Enhancing financial security in Romania: the role of KYC, video identification, and strong customer authentication

Author: Rebecca Marina (counsel Filip & Company)

In today's digital era, the financial sector is more susceptible to fraudulent activities than ever before. Romania, akin to many other EU member states, grapples with significant challenges in curbing financial crime, especially in the domains of banking fraud and money laundering. This article explores Romania's robust legal framework designed to enhance transaction security and prevent fraud through Know Your Customer (KYC) processes, video identification, and strong customer authentication (SCA).

The KYC legal foundation in Romania

Romania's primary legislative tool for combating financial crime is the Law no. 129/2019 on the prevention and combating of money laundering and terrorist financing (Law 129/2019). This law transposes the EU's 4th and 5th Anti-Money Laundering (AML) Directives into Romanian law, establishing comprehensive obligations for financial institutions and designated non-financial businesses and professions. Its core objective is to protect the integrity of the financial system by ensuring that all entities operating in high-risk sectors, including financial institutions, legal professionals, real estate agents, and certain traders, apply due diligence to identify and mitigate financial crime risks. The law also creates mechanisms for cooperation between authorities, centralized risk assessments, and data-sharing to strengthen institutional capacity in detecting and addressing suspicious financial activity.

Under this law, reporting entities have several key obligations. They must conduct customer due diligence, including identifying clients and beneficial owners, monitoring transactions, and understanding the nature of business relationships. Additionally, they are required to report suspicious transactions and certain high-value cash or cross-border operations to the AML authority. Entities must also maintain internal compliance programs, train staff, and cooperate with relevant authorities. Non-compliance can lead to significant administrative and financial penalties, reflecting the law’s focus on accountability and proactive risk management.

Crypto Asset Regulation in Romania

Building on the robust KYC framework, recent legislative amendments have also addressed the regulation of crypto assets. An amendment to Law 129/2019 introduced by Government Emergency Ordinance no. 10/2025 has significantly expanded the law's reach, particularly in the digital space. Key updates include clarifying the scope of entities subject to AML obligations, notably extending it to crypto asset service providers (CASPs), enhancing the powers of the AML authorities, and strengthening mechanisms for automated transaction monitoring and digital client profiling. It streamlined the classification of CASPs by removing outdated and redundant references to exchange and wallet providers, while simultaneously integrating these entities into the broader category of “financial institutions”.

Following these changes, CASPs in Romania are subject to the full spectrum of AML requirements, including customer due diligence, transaction monitoring, and reporting of suspicious activity. They are also explicitly included in risk-based supervisory mechanisms and must comply with the EU’s “travel rule,” requiring the transmission of sender and recipient information for crypto transfers. Law 129/2019 now requires CASPs to apply mandatory KYC for any transaction exceeding EUR 1,000, and to use enhanced transaction monitoring, especially for peer-to-peer transfers and anonymous wallets.

Furthermore, a legislative proposal initiated by the Romanian Government in 2025 proposes substantial amendments to Law 129/2019 for the implementation of the 6th AML Directive. The draft law aims to align Romania’s anti-money laundering and counter-terrorist financing framework with the latest EU standards and international best practices, particularly those set by the Financial Action Task Force and the Council of Europe’s MONEYVAL Committee. It strengthens the legal and institutional tools available for risk-based supervision, national risk assessment, and cross-border cooperation.

Key proposed changes include enhancing the due diligence measures for dealings with high-risk third countries and reinforcing the role of the AML authority in coordinating national policy and operational response to AML risks. These provisions reflect a broader effort to ensure greater transparency, accountability, and efficiency in combating financial crime in both traditional and digital financial sectors.

Remote video identification of customers

In implementation of the rules on KYC and customer due diligence under the Law 129/2019, the Romanian Authority for the Digitalization of Romania (ADR) has taken a lead role in defining technical standards for remote digital identification, particularly through video identification. This is particularly relevant for onboarding users to payment platforms, fintech apps, and crypto exchanges, where seamless yet secure client identification is critical. ADR's work also ties into Romania's implementation of eIDAS 2.0, paving the way for interoperable digital wallets and trusted electronic identities.

​The Decision no. 564/2021, issued by the President of ADR, establishes the regulatory framework for remote identity verification using video means. This decision approves the "Norms regarding the regulation, recognition, approval, or acceptance of the procedure for remote identification of persons using video means," aligning with the provisions of Regulation (EU) No. 910/2014 (eIDAS) and Law 129/2019. The norms set minimum technical and security requirements for electronic identification procedures, ensuring that remote identification via video is conducted securely and reliably.

The decision applies to various entities, including trust service providers, payment service providers, credit institutions, non-banking financial institutions, public sector bodies, and third parties responsible for identity verification. These entities must obtain approval from ADR before implementing remote video identification procedures. Additionally, entities authorized in other EU member states wishing to conduct such activities in Romania must comply with the notification conditions outlined in the norms.

The norms also allow for the use of advanced technologies, such as artificial intelligence and machine learning, in the identification process. Each platform implementing video identification must undergo a comprehensive audit process and receive approval from ADR, ensuring the highest level of security and compliance with the established standards.

Strong Customer Authentication and preventive measures in payments

In addition to KYC processes and video identification, strong customer authentication plays a crucial role in combating banking fraud. SCA, as mandated by the EU's Payment Services Directive 2, requires multifactor authentication for online transactions, combining something the customer knows (e.g., a password), something the customer has (e.g., a mobile device), and something the customer is (e.g., biometric data – fingerprints or facial recognition). This layered approach significantly reduces the risk of unauthorised access and fraudulent transactions.

Safeguarding against banking fraud necessitates the implementation of robust security measures by both businesses and individuals. These measures include multifactor authentication, one-time passwords, biometric authentication (such as facial or fingerprint recognition) for highly sensitive information, data encryption, and advanced cybersecurity solutions. Additionally, careful verification of suspicious emails and messages to avoid phishing, due diligence on business partners, scrutiny of suspicious payments, and comprehensive financial education and employee training are essential to recognising and mitigating fraud attempts. By adopting these practices, Romania can continue to enhance its financial security and protect against evolving threats.