Romania -- AML/CFT Compliance Regulatory Overview

**Regulatory Body:** The **National Office for Prevention and Control of Money Laundering (Oficiul Național de Prevenire și Combatere a Spălării Banilor - ONPCSB)** is the authority responsible for registering and supervising VASPs.

**Legal Basis:** Law no. 129/2019 for the prevention and combatting of money laundering and terrorism financing, as subsequently amended and supplemented (transposing AML V).

**Requirement:** Providers of exchange services between virtual currencies and fiat currencies, and **custodian wallet providers**, must register with the ONPCSB.

**Registration Process:** Applicants must provide information about their identity, legal form, operational details, internal AML/CFT procedures, risk assessment, and demonstrate that management and beneficial owners are fit and proper.

**Law no. 129/2019:** *Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative.*

**Article 4, point 11** defines "custodian wallet provider" (furnizor de portofele digitale de custodie).

**Article 5, paragraph (1), letter (i)** specifies the registration obligation.

**ONPCSB Website:** https://www.onpcsb.ro/ (Specific guidelines and forms for VASP registration are usually found here under relevant sections).

**Segregation of Client Assets Rules:**

Under current AML law (Law 129/2019), there are **no explicit technical mandates** for the segregation of client crypto assets from the firm's own assets.

However, general AML principles and good governance practices implicitly require firms to maintain clear accounting and operational distinctions between client funds/assets and company assets to prevent commingling and facilitate robust record-keeping, which is essential for AML compliance.

There are **no specific mandates** for insurance or bonding requirements for crypto custodians under current Romanian AML legislation.

Current Romanian law **does not impose specific requirements** regarding the use of cold storage for digital assets. Operational security measures, including hot/cold storage strategies, fall under the VASP's internal risk management framework, which is assessed during the registration process to ensure robust AML/CFT controls.

Law 129/2019 defines a "custodian wallet provider" as a natural or legal person that provides services to safeguard private cryptographic keys on behalf of its clients, to hold, store and transfer virtual currencies. This is the de facto "qualified custodian" definition in the current framework, meaning an entity legally permitted to provide custody services after registration with the ONPCSB. The law does not impose additional "qualification" criteria beyond the AML registration.

**Regulatory Body:** The **Financial Supervisory Authority (Autoritatea de Supraveghere Financiară - ASF)** will become the primary national competent authority for authorizing and supervising CASPs, including those offering custody services, in Romania.

**Requirement:** CASPs providing "custody and administration of crypto-assets on behalf of clients" will need to obtain an authorization from the ASF (or another EU national competent authority, which will be passportable across the EU). This is a more stringent requirement than the current ONPCSB registration.

**Authorization Process:** Requires a detailed application, including a program of operations, proof of prudential safeguards, governance arrangements, internal control mechanisms, IT systems and security protocols, and fit & proper assessment for management and shareholders.

**MiCA Regulation (Regulation (EU) 2023/1114):**

**Article 3(1) point 14:** Defines "custody and administration of crypto-assets on behalf of clients."

**Title V, Articles 59-71:** Governs the authorization and operating conditions for CASPs, including specific rules for custody services.

**EUR-Lex link to MiCA:** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

**ASF Website:** https://www.asfromania.ro/ (Expected to publish specific guidance for MiCA implementation).

**MiCA explicitly mandates** the segregation of client assets.

**Article 68(1):** "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall make adequate arrangements to safeguard the ownership rights of clients over their crypto-assets and, where applicable, their rights over the funds, and to prevent the use of clients' crypto-assets and funds for its own account."

**Article 68(2):** "A crypto-asset service provider referred to in paragraph 1 shall keep records and accounts that enable it to distinguish crypto-assets held on behalf of clients from its own crypto-assets, and from crypto-assets held on behalf of other clients."

**MiCA introduces requirements for liability coverage.**

**Article 69(2):** A CASP providing custody services "shall have professional indemnity insurance or hold own funds that are sufficient to cover potential liabilities for negligence... In the absence of such insurance, the CASP shall hold own funds equivalent to the potential liabilities calculated in accordance with the regulatory technical standards... adopted by ESMA."

While MiCA doesn't explicitly mandate "cold storage," it requires CASPs to implement robust security measures.

**Article 66(1):** CASPs shall "act honestly, fairly and professionally in accordance with the best interests of their clients."

**Article 67(1):** CASPs "shall establish, maintain and implement sound prudential safeguards to ensure that crypto-assets are always recoverable and returnable." This implies robust IT security, operational resilience, and appropriate storage solutions, which would naturally include secure cold storage for a significant portion of assets.

**Article 68(3):** CASPs shall "put in place an internal policy that ensures the timely restitution of crypto-assets held on behalf of clients, including in the event of the CASP's insolvency."

Under MiCA, an entity offering "custody and administration of crypto-assets on behalf of clients" will be a formally authorized **Crypto-Asset Service Provider (CASP)**. This designation carries much more stringent requirements and oversight compared to the current AML registration, making it the definitive "qualified custodian" status within the EU.

**Current State (Pre-MiCA):** Regulation is focused on AML/CFT, requiring registration with the ONPCSB. Specific operational requirements for custody (segregation, insurance, cold storage) are largely absent, relying on general principles and internal risk management.

**Future State (Post-MiCA from December 2024):** A robust and comprehensive regulatory framework will be in place. CASPs offering custody services will need **authorization from the ASF**, face explicit mandates for **client asset segregation**, **liability coverage (insurance/own funds)**, and stringent requirements for **operational resilience and security** (implicitly covering secure storage solutions like cold storage).

**Transition:** Entities currently registered with ONPCSB will likely need to apply for authorization from the ASF under MiCA, and meet the new, more demanding requirements.

**No Ban:** There is no ban on owning, trading, or mining cryptocurrencies in Romania for individuals.

**VASP Regulation (Current):** Virtual Asset Service Providers (VASPs) operating in Romania are subject to AML/CTF obligations, including registration requirements and customer due diligence.

**Future (MiCA):** MiCA will introduce a much broader regulatory scope, covering authorization, operational requirements, market abuse rules, and consumer protection for various types of crypto-assets and services.

**National Office for Preventing and Combating Money Laundering (ONPCSB - Oficiul Național pentru Prevenirea și Combaterea Spălării Banilor):**

**Role:** The primary authority for enforcing AML/CTF legislation. It is responsible for supervising VASPs, receiving suspicious transaction reports, and maintaining the register of entities providing virtual asset services.

**Financial Supervisory Authority (ASF - Autoritatea de Supraveghere Financiară):**

**Role:** While currently focused on traditional financial markets (capital market, insurance, private pensions), the ASF is expected to become the primary national competent authority for licensing and supervising crypto-asset service providers (CASPs) under the MiCA Regulation in Romania.

**National Bank of Romania (BNR - Banca Națională a României):**

**Role:** The central bank of Romania, responsible for monetary policy and financial stability. It has issued warnings regarding the risks associated with cryptocurrencies but does not currently directly regulate crypto-assets. Under MiCA, it will have a role in the oversight of stablecoins (e-money tokens and asset-referenced tokens).

**National Agency for Fiscal Administration (ANAF - Agenția Națională de Administrare Fiscală):**

**Role:** Responsible for the taxation of cryptocurrency gains, which are generally treated as income from other sources and subject to income tax.

**Law no. 129/2019 regarding the prevention and combating of money laundering and terrorist financing, as well as for amending and supplementing certain normative acts (Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative):**

**Date:** July 11, 2019 (published in Official Gazette no. 589 of July 19, 2019)

**Key Provisions:** This law transposed the 5th EU Anti-Money Laundering Directive (AMLD5) into Romanian law. It defines virtual currencies and virtual asset service providers (VASPs) and mandates that VASPs must register with the ONPCSB and comply with AML/CTF obligations (customer due diligence, reporting suspicious transactions, etc.).

**Reference:** Available in the Official Gazette of Romania, typically found on legislative databases (e.g., Lege5).

**EU Legislation (Directly Applicable or Requiring Transposition):**

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA Regulation):**

**Date:** May 31, 2023 (published in the Official Journal of the European Union)

**Key Provisions:** This is the cornerstone of future crypto regulation in Romania and across the EU. It establishes a comprehensive framework for the issuance, offering, and admission to trading of crypto-assets and for the provision of crypto-asset services.

Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) apply from **30 June 2024**.

Rules for other crypto-assets and for crypto-asset service providers (CASPs) apply from **30 December 2024**.

**Reference:** EUR-Lex - MiCA Regulation (EU) 2023/1114

**Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (Transfer of Funds Regulation - TFR):**

**Key Provisions:** This regulation (often referred to as the "Travel Rule" for crypto) ensures that transfers of crypto-assets are traceable by requiring CASPs to collect and hold information on the originators and beneficiaries of crypto-asset transfers. It applies from **30 December 2024**.

**Reference:** EUR-Lex - TFR Regulation (EU) 2023/1113

**Permitted but Regulated:** Crypto trading and the operation of crypto exchanges (VASPs) are permitted in Romania, provided they comply with existing regulations.

**AML/CTF Compliance for VASPs:** Entities offering services such as exchange between virtual currencies and fiat currencies, exchange between one or more virtual currencies, transfer of virtual currencies, custody services, and participation in and provision of financial services related to the issuance/sale of virtual currencies are considered VASPs. They must:

**Register with ONPCSB:** Obtain registration and comply with ONPCSB requirements.

**Implement AML/CTF Measures:** Conduct customer due diligence (KYC), monitor transactions, report suspicious activities to ONPCSB, and maintain records.

**Future under MiCA:** From **December 30, 2024**, crypto exchanges and other CASPs wishing to operate in Romania (and across the EU) will need to obtain authorization from a national competent authority (expected to be the ASF in Romania) under the MiCA Regulation. This authorization will allow them to "passport" their services across all EU member states. The requirements for authorization are significantly more comprehensive than current AML/CTF registration.

**Consumer Protection:** While some basic consumer protection is implied through AML/CTF rules (e.g., identity verification), MiCA will introduce specific investor protection and market integrity rules, requiring transparent disclosures, fair trading practices, and clear information from CASPs.

**Taxation:** Individuals realizing capital gains from cryptocurrency trading are subject to income tax. The specific rates and reporting obligations are determined by ANAF.

**For General VASP AML/CFT Obligations (pre-Travel Rule specifics):** Romania's primary AML/CFT law, **Law No. 129/2019 on preventing and combating money laundering and terrorist financing, as well as for amending and supplementing certain normative acts (Legea nr. 129/2019)**, entered into force in **July 2019**. This law transposed the 5th EU AML Directive and brought "providers of exchange services between virtual currencies and fiat currencies" and "custodian wallet providers" under its scope, requiring their registration and general AML compliance.

**URL:** Legea 129/2019 - Monitorul Oficial (Note: This is often the starting point, but search for the latest consolidated version as it has been amended).

**For Specific Travel Rule Requirements (EU TFR):** The **Regulation (EU) 2023/1113 (TFR)**, which explicitly mandates the Travel Rule for crypto-asset transfers, will apply from **30 December 2024**. Some provisions of MiCA related to certain crypto-asset services will apply earlier (e.g., from 30 June 2024), but the full Travel Rule enforcement date is linked to the TFR.

**URL:** Regulation (EU) 2023/1113 (TFR) - EUR-Lex

**URL:** Regulation (EU) 2023/1114 (MiCA) - EUR-Lex

**For transfers between Crypto-Asset Service Providers (CASPs):**

**Zero threshold (€0):** All crypto-asset transfers, regardless of amount, when made between two CASPs, must be accompanied by full originator and beneficiary information.

**For transfers to or from self-hosted (unhosted) wallets:**

**€1,000 threshold:** When a CASP makes a transfer to or receives a transfer from a self-hosted wallet (not managed by another CASP), the CASP must collect and verify the originator/beneficiary information if the transaction amount exceeds **€1,000**.

For outgoing transfers to an unhosted wallet, the CASP must ensure the transfer can be identified and linked to the originator.

For incoming transfers from an unhosted wallet, the CASP must verify the ownership of the unhosted wallet by the originator/beneficiary.

Providers of exchange services between crypto-assets and fiat currency.

Providers of custodian wallets (custody and administration of crypto-assets on behalf of third parties).

Operation of a trading platform for crypto-assets.

Reception and transmission of orders for crypto-assets.

Providing transfer services for crypto-assets.

**Collect and Retain Information:** Securely collect and retain the required originator and beneficiary information (name, address, account number, unique transaction identifier, etc.).

**Transmit Information:** Transmit this information to the beneficiary CASP immediately and securely alongside the crypto-asset transfer.

**Verify Information:** Implement measures to verify the accuracy of the information received and transmitted, especially for transfers involving self-hosted wallets above the €1,000 threshold.

**Monitor and Identify Suspicious Activity:** Have systems in place to monitor transactions for unusual patterns or missing information that could indicate money laundering or terrorist financing.

**Data Protection:** Comply with the General Data Protection Regulation (GDPR) regarding the collection, storage, and processing of personal data.

**Administrative Fines (Contravention):** Significant fines can be imposed on legal entities for various breaches, such as:

Failure to register or obtain authorization.

Failure to apply customer due diligence measures.

Failure to report suspicious transactions.

Failure to implement internal policies and procedures.

The fines can range from thousands to hundreds of thousands of RON (Romanian Lei), depending on the severity and nature of the breach. For serious breaches, fines can reach up to 10% of the annual turnover for legal entities.

**Withdrawal of Authorization/Registration:** For repeated or severe non-compliance, the ONPCSB can withdraw the authorization or registration of the VASP.

**Criminal Penalties:** In cases where non-compliance facilitates money laundering or terrorist financing, individuals responsible (management, compliance officers) and the legal entity itself can face criminal charges, including imprisonment and much higher fines.