ROMANIA Law and Practice Contributed by: Sergiu-Traian Vasilescu, Luca Dejan, Bogdan Rotaru and Ana-Maria Bută, VD Law Group
2.6 Jurisdiction of Regulators

In Romania, regulatory oversight of fintech and financial services participants is activity-based, meaning regulators derive jurisdiction from the specific services or features offered by a company rather than its status as “fintech” or “legacy player”. Each regulator has strict, legally defined competence over distinct activities, and a single entity may fall under multiple regulators if it engages in diverse services.

• The ASF regulates activities like crowdfunding and capital markets.
• The BNR oversees payment services, e-money institutions and other financial services such as card issuing and money transfers.
• ANCOM supervises telecommunications and broadcasting, relevant for fintechs with telecom-based services.
• ANSPDCP enforces GDPR compliance, regulating data protection for companies handling personal data.

For example, a fintech offering both crowdfunding and payment services would be regulated by the ASF for crowdfunding and by the BNR for payment services. This activity-based regulation ensures that each regulator supervises its specific area of expertise.

2.7 No-Action Letters

Romanian regulators do not formally issue “no-action” letters as seen in other jurisdictions. They are generally reluctant to provide legal advice on the qualification of specific activities or whether certain activities fall under particular regulations. Instead, their responses typically reference general terms within the applicable laws, often providing extracts from the relevant regulations.

However, during consultancy periods, it is possible to obtain clear guidance regarding the qualification of an activity or the applicable regulations and necessary licences. While not a formal “no-action” letter, these informal consultations can lead to more specific and actionable answers regarding a company’s regulatory obligations.

2.8 Outsourcing of Regulated Functions

Vendors must comply with specific obligations according to relevant laws and regulations when functions become regulated for outsourcing, for example, security and confidentiality of data, compliance with industry standards or enabling audit requests or other information by regulatory authorities. Outsourcing agreements usually entail due diligence, written contract and periodic performance evaluation for compliance purposes. Outsourcing does not take away liability from the contracting party concerning regulatory compliance of the outsourced function even if subcontracted to a vendor.

Outsourcing such functions to a vendor already subject to regulatory control offers another layer of assurance that the vendor could understand and satisfy the legal framework – an action that may lead to reduced risk and simple compliance management. Again, it will require due diligence and defined contractual terms detailing what the vendor should do and be held accountable for regardless of this qualifying status.

2.9 Gatekeeper Liability

Fintech providers are increasingly recognised as “gatekeepers” under EU regulations, depending on their role, market influence and services offered. Under the Digital Markets Act (DMA), large platforms with significant market power (eg, dominant payment systems or crypto exchanges) may be designated as gatekeepers, requiring them to ensure fair competition, interoperability and transparency. While the DMA primarily targets tech giants, fintechs control -