Robo-advisers in Romanian Wealth Management: Who's Liable? Regulatory Limits Under MiFID II, GDPR and AI Act
- Feb 27

By Rebecca Marina (Counsel) and Roxana Șerban (Associate), Filip & Company
Robo-advisers are transforming wealth management by offering automated investment recommendations and portfolio management. In Romania, however, the regulatory framework determines not what technology can do, but which institutions can legally offer these services.
Although robo-advisers are permitted, they do not enjoy a separate regulatory regime. Instead, they are treated as a delivery method for regulated investment services and assessed through the lens of Law no. 126/2018 on markets in financial instruments, which transposes MiFID II. This has an immediate and important consequence: robo-advisory does not reduce the legal obligations applicable to investment advice or portfolio management. On the contrary, the use of automation often amplifies regulatory expectations, particularly in relation to investor protection and accountability.
Only certain types of institutions can provide investment services in Romania. Licensed investment firms (SSIFs) may operate platforms as part of their authorised investment services, where they can provide investment advice and portfolio management. Similarly, banks with investment service capabilities can integrate robo-advisers into their private banking or wealth management products. Institutions based elsewhere in the European Union may also provide robo-advisory to Romanian clients under the MiFID II cross-border passporting regime, provided they notify the Romanian Financial Supervisory Authority (ASF) and comply with local requirements. Crucially, unlicensed fintechs or technology start-ups cannot provide robo-advisory services in Romania, as doing so would constitute the provision of investment services by an unregulated entity, and regulatory authorisation is mandatory regardless of the technology used.
The type of licence required depends on the nature of the service. Platforms providing investment advice must operate under a MiFID II licence for “investment advice”, which is defined as a personal recommendation to a client about a specific financial instrument. Generic or marketing communications do not amount to investment advice unless they are presented as suitable for, or based on the circumstances of, a particular person. Platforms managing client assets on a discretionary basis require a MiFID II licence for “portfolio management”. In both cases, the robo-adviser functions as a delivery channel and the underlying service remains fully regulated.
One of the most significant limitations arises from MiFID II’s suitability regime. Investment firms must ensure that any recommendation is suitable for the client’s objectives, financial situation and risk tolerance. When this assessment is delegated to an algorithm, the firm remains fully responsible for both the design of the model and the quality of the data on which it relies. Errors in client profiling, overly simplified questionnaires or biased assumptions may translate directly into regulatory breaches. From a liability perspective, the fact that advice was generated automatically offers no defence: under Romanian law, responsibility for unsuitable advice cannot be shifted to technology. Where a tool does not make a personal recommendation (for example, client-selected model portfolios or decision aids), firms must still perform an assessment for complex products and warn clients where the service or product is not appropriate.
Transparency requirements further constrain robo-advisory models. MiFID II and Law 126/2018 oblige firms to provide clear and comprehensible information about the nature of the service and the basis on which recommendations are made. This creates practical limitations for highly complex or opaque algorithms. If the reasoning behind an investment recommendation cannot be explained to the client, the model itself may become legally problematic. Firms must also maintain records that evidence the recommendation logic, client interactions and versioning of models and questionnaires to enable effective audit and supervision. In this context, the regulatory preference is clear: efficiency cannot come at the expense of explainability.
Liability concerns intensify when considering the degree of automation involved. While MiFID II does not explicitly prohibit fully automated advice, it assumes a level of human oversight sufficient to detect errors, market anomalies or client vulnerability. A robo-adviser operating without meaningful human control may expose firms to heightened regulatory and civil liability, particularly where significant losses occur.
These constraints are reinforced by the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which introduces a horizontal framework governing the use of AI across sectors. Robo-advisory systems used in investment decision-making are likely to be classified as high-risk AI systems, due to their potential impact on individuals’ financial interests. This classification imposes strict obligations relating to risk management, data governance, documentation and monitoring. Importantly, the AI Act does not replace MiFID II; it operates alongside it, adding a new layer of compliance and, potentially, a new source of liability.
From a Romanian law perspective, this creates a convergence of regulatory responsibilities. Failure in model governance, inadequate human oversight or biased training data may trigger not only supervisory sanctions from the ASF, but also contractual and non-contractual liability under the Romanian Civil Code. The AI Act makes it increasingly difficult to argue that algorithmic outcomes are unforeseeable or uncontrollable.
Data protection obligations under GDPR add another layer of limitation. Robo-advisers rely heavily on personal data for profiling and decision-making, and fully automated investment decisions may engage Article 22 GDPR where decisions are based solely on automated processing (including profiling). In such cases, clients have safeguards including the right to request human intervention, to express their point of view, and to contest the decision. Investment firms and banks providing robo-adviser services must ensure that data processing is lawful, proportionate and transparent, and that alternative or behavioural data is used responsibly.
Moreover, the use of alternative or behavioural data raises questions of proportionality and purpose limitation. From a liability standpoint, excessive or insufficiently justified data processing may expose firms to enforcement action by data protection authorities, as well as reputational damage in a highly trust-sensitive market such as private banking.
In practice, the combined effect of MiFID II, GDPR and the AI Act is not to prohibit robo-advisers, but to discipline their use. Romanian law permits innovation, but only where it is accompanied by robust governance, transparency and accountability mechanisms. Firms cannot outsource legal responsibility to algorithms, nor can they rely on technology to shield them from liability. Robo-advisers are legally permitted in Romania, but only when offered by authorised institutions with the appropriate MiFID II licences. Technology may automate investment decisions, but legal responsibility remains firmly with the institutions.


