Fintech 2025

ROMANIA Law and Practice Contributed by: Sergiu-Traian Vasilescu, Luca Dejan, Bogdan Rotaru and Ana-Maria Bută, VD Law Group

BNR oversees this system, making sure banks and fintechs follow strict security rules and protect user data under the GDPR. However, the rollout has not been smooth. While PSD2 set the stage, many Romanian banks have been slow to adopt the tech needed for seamless integration, leaving smaller fintechs stuck in limbo. On the upside, PSD2 has pushed Romania into the EU’s open banking ecosystem, and recent tweaks – like clearer tech standards and sandbox programmes – hint at better days ahead. The BNR is now pushing for smoother collaboration between banks and fintechs, which could finally turn the promise of open banking into an everyday reality for Romanians.

11.2 Concerns Raised by Open Banking

In Romania and Europe, banks and technology providers are looking into data privacy and security issues raised by open banking through a mixture of regulatory compliance, advanced security measures and transparent data handling practices. Under GDPR and PSD2, banks need to obtain express customer consent when accessing the data of users, apply state-of-the-art encryption protocols and create a process for strong user authentication via a two-factor process. Technology providers integrate secure APIs that allow third-party services access to data without revealing sensitive information, allowing tokenisation, thus reducing the risk to users. Such measures include regular audits, compliance with cybersecurity standards and co-operation with the relevant regulators that help ensure banks and technology providers reduce the various risks in relation to data breaches and unauthorised access. Even with these measures, however, challenges remain in terms of the balancing act between innovation and the need to protect consumer privacy, which must still respond in real-time to evolving threats in the digital landscape.

12. Fraud

12.1 Elements of Fraud

In Romania, fraud in financial services and fintech is analysed through the “fraud triangle” framework (opportunity, justification, pressure), per Emergency Ordinance 66/2011. Opportunity arises from weak internal controls or cybersecurity gaps (eg, flawed authentication, unsecured APIs). Justification involves rationalising actions (eg, “borrowing” funds, exploiting system loopholes). Pressure stems from financial instability (personal debt, corporate losses) or greed. For fintech, digital risks like identity theft, payment fraud or smart contract manipulation amplify these elements.

12.2 Areas of Regulatory Focus

Romanian regulators, including the BNR and ASF, prioritise combating authorised push-payment (APP) fraud, where victims are tricked into sending payments to fraudsters via social engineering. This is amplified by rising digital banking and instant payment adoption. Identity theft and account takeover fraud are also key concerns, exploiting weak authentication or data breaches in fintech platforms. Under PSD2 (transposed via Law 209/2019), banks and payment providers must implement strong customer authentication (SCA) and transaction monitoring to detect anomalies. Regulators also target investment scams (eg, fake crypto or high-yield schemes) and money laundering via fintech services, enforcing AML rules under Law 129/2019. With the EU’s MiCA Regulation

CHAMBERS.COM