Romania -- Custody Regulations Regulatory Overview

Romania's regulatory framework for cryptocurrency and digital asset custody is currently primarily governed by its anti-money laundering (AML) legislation, which transposed the EU's 5th Anti-Money Laundering Directive (AML V). However, a significant shift is imminent with the implementation of the EU's Markets in Crypto-Assets (MiCA) Regulation, which will introduce comprehensive and harmonized rules across the EU, including Romania.

Here's a breakdown:

Current Custody Regulations in Romania (Pre-MiCA)

Under current Romanian law, the primary regulatory focus for virtual asset service providers (VASPs), including those offering custody services, is on AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) compliance.

1. Custodial License Requirements (Registration):

   • Regulatory Body: The National Office for Prevention and Control of Money Laundering (Oficiul Național de Prevenire și Combatere a Spălării Banilor - ONPCSB) is the authority responsible for registering and supervising VASPs.
   • Legal Basis: Law no. 129/2019 for the prevention and combatting of money laundering and terrorism financing, as subsequently amended and supplemented (transposing AML V).
   • Requirement: Providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, must register with the ONPCSB.
   • Registration Process: Applicants must provide information about their identity, legal form, operational details, internal AML/CFT procedures, risk assessment, and demonstrate that management and beneficial owners are fit and proper.
   • Regulatory Reference:
     • Law no. 129/2019: Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative.
     • Article 4, point 11 defines "custodian wallet provider" (furnizor de portofele digitale de custodie).
     • Article 5, paragraph (1), letter (i) specifies the registration obligation.
     • ONPCSB Website: https://www.onpcsb.ro/ (Specific guidelines and forms for VASP registration are usually found here under relevant sections).

2. Segregation of Client Assets Rules:

   • Under current AML law (Law 129/2019), there are no explicit technical mandates for the segregation of client crypto assets from the firm's own assets.
   • However, general AML principles and good governance practices implicitly require firms to maintain clear accounting and operational distinctions between client funds/assets and company assets to prevent commingling and facilitate robust record-keeping, which is essential for AML compliance.

3. Insurance/Bonding Requirements:

   • There are no specific mandates for insurance or bonding requirements for crypto custodians under current Romanian AML legislation.

4. Cold Storage Mandates:

   • Current Romanian law does not impose specific requirements regarding the use of cold storage for digital assets. Operational security measures, including hot/cold storage strategies, fall under the VASP's internal risk management framework, which is assessed during the registration process to ensure robust AML/CFT controls.

5. Qualified Custodian Definitions:

   • Law 129/2019 defines a "custodian wallet provider" as a natural or legal person that provides services to safeguard private cryptographic keys on behalf of its clients, to hold, store and transfer virtual currencies. This is the de facto "qualified custodian" definition in the current framework, meaning an entity legally permitted to provide custody services after registration with the ONPCSB. The law does not impose additional "qualification" criteria beyond the AML registration.

Pending Custody Legislation (MiCA - Markets in Crypto-Assets Regulation)

The EU's MiCA Regulation (Regulation (EU) 2023/1114) will fundamentally reshape crypto-asset regulation across the European Union, including Romania. It will directly apply in Romania (without national transposition) for provisions concerning crypto-asset service providers (CASPs) starting 30 December 2024.

MiCA introduces a comprehensive framework for "custody and administration of crypto-assets on behalf of clients" services.

1. Custodial License Requirements (Authorization):

   • Regulatory Body: The Financial Supervisory Authority (Autoritatea de Supraveghere Financiară - ASF) will become the primary national competent authority for authorizing and supervising CASPs, including those offering custody services, in Romania.
   • Requirement: CASPs providing "custody and administration of crypto-assets on behalf of clients" will need to obtain an authorization from the ASF (or another EU national competent authority, which will be passportable across the EU). This is a more stringent requirement than the current ONPCSB registration.
   • Authorization Process: Requires a detailed application, including a program of operations, proof of prudential safeguards, governance arrangements, internal control mechanisms, IT systems and security protocols, and fit & proper assessment for management and shareholders.
   • Regulatory Reference:
     • MiCA Regulation (Regulation (EU) 2023/1114):
       • Article 3(1) point 14: Defines "custody and administration of crypto-assets on behalf of clients."
       • Title V, Articles 59-71: Governs the authorization and operating conditions for CASPs, including specific rules for custody services.
     • EUR-Lex link to MiCA: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
     • ASF Website: https://www.asfromania.ro/ (Expected to publish specific guidance for MiCA implementation).

2. Segregation of Client Assets Rules:

   • MiCA explicitly mandates the segregation of client assets.
   • Article 68(1): "A crypto-asset service provider authorised for the custody and administration of crypto-assets on behalf of clients shall make adequate arrangements to safeguard the ownership rights of clients over their crypto-assets and, where applicable, their rights over the funds, and to prevent the use of clients' crypto-assets and funds for its own account."
   • Article 68(2): "A crypto-asset service provider referred to in paragraph 1 shall keep records and accounts that enable it to distinguish crypto-assets held on behalf of clients from its own crypto-assets, and from crypto-assets held on behalf of other clients."

3. Insurance/Bonding Requirements:

   • MiCA introduces requirements for liability coverage.
   • Article 69(2): A CASP providing custody services "shall have professional indemnity insurance or hold own funds that are sufficient to cover potential liabilities for negligence... In the absence of such insurance, the CASP shall hold own funds equivalent to the potential liabilities calculated in accordance with the regulatory technical standards... adopted by ESMA."

4. Cold Storage Mandates:

   • While MiCA doesn't explicitly mandate "cold storage," it requires CASPs to implement robust security measures.
   • Article 66(1): CASPs shall "act honestly, fairly and professionally in accordance with the best interests of their clients."
   • Article 67(1): CASPs "shall establish, maintain and implement sound prudential safeguards to ensure that crypto-assets are always recoverable and returnable." This implies robust IT security, operational resilience, and appropriate storage solutions, which would naturally include secure cold storage for a significant portion of assets.
   • Article 68(3): CASPs shall "put in place an internal policy that ensures the timely restitution of crypto-assets held on behalf of clients, including in the event of the CASP's insolvency."

5. Qualified Custodian Definitions:

   • Under MiCA, an entity offering "custody and administration of crypto-assets on behalf of clients" will be a formally authorized Crypto-Asset Service Provider (CASP). This designation carries much more stringent requirements and oversight compared to the current AML registration, making it the definitive "qualified custodian" status within the EU.

Summary and Key Takeaways for Romania

• Current State (Pre-MiCA): Regulation is focused on AML/CFT, requiring registration with the ONPCSB. Specific operational requirements for custody (segregation, insurance, cold storage) are largely absent, relying on general principles and internal risk management.
• Future State (Post-MiCA from December 2024): A robust and comprehensive regulatory framework will be in place. CASPs offering custody services will need authorization from the ASF, face explicit mandates for client asset segregation, liability coverage (insurance/own funds), and stringent requirements for operational resilience and security (implicitly covering secure storage solutions like cold storage).
• Transition: Entities currently registered with ONPCSB will likely need to apply for authorization from the ASF under MiCA, and meet the new, more demanding requirements.

It is crucial for any entity operating or planning to operate crypto custody services in Romania to be fully aware of MiCA's requirements and prepare for its implementation by the end of 2024.

Disclaimer: This information is for general informational purposes only and does not constitute legal, financial, or investment advice. Regulatory landscapes can change rapidly, and specific legal advice should be sought from qualified professionals in Romania.