AML and CTF law and regulation in Romania

  • Law No. 129/2019 on the prevention and sanctioning of money laundering and terrorism financing, in force as of 21 July 2019 and with a deadline for implementation of 21 January 2020 (the “AML Law”);
  • Law No. 535/2004 on the prevention and sanctioning of terrorism financing (the “CTF Law”);
  • National Bank of Romania Regulation No. 2/2019 on the prevention and sanctioning of money laundering and terrorism financing, in force as of 9 September 2019 (the “NBR Regulation”);
  • Financial Supervisory Authority Regulation No. 13/2019 on the implementation of measures to prevent and sanction money laundering and terrorism financing through financial sectors supervised by the Financial Supervisory Authority, in force as of 10 December 2019 (the “FSA Regulation”);
  • Norms for applying Law No. 129/2019 on the prevention and sanctioning of money laundering and terrorism financing, as well as for modifying and amending certain normative acts, for the reporting entities supervised and controlled by the National Office for Prevention and Control of Money Laundering, in force as of 3 February 2020 (the “AML Norms”).

2. Are the 4th AML Directive and the 5th AML implemented in your jurisdiction?

Only the provisions of the 4th AML Directive have been implemented through the adoption of the AML Law. At the time of writing, we are not aware of any draft bill on the implementation of the 5th AML Directive in Romania. For this reason, on 12 February 2020 the European Commission started a legal action against several Member States for failing to comply with their obligations under EU law. The Commission sent letters of formal notice to a number of countries including Romania for not having notified implementation measures in respect of the 5th AML Directive.

3. Which is the AML/CTF supervisory authority in your jurisdiction?

The National Office for Prevention and Control of Money Laundering (the “Romanian AML Office”) is the designated Financial Information Unit of Romania, which has authority to collect, store, investigate, analyse and disclose the conducted financial intelligence under the terms and procedures of the AML Law.

Other authorities authorised to monitor for compliance with the key obligations under the AML Law in certain sectors include the Romanian National Bank, the Financial Supervisory Authority, the National Office for Gambling. 

4. Who are the obliged/reporting entities in your jurisdiction? Are there any local derogations from the scope of the obliged entities as provided for in the 4th and 5th AML Directives? 

In Romania, there are no significant derogations from the scope of the obliged entities as provider for in the 4th AML Directive. The obliged/reporting entities under the AML Law include banks, financial institutions, insurance and reinsurance companies, gambling services providers. 

The KYC requirements in Romania broadly follow the requirements of the 4th AML Directive. However, we note that, for gambling services providers other than casinos, arguably the standard CDD obligation is only triggered when the client collects winnings of at least EUR 2,000, through a single transaction, as opposed to casinos which must also perform standard CDD when the client buys or exchanges chips of at least this amount. It is unclear whether this is a derogation intended by the lawmaker or an error in implementing the 4th AML Directive in national legislation. 

The reporting entities are obliged to disclose their UBOs in the central registries organised by the National Trade Registry Office (for companies), the Ministry of Justice (for associations and foundations) or the National Agency for Fiscal Administration (for trusts). 

Companies are obliged to file a declaration of beneficial owners: (i) when registering with the National Trade Registry Office; (ii) annually; and (iii) every time a modification regarding the beneficial owner occurs. Legal entities that are already established must file declarations of beneficial owners before 21 July 2020. Failure to meet this deadline may result in a fine between RON 5,000 and RON 10,000.

6. Is there any legislation in your country allowing for online/digital onboarding of customers? What are the restrictions, if any?

Yes, e.g. according to specific industry legislation, online gambling operators are allowed to use the digital onboarding of customers under strict conditions in line with the requirements for customer identification and customer verification under the AML Law. In this respect, on registration, the customer must provide his/her identification details (name, date of birth, home address, email address) and can deposit a maximum of EUR 200 in his/her gaming account unless he/she provides supporting documents for this information. Withdrawals are not permitted until this verification is performed and the gaming account will be closed if the supporting documents are not provided in 30 days as of the registration date. 

7. What are the other main obligations of the reporting entities? Do the obligations of some of them go beyond those required by the 4th and 5th AML Directives in terms of internal safeguards, KYC duties, reporting obligations, etc.?

The main obligations of reporting entities under the AML Law are in line with the 4th AML Directive. These include customer due diligence (CDD); reporting suspicious transactions and cash transactions of at least EUR 10,000 irrespective of their suspicious nature; document retention; performing a risk assessment regarding the reporting entity’s exposure to money laundering and terrorism financing; designating a money laundering responsible officer (MLRO).  

8. Is a National Risk Assessment adopted in your jurisdiction? If yes, what are the main identified risks?

Since the adoption of the AML Law, we are not aware of any National Risk Assessment having been issued by the Romanian AML Office.

9. What are the main CTF measures in your country?

As a Member State of the European Union, Romania enforces the sanctions imposed through Common Positions adopted within the Common Foreign and Security Policy. The sanctions include asset freezing, prohibition on making funds available, prohibition on certain financial actions, restrictions on services, restrictions on goods, and prohibition on arms procurement.

10. What are the criminal and/or regulatory and/or other risks for corporate bodies/directors/employees under your national law if failing to comply with AML/CTF legislation? Is there regular enforcement of the AML/CTF legislation in your country?

As a general rule, it should be noted that a simple failure to comply with AML/CTF legislation gives rise to administrative liability and not criminal liability of the individual/legal entity, unless the individual/legal entity participated in a crime either as an author, aider or abettor. 

For individuals, the administrative sanctions may consist of a warning or an administrative fine between RON10,000 (EUR 2,100) and RON 150,000 (EUR 31,000). 

For legal entities, the administrative sanctions may consist of a warning or an administrative fine of 10% of the total revenue declared for the previous fiscal period plus the aforementioned fine applicable to individuals. It should be noted that separate sanctions may also apply to the members of the management bodies or other individuals responsible for the breach.

In addition to the above financial sanction, entities that breach AML legislation may also be subject to one or more of the following complementary sanctions:

  1. confiscation of the assets resulting from the breach;
  2. suspension of the permit or authorisation to perform a certain activity or, as the case may be, suspension of the company’s activity for from one to six months;
  3. withdrawing the licence or permit for certain operations or for foreign trade activities for from one to six months;
  4. blocking the bank account for from ten days to one month;
  5. annulling the permit, approval or authorisation to perform a certain activity;
  6. closing the branch or another secondary headquarter;
  7. public statement identifying the individual or legal entity and the nature of the breach;
  8. issuing an order instructing the entity to cease the default;
  9. a temporary prohibition to exercise managerial functions in any reporting entity, issued against a person with managerial functions in the defaulting entity or any individual person that is responsible for the breach.
Cristina Popescu
Cristina Popescu
Senior Counsel and Head of CEE Insurance Practice Group
Anna Radnev
Ana Radnev