Following two (2) years of uncertainty, at the behest of the Romanian Government, the Ministry of Finance published the draft Government Decision for the approval of procedures for the authorisation and/or registration of providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers, on 12 May 2023. The Decision also included procedures for granting and withdrawing technical endorsements (the "Draft Decision").
The process began in 2019 when Law no. 129/2019 on the prevention and combating of money laundering and terrorism financing (the "RO AML Law") transposed Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD4). This Directive set the European framework for AML and KYC. As a result of the progress experienced in the digital and tech industries concerning high-risk financial transactions, AMLD4 was amended by Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018, amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD5).
As AMLD5 was transposed into Romanian legislation through Government Emergency Ordinance no. 111/2020 on amending the RO AML Law, it supplemented the gaps in the existing European legislation by regulating commonly unregulated entities such as cryptocurrency exchange platforms and crypto-wallet providers (the "Providers"). These two categories were further defined through AMLD5, and the provision of such services in Member States was prohibited without an appropriate authorisation/registration.
Following the implementation of AMLD5, the RO AML Law concluded that the authorisation procedures and the technical endorsement from the Authority for the Digitalisation of Romania (the "ADR", Romanian: Autoritatea pentru Digitalizarea României) would be subsequently established through a Government Decision, which failed to materialise for almost two (2) years. The Romanian Government cited the difficult technical aspects of the guidelines and the novelty of crypto-assets as the reasons why the implementation of the guidelines was heavily delayed. The RO AML Law also clearly states that the authorisation/registration of Providers would be carried out by the Ministry of Finance through the Commission for the authorisation of currency exchange activities (the "Commission").
The most important point of the Draft Decision is that Providers have a framework under which they can become regulated and provide services within the limits of the applicable legislation. Moreover, this allows for harmonisation with other Member States that already have systems in place whereby Providers can be authorised, and facilitates a broader provision of services throughout the European Union.
The Draft Decision establishes that Romanian Providers will be authorised by the Commission, while Providers established in another Member State (the "EU Providers") will receive a registration certificate by the Commission that would allow them to provide their services in Romania. The Draft Decision does not tackle the concept of third-country Providers and therefore it stands to reason that such entities are not allowed to be authorised/registered in Romania and/or to provide services.
Authorisation for Romanian Providers is valid for two (2) years upon issuance, while the registration certificate for EU Providers is valid until their respective authorisation or registration in another Member State has expired. The Draft Decision does not explicitly mention that the registration certificate will be withdrawn if the authorisation in another Member State is withdrawn itself, but that must be anticipated.
An uncomfortable point for EU Providers could be the obligation to empower an authorised representative to represent the company in Romania. The representative can be either a legal or natural person and must be domiciled or headquartered in Romania, among additional requirements. The main responsibilities of the representative should be representing the Provider before competent authorities regarding ongoing activities, registration procedures, and/or control and supervision endeavours.
The most important requirements for both Romanian and EU Providers, besides the ones involving shareholder/director/representative capacities, are the following:
• The digital platform held by the Provider should be connected to at least one internet domain registered in Romania;
• The Provider should hold at least one bank account opened in Romania in the fiat currency in which it will provide its services;
• The server of the digital platform should be located in Romania or in another EU Member State; and
• The Provider must have third-party civil liability insurance covering damages arising from security incidents, worth at least 1% of the total value of the transactions in the previous year, but not less than the RON equivalent of EUR 100,000 (approximately RON 494,000) on the date of the signing of the policy.
The procedure for Romanian Providers is a bit more extensive as they need to be authorised directly by the Commission. As such, they must also have a scope of business that falls under CAEN code 6499 for other financial intermediation (Romanian: Alte intermedieri financiare n.c.a.) and they must obtain the technical endorsement from the ADR, which further entails additional technical requirements for the digital platform.
As a novel procedure, Providers can make the necessary documentation available to the Commission via e-mail, scanned and signed with a qualified electronic signature by the director/legal representative or the authorised representative. This might prove to be a useful addition to an already encumbered bureaucratic system, which could speed up the process for foreign institutions in particular. Nevertheless, in order to obtain the technical endorsement from the ADR, Romanian Providers can only use documents in an electronic format, signed with a qualified electronic signature. It is unclear why there are different requirements for obtaining the technical endorsement and why scanned documents are not explicitly mentioned. The expectation is that the document submission procedure to the Commission and the ADR should not differ.
The technical endorsement is subject to an endorsement fee payable to the ADR, the amount of which is established by decision of the president of the ADR (no draft decision has been published and therefore we cannot anticipate the amount). The endorsement is valid for a period of two (2) years and is issued by the ADR within 45 calendar days after complete documentation has been provided.
The main rights and obligations of Providers under the Draft Decision are the following:
• Providers can freely establish the exchange rate between the virtual currency and the fiat currency;
• Romanian Providers must ensure safekeeping of data used on the digital platform and storage of backup data for a period of five (5) years;
• Romanian Providers must perform annual penetration tests on the digital platform to ensure the adequacy and security of the system, as required by the ADR;
• Providers must be properly established as legal entities in their country of incorporation and must own a digital platform with remote access where they provide their services;
• Providers must publish specific consumer-focused information, in Romanian, on their internet website, including details about their authorisation, consumer risks, terms and conditions for the use of the platform and more.
The provision of the above services without an authorisation/registration shall constitute a criminal offence and will be sanctioned in accordance with the provisions of the Romanian Criminal Code. The Draft Decision also establishes the misdemeanours for failing to observe the provisions of the former, with penalties of up to RON 50,000 (approximately EUR 10,000).
By Catalin Sabau, Associate, Wolf Theiss