Order No 37 of March 2^nd, 2021 approving the Norms for the application of Law No 129/2019 on prevention and control of money laundering and financing of terrorism and amending and supplementing some regulations for the reporting entities which are monitored and controlled by the National Office for Prevention and Control of Money Laundering was published in the Official Journal of Romania, Part I, No 240 of March 9^th, 2021 (hereinafter referred to as the “Order”)¹.

The Order repeals the norms approved previously² and introduces some modifications and clarifications, as described below:

A. Which are the reporting entities monitored and controlled by the Office?

• non-banking financial institutions registered solely in the General Registrar of the National Bank of Romania, which do not qualify as payment institutions or digital currency issuers as well;
! Non-banking financial institutions registered solely in the General Registrar which qualify as payment institutions or digital currency issuers, as well, are monitored and controlled by the National Bank of Romania.

• non-banking financial institutions registered in the Registry of the National Bank of Romania, that is, the pawn shops, the mutual companies and non-profit entities;
! Non-banking financial institutions registered in the Special Registry are monitored and controlled by the National Bank of Romania.

• suppliers specialized in account information services registered in the Registry of payment institutions and suppliers specialized in account information services of the National Bank of Romania;

• exchange offices authorized by the Ministry of Finance;

• suppliers of postal services authorized by the National Authority for Management and Regulation in Communications, which provide payment services;

• suppliers of gambling games services authorized by the National Office of Gambling Games;

• financial auditors registered with the Romanian Chamber of Financial Auditors;

• expert accountants and authorized accountants registered with the Body of Expert and Licensed Accountants of Romania;

• licenses valuators registered with the National Association of Licensed Valuators of Romania;

• tax consultants registered with the Chamber of Tax Consultants;

• the entities that undertake to provide, whether directly or through other affiliated persons, material support, assistance or counseling in terms of tax or financial matters, as their main economic or professional activity. Entities that actually carry out the activities provided in art. 5 para. (1) letter e) of the Law according to NACE code 7022 – Business and management consultancy activities, are also included.

• public notaries registered with the National Union of Notaries Public of Romania;

• lawyers registered with the bars attached to the National Union of Romanian Bars;

• enforcement officers registered with the National Union of Enforcement Officers of Romania;

• insolvency practitioners registered with the National Union of Insolvency Practitioners;

• other persons who practice liberal legal professions, whenever they offers assistance to their clients for the preparation or performance of operations regarding:

– purchase or sale of properties,
– shares or social parts or other elements of the goodwill,
– management of financial instruments, securities or other assets of the clients,
– operations or transactions that involve money or a transfer of property, the opening or administration of bank accounts, savings accounts or financial instruments accounts,
– organization of the subscription process for the contributions necessary to establish, operate or manage a company; the creation, administration or management of such companies, companies for collective investment in securities or other similar structures,
– in case of participation for and on behalf of their clients in any financial operations or operations regarding properties, the creation, operation or management of trusts, companies, foundations or structures.

• suppliers of services for companies or trusts, other than the ones listed herein above, as the same are defined in article 2 paragraph (l) of the Law³, as well as entities that carry out these activities according to the NACE:

i. 6420 – activities of holding companies,
ii. 6910 – legal activities,
iii. 6820 – renting and sub-renting of own or leased real estate.

• suppliers of exchange services between virtual currency and cash changeover, authorized by/registered with the Ministry of Finance;

• suppliers of digital wallets, authorized by/registered with the Ministry of Finance;

• real estate agencies and developers, inclusively when they act as agents for the lease of properties, but only in respect of transactions for which the monthly rent is the Lei equivalent of Euro 10,000 or more, as well as the entities that actually carry out the activities listed in article 5 paragraph (1) letter (h) of the Law according to NACE codes 6831 – Real estate agencies and 4110 – Real estate development;

• other persons who act as professionals and sell assets, only to the extent they perform transactions in cash with the minimum threshold equal to the Lei equivalent of Euro 10,000, irrespective whether the transactions is performed in one operation or several inter-related operations;

• persons who sell artwork or act as agents in the sale of artwork, also when the sale is performed through an art gallery or auction houses, if the value of the transaction or of a series of inter-related transactions is the Lei equivalent of Euro 10,000 or more. This category includes the entities that actually carry out these activities according to NACE codes:

i. 4778 – other retail sale of new goods in specialized stores;
ii. 4779 – retail sale of second-hand goods in stores;
iii. 4791 – retail sale via mail order houses or via Internet;
iv. 4799 – other retail sale outside the stores, stalls or markets;
v. 9003 – artistic creation.

• persons who store or sell artworks or act as brokers in the sale of artworks, whenever the sale is performed in free zones, if the value of the operation or of a series of inter-related operations is the Lei equivalent of Euro 10,000 or more. This category includes entities who actually carry out these activities in the free zones according to NACE codes:

i. 4778 – Other retail sale of new goods in specialized stores ;
ii. 4779 – Retail sale of second-hand goods in stores ;
iii. 4791 – Retail sale via mail order houses or via Internet;
iv. 4799 – Other retail sale outside of stores, stalls or markets;
v. 9003 – Artistic creation.

B. Procedure for appointing the designated person/compliance officer

Who appoints?

• The representatives of the reporting entity

When?

• Upon incorporation of the reporting entity or, as the case may be;

• When the entity becomes a reporting entity according to the Law.
! A new person shall be appointed whenever necessary.

How?

• Pursuant to a test that confirms that the person is fit and competent
! Testing shall be resumed whenever changes are operated in the Law or in the secondary regulations.

Criteria to be considered⁴

• The specific knowledge;
• The professional reputation;
• The moral integrity.

Powers and duties

The reporting entities shall provide distinct and explicit information about:

• The powers and duties granted for the purpose of implementation of the Law;
• The actual way in which access is allowed to the information held by the reporting entities, directly and in due time.

C. Obligations regarding the protection of persons reporting infringements of the Law

• Who is responsible?

The reporting entities

• Who is protected?

i. The appointed person;
ii. The compliance officer;
iii. The employees and persons in similar positions who report either internally or to the Office

• What do they consist in?

i. Mechanisms for protection of the appointed persons;
ii. Providing a specific, independent and anonymous channel for infringement reporting by employees and persons in a similar position;
iii. Providing means of identity protection and confidentiality;
iv. Providing legal protection against exposure to threats, retaliation or hostile behavior, in particular against harassing or discriminating behavior at work.

• Can the compliance with the reporting obligations be considered a breach of the disclosure restriction and result in the liability of persons who reported the infringement of the Law?

No. Such compliance shall not be deemed a breach even if the disclosure restrictions are laid down in a contract or a writ having the force of a law or an administrative document.

No. No liability shall result for them even if the reporting entity or its employees did not know for sure the type of criminal activity or the type of breach of whatever nature of the Law and irrespective whether the activity did occur or not.

D. Independent audit

• What is the purpose?

To test the efficiency and the method of actual implementation of policies, norms, procedures and mechanisms put in place by the reporting entities.

• When is it performed?

When either two of the figures below exceeded the threshold during the last year:

i. the total assets were worth more than 16,000,000 Lei;
ii. the total net turnover was worth more than 32,000,000 Lei;
iii. the average number of employees was more than: 50.

E. Training the employees of reporting entities

• Who is in charge?

The reporting entities

• When?

At least once a year or whenever necessary

• How?

At least by:

i. putting in place adequate standards for hiring personnel in charge with implementation of the Law;
ii. inserting specific and precise duties in the job description of employees, as appropriate, in terms of implementation of the provisions of the law;
iii. participating in training programs intended to enhance employees’ awareness of the operations that may be connected to money laundering or financing of terrorism;
iv. periodically assessing the employee’s knowledge about the regulations in force from time to time.

• Fulfilment of the obligation must be documented.

The reporting entities have the obligation to register and keep their own track records, either on paper or on electronic format, of all documents that prove they met their training obligations; they shall forward these documents to the authorities with control powers, upon request.

F. Obligation to assess risks

• Who is in charge?

The reporting entities.

• What does it mean?

The global process that helps the reporting entities to identify the specific risks, to identify the actual risk events related to each factor and measure the risk degree of each client; for instance, “low”, “standard” and “high”.

The risk degree related to each client shall be recorded in the client acceptance records kept by the reporting entity or in other records as determined in their internal regulations.

• For what purpose?

To allow the reporting entity to put in place the set of KYC measures.

• How is the assessment system implemented?

Based on the internal administration procedures which provide for at least the following measures:

• Allotting responsibilities to the personnel while implementing the risk–based assessment process;

• Clearly stating the sources of information to be used in assessment;

• Identifying and assessing the relevant risk factors related to the clients, to the products and services offered as well as to the distribution channels, countries and geographical areas for each transaction and for the entire activity;

• Implementing the methods to identify the value/the relevance/the weight of each risk factor, depending on their importance in assessing the risk degree related to each client, if the reporting entity decides to treat differently the risk factors identified;

• Implementing the methods to identify the risk degree related to clients and operations performed by them, the products and services, the products distribution channels and, where appropriate, the outsourced activities and activities carried out through branches and subsidiaries operating in other countries, by adding up the values/relevance of each risk factor identified;

• Analyzing the risks based on periodic elaboration and re-assessment, whenever elements appear which are likely to alter the risk degree, of the categories of risks related to clients, products and services offered, distribution channels, countries and geographical areas for each transaction, depending on the related risk degree and for the entire activity conducted;

• Permanent monitoring of the evolution of risk factors in terms of money laundering or financing of terrorism in order to identify the need to update the risk assessment;

• Managing client-related risks by identifying and implementing measures intended to mitigate or remove such risks.

• What are the risk factors to be considered?

At least the relevant risks laid down in article 11 paragraph (6), article 16 paragraph (2) and article 17 paragraph (14) of the Law.

!! Upon request of the competent authorities, the reporting entities have the obligation to produce an assessment-based proof that the KYC measures were pro-rated to the risk category that each client was included in.

G. KYC measures

• Which are the mandatory standard measures?

At least the ones referred to in article 11(1) of the Law.

• Simplified measures – when do they apply and what do they consist of?

They apply in accordance with article 16 of the Law and they are basically standard measures, adjusted by methods such as, but not limited to:

– limitation of the type or time dedicated to the KYC measures;
– obtaining of a lower volume of information regarding client and beneficial owner identification;
– simplification of verifications in respect of the identity of clients and beneficial owners;
– lowering the frequency of updating in terms of the information about clients during the business relation;
– lowering the intensity of extension and degree of monitoring and verification of transactions.

!! Whenever the reporting entity decides to apply simplified KYC measures, it shall make sure that:

– the information obtained prove that the assessment is justified and complies with article 16 of the Law, transposed in the internal regulations;
– it obtained sufficient information so as to be able to identify unusual or suspect transactions.

• Additional measures – when do they apply and what do they consist of?

The additional measures are applied according to article 17 of the Law and are standard measures adjusted by methods such as, but not limited to⁵:

– obtaining additional information about the proxy, the beneficial owner, the headquarters, the occupation, the sources of income, the size of assets etc. and other information available from public databases;

– conducting additional information such as internet searches using independent and open sources;

– obtaining additional information and, where appropriate, documentary evidence regarding the nature of the business relation and of the client’s sources of funds/assets;

– obtaining information about the reasons behind the transactions;

– reducing the 25% threshold provided in the definition of the beneficial owner laid down in article 4 paragraph (2) letter (a) and (d) of the Law;

– conducting additional monitoring of the business relation by increasing the number and time of verifications conducting and by selecting the transaction patterns that require additional verifications;

– enhancing the awareness of high risk transactions and clients across all departments involved in business relations with the client, as well as allowing the possibility to disclose additional information to the personnel in charge with that client.

• Which data shall be stored by the reporting entities in respect of each client⁶?

– for natural persons – the identity data included in the identity card, passports or stay visas;

– for corporate entities – the identity data included in:

• the incorporation documents, the certificates of registration or the extracts thereof;

• the documents outlining the identity of the beneficial owner, that is, the natural person who ultimately holds or controls the client and/or the natural person on behalf of whom a transaction, an operation or an activity is performed;

• if the client is a corporate entity represented by an attorney in fact – the identity data listed above as well as the proxy/the empowering document issued by the attorney in fact of the reporting entity on behalf of which he/she acts;

• if a client is a party to a trust or other similar legal constructions – copies of the declarations of registration of the trust agreements lodged with the relevant tax bodies.

¹ Whenever used in this update the National Office for Prevention and Control of Money Laundering shall be referred to as the “Office” and Law No 129/2019 on prevention and control of money laundering and financing of terrorism and amending and supplementing some regulations for the reporting entities monitored and controlled by the National Office for Prevention and Control of Money Laundering shall be referred to as the “Law”.

² Order No 102/2020 of the chairman of the National Office for Prevention and Control of Money Laundering approving the Norms for the application of Law No 129/2019 on prevention and control of money laundering and financing of terrorism and amending and supplementing some regulations for the reporting entities monitored and controlled by the National Office for Prevention and Control of Money Laundering.

³ l) Suppliers of services for trusts, companies and other entities or legal structures means the natural person as well as the corporate entity that provides any of the following services to third parties, as a professional:

1. incorporates companies or other corporate entities;
2. acts as manager or director of a company or is a shareholder in a partnership or a joint partnership or holds a similar position in other corporate entities or arranges for another person to hold these positions or capacities;
3. makes available a corporate sear, operating unit, a business, postal or administrative address or any other similar service;
4. acts as trustee in a trust or a similar structure or arranges for another person to act as such;
5. is a shareholder or arranges for another person to act as shareholder of a corporate entity, other than a company whose shares are listed on a regulated market which is subject to publicity requirements in accordance with the EU regulations or internationally established standards.

⁴ The criteria may include the criminal record and previous employers credentials as well.

⁵ In case of business relations or operations with the high risk third party countries identified according to article 17(1)(d) of the Law, the reporting entities apply additional KYC measures in accordance with article 171 of the Law.

⁶ Data shall be stored in respect of the beneficial owner as well.