ROMANIA Law and Practice Contributed by: Sergiu-Traian Vasilescu, Luca Dejan, Bogdan Rotaru and Ana-Maria Bută, VD Law Group
– hint at better days ahead. The BNR is now pushing for smoother collaboration between banks and fintechs, which could finally turn the promise of open banking into an everyday reality for Romanians.

11.2 Concerns Raised by Open Banking

In Romania and Europe, banks and technology providers are looking into data privacy and security issues raised by open banking through a mixture of regulatory compliance, advanced security measures, and transparent data handling practices. Under the GDPR and PSD2, banks need to obtain express customer consent when accessing the data of users, apply state-of-the-art encryption protocols, and create a process for strong user authentication via a two-factor process. Technology providers integrate secure APIs that allow third-party services access to data without revealing sensitive information, enabling tokenisation, and thus reducing the risk to users.

Such measures include regular audits, compliance with cybersecurity standards and co-operation with the relevant regulators that help ensure banks and technology providers reduce the various risks in relation to data breaches and unauthorised access. Even with these measures, however, challenges remain in terms of the balancing act between innovation and the need to protect consumer privacy, which must still respond in real-time to evolving threats in the digital landscape.

12. Fraud

12.1 Elements of Fraud

In Romania, fraud in financial services and fintech is analysed through the “fraud triangle” framework (opportunity, justification, pressure), per Emergency Ordinance 66/2011. Opportunity arises from weak internal controls or cybersecurity gaps (eg, flawed authentication, unsecured APIs). Justification involves rationalising actions (eg, “borrowing” funds, exploiting system loopholes). Pressure stems from financial instability (personal debt, corporate losses) or greed. For fintech, digital risks like identity theft, payment fraud or smart contract manipulation amplify these elements.

12.2 Areas of Regulatory Focus

Romanian regulators, including the BNR and ASF, prioritise combating authorised push-payment (APP) fraud, where victims are tricked into sending payments to fraudsters via social engineering. This is amplified by rising digital banking and instant payment adoption. Identity theft and account takeover fraud are also key concerns, exploiting weak authentication or data breaches in fintech platforms. Under PSD2 (transposed via Law 209/2019), banks and payment providers must implement SCA and transaction monitoring to detect anomalies. Regulators also target investment scams (eg, fake crypto or high-yield schemes) and money laundering via fintech services, enforcing AML rules under Law 129/2019. With MiCA now applicable, crypto-related fraud (eg, fake ICOs, “rug pulls”) faces stricter oversight.

12.3 Responsibility for Losses

In Romania, fintech providers’ liability for customer losses hinges on service type, compliance and fault. Under PSD2 (payment services), they must reimburse unauthorised transactions unless the customer was negligent (eg, shared credentials). For crypto-assets, MiCA imposes liability for custody failures or inadequate risk disclosures. Investment platforms face liability under MiFID II for flawed advice or misrepresented risks. The GDPR holds providers accountable for data breaches due to poor cybersecurity. Contractual breaches (eg, platform outages) are actionable under the Romanian Civil Code. Customer negligence or force majeure (eg, unpreventable cyber-attacks) may limit liability.
691 CHAMBERS.COM