Romania -- Travel Rule Implementation Regulatory Overview

Romania, as a Member State of the European Union, is subject to the EU's comprehensive anti-money laundering and counter-terrorist financing (AML/CFT) framework. The implementation of the FATF Travel Rule for crypto-asset transfers is primarily being harmonized across the EU through the Transfer of Funds Regulation (TFR 2023/1113), which complements the Markets in Crypto-Assets Regulation (MiCA).

Prior to the full application of TFR and MiCA, Romania had already transposed earlier EU AML Directives (notably 5AMLD) which brought Virtual Asset Service Providers (VASPs) under the scope of AML/CFT regulations, requiring their registration and adherence to general AML principles including customer due diligence (CDD) and suspicious transaction reporting (STR).

Here's a detailed breakdown of the FATF Travel Rule implementation in Romania:

Status of FATF Travel Rule Implementation in Romania

1. Whether Adopted: Yes

The Travel Rule, as defined by FATF Recommendation 16, is being implemented in Romania through the direct application of EU legislation, specifically the Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (TFR). This regulation directly applies in all EU Member States, including Romania, without requiring national transposition.

Before the TFR, Romanian national legislation (specifically Law 129/2019) brought VASPs under AML/CFT scope, but the granular requirements of the Travel Rule are explicitly detailed in the TFR.

2. Effective Date:

• For General VASP AML/CFT Obligations (pre-Travel Rule specifics): Romania's primary AML/CFT law, Law No. 129/2019 on preventing and combating money laundering and terrorist financing, as well as for amending and supplementing certain normative acts (Legea nr. 129/2019), entered into force in July 2019. This law transposed the 5th EU AML Directive and brought "providers of exchange services between virtual currencies and fiat currencies" and "custodian wallet providers" under its scope, requiring their registration and general AML compliance.

  • URL: Legea 129/2019 - Monitorul Oficial (Note: This is often the starting point, but search for the latest consolidated version as it has been amended).

• For Specific Travel Rule Requirements (EU TFR): The Regulation (EU) 2023/1113 (TFR), which explicitly mandates the Travel Rule for crypto-asset transfers, will apply from 30 December 2024. Some provisions of MiCA related to certain crypto-asset services will apply earlier (e.g., from 30 June 2024), but the full Travel Rule enforcement date is linked to the TFR.

  • URL: Regulation (EU) 2023/1113 (TFR) - EUR-Lex
  • URL: Regulation (EU) 2023/1114 (MiCA) - EUR-Lex

3. Threshold Amounts:

The EU TFR establishes the following thresholds for crypto-asset transfers:

• For transfers between Crypto-Asset Service Providers (CASPs):
  • Zero threshold (€0): All crypto-asset transfers, regardless of amount, when made between two CASPs, must be accompanied by full originator and beneficiary information.
• For transfers to or from self-hosted (unhosted) wallets:
  • €1,000 threshold: When a CASP makes a transfer to or receives a transfer from a self-hosted wallet (not managed by another CASP), the CASP must collect and verify the originator/beneficiary information if the transaction amount exceeds €1,000.
    • For outgoing transfers to an unhosted wallet, the CASP must ensure the transfer can be identified and linked to the originator.
    • For incoming transfers from an unhosted wallet, the CASP must verify the ownership of the unhosted wallet by the originator/beneficiary.

4. Which VASPs are Covered:

Under the TFR (and MiCA), the term "Virtual Asset Service Provider" (VASP) is replaced by "Crypto-Asset Service Provider" (CASP). The TFR covers any CASP authorized under MiCA that provides one or more crypto-asset services, specifically those involved in transferring crypto-assets. This broadly includes:

• Providers of exchange services between crypto-assets and fiat currency.
• Providers of exchange services between crypto-assets.
• Providers of custodian wallets (custody and administration of crypto-assets on behalf of third parties).
• Operation of a trading platform for crypto-assets.
• Reception and transmission of orders for crypto-assets.
• Placing of crypto-assets.
• Providing transfer services for crypto-assets.

In Romania, before MiCA/TFR, entities performing these services were typically subject to registration/authorization with the Oficiul Național de Prevenire și Combatere a Spălării Banilor (ONPCSB) – the Romanian Financial Intelligence Unit (FIU).

5. Technical Implementation Requirements:

The EU TFR does not prescribe specific technical protocols but requires CASPs to implement robust systems and procedures to comply with the Travel Rule. CASPs must be able to:

• Collect and Retain Information: Securely collect and retain the required originator and beneficiary information (name, address, account number, unique transaction identifier, etc.).
• Transmit Information: Transmit this information to the beneficiary CASP immediately and securely alongside the crypto-asset transfer.
• Verify Information: Implement measures to verify the accuracy of the information received and transmitted, especially for transfers involving self-hosted wallets above the €1,000 threshold.
• Monitor and Identify Suspicious Activity: Have systems in place to monitor transactions for unusual patterns or missing information that could indicate money laundering or terrorist financing.
• Data Protection: Comply with the General Data Protection Regulation (GDPR) regarding the collection, storage, and processing of personal data.

Industry solutions such as the InterVASP Messaging Standard (IVMS101) and various Travel Rule Protocol (TRP) solutions (e.g., OpenVASP, Travel Rule Universal Protocol - TRUP) are expected to be utilized by CASPs to meet these requirements.

6. Penalties for Non-Compliance:

Penalties for non-compliance with AML/CFT obligations in Romania, including those related to the Travel Rule, are outlined in Law No. 129/2019 and potentially in future national implementation acts related to MiCA/TFR. The supervising authorities are primarily the ONPCSB and the National Bank of Romania (BNR) for regulated financial entities.

General penalties under Law 129/2019 include:

• Administrative Fines (Contravention): Significant fines can be imposed on legal entities for various breaches, such as:
  • Failure to register or obtain authorization.
  • Failure to apply customer due diligence measures.
  • Failure to report suspicious transactions.
  • Failure to retain records.
  • Failure to implement internal policies and procedures.
  • The fines can range from thousands to hundreds of thousands of RON (Romanian Lei), depending on the severity and nature of the breach. For serious breaches, fines can reach up to 10% of the annual turnover for legal entities.
• Withdrawal of Authorization/Registration: For repeated or severe non-compliance, the ONPCSB can withdraw the authorization or registration of the VASP.
• Criminal Penalties: In cases where non-compliance facilitates money laundering or terrorist financing, individuals responsible (management, compliance officers) and the legal entity itself can face criminal charges, including imprisonment and much higher fines.

The TFR itself states that Member States shall lay down rules on penalties applicable to infringements of the Regulation and shall take all measures necessary to ensure that they are implemented. These penalties shall be effective, proportionate, and dissuasive.

In summary: Romania's AML/CFT framework, primarily through Law 129/2019, has covered VASPs since 2019. The specific, granular requirements of the FATF Travel Rule for crypto-asset transfers will be fully enforced from December 30, 2024, through the direct application of the EU's Transfer of Funds Regulation (TFR 2023/1113), with a zero-threshold for transfers between CASPs and a €1,000 threshold for transfers involving self-hosted wallets. Penalties for non-compliance are substantial under existing national AML legislation and will be reinforced by the TFR's requirements.