Romania -- Licensing Requirements Regulatory Overview

**DIICOT** (Direcția de Investigare a Infracțiunilor de Criminalitate Organizată și Terorism - Directorate for Investigating Organized Crime and Terrorism)

**International Cooperation:** Often involves the **US FBI**, **US Secret Service**, **Europol**, **Eurojust**, and law enforcement agencies from other European countries.

**Entity Targeted:** Organized criminal groups composed of multiple individuals (often Romanian citizens operating globally).

**Violation Type:** Organized crime, computer fraud, aggravated fraud, money laundering, setting up illegal financial investment schemes (Ponzi-like schemes using crypto). These groups typically lured victims into fake cryptocurrency investment platforms, promising high returns, only to steal their funds.

**Penalty Amount:** Not a single fine, but the *estimated damages/stolen funds* often run into **tens to hundreds of millions of USD/EUR** across various operations. Assets (properties, luxury cars, cryptocurrencies, cash) are seized during investigations. Individuals face lengthy prison sentences upon conviction.

**Date:** Ongoing investigations, arrests, and indictments primarily from **late 2022 through 2023 and into 2024**.

**Outcome:** Multiple individuals arrested, indicted, and facing criminal prosecution. Assets seized. Some cases are ongoing in court; others have led to convictions. These operations often dismantle sophisticated, internationally operating fraud rings.

**"Safir Project" and related schemes:** Several operations have targeted groups involved in large-scale crypto scams, often using fake trading platforms and social engineering tactics. One notable coordinated action in **October 2022** and subsequent follow-ups involved over 30 individuals.

**Source URL (DIICOT Press Release - October 2022):**

DIICOT Press Release - October 2022 - Organized Crime, Computer Fraud, Money Laundering

*Note: This is a direct link to a DIICOT press release detailing a significant operation targeting a crypto investment fraud group. While it doesn't mention "Safir Project" by name, it aligns with descriptions of these large-scale operations.*

**Source URL (DIICOT Press Release - January 2023 - follow-up):**

DIICOT Press Release - January 2023 - Organized Crime, Computer Fraud, Money Laundering (follow-up from 2022)

*Note: This press release details further actions and arrests related to similar crypto investment fraud schemes, indicating ongoing efforts.*

**Source URL (News Article - referencing FBI involvement and scope):**

AGERPRES - FBI worked with Romanian prosecutors to bust vast cryptocurrency fraud scheme

*Note: This provides additional context on the scale and international cooperation, confirming the significance.*

**Regulator/Enforcement Agency:** **ANAF** (Agenția Națională de Administrare Fiscală - National Agency for Fiscal Administration)

**Entity Targeted:** Individuals or, in some cases, businesses found to have undeclared income from cryptocurrency trading or mining.

**Violation Type:** Tax evasion (undeclared income from cryptocurrency transactions).

**Penalty Amount:** Varies significantly depending on the undeclared amounts. It includes back taxes, penalties (e.g., 0.02% per day of delay), and interest. Specific aggregated amounts for "significant" cases against *entities* are rarely publicized, but for individuals, it can reach hundreds of thousands of RON.

**Date:** Ongoing, but increased focus and public awareness from **2022 onwards**.

**Outcome:** Tax assessments issued, collection of back taxes, penalties, and interest. Criminal charges for severe cases of tax evasion.

**Source URL (ANAF Guidance on Crypto Taxation):**

ANAF - Tratamentul fiscal aplicabil tranzacțiilor cu monede virtuale

*Note: While not an "enforcement action" per se, this official guide from ANAF (published in 2022) signifies the increased attention and framework for taxing crypto, leading to subsequent enforcement against non-compliant taxpayers.*

**Source URL (News Article on ANAF's increased scrutiny):**

Economica.net - ANAF: Cum sunt impozitate veniturile din criptomonede

**Focus on AML/CFT Registration:** The primary regulatory requirement for VASPs in Romania is registration with ANAF for anti-money laundering and combating the financing of terrorism (AML/CFT) purposes, transposing EU directives. Breaches here might lead to administrative actions from ANAF or criminal investigations by DIICOT if money laundering is suspected.

**BNR's Role:** The National Bank of Romania primarily issues warnings regarding the risks of cryptocurrencies and does not directly license or supervise crypto exchanges in the same way it does banks.

**ASF's Role:** The Financial Supervisory Authority (ASF) regulates capital markets, insurance, and private pensions. Cryptocurrencies are generally not classified as financial instruments under their purview unless they meet specific criteria, which is rare for widely traded cryptos.

**Law No. 129/2019** for preventing and combating money laundering and terrorist financing, as subsequently amended and supplemented (Legea nr. 129/2019 pentru prevenirea și combaterea spălării banilor și finanțării terorismului, precum și pentru modificarea și completarea unor acte normative). This law transposed AMLD5/6 into Romanian national law.

**Oficiul Național de Prevenire și Combatere a Spălării Banilor (ONPCSB)** – The National Office for Prevention and Combatting Money Laundering. This is the primary authority for AML registration and supervision of VASPs.

**Banca Națională a României (BNR)** – The National Bank of Romania. This authority supervises traditional financial services. If a crypto entity also engages in regulated payment services or e-money activities, it would fall under BNR's supervision.

**Registration Regime (Current for most crypto-specific activities):** For activities purely related to virtual assets (e.g., crypto-to-crypto exchange, non-custodial wallets that don't touch fiat), Romania operates an AML **registration** regime overseen by the ONPCSB. This means providers must register with the ONPCSB and comply with AML/CTF obligations. It is NOT a full licensing regime like those for banks or traditional payment institutions.

**Licensing Regime (Applicable if traditional financial services are involved):** If a crypto provider offers services that fall under the scope of traditional financial legislation, such as:

Receiving or transferring fiat funds on behalf of clients.

Providing traditional payment services (e.g., merchant acquiring, fiat remittances).

**ONPCSB Registration:** Mandatory. Both fiat-to-crypto and crypto-to-crypto exchanges are considered VASPs and must register with the ONPCSB.

**BNR License (Potential):** If the exchange holds fiat funds for customers or facilitates direct fiat payment services (e.g., direct bank transfers for buying/selling crypto on an ongoing basis for a fee, processing fiat payments for merchants), it may require a **Payment Institution (PI) license** from the National Bank of Romania. Simple bank transfers initiated by the customer to a third-party payment processor might not trigger this, but direct handling of customer fiat funds on the platform likely would.

**ONPCSB Registration:** Mandatory. Entities providing services of safeguarding private cryptographic keys on behalf of clients, holding, storing, and transferring virtual currencies, are considered VASPs and must register with the ONPCSB.

**ONPCSB Registration:** If the payment processor deals *only* with virtual assets (e.g., processing crypto payments for merchants, converting crypto from one type to another without touching fiat), it would likely fall under the VASP definition for "exchange services between virtual currencies and fiat currencies or between one or more virtual currencies" or "transfer services of virtual currencies" and require ONPCSB registration.

**BNR License (High Probability):** If the payment processor converts crypto to fiat for merchants, processes fiat payments from customers to merchants, holds merchant fiat funds, or provides other traditional payment services related to the crypto transactions, it almost certainly requires a **Payment Institution (PI) license** from the National Bank of Romania. This is the most common scenario for crypto payment processors in practice.

Developing and implementing robust **AML/CTF policies, procedures, and internal controls** compliant with Law 129/2019.

Conducting **risk assessments** specific to the business model and customer base.

Implementing **Customer Due Diligence (CDD)** measures, including identity verification (KYC), beneficial ownership identification, and ongoing monitoring.

Implementing **Enhanced Due Diligence (EDD)** for higher-risk clients or transactions.

**Reporting suspicious transactions (STRs)** to the ONPCSB.

Maintaining records for at least 5 years.

**AML Officer:** Appointment of a designated AML officer (person in charge with the implementation of the AML/CTF policies) with adequate knowledge, experience, and authority. This person is often required to be based in Romania or easily accessible.

**Local Presence:** The entity must be legally established in Romania (e.g., as a Romanian company, SRL). This includes a registered office.

**Fit & Proper Requirements:** The management, beneficial owners, and key personnel involved in AML compliance will be assessed for their integrity, competence, and lack of criminal record.

**Business Plan:** Submission of a business plan outlining the activities, operational model, and target market.

**IT Security:** Demonstrating appropriate IT security measures and data protection protocols.

**No Specific Capital Requirements (for ONPCSB registration alone):** Unlike traditional financial licenses (like PI/EMI), there are generally **no specific minimum share capital requirements solely for ONPCSB AML registration**. However, if a BNR license (PI/EMI) is also required, then significant capital requirements will apply (e.g., for a PI, initial capital can range from EUR 20,000 to EUR 125,000 depending on services, plus ongoing capital requirements).

**Company Establishment:** Incorporate a legal entity in Romania (e.g., an SRL - limited liability company).

**Documentation Preparation:** Gather and prepare all required documents, which typically include:

Comprehensive AML/CTF policies, procedures, and internal controls manual.

CVs, identity documents, and declarations for management, beneficial owners, and the appointed AML officer.

Information on IT systems and security measures.

Internal regulations on data protection (GDPR compliance).

**Submission:** Submit the complete application package to the ONPCSB.

**Review and Assessment:** The ONPCSB will review the application, assess compliance with AML/CTF requirements, and may request additional information or clarifications. They will also conduct fit and proper checks on key personnel.

**Registration Decision:** Upon successful review, the ONPCSB will issue a decision granting registration and include the entity in its public register of VASPs.

**Ongoing Compliance:** Once registered, the VASP must continuously comply with all AML/CTF obligations, including regular reporting to the ONPCSB.

*Example search term (in Romanian):* "Legea nr. 129/2019 Monitorul Oficial"

*General portal for Romanian legislation:* http://legislatie.just.ro/ (search functionality available, typically in Romanian).

**ONPCSB (National Office for Prevention and Combatting Money Laundering):**

**BNR (National Bank of Romania):**

Rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) and their service providers will apply from **30 June 2024**.

Rules for other crypto-assets and their service providers (including exchanges and custody providers for non-stablecoin crypto-assets) will apply from **30 December 2024**.

**Impact:** MiCA will introduce a harmonized **licensing regime** for Crypto-Asset Service Providers (CASPs) across the EU, requiring authorization from a national competent authority (which will likely be the Financial Supervisory Authority - ASF or BNR in Romania, depending on the asset and service). This will supersede many aspects of the national AML registration regimes and introduce new requirements related to capital, governance, operational resilience, consumer protection, market integrity, and transparency.

**Transferable securities:** Shares, bonds, other forms of securitised debt, and any other negotiable securities which confer the right to acquire or dispose of any such transferable securities.

Units in collective investment undertakings.

Options, futures, swaps, forward rate agreements, and any other derivative contracts relating to securities, currencies, interest rates or yields, emission allowances or other underlying assets, indices or measures.

**Equity Tokens:** Tokens that represent ownership stakes in a company, similar to traditional shares, granting rights such as voting rights, dividend payments, or a claim on the company's assets.

**Debt Tokens:** Tokens representing a debt instrument, such as a bond, which may offer interest payments or a claim on repayment of principal.

**Asset-Backed Tokens:** Tokens representing fractional ownership in real-world assets (e.g., real estate, art, commodities) or a pool of such assets, where the token confers specific rights or claims against these assets that align with traditional securities.

**Derivatives Tokens:** Tokens whose value is derived from an underlying asset, index, or rate, and which fit the characteristics of options, futures, or other derivative contracts under MiFID II.

**Units in Collective Investment Undertakings (Tokenised Funds):** Tokens representing units or shares in investment funds.

**Utility Tokens:** Tokens designed solely to provide access to a product or service offered by the issuer, without conveying investment rights or expectations. However, if a utility token is marketed with promises of future appreciation or if its primary purpose is speculative investment rather than functional access, it could potentially be reclassified as a security.

**Payment Tokens (Cryptocurrencies):** Tokens intended to be used as a medium of exchange (e.g., Bitcoin, Ether), generally not classified as securities unless they grant specific investment-like rights. MiCA will introduce specific regimes for e-money tokens and asset-referenced tokens.

**Prospectus Requirement:** Generally, any offer of securities to the public or admission to trading on a regulated market requires the publication of a prospectus. This prospectus must be approved by the **Romanian Financial Supervisory Authority (ASF)** or a competent authority in another EU Member State (with passporting rights). The prospectus provides detailed information about the issuer, the securities, and the risks involved.

**Exemptions:** The Prospectus Regulation provides several exemptions from the prospectus requirement, which may apply to certain token offerings:

Offers addressed solely to qualified investors.

Offers addressed to fewer than 150 natural or legal persons per EU Member State, other than qualified investors.

Offers with a total consideration in the EU of less than €1,000,000 over a 12-month period.

Offers with a total consideration below certain national thresholds (e.g., in Romania, often up to €8,000,000 over 12 months, which may require a simpler "offering document" rather than a full prospectus, depending on national implementation).

Admission to trading on a regulated market of securities representing less than 20% of the number of securities already admitted to trading on the same regulated market over a 12-month period.

**Regulated Markets/MTFs:** Secondary trading must generally occur on regulated markets (like the Bucharest Stock Exchange) or multilateral trading facilities (MTFs) or organised trading facilities (OTFs) authorized under MiFID II.

**Investment Firms:** Entities providing investment services (e.g., brokerage, portfolio management) related to these security tokens must be licensed by the ASF as MiFID II investment firms.

**Market Abuse Regulation (MAR):** Trading in security tokens would be subject to the EU Market Abuse Regulation (Regulation (EU) No 596/2014), prohibiting insider trading, market manipulation, and requiring disclosure of inside information.

**Investor Protection:** All MiFID II investor protection rules, including suitability and appropriateness assessments, best execution requirements, and client asset protection, would apply.

**Novelty:** The relatively new nature of crypto-assets meant that national regulators were still interpreting existing laws in this context.

**Focus on Scams/AML:** Many enforcement actions in the crypto space across the EU have focused on outright scams, pyramid schemes, money laundering, or unauthorised provision of services rather than specific securities classification issues of legitimate (but unregulated) projects.

**Lack of Clear Guidelines:** The absence of comprehensive, specific crypto-asset regulation before MiCA meant a less clear mandate for enforcement on classification.

**Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114:**

*Note: While MiCA regulates other crypto-assets, it explicitly states that crypto-assets qualifying as financial instruments under MiFID II remain subject to existing financial services legislation.*

**Markets in Financial Instruments Directive (MiFID II) 2014/65/EU:**

*Transposed into Romanian law, e.g., via Law No. 24/2017 regarding issuers of financial instruments and market operations.*

**Romanian Financial Supervisory Authority (ASF):**

*You would typically search their "Legislation" or "News/Press Releases" sections for specific norms, regulations, or guidance related to financial instruments or warnings about crypto-assets.*