation. It is responsible for supervising VASPs, receiving suspicious transaction reports, and maintaining the register of entities providing virtual asset services.

**Financial Supervisory Authority (ASF - Autoritatea de Supraveghere Financiară):**

**Role:** While currently focused on traditional financial markets (capital market, insurance, private pensions), the ASF is expected to become the primary national competent authority for licensing and supervising crypto-asset service providers (CASPs) under the MiCA Regulation in Romania.

**National Bank of Romania (BNR - Banca Națională a României):**

**Role:** The central bank of Romania, responsible for monetary policy and financial stability. It has issued warnings regarding the risks associated with cryptocurrencies but does not currently directly regulate crypto-assets. Under MiCA, it will have a role in the oversight of stablecoins (e-money tokens and asset-referenced tokens).

**National Agency for Fiscal Administration (ANAF - Agenția Națională de Administrare Fiscală):**

**Role:** Responsible for the taxation of cryptocurrency gains, which are generally treated as income from other sources and subject to income tax.

**Law no. 129/2019 regarding the prevention and combating of money laundering and terrorist financing, as well as for amending and supplementing certain normative acts (Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative):**

**Date:** July 11, 2019 (published in Official Gazette no. 589 of July 19, 2019)

**Key Provisions:** This law transposed the 5th EU Anti-Money Laundering Directive (AMLD5) into Romanian law. It defines virtual currencies and virtual asset service providers (VASPs) and mandates that VASPs must register with the ONPCSB and comply with AML/CTF obligations (customer due diligence, reporting suspicious transactions, etc.).

**Reference:** Available in the Official Gazette of Romania, typically found on legislative databases (e.g., Lege5).

**EU Legislation (Directly Applicable or Requiring Transposition):**

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA Regulation):**

**Date:** May 31, 2023 (published in the Official Journal of the European Union)

**Key Provisions:** This is the cornerstone of future crypto regulation in Romania and across the EU. It establishes a comprehensive framework for the issuance, offering, and admission to trading of crypto-assets and for the provision of crypto-asset services.

Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) apply from **30 June 2024**.

Rules for other crypto-assets and for crypto-asset service providers (CASPs) apply from **30 December 2024**.

**Reference:** EUR-Lex - MiCA Regulation (EU) 2023/1114

**Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (Transfer of Funds Regulation - TFR):**

**Key Provisions:** This regulation (often referred to as the "Travel Rule" for crypto) ensures that transfers of crypto-assets are traceable by requiring CASPs to collect and hold information on the originators and beneficiaries of crypto-asset transfers. It applies from **30 December 2024**.

**Reference:** EUR-Lex - TFR Regulation (EU) 2023/1113

**Permitted but Regulated:** Crypto trading and the operation of crypto exchanges (VASPs) are permitted in Romania, provided they comply with existing regulations.

**AML/CTF Compliance for VASPs:** Entities offering services such as exchange between virtual currencies and fiat currencies, exchange between one or more virtual currencies, transfer of virtual currencies, custody services, and participation in and provision of financial services related to the issuance/sale of virtual currencies are considered VASPs. They must:

**Register with ONPCSB:** Obtain registration and comply with ONPCSB requirements.

**Implement AML/CTF Measures:** Conduct customer due diligence (KYC), monitor transactions, report suspicious activities to ONPCSB, and maintain records.

**Future under MiCA:** From **December 30, 2024**, crypto exchanges and other CASPs wishing to operate in Romania (and across the EU) will need to obtain authorization from a national competent authority (expected to be the ASF in Romania) under the MiCA Regulation. This authorization will allow them to "passport" their services across all EU member states. The requirements for authorization are significantly more comprehensive than current AML/CTF registration.

**Consumer Protection:** While some basic consumer protection is implied through AML/CTF rules (e.g., identity verification), MiCA will introduce specific investor protection and market integrity rules, requiring transparent disclosures, fair trading practices, and clear information from CASPs.

**Taxation:** Individuals realizing capital gains from cryptocurrency trading are subject to income tax. The specific rates and reporting obligations are determined by ANAF.

**For General VASP AML/CFT Obligations (pre-Travel Rule specifics):** Romania's primary AML/CFT law, **Law No. 129/2019 on preventing and combating money laundering and terrorist financing, as well as for amending and supplementing certain normative acts (Legea nr. 129/2019)**, entered into force in **July 2019**. This law transposed the 5th EU AML Directive and brought "providers of exchange services between virtual currencies and fiat currencies" and "custodian wallet providers" under its scope, requiring their registration and general AML compliance.

**URL:** Legea 129/2019 - Monitorul Oficial (Note: This is often the starting point, but search for the latest consolidated version as it has been amended).

**For Specific Travel Rule Requirements (EU TFR):** The **Regulation (EU) 2023/1113 (TFR)**, which explicitly mandates the Travel Rule for crypto-asset transfers, will apply from **30 December 2024**. Some provisions of MiCA related to certain crypto-asset services will apply earlier (e.g., from 30 June 2024), but the full Travel Rule enforcement date is linked to the TFR.

**URL:** Regulation (EU) 2023/1113 (TFR) - EUR-Lex

**URL:** Regulation (EU) 2023/1114 (MiCA) - EUR-Lex

**For transfers between Crypto-Asset Service Providers (CASPs):**

**Zero threshold (€0):** All crypto-asset transfers, regardless of amount, when made between two CASPs, must be accompanied by full originator and beneficiary information.

**For transfers to or from self-hosted (unhosted) wallets:**

**€1,000 threshold:** When a CASP makes a transfer to or receives a transfer from a self-hosted wallet (not managed by another CASP), the CASP must collect and verify the originator/beneficiary information if the transaction amount exceeds **€1,000**.

For outgoing transfers to an unhosted wallet, the CASP must ensure the transfer can be identified and linked to the originator.

For incoming transfers from an unhosted wallet, the CASP must verify the ownership of the unhosted wallet by the originator/beneficiary.

Providers of exchange services between crypto-assets and fiat currency.

Providers of custodian wallets (custody and administration of crypto-assets on behalf of third parties).

Operation of a trading platform for crypto-assets.

Reception and transmission of orders for crypto-assets.

Providing transfer services for crypto-assets.

**Collect and Retain Information:** Securely collect and retain the required originator and beneficiary information (name, address, account number, unique transaction identifier, etc.).

**Transmit Information:** Transmit this information to the beneficiary CASP immediately and securely alongside the crypto-asset transfer.

**Verify Information:** Implement measures to verify the accuracy of the information received and transmitted, especially for transfers involving self-hosted wallets above the €1,000 threshold.

**Monitor and Identify Suspicious Activity:** Have systems in place to monitor transactions for unusual patterns or missing information that could indicate money laundering or terrorist financing.

**Data Protection:** Comply with the General Data Protection Regulation (GDPR) regarding the collection, storage, and processing of personal data.

**Administrative Fines (Contravention):** Significant fines can be imposed on legal entities for various breaches, such as:

Failure to register or obtain authorization.

Failure to apply customer due diligence measures.

Failure to report suspicious transactions.

Failure to implement internal policies and procedures.

The fines can range from thousands to hundreds of thousands of RON (Romanian Lei), depending on the severity and nature of the breach. For serious breaches, fines can reach up to 10% of the annual turnover for legal entities.

**Withdrawal of Authorization/Registration:** For repeated or severe non-compliance, the ONPCSB can withdraw the authorization or registration of the VASP.

**Criminal Penalties:** In cases where non-compliance facilitates money laundering or terrorist financing, individuals responsible (management, compliance officers) and the legal entity itself can face criminal charges, including imprisonment and much higher fines.