The EU Directive 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing repealing Directive 2005/60/EC of the European Parliament and of the Council (“4th AML Directive“) came into effect on 25 June 2015 and should have been transposed in all member states by 26 June 2017.
A draft law aimed at transposing the 4th AML Directive in Romania (“Draft AML Law“) was approved by the Romanian Parliament on 24 October 2018, but was shortly challenged with the Constitutional Court. On 5 December 2018, the Constitutional Court ruled that an article of the Draft AML Law (regarding an exception to reporting obligations for organisations representing minorities) is unconstitutional. Thus, the legislative procedure will resume and the Draft AML Law will return to the Parliament, where the unconstitutional article should be amended.
After its enactment, the Draft AML Law will replace the Law no. 656/2002 on prevention and sanctioning money laundering, as well as for setting up some measures for prevention and combating terrorism financing, republished and modified as well as its implementation norms (“Current AML Legal Framework“).
As a general remark, the overall approach of the Draft AML Law remains consistent with the Current Romanian AML Legal Framework. However, there are some key updates in line with the requirements set out under the 4th AML Directive, as reflected below.
Risk Based Approach
The Draft AML Law proposes a more robust risk-based approach as compared to the Current AML Legal Framework, in line with the 4th AML Directive, and requires the competent Romanian authorities to carry out a national-wide risk assessment to identify, understand, manage and mitigate the AML risks in Romania. These national assessments should take into account the outcome of the similar exercise carried out at EU level by the European Supervisory Authorities. The national assessments are expected to assist the obliged entities evaluate their own risk, where factors such as customer, product, geography must also be taken into consideration.
Customer Due Diligence
A. Standard Due Diligence
As compared to the Current AML Legal Framework, obliged entities are subject to express requirement for standard due diligence measures in case of transfer of funds exceeding EUR 1,000 (transfer of funds as defined under EU Regulation 2015/847 on information accompanying transfers of funds and repealing Regulation (EC) No. 1781/2006).
In line with the current development of the online transactions, the Draft AML Law expressly allows electronic identification through the means set out under EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market for the identification checks.
B. Simplified Due Diligence
The Draft AML Law sets out more stringed simplified due diligence (“SDD”) requirements. The obliged entities will no longer be entitled to apply SDD when dealing with specific customers and products. Under the Draft AML Law, SDD should be individually assessed based on a non-exhaustive (de minimis) list of factors and types of evidence for potentially lower risk situations and obliged entities should be able to prove the Romanian authorities that the SDD measures are / were justified on the basis of risk in line with a risk-based approach.
It is expected that the European Supervisory Authorities will issue guidelines on the risk factors to be taken into account and the measures to be taken where SDD measures are appropriate.
C. Enhanced Due Diligence
The Draft AML Law is more prescriptive also in its enhanced due diligence (“EDD”) requirements. EDD measures should be assessed as well as based on a non-exhaustive (de minimis) list of factors and types of evidence for potentially higher risk situation.
Nevertheless, the obliged entities are expressly required to carry out enhanced due diligence measures in certain additional cases as compared to the Current AML Legal Framework – i.e., inter alia, when dealing with: (i) natural persons / legal entities established in third countries identified by the EU Commission as high-risk countries, (ii) entities established in countries which do not comply with AML international standards or in countries internationally known as non-cooperating in the AML field, and (iii) entities having the beneficial owner qualified as PEP.
As well, it should be noted that the European Supervisory Authorities will issue guidelines on the risk factors to be taken into account and the EDD measures to be taken where appropriate.
Beneficial owners
Under the Draft AML Law, all private legal entities (companies and other legal entities), as well as fiducias established in Romania, should keep accurate and up-to-date information on beneficial ownership. The information on beneficial ownership will be held in central registers held by (i) the National Trade Register Office, in case of private companies, (ii) the Ministry of Justice, in case of associations and foundations, and (iii) the National Agency for Tax Administrations, in case of fiducia.
The central registers held by the competent Romanian authorities above will be accessible to obliged entities for the customer due diligence. However, the obliged entities should not rely exclusively on the central registers to fulfil their customer due diligence requirements, and should keep relevant evidence on the measures carried out in this regard.
The definition of ‘beneficial owners’ is broader and includes also beneficiaries of trusts and, in case of companies, the senior management of the company.
Politically Exposed Persons
Compared to the Current AML Legal Framework, the Draft AML Law sets out a broader definition of the politically exposed persons (e.g. members of the governing bodies of the political parties, management of international organisations) (“PEPs”). Domestic PEPs are also covered by the Draft AML Law. Further, where the PEP is no longer entrusted with a prominent public function, obliged entities shall, for at least 1 year, take into account the continuing risk posed by that person (until no further PEPs specific risk).
Reporting obligations
A. Suspicious Money Transactions
The Draft AML Law sets out two additional situations when the obliged entities are required to file a report for suspicious activity to the National AML Office, i.e.: (i) when the obliged entity holds information which may be relevant for a criminal investigation or for the enforcement of the AML legal framework; and (ii) the customer or the person acting on behalf of the customer does not use its real identity.
As well, such report should be filed to the National AML Office, when the obliged entity is not able to comply with the customer due diligence requirements for a certain transaction.
B. Non-Suspicious Money Transaction
Under the Draft AML Law, non-suspicious money transactions should still be reported to the National AML Office if with a value of the RON equivalent of at least EUR 10,000, and, additionally, where such transactions are carried out through credit or financial institutions, the reporting obligation falls under the responsibility of such credit or financial institutions.
The credit and financial institutions should as well report to the National AML Office the foreign account transfers with a value of at least the RON equivalent of EUR 10,000 (compared to the current threshold of EUR 15,000).
Not least, money remittance transactions with a value at least the RON equivalent to EUR 2,000 fall as well under the non-suspicious transactions subject to reporting to the National AML Office.
Record keeping
The record keeping requirement for the customer due diligence records for a period of five years is still in place, in line with the Current AML Legal Framework. However, in accordance with the Draft AML Law, any personal data relating to the customers should be deleted after these five years, unless otherwise permitted under the law. Further retention may only be carried out if necessary for prevention, detection or investigation of money laundering or terrorist financing, with maximum retention of up to ten years from the end of the business relationship with the affected customer.
Policies and procedures
The Draft AML Law is consistent with the Current AML Legal Framework as concerns the obligation of the legal entities to keep adequate internal AML policies, which, in addition should be approved by the senior management – the definition of ‘senior management’ seems to encompass a significantly wide group (not restricted only to the board of directors).
Depending on the size and type of the business, such internal AML policies may need to be audited by an independent auditor.
Not least, the obliged entities that are part of a group must implement group-wide policies and procedures (including data privacy policies and procedures for sharing information within the group for AML purposes). These policies are to be implemented effectively at the level of the branches and majority-owned subsidiaries in member states and third countries.
The Draft AML Law also requires electronic money issuers and payment service providers established in Romania in forms other than a branch, whose head office is situated in another Member State, to appoint a central point of contact in Romania. While the provisions on the central point of contact under the Draft AML Law reflect the Romanian translation of the provisions set out under the 4th AML Directive, the Draft AML Law does not set out additional details in relation to the central point of contact – reference is made to further technical standards to be drafted by the European Banking Authority.
Sanctions / Penalties
The panel of sanctions under the Draft AML Law is considerably more severe as compared with the Current AML Legal Framework. For serious, repeated and/or systemic failures in the areas of the customer due diligence, transaction reporting or record keeping, the credit or financial institutions may face penalties of up to 10% of the total annual turnover plus RON 5,000,000.
