A general introduction to the regulation of virtual currencies in Romania

All questions

Introduction to the legal and regulatory framework

Cryptoassets have benefited from a context that led to a global phenomenon, as the main core functionalities of a blockchain – immutability and decentralisation – enhanced transactions without borders and institutional approvals. The legal regime of cryptocurrencies has been vastly clarified by the Markets in Cryptoassets Regulation (MICA) which has direct application across all EU Member States. In Romania, as in many EU jurisdictions, cryptocurrencies are not considered legal tender but rather digital assets bearing a limited role as currency (similar to e-money or ‘e-money tokens’ in MICA), nor do they aim to stabilise their value by referencing another value or right, or combination thereof, including one or several official currencies (asset-referenced tokens, also known as stablecoins) or having a utility role in a determined web3/web2 ecosystem (utility tokens,² which are intended to provide access to a good or a service supplied by its issuer).

This chapter aims to both describe the legal framework in Romania and provide clarity on potential operational and legal risks in the absence of guidance from relevant national authorities. The long-term absence of a dedicated regulatory framework in Romania has not necessarily been a drawback for the entrepreneurs running companies that deal with cryptocurrencies, crypto-exchanges, crypto ATMs, crypto-wallets. Initial coin offerings (ICOs) and initial exchange offers (IEO) led by Romanian teams have been coordinated in various friendly jurisdictions, other than Romania, where there has been more clarity on the legal liability. As a general view, Romania boasts many strong attributes in relation to crypto-adoption namely:

1. Romanians have the highest positive attitude towards the use of cryptocurrencies (44 per cent), followed by Poland and Spain;
2. Romania ranks 33rd worldwide in a crypto-readiness index;
3. Romania’s major cities are growing as top IT hubs in Europe;
4. various projects are being developed: crypto-exchanges, national leading payment processors, etc;³
5. a layer 1 original blockchain – Elrond (among the fastest transfer speed that exists) and their mobile application Maiar, as well as new layer 1 protocol, which is currently under-development;
6. various decentralised applications (Dapps) who are creating new ecosystems (such as for freelancing decentralised marketplaces, crypto trading bots), non-fungible tokens (NFT) online marketplaces, cryptoasset managers, as well as blockchain applications in the supply-chain sector;
7. the Romanian government uses blockchain in national elections as an underlying infrastructure;⁴ and
8. Romania’s National Institute for Research and Development in Informatics (ICI Bucharest) launched an institutional grade non-fungible token trading platform for Romanian companies and state agencies who wish to further the usage of NFTs in their activities.⁵

Securities and investment laws

i Financial market regulators

The growing popularity of cryptocurrencies has prompted increased regulatory scrutiny. In the EU, cryptocurrencies are currently mostly unregulated and Romania is no exception when it comes to specific cryptocurrency regulations. Romania has no specific securities regulations with respect to virtual currencies or their offering. The global financial market is regulated by the Financial Supervisory Authority (ASF)⁶ and the National Bank of Romania (NBR).⁷ ASF and NBR are in charge of supervising and monitoring banks and financial services companies operating in Romania. ASF regulates financial markets, and is responsible for supervising financial products, the information published by companies and the financial service providers; whereas NBR is responsible for overseeing individual financial institutions (e.g., credit institutions, investment firms, payment institutions, non-banking financial institutions and electronic money institutions) and the proper functioning of the financial system as a whole. ASF relies entirely on the guidelines issued by the European Securities and Markets Authority (ESMA) with respect to the risk of initial coin offerings.

ASF does not offer any particular rules pertaining to the prospectus, transparency, market abuse and markets in financial instruments law but rather tacitly adopts EU law, including the Prospectus Directive, the European Union Markets in Financial Instruments XDirective (MiFID II) and the Alternative Investment Fund Managers Directive. ASF seems to apply the EU principles of transferable security and financial instruments as defined in MiFID II. According to MiFID II, a decentralised cryptocurrency will not be a transferable security unlike a security token that is similar to a share or bond. ESMA recognises that the virtual currencies regulatory framework is not yet finalised.⁸

ii Prospectus regulation

The Prospectus Directive (PD)⁹ requires that adequate information is provided when seeking to raise funds from investors in the European Union. Before an ICO, the issuer must publish a prospectus in which it clearly outlines all information necessary for an investor to be able to evaluate the potential investment. The information must be presented in a clear, concise and intelligent manner.

iii Alternative Investment Funds Managers Directive

ASF has integrated the European Alternative Investment Fund Managers Directive (AIFMD), which lays down the rules for the authorisation, operation and permanent transparency of alternative investment managers (AIFM) that manage or market alternative investment funds (AIF), or both, in the EU. Depending on its structure, an ICO scheme could be qualified as an AIF, insofar as it is used to raise capital from a number of investors in order to invest in accordance with a defined investment policy. The companies involved in the ICO must therefore comply with the AIFMD rules, in particular the rules relating to capital, operations and organisation and transparency requirements.

iv The Regulation on pilot DLT market infrastructure

On 2 June 2022, Pilot DLT Market Infrastructure Regulation (PDMIR) was adopted. It is the first one of the Digital Finance Strategy Package, which also includes MICA and other pieces of legislation completing the puzzle for the finance of tomorrow. The European Regulation has been applicable since 23 March 2023.

The PDMIR is relevant for the new crypto platforms that may wish to change their business model. It is aimed at allowing capital markets supervisors to gain further knowledge on the use of DLTs into capital markets infrastructure. The PDMIR will be applicable within the MIFID II framework for financial instruments. This might bring the following policy considerations in:

1. the STO space;
2. the virtualisation and dematerialisation of shares and bonds; and
3. the Central Depositary and other multilateral trading facilities would need to adapt, as it is expected that EU-wide market infrastructure providers will be coming to Romania to claim a good share of the market based on an EU-wide financial passport.

Banking and money transmission

The European Central Bank’s (ECB) first approach towards the market’s advancements in the crypto-field was to state that ‘virtual currencies’ are ‘not scriptural, electronic, digital or virtual forms of a particular currency. They are something else, different from known currencies’, thus not being subject to the first Payment Services Directive (PSD1) (defined below) or the E-Money Directive (defined below).

This position was reiterated by both the European Banking Authority (EBA) and ESMA, as well as by NBR, which acknowledged cryptocurrencies as ‘highly volatile and extremely risky speculative assets’ edited on a more optimistic note in April 2021. The NBR’s opinion in April 2021 expressly stated:

The regulations administered by the National Bank of Romania do not prohibit credit institutions to offer account services to providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers . . . and in view of the risks they are exposed to as a result of providing payment account services to these undertakings, by adjusting internal risk policies and the risk management capacity on objective and proportional grounds.

The NBR’s position mentions the obligation of exchange and digital wallet service providers in this market to comply with the provisions of Law 129/2019 on preventing and combating money laundering and terrorist financing (the AML Law), updated by the Government Emergency Ordinance No. 111/2020 (GEO 111/2020).

i Decentralised finance

Decentralised finance (DeFi) projects aim to leverage distributed ledger technology to allow for peer-to-peer finance.

Crypto deposit interest rates are typically more attractive than with traditional banks, and the barrier to entry to borrow is low compared with that of a traditional system, as no personal credit risk is associated with the lending decision. In most cases, the only requirement to receive a DeFi loan is the ability to provide collateral with other owned cryptoassets (including NFTs).

ii E-money

‘Electronic money’ or ‘e-money’ is defined under the E-money Directive.¹⁰ If the definition is split into parts, the main characteristics of e-money are shown as follows:

1. it is stored electronically, including magnetically;
2. it is represented by a claim on the issuer;
3. it is issued on receipt of funds;
4. it is used for the purpose of making payment transactions; and
5. it is accepted by a natural or legal person other than the electronic money issuer.

E-money services are provided by private entities under the Romanian licensing regime, (which mirrors the E-Money Directive) or by other EU-licensed e-money institutions through passporting.

E-money tokens, according to MiCA, refer to a type of cryptoasset, the main purpose of which is to maintain a stable value by referencing the value of one official (fiat) currency. The function of such cryptoassets is very similar to the function of electronic money as defined in Directive 2009/110/EC. Like electronic money, such cryptoassets are electronic surrogates for coins and banknotes and are likely to be used for making payments.

They are issued on the receipt of funds for the purpose of making payment transactions and accepted by a natural or legal person other than the electronic money issuer.

iii Payment services

The digital payments landscape has evolved significantly during the past decade. Romanian Law No. 209/2019 on payment services implements PSD2¹¹ and creates an environment for open payment services. Regulations of payment services revolve around the use of legal currency or of funds. Virtual currencies are generally not considered funds under PSD2, nor being banknotes or scriptural money. However, two particular situations might arise:

1. integration of payment services by crypto exchanges to bank accounts. In this case, a licence as a payment institution authorisation might be required; and
2. holding e-money accounts (holding clients’ funds) or dealing with e-money tokens, in this case, specific authorisation would be required.

MICA provides a better understanding on the types of cryptoasset services that will need to be regulated.

Anti-money laundering

Regarding the measures implemented by Romania, on 18 July 2019, Law No. 129/2019 (the AML Law) for preventing and combating money laundering and terrorist financing was published in the Romanian Official Gazette. However, it did not fully transpose the 5th Anti-Money Laundering Directive (5AMLD), omitting categories of reporting entities, such as those in the field of cryptocurrencies. The non-transposition of 5AMLD led Romania to the Court of Justice of the European Union, for failing to adopt 5AMLD (‘failed to fulfil its obligations under Article 67 of Directive 2015/849’).¹²

To streamline the mechanism for preventing and combating money laundering up to the limit provided by the 5AMLD and to avoid financial consequences that may result from the infringement procedure, the Romanian government adopted an Emergency Ordinance on 1 July 2020, which also transposes the rest of 5AMLD into Romanian legislation:

1. virtual currency means a digital representation of the value that is not issued or guaranteed by a central bank or public authority, is not necessarily linked to a legally established currency and does not have the legal status of currency or money, but is accepted by natural or legal persons as a medium of exchange and may be transferred, stored and traded electronically; and
2. digital wallet provider means an entity that provides services for the secure storage of private cryptographic key services on behalf of its customers.

In this regard, digital wallet providers within the scope of the AML Law are custodial wallets (‘hot wallets’ or ‘providing custody and administration of cryptoassets on behalf of clients’ as per MICA).

The legislative developments regarding cryptoassets relate mainly to their continuing use for money laundering and terrorist financing, the massive growth of private tokens used to raise funds, and to the emergence of stablecoins and central bank digital currencies. Much recent research has highlighted that both lawful and unlawful crypto markets exist, where legal and illegal users operate.

The list of obliged entities under AML can be broadened, and the following blind spots should be addressed:

1. crypto exchanges (crypto to crypto);
2. financial service providers who are active in financial services related to an issuer’s offer or sale of a cryptoasset, or both; and
3. trading platforms.

Further legal determination is needed as to include or exclude issuers or offerors of cryptoassets into the list of obligated entities.¹³

Conversely, non-custodial wallet providers only provide the technical tools for others to use and typically do not function as an intermediary so it does not make much sense to target them for AML purposes. AML main obligations of the concerned entities are as follows:

1. reporting obligations:
   • suspicious transactions reports must be immediately sent to the National Office of Preventing and Combating Money Laundering (ONPCSB); and
   • non-suspicious transactions in equivalent of at least €10,000 must be reported to the ONPCSB;
2. customer due diligence, know your customer (KYC) checks;
3. reporting of ultimate beneficial owners; and
4. information sharing obligations – entities store information internally to enable data to be retrieved in a timely manner when needed or requested by authorities.

The important note here, as of 2023, is that any cryptoassets service provider (CASP) that needs an authorisation under MICA will need to provide a description of the applicant cryptoasset service provider’s internal control mechanisms, policies and procedures to identify, assess and manage risks, including money laundering and terrorist financing risks.

i Maintained in 2023 – the obligation to notify crypto activities

The AML reporting duties commence with the custodians or exchanges registration with the National Office for Prevention and Control of Money Laundering (OPCML), which issued an order in 2022 to notify the authorities. The registration is performed online and is within the responsibilities of the designated AML officer. The notification covers activities of exchange services between virtual currencies and fiat currencies and the reporting of suspicious activities, whereby the OPCML my request the freezing of crypto accounts linked to suspicious activities.¹⁴

ii The travel rule and its scope

The official publication of Regulation (EU) 2023/1113, known as the Transfer of Funds Regulation (EU TFR), marks a significant step in aligning the EU’s approach, through Directive 2015/849, with the Financial Action Task Force (FATF)’s recommendations on virtual assets. By transposing the established travel rule from conventional financial systems to the crypto realm, the regulation endeavours to harmonise the EU’s approach while adhering to the FATF standards.

MiCA has established a comprehensive regulatory framework for cryptoasset service providers which integrates the rules pertaining to the authorisation and operation of CASP across the EU, including activities on the Romanian territory. Thus, the EU TFR amends Directive (EU) 2015/849 to encompass all categories of CASPs, both Romanian and other EU originated, as defined under MiCA, incorporating them within the category of financial institutions. The EU TFR’s approved text was officially published in the EU Official Journal on 9 June 2023, coming into effect on 29 June 2023, and will be fully enforceable throughout the EU by 30 December 2024.

Under the EU TFR regime, the CASP of the party initiating the transfer will have to ensure that the transfer includes information on both the initiator and the beneficiary. The thresholds (from €1 or €1,000) will apply depending on whether the transfers occur between CASPs, between CASPs and third-party wallets, or between third-party wallets. The beneficiary’s CASP will then have to check whether the required information is included in the transferring message prior to executing the transfer. As stated in Article 2 Paragraph 1, the Regulation will apply to ‘transfers of cryptoassets, including transfers of cryptoassets executed by means of crypto-ATMs, where the cryptoasset service provider, or the intermediary cryptoasset service provider, of either the originator or the beneficiary has its registered office in the Union’. This does not apply, according to Article 4 of the EU TFR, to a transfer of cryptoassets where any of the following conditions is met:

1. both the originator and the beneficiary are cryptoasset service providers acting on their own behalf; and
2. the transfer constitutes a person-to-person transfer of cryptoassets carried out without the involvement of a cryptoasset service provider.

At the EU level, the supervising authorities entrusted with the task of ensuring compliance are determined by each Member State; in Romania, the authority that will most likely be the supervising body would be the OPCML or a shared mandate between OPCML, the National Bank of Romania and the Ministry of Finance.

iii Transfers that involve only CASPs

All CASPs will need to comply with the travel rule and share relevant originator and beneficiary information for all crypto transfers, with no minimum threshold. This goes beyond the FATF’s standards, which only require the travel rule on transfers over €1,000.

iv Transfers from CASPs to third-party wallets

In the case of a transfer of cryptoassets made to a self-hosted address, according to Article 14 Paragraph 5 and to Article 16 Paragraph 2 of the EU TFR, the CASPs shall obtain and hold the information and shall ensure that the transfer of cryptoassets can be individually identified. CASPs shall take adequate measures to assess whether the address is owned or controlled by the originator for an amount exceeding €1,000 to a self-hosted address. CASPs do not need to verify the self-hosted wallet owner data in transfers below €1,000.

v Transfers that involve only third-party wallets

The EU has backed away from a previous proposal to require that CASPs verify identities for all third-party wallet transfers. However, CASPs will still be required to verify whether the wallet is owned and controlled by their own customer for any transaction with a third-party wallet over €1,000.

vi Obligations on cryptoasset service providers Obligations on the cryptoasset service provider of the originator (hereinafter referred to as ‘CASP-O’)Information accompanying transfers of cryptoassets

According to Article 14 of the EU TFR, CASP-O shall ensure that transfers of cryptoassets are accompanied by the following information on the originator and beneficiary (thereafter ‘Information’):

1. the name of the originator/beneficiary;
2. the originator or beneficiary’s distributed ledger address;
3. the originator or beneficiary’s cryptoasset account number;
4. the originator or beneficiary’s official identity and address; and
5. the current LEI or any other available equivalent official identifier of the originator or beneficiary.

Compliance and security measures

The information shall be submitted in advance of, or simultaneously or concurrently with, the transfer of cryptoassets and in a secure manner.

The CASP-O shall ensure that the transfer of cryptoassets is accompanied by a unique transaction identifier.

Before transferring cryptoassets, the CASP-O shall verify the accuracy of the information.

The CASP-O shall not allow for the initiation, or execute any transfer, of cryptoassets before ensuring full compliance.

Obligations on cryptoasset service provider of the beneficiary (CASP-B)Detection of missing information on the originator or the beneficiary

In accordance with Article 16 of the EU TFR, the CASP-B shall implement effective procedures to detect whether the information is included in the transfer or batch file transfer of cryptoassets.

Before making the cryptoassets available to the beneficiary, the CASP-B shall verify the accuracy of the information.

Transfers of cryptoassets with missing or incomplete information

According to Article 17 of the EU TFR, the CASP-B shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject, return or suspend a transfer of cryptoassets lacking the required complete information. Where the CASP-B becomes aware that the information is missing or incomplete, that CASP shall, on a risk sensitive basis and without undue delay:

1. reject the transfer or return the transferred cryptoassets; or
2. request the information before making the cryptoassets available to the beneficiary.

Where a CASP repeatedly fails to provide the information, the CASP-B shall:

1. take appropriate steps before proceeding to a rejection; or
2. directly reject any future transfers of cryptoassets. The CASP-B shall report that failure to the competent authority.

vii Data protection

In accordance with Article 25 of the EU TFR, personal data shall be processed by CASPs on the basis of EU TFR only for the purposes of the prevention of money laundering and terrorist financing and not for commercial purposes. CASPs shall collect data pursuant to Article 13 of the EU’s General Data Protection Regulation (GDPR). That information shall be provided in a concise, transparent, intelligible and easily accessible form in and shall, in particular, include a general notice concerning the legal obligations CASPs under the EU TFR.

viii Due diligence for CASPs correspondent relationships with third-country entities in cryptoasset services

CASPs must undertake specific due diligence measures when establishing new correspondent relationships with entities in third countries. This process involves the identification and assessment of risk exposure associated with these entities, taking into account factors such as their reputation, the quality of supervision, and the effectiveness of their anti-money laundering and counter-terrorist financing (AML/CFT) controls. Subsequent to this assessment, correspondent CASPs should adopt suitable risk-mitigating measures. Particular attention should be directed towards the heightened risk of money laundering and terrorist financing.

To ensure consistent and effective implementation of due diligence practices, the EBA is expected to provide comprehensive guidance to CASPs. We recommend CASPs to be prepared and be proactive and start compliance implementation providers because compliance will be mandatory as soon as the regulation will be fully applicable (30 December 2024).

Regulation of exchanges

i The landscape

Romania has unrestricted access to global exchange platforms and e-money institutions that provide a fiat gateway and account management for digital assets using their passporting rights under EU law. There are a couple of domestic exchanges that have developed a local competitive advantage by providing crypto trading pairs linked to the Romanian national currency and by setting up physical exchange points and ATMs for crypto exchanges across Romania. We have seen interest in the local market for merchant payment solutions in crypto either from EU-based companies that benefit from passporting, as well as from local leading payment processors in the market that are taking the network of users and merchants in Romania to the next level. Romania has over 80 crypto ATMs¹⁵ currently active across the major. ATMs need to comply with the AML regulations.

ii 2023 New draft authorisation framework for crypto exchange services and digital wallet providersPreview

Crypto exchange services and digital wallet providers will soon see interesting advancements in the authorisation framework that governs their operations. The Romanian Ministry of Finance has put forth a draft government decision ‘approving the procedure for the authorisation and/or registration of virtual and fiat currency exchange service providers and of providers of digital wallets, as well as the procedure for granting and withdrawing technical authorisation’ (the Draft). In this context, our analysis endeavours to provide valuable insights into the potential impact on market dynamics, regulatory compliance standards and procedural ramifications of the proposed Draft.

General features of the procedure of authorisation and registration of providers

Annex No. 1 of the Draft represents the legal framework for the authorisation or registration and the operation of virtual and fiat currency exchange service providers and digital wallet providers by the following entities (providers):

1. providers of exchange services between virtual currencies and fiat currencies:
   • legal entities established in accordance with the legislation in force and meeting the conditions stipulated in this Decision; and
   • legal entities legally constituted and authorised/registered, where appropriate, to carry on such activities in a Member State.
2. digital wallet providers:
   • legal entities established in accordance with the legislation in force and meeting the conditions stipulated in this decision; and
   • providers of digital wallets who are legal entities legally constituted and authorised or registered, where applicable, to carry out these activities in a Member State.

Conditions for applying for an authorisation and registration certificate

In order to apply for authorisation or registration, providers must cumulatively fulfil a number of 10 conditions, of which we highlight the following:

1. own a digital platform with remote access for the provision of services of exchange between virtual currencies and fiat currencies and the provision of digital wallets connected to at least one internet domain registered in Romania;
2. hold at least one bank account in fiat currencies through which it carries out its operations, opened in Romania;
3. the remote access digital platform server is located in the territory of Romania or in the territory of another Member State; and
4. to submit the civil liability insurance policy to cover possible damages to third parties resulting from security incidents, in the amount of 1 per cent of the value of the transactions of the year preceding the request for the issuance of the technical approval and registration certificate, but not less than €100,000. The insurance policy must be valid for the entire period of validity of the registration certificate and technical approval.

In addition to the shared conditions that are applicable to both categories of providers, the Draft identifies a set of conditions unique to each respective category, contingent upon the nationality of the legal entity involved.

Obligations of providers

Providers must comply with a complex set of general obligations, of which we emphasise:

1. providers have to create a digital wallet, request the customer’s identification data provided in the documents attesting the identity of the natural person or in the act of establishment of the legal entity or unincorporated entity;
2. providers must keep an electronic register of electronic wallet holders; and
3. providers must allocate a unique identification number for each registered transaction or provided digital wallet.

Providers are required to inform the Commission of any changes to the data and information taken into account at the time of authorisation and registration within a maximum of 10 working days from the date on which the change occurred. Providers who are legal entities operating in another Member State must expressly appoint an authorised representative.

Providers’ liability

Providers are liabile for carrying out the activity in Romania. Thus, the legislative authority places the liability on providers by expressly stating that the liability is ‘entirely’ theirs.

Prohibitions and limitations

Providers are not allowed to offer exchange services between virtual and fiat currencies via crypto ATM machines to persons other than those for whom the customer awareness procedure has been completed on the remote access digital platform.

The Draft limits the scope of participants and makes the provision of exchange services between virtual currencies and fiat currencies or digital wallets, where applicable, on the territory of Romania conditional upon the providers obtaining an authorisation and registration certificate. However, Article 12 of Annex No. 1 of the Draft states that providers are at liberty to determine the exchange rates between virtual and fiat currencies, both buying and selling rates, as appropriate.

Revocation of authorisation and registration certificateOrder of revocation

The Commission may order the revocation of the authorisation or registration certificate issued to the Provider, depending on the seriousness of the facts established and the consequences arising therefrom, in any of the following situations:

1. where it is found that the applicant has supplied incorrect or inaccurate information at the time of grant which, had it been known, would have led to the authorisation or registration certificate not being granted;
2. the non-fulfilment of payment of fiscal and revenue obligations towards the state with a delay of more than 30 calendar days from the date on which the respective obligations are due;
3. the Provider has been convicted domestically or internationally for money laundering or terrorist financing offences;
4. the Provider has been declared bankrupt by a final court decision;
5. failure to comply with any of the conditions for authorisation or registration;
6. at the request of the Provider;
7. continuation of the activity after the suspension measure has been ordered;
8. at the time of the establishment of a situation giving rise to the imposition of a suspension measure, if the Provider has already had their authorisation or registration certificate suspended twice in the previous 12 months;
9. at the motivated request of ONPCSB, the National Authority of Fiscal Administration or the National Authority of Consumer Protection; and
10. following Romania’s Digitalization Authority notification informing the Commission of the withdrawal of the technical approval granted to the providers, legal entities under Romanian law.

Admissibility of a new application

A Provider sanctioned with the revocation of the authorisation or registration certificate for the reasons referred to in points (a) or (c) above, may uphold a new application for authorisation or registration certificate only after a 5-year period.

A Provider sanctioned with the revocation of the authorisation or registration certificate, as the case may be, for the reasons set out in points (b), (e) and (g) to (j) above, may uphold a new application for authorisation or registration certificate, as the case may be, only after a 12-months period.

To conclude, the proposed draft government decision holds significant implications for exchange service and digital wallet providers in Romania.

iii Additional potential regulated activities

There is a layer of complexity when classifying tokens and coins as financial instruments. Virtual assets may qualify as securities under MiFID II and the local transposing legislation would require a licence as a security service provider under MiFID II and MiFIR rules, given that buying securities amount to making a regulated investment that can be offered only by regulated investment service providers.

iv Cybersecurity and consumer protection

As the crypto space grows, particular attention should be paid to cybersecurity. Fortunately, there has not been any publicly known hacking of a Romanian-based crypto exchange. Players should be ready, and even if specific regulation to comply with cybersecurity has not been enacted for crypto exchanges, a strict standard for compliance should be self-imposed, especially the protection of keys for custodial wallets.¹⁶

v Crypto exchanges and NFTs

While in practice, virtual currencies have mostly a fungible nature (which from a strict legalistic point of view might be a bit different), NFTs are not fungible. Apart from that characteristic, NFTs have the same other characteristics that classify them as virtual assets. As such, if a trading platform offers NFTs for exchange against fiat currency (via sale or lending against NFT collateral), the rules for crypto-to-fiat exchanges would automatically apply as a matter of principle:

When a trading platform facilitates the exchange and/or transfer of virtual assets, or another financial activity involving virtual assets, including by purchasing virtual assets from a seller (when transactions or bids and offers are matched on the trading platform) and selling them to a buyer, then that trading platform qualifies as a virtual asset service provider conducting exchange and/or transfer activity as a business on behalf of its customers.¹⁷

MiCA acknowledges the distinct nature of certain cryptoassets, such as NFTs, which serve as representations of digital art or collectibles and cannot be easily exchanged with other assets. MiCA proposes an exemption for these unique and non-fungible cryptoassets from regulatory requirements. The exemption specifically applies to cryptoassets that represent intellectual property rights, product guarantees, or certified authenticity of physical assets like art or real estate. However, it does not extend to fractional portions of unique and non-fungible cryptoassets or to cryptoassets issued in a large series or collection that can be considered fungible. MiCA clarifies that the exemption for unique and non-fungible cryptoassets from regulation does not prevent them from being potentially classified as financial instruments. Consequently, NFTs may fall under the scope of financial regulation if their characteristics or applications render them fungible or not genuinely unique. ESMA will provide guidelines in 2024 to determine when NFTs might be categorised as financial instruments or non-fungible assets. Currently, the definition of cryptoasset service providers under the MiCA Regulation excludes NFT platforms, as long as they do not offer services related to fungible and non-unique cryptoassets.

The EU legislators are advancing amendments to the upcoming EU anti-money laundering bill, specifically to clarify that the regulatory jurisdiction includes both NFT platforms and businesses that offer NFT-related services. This suggested amendment to the anti-money laundering norms addresses an existing gap in MiCA regulation that currently excludes NFTs from its scope. In July 2021, the European Commission unveiled an aggressive suite of legislative proposals intended to bolster the union’s anti-money laundering and counter financing of terrorism norms and the establishment of a novel entity to combat money laundering, known as the Anti-Money Laundering Authority (AMLA), which will provide a closer oversight of NFTs. NFTs are highly volatile and speculative, and as a result there will be an increased regulatory scrutiny to protect consumers from fraud, misrepresentation and other risks. From a tax perspective, NFTs could potentially be subject to capital gains tax, similar to other forms of property. As NFTs often involve digital art or other forms of creative content, there could be legal and regulatory questions around copyright, royalties and other intellectual property rights and there may be concerns about privacy and data protection, especially under regulations such as the EU’s GDPR.

Regulation of miners

Virtual currency miners are not subject to any specific regulation or licensing requirements in Romania, although general business rules will apply to virtual currency miners for their business operations. Mining activities are typically not considered illegal in Romania as long as miners gain legal access to the power grid. Any person or legal entity that earns money from mining activities, such as sale or lease of mining rigs or mining services, may be subject to Romanian tax law and may be required to pay personal or corporate income taxes.

Staking

Staking is not currently within the scope of MICA CASP regulated services, as long as staking as a service does not qualify within one of the regulated activities. The EBA May 2022 Recommendation states that the emerging activities of cryptoasset staking and lending should be subject to close monitoring and their impact should be clearly understood.

Regulation of issuers and sponsors

Romania has no specific laws with respect to cryptocurrency issuers or sponsors. Issuers will be subject to the existing rules and regulations with respect to securities. An issuer must submit a prospectus to ASF prior to offering a cryptocurrency if the offering is not exempt as per the European Prospectus Directive and only if the cryptocurrency is considered to be a security.

i Initial coin offeringsand cryptoasset issuances

In line with the general and direct applicability effect from the EU Regulation MiCA, the requirements outlined in its provisions apply to both Romanian and non-Romanian companies conducting their activities on Romanian territory.

White paper regulationDrafting procedure

To ensure the drafting of a comprehensive white paper, it is crucial to give careful consideration to both the content and the form:

1. Detailed information: the white paper must provide a thorough description of the information about:
   • the offeror;
   • the issuer, if different from the offeror;
   • the operator of the trading platform in cases where it draws up the cryptoasset white paper;
   • the cryptoasset project;
   • the offer to the public of the cryptoasset;
   • the cryptoasset
   • the rights and obligations attached to the cryptoasset;
   • the underlying technology;
   • the risks; and
   • the principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue the cryptoasset.
2. Clear presentation: all information in the white paper must be fair, clear and not misleading. For utility tokens, the duration of the public offer described in the white paper should not exceed 12 months.
3. Responsibility statement: the white paper must include a statement confirming that the offeror is solely responsible for its content and that no competent authority has reviewed or approved it.
4. Future value assertions: assertions on the future value of the cryptoassets, other than a guaranteed statement, should not be included unless the offeror can ensure such future value.
5. Risk disclosures: the white paper must clearly state the potential risks associated with the offeror, the cryptoassets, the public offering, and the project’s implementation. It should highlight that cryptoassets: (1) may lose value; (2) have limitations on transferability and liquidity; (3) are not covered by investor compensation schemes and deposit guarantee schemes; and that (4) utility tokens may not be exchangeable in case of project failure or discontinuation.
6. Management body statement: a statement from the offeror’s management body should confirm compliance with the requirements and the accuracy of the information in the white paper.
7. Summary: a non-technical summary should provide key information about the cryptoasset offering.
8. Date and language: the white paper must be dated and prepared in an official language of the home Member State or a customary language in international finance.
9. Machine readable format: the white paper should be available in machine-readable formats.

Notification of the white paper and marketing communications

The key aspects to be considered are as follows:

1. Ex ante approval: competent authorities shall not require prior approval of a cryptoasset white paper or any related marketing communications before their publication.
2. Explanation of classification: the notification of the cryptoasset white paper should clarify why the cryptoasset described in the white paper should not be considered a MiCA excluded cryptoasset, an e-money token or an asset-referenced token.
3. Notification process: offerors of cryptoassets (excluding asset-referenced tokens or e-money tokens) must notify their cryptoasset white papers and explanation of classification to the competent authority of their home Member State at least 20 working days before publication.
4. List of host member states: offerors must provide the competent authority of their home Member State with a list of host Member States where they intend to offer their cryptoassets to the public. They should also inform their home Member State of the intended start date for the public offer.

Publication of the white paper and marketing communications

Article 9 of MiCA addresses the publication requirements for cryptoasset white papers as follows:

1. Publication on offeror’s website: offerors of cryptoassets (excluding asset-referenced tokens or e-money tokens) must publish their cryptoasset white paper and marketing communications on their publicly accessible website no later than the starting date of the public offer.
2. Consistency with notified version: the published cryptoasset white paper and marketing communications must be identical to the version that was notified to the relevant competent authority in accordance.

Permission to offer cryptoassets to the public

It can be concluded that after publishing a cryptoasset white paper, offerors of cryptoassets, other than asset-referenced tokens or e-money tokens, may offer their cryptoassets throughout the European Union.

Right of withdrawal

Consumers have a 14-day period to withdraw their agreement to purchase these cryptoassets without any cost or need for justification. The withdrawal period begins from the date of the agreement of the retail holder to purchase those cryptoassets.

Liability of offerors regarded the information provided in the white paper

Article 15 of MiCA aims to promote accuracy and transparency in the cryptoasset market, focusing on:

1. Liability for incomplete or misleading information: offerors can be held accountable if they provide incomplete, unfair or misleading information in the white paper. Holders of cryptoassets have the right to claim damages.
2. Burden of proof on holders: cryptoasset holders must provide evidence of the offeror’s infringement and demonstrate the impact on their decision to invest, buy, sell or exchange the cryptoassets. It places the onus on individual investors to gather evidence and establish the wrongdoing, which may require significant effort and resources.
3. Limitations on summary information: claims for damages cannot solely be based on the summary section of the white paper, unless it is misleading, inaccurate or fails to provide key information for informed decision-making.
4. Preservation of national civil liability claims: MiCA does not prevent holders from pursuing additional civil liability claims under national laws.

Excepted cases

There are exceptions to certain requirements for cryptoassets regarding the aforementioned drafting and publishing procedure of the white paper:

1. offering the cryptoassets for free;
2. cryptoassets created through mining as a reward for maintaining distributed ledger technology (DLT) or validating transactions;
3. offering the cryptoassets to fewer than 150 individuals per Member State, who are acting on their own account;
4. the total consideration of a public offer not exceeding €1 million within a 12-month period;
5. the offer concerns a utility token providing access to a good or service that exists or is in operation;
6. the holder of the cryptoasset has the right to use it only in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror; and
7. limiting the offer to qualified investors, and the cryptoassets being held exclusively by such qualified investors.

Highly diligent professional standards

Article 14 of MiCA establishes high-diligence professional standards for offerors of specific cryptoassets, excluding asset-referenced tokens or e-money tokens:

1. acting in an honest, fair, and professional manner;
2. maintaining clear and transparent communication with cryptoasset holders;
3. identifying and addressing any conflicts of interest that may arise; and
4. meeting appropriate EU standards for system maintenance and security access protocols. ESMA, in collaboration with the EBA, will develop guidelines to specify these standards.

Offerors are obliged to prioritise the best interests of cryptoasset holders and ensure equal treatment, unless any preferential treatment is disclosed in the cryptoasset white paper or marketing communications. In the event that an offer of these cryptoassets to the public is canceled, offerors must promptly return any funds collected from purchasers or potential purchasers no later than 25 calendar days after the date of cancellation.

Marketing communications

In addition to the regulations on white papers, marketing communications on a public offering of cryptoassets must adhere to the following requirements:

1. marketing communications must be clearly identified as such;
2. information provided in the marketing communications must be fair, clear and not misleading;
3. the information presented in the marketing communications should align with the required information contained in the cryptoasset white paper;
4. the marketing communications must explicitly state that a cryptoasset white paper has been published and provide the website address of the offeror offering the cryptoassets; and
5. the marketing communications must include a statement confirming that the offeror is solely responsible for its content and that no competent authority has reviewed or approved it.

Additional mechanisms Passporting mechanism

MiCA introduces a crypto passporting mechanism, similar to the existing European Union passporting framework. Under Article 16 of MiCA, an issuer’s authorisation to offer the asset-referenced tokens granted by the competent authority of their home Member State is valid throughout the entire European Union.

Prevention of market abuse

Additionally, MiCA includes provisions in Article 86 and onwards, prohibiting insider trading, market abuse and the disclosure of insider information related to cryptoassets. To ensure compliance, MiCA grants the EBA enforcement powers, including the ability to impose fines and periodic penalty payments.

Preparation for MiCA Companies authorised as financial institutions

Existing financial institutions generally do not require additional authorisation under MiCA. However, they must fulfill certain disclosure requirements and inform their competent authorities about the cryptoasset-related services they intend to offer.

Companies which issue cryptoassets within the EU and are not currently authorised Asset-referenced tokens (ARTs) issuers

Issuers of ARTs must be both established and authorised within the EU. Non-EU firms intending to continue issuing ARTs in the EU should take prompt action to establish an entity in an appropriate Member State and obtain the necessary authorisation.

Other cryptoasset issuers Issuers based in the European Union (including Romanian Companies)

Companies should evaluate the scope of their activities within the framework of MiCA to ascertain the level of applicability. This evaluation aids in identifying relevant restrictions and informing decision-making processes. It may prove beneficial for these issuers to pursue authorisation in their respective home member state or another suitable member state prior to the implementation of MiCA.

Issuers that are not based in the European Union

MiCA regulation emphasises the importance of cooperation between competent authorities of Member States and supervisory authorities in third countries. These cooperation arrangements aim to facilitate the exchange of information and enforcement of obligations under MiCA.

MiCA final implications

MiCA regulation significantly impacts ICOs by introducing provisions related to white papers, offerors’ liability, marketing communications, crypto passporting, consumer rights and prohibitions on insider trading and market abuse. Even if ICOs will continue to be less regulated than IPOs, this regulatory framework seeks to establish legal certainty, promote responsible practices and foster innovation in the ICO spaces within both Romania and EU.

Local authority delegation

The European Commission has delegated to each local authority the responsibility on how to regulate these tokens. According to the new legislation, security tokens issued using DLT will be subject to MiFID II and, as a consequence, other financial market regulations will apply as well. Specific laws will apply depending on the country of each issuer and on the countries where the issuer intends to offer the tokenised contract. There are several types of security tokens, including: tokenisation of a stock corporation, tokenised subordinated loans, tokenisation of real estate assets and precious metals.

ii Exclusion of transferable securities from the scope of MiCA Regulation

MiCA regulation presents a comprehensive framework for the evolving digital asset landscape. However, it is crucial to examine the legal provisions governing the regulation to determine the scope of its coverage. Specifically, when considering transferable securities, it becomes apparent that they fall outside the purview of MiCA. Consequently, as transferable securities fall within the scope of financial instruments defined in Directive 2014/65/EU, they do not fall within the ambit of MiCA regulation. It can be concluded that the MiFID II was effectively transposed into Romanian national law through Law No. 126/2018 on markets in financial instruments. This law explicitly mentions that a financial instrument encompasses the concept of ‘transferable security’. By incorporating these provisions, Romania aims to ensure compliance with European Union standards and promote a transparent and well-regulated financial market environment.

In conclusion, transferable securities, being a distinct class of financial instruments both in EU and Romanian national law, do not come under the regulatory oversight of MiCA.

Criminal and civil fraud and enforcement

The use and transfer of virtual currencies are completely legal in Romania. The Romanian Criminal Code (RCC) protects crypto owners from theft, embezzlement and fraud as much as it protects any owners of movable goods or other victims of criminal deeds against trust. However, a legal debate on the nature of virtual currencies as movable goods is trending in the Romanian legal world. The RCC provides for general rules related to fraud committed through informatic systems and electronic payments means.

i The No-Cash Directive and the Romanian Criminal Code

Until the transposal of No-Cash Directive (Directive 2018/713), the theft of virtual currencies through electronic means was not specifically punishable through a specific criminal penalty. The No-Cash Directive is to be implemented via amendments to the RCC.¹⁸ The aim of these amendments is to criminalise the actions and fraud involving non-cash payment instruments, virtual currencies being now expressly included.

ii Other special laws with criminal penalties – Securities Law and AML Law

Any unregistered sale of securities breaches the securities laws (which are heavily influenced by MiFID II and the Prospectus Directive). As such, an ICO or an STO that does not respect financial markets regulations is subject to hefty fines and criminal penalties both for the natural persons who lead the issuance as well as for the entities that issue illegal funding through virtual currencies. Specific penalties and provisions in relation to market manipulation or fraudulent information dissemination via inaccurate or false statements in white papers apply as well.

The AML Law provides a plethora of sanctions that start from administrative fines up to imprisonment and criminal fines. Inter alia, the non-reporting of a suspicious transaction can be fined up to 10 per cent of the annual turnover, forfeiture and other complementary measures such as withdrawal of its licence. The transfer of property, knowing that such property is derived from criminal activities, for the purpose of concealing or disguising the illicit origin of that property or of assisting any persons who were involved in the criminal activity to avoid the legal consequences of their action, or the acquisition, possession or use of property, knowing that the property is derived from criminal activities is punishable with imprisonment from three to 10 years. The anti-money laundering criminal sanction has nationality-based extraterritoriality, as the penalties apply to any Romanian citizen or company even if the crime has been committed outside Romania or the EU and even if in a third country, the alleged money laundering activity is not recognised as a crime under the laws of that third country.

In relation to extradition based on alleged money laundering activities involving virtual currencies, there is a recent case in which the executive officer, a Romanian citizen of a Romanian crypto exchange was extradited to the United States for aiding and abetting a cyber fraud ring that defrauded various US citizens. The ex-CEO and its company were accused of money laundering and are currently being charged under the RICO (Racketeer Influenced and Corrupt Organisations) Act in the Kentucky courts.¹⁹

iii Enforcement by the Romanian authorities

Romanian police special forces that deal with information systems fraud and prosecutors have a sound knowledge of the type of crimes where virtual currencies are involved for ransomware, fraud or money laundering. The exchange of information between Romanian DIICOT and EUROPOL, INTERPOL and the FBI and DOJ have been praised in recent years by these agencies. In a recent DIICOT case where funds were stolen from the seventh largest crypto exchange (based in the Cayman Islands), the DIICOT acted swiftly and proceeded to arrest the suspect.²⁰

Romanian authorities can confiscate virtual currencies that have been illegally obtained in the course of criminal infractions, just as they can confiscate other illegally obtained assets. The National Agency for the Management of Seized Assets (ANABI) has previously conducted auctions for Bitcoin (BTC) and Ethereum (ETH), which have been seized in criminal cases. The auctions are conducted online and anyone can register as bidders.

Tax

In Romania, transactions with virtual currencies were regulated for the first time in 2019, through Law No. 30/2019,²¹ which was introduced in the Fiscal Code provisions regarding the taxation of income obtained from transacting with cryptocurrency.

i Tax treatment of individual investors

Revenues from the transfer of virtual currency fall into the category of revenues from ‘alternative sources’ and are subject to the specific tax regime reserved for this category. Anyone deriving a profit from the transactions with virtual currencies has the responsibility to determine the income tax as well as any applicable contributions and report the entirety of the profits made. The profits realised from the virtual currency transactions are represented by the simple difference between the sale price and the purchase price, including the direct costs related to the transaction. Cryptocurrency capital gains for individual investors are taxed at a flat rate of 10 per cent. Earnings below the sum of approximately €40 per transaction are exempt from tax provided that the total earnings for the fiscal year do not exceed the sum of approximately €120. Note that the mere conversion made within the platform does not constitute a taxable event. A taxable event occurs only when the funds are transferred from the platform to the bank accounts of the beneficiary holder.

ii Tax treatment for corporations

Corporate capital gains realised by Romanian companies are taxed as any other corporate profits. A company should be very thorough in maintaining an accurate and proper record of all taxable cryptocurrency transactions (receiving payments in cryptocurrencies, exchanging, etc.). Tax audits have been carried out in the past that targeted cryptocurrency transactions and such controls are expected to occur more frequently in the near future.

iii Value-added tax regime

Under Romanian law there are no value-added taxes (VAT) applicable to any transfer of cryptocurrencies. Indeed, the exchange of the virtual currency with conventional currencies is considered to be a service. These services are exempt from VAT and do not conflict with the judgment rendered by the Court of Justice of the European Union in the Swedish Hedqvist case,²² also applicable to Romania and EU Member States.

Other issues

i Access to banking services for crypto exchanges

The NBR does not have competence to monitor crypto exchanges but has issued a recent warning statement on the speculative and risky nature of virtual currencies.²³ The NBR also mentions that ‘the premises for managing the risk of illicit use of virtual currencies have been created’; nor ‘does the use of virtual currencies pose a risk of financial stability’.

Against this background, the NBR highlights that NBR rules do not forbid credit institutions to offer operating accounts to crypto exchanges. Even so, Romanian banks continue to refuse to open crypto-banking accounts, as they require crypto exchange service providers to obtain a licence before considering the opening of such accounts. While it is true that banks have the commercial liberty to choose their customers, a commercial company from any economic sector (crypto exchanges included) cannot function without a bank account, especially considering the fact that owning a bank account will be a mandatory condition for obtaining the aforementioned licence according to the Ministry of Finance’s quoted Draft.²⁴ Banks are blocking unreasonably the legitimate operations of Romanian-based exchanges and crypto businesses because they do not understand the business model and they hide behind regulators’ lack of trust in the modernisation of finance and decentralisation. Institutional investors lack the opportunities to invest in the digitalisation of finance, which is a window of opportunity for Romania as fintech is a growing sector in the Central and Eastern European region. The AML Law should provide more clarity and define the obligations for crypto exchanges, which, in turn, would provide banks with the legal recognition of a nascent sector. However, in practice, not much has changed.²⁵ The burning remaining issue for Romanian crypto businesses from a macro perspective is that they may lose competition against other EU crypto businesses who are helped by their regulations, are well financed by domestic institutional investors, are banked and cannot be blocked by Romanian authorities, given their rights to operate in Romania based on passporting rights and liberty of services within the European Union. This leads to a form of unfair competition that should be addressed before the entry into force of the MiCA, as the pace of the crypto ecosystem growth far exceeds the regulatory process.

ii Operational issues related to the classification of cryptoassets

Commercial companies that accept crypto payments have complained about the lack of clarity in relation to the classification of virtual currencies for accounting purposes. The same applies to exchanges and miners. There are also commercial companies that wish to make investments in virtual assets. Certified accountants include the cryptocurrencies as intangible assets or as commodities or inventory.²⁶ Moreover, the valuation of virtual assets and their reflection in a company’s balance sheets has become complicated with no defined methodology or guidance under Romanian law. This lack of clarity raises practical issues related to tax obligations and to corporate matters (e.g., payment of dividends, liquidation and insolvency, as well as extinguishment of obligations by accepting and making payments with virtual currencies).

Looking ahead

We (optimistically) expect within the next year that the barriers to opening a bank or an e-money account will be solved. We anticipate that the authorisation process for crypto exchanges and custodians will be streamlined via a government decision requested under the Romanian AML Law. On tax and corporate matters, tax authorities are expected to provide clear guidance on the classification of virtual currencies. By the same token and from a business perspective, we expect to see more EU-based exchanges, payment and e-money institutions, providing services related to virtual currencies to take advantage of passporting rights and adhere to MICA standards. Merchant payments made with crypto as well as an increased trend for DeFi services are likely to become more visible. We have also seen heightened interest on asset tokenisation and financing in Romania, especially from real-estate developers. While decentralised autonomous organisations (DAOs) are not currently protected, we have recently seen interest in cooperative entity formation to act as functional DAOs under Romanian civil law.

NFT technical solutions and local marketplaces are being crafted as we speak. Finally, we expect a growing interest from venture capitalists, incubators and accelerators in DLT or crypto startups who plan to scale internationally, as the EU’s agenda on innovation has started to focus more on virtual currencies and their economic use.