Fintech 2022 Comparisons

The Romanian fintech market has followed the strong global expansion trend and has experienced important growth over recent years.

The restrictions triggered by the pandemic kept customers moving towards digital channels. Traditional companies in the financial sector as well as local and international start-ups have responded by speeding up digital or digitally enhanced offerings, which raised competition in the local fintech market and created business partnership opportunities between traditional players and innovative newcomers.

While traditional financial companies still dominate the local fintech sector, the fintech offerings from new actors keep on growing, also targeting the regulated environment, to take full benefit of the opportunities of the open banking era under Directive (EU) 2015/2366 (the "Second Payment Services Directive", or PSD 2). Last year’s Fintech mapping endeavours showcased over 60 projects in the local market, from local actors to international companies with a local presence, active in areas such as personal finance, payments and wallets, financial infrastructure, investments and wealth management, crowdfunding, blockchain and cryptocurrencies; please see more details on the local market verticals in 2.1 Predominant Business Models.

The strong IT capabilities of Romania, with highly skilled human resources, contributed to the rise of the local tech industry and raised the appetite of several investors, including business angels and venture capitalists, which helped Romania to reach the top 20 European countries ranked by the number of fintech funding rounds. The listing on the NYSE in April 2021 of the USD35 billion Romanian software technology unicorn UiPath, a leader in robotic process automation, also constituted a landmark in Romania’s tech innovation history.

Other opportunities in Romania for the accelerated development of this industry include:

• support schemes through state tax relief (for example, revenue relief for IT specialists or support for setting up new development centres for companies);
• Romania having one of the fastest internet connections in Europe (third place in the world on broadband internet for 2022);
• increasing public investments in the digitalisation and implementation of electronic payments, including by means of the National Recovery and Resilience Plan adopted in October 2021; and
• the existence of state aid schemes addressed to supporting young entrepreneurs and SMEs.

The Romanian Fintech Association, set up in early 2020 as the first fintech professional association, has continued to expand over the past 12 months and attracted new actors in the industry to support fintech companies in accessing markets, capital and financing resources, as well as human resources.

The local fintech sector is still expected to thrive in the future. There are several important business accelerators that support this growth path of start-ups, and local venture capitalists have expressed their investment appetite in this field. More mature companies target the regulated environment of the fintech industry; the authors are aware of several payment licence applications that are in progress with the National Bank of Romania (NBR). Legacy players are expected to enhance their fintech offerings and keep contributing to the growth of the phenomenon, including by giving tech companies opportunities to test new ideas and build partnerships.

In March 2022, the NBR authorised the takeover of control of a Romanian e-money institution by Elrond, the most important Romanian developer of a blockchain ecosystem, thus indirectly acknowledging the involvement of such technology in the future of financial services.

Future Developments for Fintech in Romania

Among the matters that are expected to have a major impact in the next 12 months are:

• the crowdfunding law to be adopted by the Romanian authorities, establishing national norms for the direct application of Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the "EU Crowdfunding Regulation") in view of allowing the interested parties in such sector to carry out the authorisation formalities to become a licensed crowdfunding service provider; and
• potential issues raised by performing KYC at a distance, and by electronical means, as the relevant piece of legislation regulating this process entered into force on 24 December 2021 and sets forth a transition period of 240 days for the providers of such services to comply with their obligations, including to obtain the relevant endorsement from the Authority for the Digitalization of Romania following the filing of the relevant documentation.

The new norms for long-distance video identification as a form of electronic identification defined under Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions (the "eIDAS Regulation") mean the providers of such services authorised in another EU member state interested in providing such services for Romanian citizens or on the territory of Romania will need to comply with a series of obligations set forth in the recently enacted Romanian legislation, including some level of interaction with the Authority for the Digitalization of Romania.

The predominant B2C offerings in the Romanian fintech market cover payments and wallets (eg, mobile app-based solutions, bulk payment solutions and peer-to-peer money transfers) as well as personal finances (web or mobile-based, products providing cash flow analysis and forecasting, income and expenses monitoring, and similar functions). Online lending is also well represented, with “buy now, pay later” solutions and online platforms for invoice trading and factoring, while crowdfunding offerings are limited, but have an important exponent in the local market. Only a few local companies are exploring wealth management, but distributed ledger technology (DLT) products and associated services are gaining popularity. However, DLT is yet to be explored by the traditional actors in the financial services industry.

The local fintech ecosystem also has a strong B2B component that includes several financial infrastructure providers and financial enablers, some of them managing to export their solutions to other EU countries recently. Solutions in this area vary from those related to open banking application programming interfaces (APIs) (such as API aggregators/hubs and testing tools for PSD 2 APIs), authentication (including biometric) tools (such as typing biometrics authentication) and full-process onboarding platforms and chatbots, to platforms that enable banks and insurers (as insurtech solutions) to create end-to-end digital customer journeys. Despite the relatively limited local offerings in this sector, the use cases of regtech in the mid- and back-office internal processes of regulated entities to facilitate, amongst others, compliance, risk compliance, fraud detection and regulatory reporting are on a growth path.

While most of the above business models focus on regulated sectors (see 2.2 Regulatory Regime), few fintech companies carry out regulated activities, and legacy players still dominate the regulated banking, payment and investment services sectors. Only one local fintech company obtained a licence as a payment institution in 2021 and few others are expected to follow in 2022. However, most of the local fintechs operate as unregulated entities, either as outsourcing fintechs (eg, financial infrastructure providers and financial enablers) or by partnering with traditional players that ultimately carry out the regulated activities. Traditional players, in turn, contribute to the growth of the fintech ecosystem by developing dedicated business incubators and acceleration programmes.

The Romanian legal framework does not set forth a particular regime dedicated to fintech companies, except in relation to crowdfunding services, which are regulated under the EU Crowdfunding Regulation, directly applicable in Romania as of 10 November 2021.

Other activities carried out by industry participants may fall under the licensing regime applicable to banking and financial services, which generally stems from EU legislation such as PSD 2, the E-money Directive, the Second Markets in Financial Instruments Directive (MiFID II) and the Solvency II Directive, but also from domestic laws and regulations, such as those related to local lending monopolies, including Law 93/2009 on non-banking financial institutions, as subsequently amended.

Further registration requirements apply for fintech companies providing long-distance video identification services as a form of electronic identification defined under the eIDAS Regulation, based on the local regulation in force since December 2021 issued by the Authority for the Digitalization of Romania via Decision 564/2021 published in the Official Gazette of Romania on 24 November 2021.

Payment and E-money Services

Payment and e-money services are regulated under the domestic laws implementing PSD 2 and the E-money Directive, and may be provided within the territory of Romania subject to the licensing regime set forth thereunder. In particular, the payment services legal framework distinguishes eight categories of payment services and sets the licensing requirements for the provision of such payment services. The authorisation as "payment institutions" is, in principle, required for companies that are not already authorised as credit institutions or e-money institutions, or are otherwise excluded from the authorisation requirements. However, companies that plan to provide only account information services do not necessarily need a "payment institution" authorisation and may carry out their business as registered account information service providers, subject to a dedicated registration process with the NBR.

The conditions for authorisation, the relevant steps, and the information to be provided for authorisation follow the rules and guidelines set out at EU level, including the European Banking Authority (EBA) Guidelines on authorisation and registration under PSD2 (EBA/GL/2017/09) on the information to be provided for the authorisation of payment institutions and e-money institutions, and for the registration of account information service providers, with no substantial deviations. The regulatory regime is complemented by local regulations that implement closely the relevant EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), as well as the EBA Guidelines on major incidents reporting under PSD2 (EBA/GL/2021/03).

The legal framework above provides for the most relevant licensing and regulatory regime for the largest segment of the local fintech offerings: payment-related solutions.

The payments licensing regime may also be relevant for fintech companies that do not intend to carry out a payment-related business and that primarily fall under a different regulatory regime; eg, for crowdfunding service providers, depending on the flow of payments involved in the provision of crowdfunding services. An authorisation to provide crowdfunding services under the EU Crowdfunding Regulation will not equate to an authorisation to provide payment services.

Lending Services

In Romania, lending activity on a professional basis is subject to the monopoly of regulated financial institutions – namely, credit institutions and non banking financial institutions – covered by the domestic legislation on non-banking financial institutions. The applicable legal framework requires a non-banking financial institution licence for entities that carry out lending activities and that are not authorised as credit institutions or that provide lending services in accordance with the legal framework implementing PSD 2. Non-licensed entities providing lending services on a professional basis is considered usury and is criminally sanctioned under the Criminal Code.

The regime detailed above is particularly relevant for online lending, including factoring and invoice discounting, and has been a major hurdle for lending-based crowdfunding services. The EU Crowdfunding Regulation, however, changed the regulatory status of lending-based crowdfunding services, which raised the interest of actors in various sectors.

Investment Services and Regulated Trading Venues

The local regime regulating the provision of investment services in financial instruments and investment firms, and the operation of traditional stock exchanges and alternative trading venues, is provided for by the national laws and regulation implementing MiFID II, as well as the Markets in Financial Instruments Regulation (MiFIR), directly applicable in Romania.

The authorisation and conduct of business requirements for the provision of investment services in financial instruments and the operation of trading platforms set forth under the above-mentioned regime is equally applicable to legacy players as well as fintech companies (see 3. Robo-Advisers, 7. Marketplaces, Exchanges and Trading Platforms and 8. High-Frequency and Algorithmic Trading). 

The regulatory framework on investment services and regulated trading venues also needs to be considered by other types of fintech verticals, such as crowdfunding services (see below) and crypto-asset-related services.

In relation to crypto-asset services, to the extent that the relevant crypto-assets qualify as financial instruments, there are several related activities likely to qualify as investment services/activities, such as placing, dealing on own account, operating a multilateral trading facility (MTF) or organised trading facility (OTF), or providing investment advice.

Crowdfunding

As of 10 November 2021, the EU Crowdfunding Regulation has created a new category of regulated services: crowdfunding services. The provision of such services is now subject to dedicated licensing requirements and crowdfunding service providers licensed under the new regime benefit from the European passporting regime.

In-scope services include:

• lending-based crowdfunding services (the facilitation of granting peer-to-business and B2B loans peer-to-peer); and
• investment-based crowdfunding services (placing without a firm commitment basis and the receipt and transmission of client orders in relation to transferable securities, and a new category of instruments representing admitted instruments for crowdfunding purposes).

Until 10 November 2023, the EU Crowdfunding Regulation applies in Romania to crowdfunding offers with a consideration of up to EUR1 million calculated over a period of 12 months. As of 10 November 2023, the threshold will increase to EUR5 million.

Local companies still expect to take full benefit of the new regime, which requires further input and actions from the Romanian lawmakers and authorities to become fully effective. While the relevant implementation deadlines have expired, national legislative measures to, amongst others, (i) designate competent authorities, (ii) accommodate investment-based crowdfunding services with national laws implementing MiFID II, (iii) accommodate the lending-based crowdfunding model with the national rules regulating professional lending activity, or (iv) clarify the novel concept of admitted instruments for crowdfunding purposes by reference to the national concepts are yet to be implemented.

As such, the regulatory regime applicable to industry participants needs to be assessed on a case-by-case basis and depends on the business model of the industry participants and the targeted financial sector.

The compensation models that industry participants use to charge customers depend on their business model, and the applicable limitations vary depending on whether the relevant services are regulated services and whether the customers fall under the consumer protection rules.

The most common charging models in the predominant regulated fintech vertical (payments/wallets and online lending) include per-transaction fees (fixed or variable) and periodical fees (charged throughout the duration of the agreement/loan), or a combination thereof.

B2C offerings dedicated to consumers fall under several pre-contractual pricing disclosure requirements under pieces of regulation such as the local laws implementing the Distance Marketing of Financial Services Directive, the Consumers Credit Directive, PSD 2 and the EU Payment Accounts Directive.

Except as set out in 2.2 Regulatory Regime, fintech offerings do not benefit from a dedicated legal regime. The same regulatory framework applies to the provision of regulated services by legacy players and fintech newcomers. Unlike other jurisdictions, the Romanian legal framework does not provide for a lighter authorisation procedure for small fintech companies (eg, in the payments sector), which is one of the reasons why certain local companies, particularly targeting the payments market, structure their business outside the regulatory perimeter by partnering with legacy players that ultimately carry out the regulated activities.

Operating outside the regulated financial services perimeters does not exclude fintech companies from additional non-financial regulation that may become applicable depending on their activities and business model; see 2.10 Implications of Additional, Non-financial Services Regulations.

Romanian regulators in the banking and non-banking financial sector, the NBR and the Financial Supervisory Authority (FSA) recognise the importance of fintech and seek to leverage on the benefits thereof to support innovation in their fields of supervision. The NBR and the FSA developed dedicated fintech hubs to encourage dialogue with interested parties and create a favourable environment for the development of innovative products and services; namely, the FinTech Innovation Hub (NBR) and the Fintech Hub and the InsurTech Hub (FSA). At the end of 2020, the NBR engaged in discussions with experts from the Development Facility for the European Fund for Southeast Europe to explore the implementation of a fintech regulatory sandbox. The FSA appears to also be considering the opportunity of developing a regulatory sandbox as part of its Strategy for 2021–2023.

Under Romanian law, there is no single regulatory and supervisory authority for Fintech companies.

The provision of regulated services may fall under the jurisdiction of the NBR (with regard to payments, e-money, lending or banking business) or the FSA (for investment services, the operation of trading venues (regulated markets, MTFs or OTFs), or insurance business). With regard to crowdfunding services, national laws designating the competent authorities are yet to be implemented. Under the draft law aimed at the EU Crowdfunding Regulation available at this stage, the FSA appears to be the competent authority in relation to investment-based as well as lending-based crowdfunding activities, but the final law may be expected to divide the jurisdiction between the FSA and the NBR.

The jurisdiction of other (non-financial) authorities may become relevant depending on the business models of the industry participants; see 2.10 Implications of Additional, Non-financial Services Regulations. Examples include the National Office for Prevention and Control of Money Laundering for activities that fall under the AML and international sanctions regime, the National Agency for Fiscal Administration in relation to international sanctions, and the National Consumer Protection Authority for fintech offerings targeting consumers.

Data privacy matters fall under the National Supervisory Authority for Personal Data Processing, and, as regards cybersecurity matters, companies are supervised by CERT-RO.

With regard to providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers (relevant services for crypto-assets), the registration process in accordance with the local AML law is subject to the scrutiny of the Authority for the Digitalization of Romania and the Ministry of Public Finance.

Regulated firms are permitted to outsource certain operational functions to third-party service providers. While the extent of the legal requirements applicable to outsourcing arrangements varies depending on the regulated activities carried out by industry participants (ie, payments, lending or banking activity under the supervision of the NBR, or investment services, insurance or other activities under the supervision of the FSA), the following general principle applies throughout the regulated sector: outsourcing should not alter the capability of the regulated entity to comply with the regulatory obligations applicable to it, nor the ability of the competent authorities to supervise compliance with regulatory requirements. The regulated entity will retain full responsibility towards its clients for the provision of the regulated services.

In general, regulated entities should evaluate and address the operational risks triggered by arrangements with third-party service providers, independent of whether the relevant arrangement qualifies as outsourcing.

With regard to outsourcing, and, in particular, outsourcing of important or critical functions, particular requirements apply and local regulators expect compliance with the relevant guidelines on outsourcing at EU level, namely the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) or the European Securities and Markets Authority (ESMA) Guidelines on outsourcing to cloud service providers (ESMA50-157-2403), as applicable.

With regard to payment institutions, for example, the relevant requirements include:

• due diligence on the third-party service provider;
• a risk assessment of the outsourcing arrangement;
• a written outsourcing policy and other documentation requirements;
• proper integration of the outsourcing arrangements into the internal governance agreements; and
• adapted business continuity plans, and dedicated exit management strategies.

The outsourcing arrangement needs to include several mandatory provisions (in principle, to reflect contractually all conditions imposed on the regulated entity itself), with a particular focus on the audit rights of the competent authority as well as data privacy, and the security of data and systems.

In addition to the requirements on outsourcing, providers of payment services are subject to specific obligations to address their ICT and security risk, including in relation to third-party service providers (independent of whether the service qualifies as outsourcing). The local regulations setting out these additional requirements follow the EBA Guidelines on ICT and security risk management and, among others, set forth mandatory provisions to be included in the third-party contracts and service level agreements.

The main “gatekeeper” liability applicable to fintech providers stems from the local AML legal framework (see 2.13 Impact of AML Rules) and the international sanctions regime, applicable to most banking and financial service providers.

Payment service providers have additional obligations to report major operational and security incidents and provide statistical data on fraud related to different means of payment, in accordance with the local laws and regulations implementing PSD 2 and the relevant EBA guidelines.

The authors are not aware of major enforcement actions of the local regulators towards fintech industry participants. Most of the NBR's enforcement actions are written warnings. The FSA is more active with regard to enforcement activity (also due to the specifics of the supervised sectors). However, in both cases, based on the public information identified, the relevant enforcement has not involved the fintech industry. This situation could change in the context of the development of the applicable regulatory framework.

Fintech industry participants may be subject to additional non-financial services regulations. The applicability and implications of these non-financial pieces of legislation/regimes depend on the services provided and business model, with no difference between new actors and legacy players.

Data Protection

All fintech companies that process personal data must comply with the EU's General Data Protection Regulation (GDPR). In addition, there are national requirements that must be observed; for example, conducting a data protection impact assessment when large-scale processing of personal data is conducted by using innovative technological solutions, particularly where such operations limit the ability of data subjects to exercise their rights, which may be the case for a vast number of fintech companies. Also, Law No 190/2018 on the measures for the application of the GDPR defines the concept of a national identification number as a sensitive category of personal data encompassing the personal identification number, the number of the identity document, passport number, driving licence number, social health insurance number, etc. The processing thereof is subject to particular requirements if it is based on the controller’s legitimate interest.

Cybersecurity

According to the Romanian Cybersecurity Law, all essential service operators (including a wide array of essential services, such as digital infrastructure, banking and financial market infrastructures) are required to comply with specific obligations, including the obligations to:

• notify CERT-RO in order to be included in the Registry of Essential Service Operators; and
• comply with the technical norms on the minimum requirements for ensuring the security of computer networks and systems.

Consumer Protection Legislation

Where B2C fintech offerings target consumers, the service providers should carefully consider the local framework on consumer protection, which includes several pieces of legislation that implement EU directives – such as the Distance Marketing of Financial Services Directive, the Unfair Contract Terms Directive and the Consumer Credit Directive – but occasionally includes more stringent provisions than the European standard.

General Corporate and Business Legislation

Apart from the special legislation above, the activity of a fintech company is subject to the general legislation applicable to companies, including the Civil Code, Company Law No 31/1990 and the legislation on e-commerce and prohibiting unfair practices.

Please also see 2.13 Impact of AML Rules.

Entities in the regulated sectors targeted by the fintech market are subject to mandatory audit requirements in relation to their financial statements. In addition to the financial audit, independent third-party examinations and certifications have an important role for regulated entities demonstrating compliance with regulatory requirements (eg, security of data and systems, ICT risk management) or relevant industry standards for the purpose of accessing certain markets.

Third-party certifications and attestations are equally important to non-regulated fintech companies (outsourcing fintechs, in particular), which need to demonstrate to their contractual counterparties compliance with the highest industry standards, including on data and security; see 2.7 Outsourcing of Regulated Functions.

Most regulated entities may engage in the offering of unregulated products and services. However, the range of unregulated products and services and the conditions in which their offering may be carried out differ depending on the licence held by the regulated entity (ie, the financial sector in which it operates).

As an example, other than the regulated banking services (as provided for by Capital Requirements Directive IV), credit institutions may engage in a limited range of services (ancillary or strictly related to the banking services) and only as set out in its banking licence issued by the NBR. Payment institutions may generally engage in any business activities other than the provision of payment services (and not necessarily closely related or ancillary to payment services). However, the NRB may require the establishment of a separate entity for a payment services business, where the non-payment services activities of the payment institution impair, or are likely to impair, the financial soundness of the payment institution or the ability of the NBR to monitor the payment institution’s compliance with its obligations.

Payment services, e-money and, more generally, banking and financial services businesses are also subject to Romanian AML legislation, consisting mainly of Law 129/2019, as subsequently amended, including by Government Emergency Ordinance 111/2021, transposing under Romanian law the Fourth Anti-Money Laundering Directive, as well as the Fifth Anti-Money Laundering Directive. The related secondary legislation includes the dedicated regulation applicable to credit institutions, payment institutions, e-money institutions and non-banking financial institutions also qualifying as payment institutions – namely, NBR Regulation 2/2019 – as well as that applicable to regulated entities under FSA supervision, including insurers, investment funds, alternative investment fund managers (AIFMs) and investment firms; namely, FSA Regulation 13/2019. The implementation norms to Law 129/2019 adopted by the National Office for Prevention and Control of Money Laundering apply, inter alia, to providers engaged in exchange services between virtual currencies and fiat currencies, and custodian wallet providers. Essentially, all such reporting entities should have KYC procedures in place and apply KYC measures in relation to their clients.

The recent amendment of Law 129/2019 under Government Emergency Ordinance 111/2021, transposing the Sixth Anti-Money Laundering Directive with effect from July 2020, is relevant to the development of fintech activities in Romania, allowing now for the identification and verification of a client’s identity based on documents, data and information obtained from secure and independent sources, including, if available, a means of electronic identification and relevant trust services regulated under the eIDAS Regulation or via any other secure identification process at a distance or electronically, regulated, recognised, approved or accepted at a national level by the Authority for the Digitalization of Romania. Theoretically, this amendment regulates the digital identification of reporting entities’ clients as part of the KYC process, encouraging the development of online businesses.

In furtherance of this amendment, in February 2021, the Authority for the Digitalization of Romania submitted to public consultation a draft emergency ordinance regarding the identification of a person at a distance by video means. The draft ordinance was aborted due to numerous criticisms in the market and instead the field was regulated via Decision No 564/2021, published in the Official Gazette of Romania on 24 November 2021 and in force since 24 December 2021. According to this enactment, applicable in connection with the identification of Romanian citizens or on the territory of Romania, a series of obligations should be complied with by the relevant provider of the electronic identification in the meaning of the eIDAS Regulation.

Separately, one should closely monitor the legislative developments related to the AML package proposed by the European Commission in July 2021 (including the proposal to create a single AML authority; a draft AML regulation with directly applicable rules, including in respect of customer due diligence; a draft sixth AML directive, including rules to be transposed under national law, such as rules on national supervisors and financial intelligence units; and a revised regulation on transfer of funds aimed at tracing transfers of crypto-assets).

Finally, reporting entities subject to AML legislation should also comply with international sanctions legislation, consisting in Romania of the relevant European regulations and Government Emergency Ordinance 202/2008, as subsequently amended, and its application norms enacted under Government Decision 603/2011, as amended under Government Decision 292/2021.       

Robo-Advisory Concept

In accordance with various publications of EU regulatory bodies, a robo-adviser is a piece of software that is operated by a financial intermediary or an automated financial tool (human intervention being replaced by an automated process, such as algorithms or decision trees) that the consumer can access directly.

Robo-Advisers in Romania

However, robo-advisers are not regulated per se under Romanian law, which follows the principles of MiFID II with regard to the concept of technology neutrality. Therefore, legal requirements will not differ depending on the human advice, robo-advice or hybrid system (robo-advice with partial human interaction) being used, but rather on the financial product being offered.

Thus, any entity using robo-advisers when providing regulated financial services (such as investment advice or portfolio management) will fall under the requirements included under the Romanian law transposing MiFID II, including Law 126/2018 on markets in financial instruments and secondary legislation.

Future EU Regulation

According to a report issued in September 2021 by EIT (the European Institute of Innovation and Technology) Urban Mobility on AI mobility in the EU, fintech is leading in terms of the industries in which AI is making an impact. In this context, a proposal for a regulation laying down harmonised rules on AI was published by the European Commission in April 2021 (the draft proposal is undergoing the EU legislative procedure, and was under discussion within the Council of the European Union from October 2021). While Romania does not have dedicated legislation regarding AI, in September 2021, the Romanian Senate enacted Decision 110/2021 regarding the aforementioned draft regulation, acknowledging that this:

• is compliant with the principles of subsidiarity and proportionality, and has a balanced and proportional horizontal approach limited to the minimum requirements useful to address AI-related risks and issues without limiting or prohibiting without justification technological development, and raising the market entry cost for AI-related solutions; and
• ensures a robust and flexible legal framework.

This topic should be closely followed by fintech industry participants as while AI is a topic that is much wider than the concept of robo-advisory and the proposal does not fully apply to robo-advisers in its current form, once enacted, the principles set out in future regulation should also be considered when applying the requirements under MiFID II to robo-advisers.

While the pandemic provided the context for the use of robotic processes by legacy players, the local market is still under development with regard to robo-advice services and few robo-advisers are identified on the Romanian market according to publicly available data (Better Finance robo-advice report, 2020 edition).

For example, Optimus Fintech, a local fintech entity, has contemplated the use of robo-advice as an automatic wealth management solution for retail investors, but it does not appear to be operational yet, its licence being suspended by the FSA at its own request.

The requirement of best execution of customer trades under MiFID II and Romanian Law No 126/2018 transposing its provisions applies in the same way for legacy players and robo-advisers. An entity using robo-advisers has the same obligations under the applicable law as one using human consultants.

Loans to Consumers versus Corporate Loans

Loans granted to individuals are subject to more restrictive regulations compared to those granted to corporate clients (including small businesses), as individuals will be considered consumers. In such cases, in line with the corresponding European consumer protection directives (although the Romanian legal framework is even more restrictive on certain topics than the corresponding European acts), lenders shall have various obligations to furnish pre-contractual information before the conclusion of an agreement, such as the obligation to inform the consumer in an accurate and complete manner and in due time on specific matters (eg, the identity of the provider, the financial service offered by the provider, dispute resolution mechanisms) and the contractual obligations of the agreement, as well as various rules for setting up the fees and interest applicable. In the case of online lending, additional requirements apply with regard to data privacy and the processing of personal data of consumers, financial contracts concluded at a distance, KYC and the right of the consumer to withdraw.

Crowdfunding

The EU Crowdfunding Regulation has been directly applicable in Romania provides the legal background for lending-based crowdfunding services; the facilitation of granting peer-to-business and business-to-business loans, peer-to-peer consumer lending and donation/reward-based crowdfunding being out of scope (see 2.2 Regulatory Regime).

However, the draft law issued in public consultation by the Romanian Ministry of Public Finance establishing national norms for the direct application of such EU regulation is not yet approved/no final form is available; thus, crowdfunding is still a grey area in this jurisdiction, considering that Romanian law provides that credit activity on a professional basis is a regulated activity that may only be carried out by authorised entities.

Usually, lenders are subject to various conditions and legal requirements with regard to AML compliance, the reimbursement capacity of their clients, their creditworthiness, etc.

With regard to loans granted to consumers, and crowdfunding, see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities.

Carrying out lending activity on a professional basis is a regulated activity in Romania and it may only be carried out by a limited number of entities; namely:

• credit institutions;
• payment institutions providing ancillary credit activities in connection with certain payment services; and
• non-banking financial institutions.

Thus, the source of funds depends on the nature of the lender. Usually, lenders grant loans from own funds or from taking deposits; however, only credit institutions may provide loans from taking deposits.

With regard to crowdfunding, see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities.

There is no market practice for syndicating online loans in Romania. Usually, syndication is conducted by banks in the case of loans granted to large corporate borrowers and such loans are not concluded online.

The following main payment systems operate in Romania:

• a system for high-value payments in lei (ReGIS), operated by the NBR;
• a system for high-value payments in euros (TARGET2-Romania), operated by the NBR; and
• the settlement system SENT, operated by Transfond SA.

Such systems fall under the scope of Law No 253/2004 on settlement finality in payment and securities settlement systems, implementing Directive 98/26/EC.

In theory, additional private payment systems may be created that do not fall under Law No 253/2004 on settlement finality in payment and securities settlement systems. However, for the prevention of systemic risk, the NBR may designate such private systems as falling under the aforementioned law.

EEA-licensed fintech companies that carry out EU regulated activities (as mentioned above) may enter the Romanian fintech market based on the EU passporting regime (eg, on the basis of the Romanian legislation implementing PSD 2 or the EU Crowdfunding Regulation).

Non-EEA-based companies with the same (regulated) business models targeting the local market will need to pass the relevant licensing test before the NBR or the FSA, depending on the type of regulated activity intended to be performed.

Foreign fintech companies that carry out non-licensed businesses that may cross/overlap with EU regulated activities (eg, crowdfunding platforms) based on specific endorsements from local foreign authorities face risks triggered by the scarce regulatory framework in Romania.

Business models will need to be ultimately assessed by the NBR and/or the FSA, as applicable, for activities carried out in Romania.

There are no particular rules to access the Romanian market for foreign fintechs that do not carry out regulated activities (such as infrastructure providers/enabler fintechs); general business rules apply. However, several local fintechs have already crossed borders with their solutions (eg, FintechOS), targeting the EU market.

Types of Regulated Entities

In Romania, investment funds/alternative investment funds, management companies/AIFMs and depositories are regulated based on the applicable Romanian laws transposing the Alternative Investment Fund Managers Directive (AIFMD) and the Undertakings for the Collective Investment in Transferable Securities (UCITS) Directive.

Management companies (in the case of a UCITS licence) and alternative investment fund managers (in the case of an AIFM licence) may perform other administrative activities, such as accounting and legal services, and evidence keeping, subject to the conditions provided under the applicable laws.

The contractual terms of agreements are not regulated as such, but must consider the conduct of the management companies/AIFMs, as such is set forth under the applicable Romanian laws transposing the relevant EU financial legislation (eg, the AIFMD and MiFID II).

If any such functions are delegated to third parties, the rules on outsourcing must be complied with.

The activities undertaken by management companies/AIFMs may be outsourced to third parties under the strict conditions provided in the Romanian law transposing the AIFMD and MiFID II.

Under Romanian Law No 126/2018 transposing MiFID II, there are three types of trading venues:

• regulated markets;
• MTFs; and
• OTFs.

These are subject to the regulatory regime imposed by MiFID II, including the authorisation of operators of such trading platforms by the FSA, as well as transparency obligations (including under the Romanian legislation implementing the Transparency Directive).

Regulated markets and MTFs are the most common types of trading venues in Romania (ie, the regulated market operated by the Bucharest Stock Exchange and the MTF named AeRo operated by the Bucharest Stock Exchange).

All asset classes traded on the trading venues outlined above are subject to the same core regulatory regime; eg, to the restrictions imposed by Regulation (EU) No 596/2014 on market abuse (the "Market Abuse Regulation", or MAR). However, a different regime may be applicable depending on the trading platform on which they are listed (ie, a regulated market, an MTF or an OTF).

An OTF may list certain classes of assets (bonds, structured finance products, emission allowances or derivatives).

Similar to the status of the EU legislation, there is no specific financial regulatory regime dedicated to crypto-assets under Romanian law. In line with the Fifth Anti-Money Laundering Directive, the Romanian legal framework defines the concept of cryptocurrency and digital wallet providers related to virtual currencies, and the fiscal legislation regulates the rules applicable to income tax generated by transfers of virtual currency.

Also, for the purpose of implementing the EU's Non-Cash Directive, a draft law is undergoing the legislative process for the purposes of amending the Criminal Code to cover sanctions related to the fraudulent use of cryptocurrency and e-money.

As such, digital wallet providers and cryptocurrency exchanges qualify as reporting entities under the Romanian AML legislation and are also subject to authorisation/registration requirements of the Commission for the Authorisation of Foreign Exchange Activity within the Ministry of Public Finance, and the requirement to obtain a technical endorsement from the Authority for the Digitalization of Romania, but are not regulated as such (eg, no specific conduct of business rules, organisational requirements being applicable).

The application norms regulating the procedure for obtaining authorisation/registration with the Ministry of Public Finance and the endorsement of the Authority for the Digitalization of Romania have not been adopted and, consequently, there is no entity authorised/registered as a digital wallet provider or cryptocurrency exchange in Romania. Providing such services without authorisation/registration may trigger criminal liability.

Considering the lack of a dedicated legal framework on crypto-assets, the FSA issued another warning in 2021 restating that crypto-assets are extremely risky and speculative, and that the majority of such assets do not qualify as financial instruments, leaving investors without the corresponding legal protection. The NBR has issued similar warnings over the years in connection with the risks of financial losses posed by investments in certain crypto-assets (ie, virtual currencies). However, the latest warning issued in April 2021 indicates that the NBR is ready to view more favourably certain types of activities connected with crypto-assets. Specifically, compared to its initial warnings, which expressly discouraged credit institutions from providing banking services to entities involved in the cryptocurrency business, the latest warning expressly confirms that there is no legal provision prohibiting banks from offering account services to cryptocurrency exchanges or custodian wallet providers, if the AML legislation is complied with. The authors also note, however, the joint warning issued by the European authorities on 17 March 2022 on the risks for consumers of crypto-assets.

In the absence of any local initiatives to address the risks and clarify the legal regime of crypto-assets, the use of cryptocurrencies as payment means and the financing opportunities for fintech start-ups through initial coin offerings (ICOs) and blockchain-based capital markets infrastructure is expected to reach its full potential once the EU regulations on crypto-assets are enacted.

General listing standards applicable to transferable securities are regulated by Law No 24/2017 on issuers of financial instruments and market operations, the FSA's implementing norms and the code of the Bucharest Stock Exchange.

While there are no listing rules for trading platforms regarding crypto-assets, rules may apply depending on the characteristics of the crypto-assets, where the assets enter into the perimeter of regulated activities (eg, listing requirements for securities in consideration of Prospectus Regulation No 2017/1129 and Law No 24/2017 on issuers of financial instruments and market operations); please see 12.3 Classification of Blockchain Assets.

The rules for handling clients’ orders for the purchase or sale of financial instruments are included in Law No 126/2018, transposing MiFID II under Romanian law.

For this purpose, investment firms must have in place a policy for the execution of such orders, containing information such as the execution venues of client orders and the reasons determining the choice of the execution venue.

While peer-to-peer platforms on crypto-assets are becoming more popular, there has been no further impact on Romanian legislation yet; see also 7.1 Permissible Trading Platforms and 12.5 Regulation of Blockchain Asset Trading Platforms.

With regard to crowdfunding, the implementation of legislation adopted in view of the adaptation of the EU Crowdfunding Regulation to the existing Romanian legal framework is expected to bring more clarity in terms of the regulation of peer-to-peer platforms based on the crowdfunding model.

The duties of investment firms with regard to best execution of customer trades are provided under Law No 126/2018.

Thus, investment firms must take sufficient measures to obtain the best results when executing client orders, taking into account the price, costs, speed, probability of execution and settlement, size, nature of the order or any other aspect regarding the execution of the order. In relation to a retail client, the best possible result is to determine, on the basis of the total price, the price of the financial instrument and the costs associated with its execution, which include, in turn, all expenses incurred by the customer directly related to the execution of the order, including trading venue fees, clearing and settlement fees, and other charges paid to third parties involved in the execution of the order.

In accordance with MiFID II requirements and the Romanian law transposing it, investment firms are subject, inter alia, to strict requirements with regard to conflict of interest and best execution obligations.

Also, the ESMA emphasised in a statement issued on 13 July 2021 that investment firms shall be solely driven by the aim of obtaining the best possible result for their clients when choosing a third party and not by the amount of the “payment for order flow” that a third party is willing to pay for order routing. In practice, it is likely that the FSA considers such ESMA statements in conducting its regulatory and supervisory duties.

At the same time, the European Commission has proposed a directive amending MiFIR, which introduces targeted amendments related to the points raised by the ESMA in the above-mentioned statement, concluding that it should be incompatible with the principle of best execution that a financial intermediary receives a payment from a trading counterpart in exchange for routing client orders for execution. The proposed directive is undergoing the legislative procedure, and has been under discussion within the Council of the European Union since November 2021.

The basic principles of market integrity and market abuse in Romania originate in the MAR, which is directly applicable in Romania and aims to increase market integrity. This regulation prohibits insider dealing, unlawful disclosure of inside information and market manipulation, and contains provisions to prevent and detect these, as well as provisions related to sanctioning such conducts.

The creation and use of high-frequency and algorithmic trading is regulated under Law No 126/2018 regarding the financial instruments markets, transposing MiFID II.

Under Romanian law, high-frequency and algorithmic trading thus refers only to financial instruments as defined under the Romanian law transposing MiFID II.

Also, investment firms engaging in algorithmic trading have to satisfy various requirements with regard to efficient systems and risk mechanism control to guarantee that their trading systems are compliant with the applicable law. Such entities also have to notify the FSA in connection with such trading.

Investment firms using algorithmic trading targeting a market-making strategy must satisfy specific requirements under Law No 126/2018:

• they must perform market-making activities continuously, during a specified segment of the trading venue programme, except in exceptional circumstances, thus ensuring, on a regular and predictable basis, liquidity within the respective trading venue;
• they must enter into a binding written agreement with the trading venue, specifying at least the obligations of the investment firm; and
• they must have efficient control systems and mechanisms in place to ensure that they can fulfil, at any time, their obligations under the agreement referred to above.

An investment firm that performs algorithmic transactions aims at applying a market formation strategy if, as a member or participant in one or more trading venues, in the case of own trading, its strategy involves the firm, simultaneous placement of bilateral quotations of comparable size, at competitive prices, relating to one or more financial instruments in a single trading venue or in several trading venues, resulting in the provision of liquidity, periodically and frequently, where the instrument(s) is/are being traded.

Also, investment firms engaging in algorithmic trading in Romania have an obligation to notify the FSA.

Only regulated entities such as investment firms are subject to the rules regarding high-frequency and algorithmic trading. No further distinction is made.

There are no further regulations concerning programmers who develop and create trading algorithms or other electronic trading tools.

Investment firms remain fully liable for all the obligations under Regulation (EU) 2017/589 with regard to regulatory technical standards specifying the organisational requirements of investment firms engaged in algorithmic trading (which is directly applicable in Romania) where they outsource or procure software or hardware used in algorithmic trading activities.

Where platforms and their participants do not provide any regulated services, such are not covered by registration/licensing requirements (eg, platforms providing only general recommendations).

If the content published on the platforms qualifies as recommendations under the MAR (dissemination of information that could qualify as an “investment recommendation” or “information recommending or suggesting an investment strategy”), the restrictions applicable under the MAR and its delegated regulations must be complied with (eg, Commission Delegated Regulation (EU) 2016/958 of 9 March 2016 supplementing Regulation (EU) No 596/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the technical arrangements for objective presentation of investment recommendations or other information recommending or suggesting an investment strategy and for disclosure of particular interests or indications of conflicts of interest).

Disseminating false or misleading information may lead to market manipulation, such conduct being prohibited under the MAR.

There is no specific regulation concerning the curation of conversation on financial research platforms. Any conversation posted on such platforms and its effects must be dealt with through the terms and conditions of the relevant platform.

However, as mentioned in 9.2 Regulation of Unverified Information, any dissemination of false or misleading information, as well as any insider dealing or unlawful disclosure of inside information, is prohibited under the MAR and the relevant platform may be held liable.

Technological innovation in the insurance market has recently become more visible as an increasing number of insurers have integrated fintech solutions in their activities to close the digital gap and hold on to, and increase, their customer base. Insurtech solutions aim to provide tailored insurance offerings and streamline the insurance process. These include telematics/usage-based insurance options, chatbots that facilitate interaction with customers and offer 24/7 assistance, online underwriting processes, digital-first notices of loss and end-to-end digital customer journeys (that cover quote and underwriting, policy issuance, payment and policy management processes). Insurance-dedicated solutions by fintech enablers include digital claims notification and processing, appointments of repair shops/selection of treatment facilities, and features to facilitate settlement invoices/claim completion.

The InsurTech Hub set up by the FSA aims to facilitate interaction between traditional players in the insurance markets (insurers, brokers) and tech innovators to explore further developments in this area.

The same rules apply for insurtechs and traditional insurance companies, as the applicable Romanian law does not make any difference in this respect. Nonetheless, for online/distance underwriting processes (telephone sales, online, etc), the information to be provided to customers qualifying as consumers in connection with the conclusion of the contract is set out under national and EU consumer protection legislation, including the Romanian legislation applicable to the distance marketing of consumer financial services, which implements Directive 2002/65/EC of the European Parliament and of the Council of 23 September 2002 concerning the distance marketing of consumer financial services.

Under Romanian law, an insurer may provide life insurance products or general insurance products (not both), the exception referring to:

• composite insurers (the ones that on 1 January 2007 and 1 January 2016 had authorisation to provide life and general insurance products); and
• insurers that had obtained authorisations to provide health and accidents insurance, including workplace accidents and occupational diseases, in addition to life insurance products.

A reinsurer may provide life insurance products, general insurance products or composite insurance products.

Each type of insurance (life, property, etc) is subject to its own set of regulation, including with respect to the minimum capital requirements of the relevant (re)insurance companies.

Regtech providers operate under the Romanian laws transposing various pieces of EU legislation by providing regulated players with services related to their compliance with the relevant laws.

As a matter of principle, such providers are not specifically regulated; it basically depends on their business models and whether part of such amounts to regulated activities. On an exceptional basis, entities that may be considered as regtech providers, such as electronic identification and trust service providers, fall under the scope of the eIDAS Regulation, which is directly applicable in Romania, and any related relevant national legislation.

If a regulated entity outsources or procures regtech services, such arrangements must comply with the general outsourcing rules provided in the applicable laws (depending on the type of the regulated entity).

In line with the global trend, the interest in crypto-assets and DLT-based technologies is widespread in Romania. Crypto-asset enthusiasts have access to several global crypto exchanges and trading platforms, as well as to locally developed exchange facilities, such as Tokero (formerly LDV). In terms of raising funds, ICOs/initial exchange offerings were used for accessing finance by locally founded (Restart Energy) or Romanian-based (Elrond) companies, the latter being the developer of the public blockchain ecosystem for various financial-related utilisations, including the Mayar wallet, for its eGold native crypto-asset.

Blockchain-based solutions have been developed for utilisations in several other fields, such as Sablier as a real-time payment in crypto. Local authorities such as the FSA appear to be exploring the use of this technology in the exercise of their supervisory powers, as a regtech solution, according to the FSA Strategy for 2021–2023.

Financial Supervisory Authority

With regard to crypto-assets, the FSA issued another warning in 2021 stating that crypto-assets are extremely risky and speculative, and that the majority of such assets do not qualify as financial instruments, leaving investors without the legal protection attached to transactions in financial services.

However, the FSA is exploring the use of blockchain in the exercise of its supervisory powers, from the perspective of regtech solutions.

National Bank of Romania

The NBR has issued similar warnings over the years in connection with the risks of financial losses involved with investment in certain crypto-assets (in particular, virtual currencies). However, the latest warning, issued in April 2021, indicated that the NBR is ready to view more favourably certain activities connected with crypto-assets; see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Moreover, the NBR recently approved the acquisition of Twispay, the owner of the first e-money licence in Romania, by the Romanian blockchain start-up Elrond in a landmark decision with potential implications for the evolution of digital finance in Europe. This move will allow Elrond to issue International Bank Account Number accounts and prepaid cards.

Other Authorities

In December 2021, the Special Telecommunications Service (STS) announced that it has become an active participant in the European Blockchain Services Infrastructure (EBSI), the platform that prepares and supports the launch of blockchain infrastructure IT applications in the digital market of the EU.

EBSI is the first blockchain infrastructure in the EU, managed by the European Commission and partner member states, an initiative developed by the European Blockchain Partnership and effected through a network of nodes distributed in Europe. The use of the blockchain infrastructure aims at sharing data between authorities, guaranteeing the authenticity and integrity of transactions, an example of which is the digital management of educational accreditations.

By joining the European blockchain platform, the STS contributes to the extension and consolidation of the security of the EBSI network, by installing and hosting a node in Romania, as an active part of the distributed infrastructure. The hardware and software components of the Romanian node are managed by STS specialists, who also provide cybersecurity measures.

According to the STS, in Romania the blockchain technology as first used in connection with the electoral procedure in 2020 was considered a success as regards the offering of transparency of all the data from the relevant IT systems and the guarantee that such data is not altered.

There are no specific rules or regulations dedicated to blockchain or blockchain assets under Romanian law.

Therefore, the qualification of a blockchain asset as a regulated financial instrument depends on its characteristics; eg, any blockchain assets qualifying as virtual currencies are regulated under Law No 129/2019 to prevent and combat money laundering and terrorism financing (the "AML Law"), transposing the Fifth Anti-Money Laundering Directive and the Romanian Criminal Code (potential sanctions in connection with virtual currencies were introduced in July 2021), while blockchain assets qualifying as financial instruments are regulated under Law No 126/2018 regarding the financial instruments markets.

The proposal of the European Commission for a regulation on markets in crypto-assets (MiCA) will bring new rules regarding crypto-assets not covered elsewhere in EU financial services legislation. However, such regulation is still undergoing the EU legislative procedure, and has been the subject of discussions within the Council of the European Union from January 2022.

Please see 12.3 Classification of Blockchain Assets. Depending on the characteristics of the blockchain assets, specific regulations may apply.

Providers engaged in exchange services between virtual currencies, fiat currencies and custodian wallet providers are required to obtain an authorisation with the Commission for the Authorization of Foreign Exchange Activity within the Ministry of Public Finance, as well as a technical endorsement from the Authority for the Digitalization of Romania, but are not regulated as such. For details related to crypto-asset exchanges, see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

Other than as mentioned above and to the extent that the assets subject to blockchain do not fall under the scope of regulated activities, blockchain asset-trading platforms, as well as secondary market trading in blockchain assets, remain unregulated.

There is no Romanian-specific legislation regulating funds that invest in blockchain assets (ie, regulation of crypto funds).

Investment funds subject to Romanian legislation must observe the legal and contractual investment restrictions and limits applicable to them, generally depending on the qualification of such investment fund and on the categories of investors targeted (eg, retail versus non-retail investment funds). In Romania, alternative investment funds have been recently regulated under Law No 243/2019 regulating alternative investment funds, and are subject to FSA supervision, including as regards investment requirements and limits.

Virtual currencies are regulated under the AML Law as being “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”.

Providers engaged in exchange services between virtual currencies, fiat currencies and custodian wallet providers are required to obtain an authorisation; see 12.5 Regulation of Blockchain Asset Trading Platforms.

DeFi is not a regulated concept under Romanian law.

A case-by-case analysis is required to determine whether a DeFi platform falls under the scope of regulated activities (generally, financial services regulated activities). Essentially, such analysis is made depending on the types of crypto-assets/tokens used on such DeFI platforms, the structuring and types of activities carried out.

As indicated above (see 12.5 Regulation of Blockchain Asset Trading Platforms and 7.3 Impact of the Emergence of Cryptocurrency Exchanges), providers engaged in exchange services between virtual currencies, fiat currencies and custodian wallet providers are required to obtain an authorisation.

NFTs and NFTs-to-crypto exchanges are not regulated under Romanian law.

However, this situation will most likely change once the proposed MiCA enters into force, which intends to cover crypto-assets not falling under other EU financial services legislation; NFTs will probably fall under the catch-all category of “other crypto assets”, while the platforms offering such types of crypto-assets will fall under the crypto-assets service providers category and its applicable requirements. Also, recent guidance issued by the Financial Action Task Force in October 2021 stated that while NFTs are not usually regarded as virtual assets, some NFTs may fall under the virtual assets definition if they are to be used for payment or investment purposes in practice.

To determine whether the NFTs and NFT platforms intended to be used by fintech companies fall under a regulated perimeter, a case-by-case analysis of the features of the NFTs must be undertaken (eg, to determine if such may qualify as unregulated utility tokens or if there is a risk that such qualify as financial or payment instruments).

Regulations in Romania

In Romania, PSD 2 is transposed via Law 209/2019 on payment services and for the amendment of certain regulatory acts (the "Payment Service Law").

The law sets forth the main principles of PSD 2 regarding the regulation and authorisation of payment institutions, and the registration of account information services providers (AISPs) and their supervision, while the technical conditions regarding the authorisation of payment institutions or the registration of AISPs and other similar matters, including from the relevant EBA guidelines, are mainly regulated by NBR Regulation 4/2019 on payment institutions and dedicated providers of account information services, with additional matters related essentially to security measures regulated by NBR Regulation 2/2020 regulating the security measures related to the operational and security risks and the reporting requirements for payment services.

E-money and e-money institutions are regulated by Law 210/2019 on e-money issuance activity, in force since November 2019 and implementing NBR Regulation 5/2019, in force since December 2019.

These regulations are supplemented by the relevant EBA guidelines adopted in furtherance of PSD 2, which are generally endorsed by the NBR in its implementing norms.

Actors in the Payment Services Market

Payment services can be performed in Romania by credit institutions, payment institutions – including third-party providers (TPPs) carrying out payment initiation services – and e-money institutions, all these players being subject to prior authorisation by the NBR, capital requirements and prudential supervision. Also, under the Payment Service Law, AISPs only exercising such payment services may provide these services in Romania subject to prior registration with the NBR (following consultation by such authority with the National Authority for Consumer Protection and other competent authorities, as the case may be) and compliance with certain conditions.

Authorisations with the NBR

The first authorisation of a TPP in Romania was obtained by a Romanian fintech company (Smart Fintech) only in April 2021, after a nine-month authorisation procedure. Smart FinTech is authorised by the NBR as a payment institution and an AISP, covering both segments of open banking. It is expected that subsequent authorisation procedures of TPPs will be smoother, with at least two other authorisation procedures pending with the NBR, to the best of the authors' knowledge.

When assessing the need for authorisation as a payment institution, fintech companies must consider whether the services to be provided amount to regulated payment services (including payment initiation services) or whether they could be assimilated only to technical services providers, which are exempted from the obligation of an authorisation in accordance with Article 4 (j) of the Payment Service Law (transposing Article 3 (j) of PSD 2).

There are Romanian fintech players already active in the non-regulated segment of open banking, such as Finqware, a Romanian start-up specialised in integration applications and open banking.

Open Banking in Romania

According to available public information, open banking imposed by PSD 2 was required to be finalised in Romania by 31 March 2021; the final deadline assumed by the NBR to the EBA being 30 April 2021. A few Romanian banks have adopted API systems created by a Romanian fintech company, allowing access to the account information of other leading Romanian credit institutions, thus taking advantage of the opportunity of open banking offered by PSD 2. Also, the Romanian fintech Finqware announced that it will very soon obtain its EU-wide open banking licence, and is in the last stages of receiving TPP authorisation, for both account information services and payment initiation services, and, thus, being ready to go live with AISP services in Romania and Croatia. According to recent data regarding the implementation of open banking in European states, in June 2021, Romania had one of the weakest rankings and is therefore ready for substantial improvement on this front.

Considering that open banking has seemed to be “a very low priority for Romanian regulators” (see 13.1 Regulation of Open Banking), the Romanian market is still at an incipient stage in analysing opportunities and concerns related to open banking. In any case, from a data privacy perspective, the GDPR is directly applicable in Romania and therefore its restrictions as regards personal data and the correlations between the GDPR and PSD 2 must be considered by traditional banks and fintech companies active in the open banking field.