Romania's banking and finance sector operates under a dual regulatory framework: European Union directives transposed into national law, and domestic legislation enforced by the National Bank of Romania (Banca Națională a României, BNR). For international businesses entering the Romanian market - whether through lending, project finance, fintech ventures, or cross-border capital structures - understanding the local legal architecture is not optional. It is the foundation of every commercially viable decision. This article maps the key legal tools, regulatory requirements, procedural timelines, and practical risks that define banking and finance law in Romania today. It covers licensing, lending structures, AML obligations, fintech regulation, enforcement mechanisms, and dispute resolution, giving decision-makers a structured roadmap for operating in this jurisdiction.
The primary statute governing banking activity in Romania is Government Emergency Ordinance No. 99/2006 on credit institutions and capital adequacy (Ordonanța de urgență nr. 99/2006 privind instituțiile de credit și adecvarea capitalului). This act, substantially amended to incorporate EU Capital Requirements Directives (CRD IV and CRD V), defines who qualifies as a credit institution, what activities require authorisation, and what prudential standards apply. It is the cornerstone of banking law in Romania.
The BNR functions as the primary prudential supervisor for credit institutions incorporated in Romania. It grants and revokes banking licences, sets capital and liquidity requirements, and conducts on-site inspections. For financial institutions operating in capital markets, the Financial Supervisory Authority (Autoritatea de Supraveghere Financiară, ASF) holds concurrent jurisdiction over investment firms, insurance companies, and pension funds. Understanding which regulator has authority over a specific activity is the first practical question any international operator must answer.
Romania is a member of the European Banking Union's Single Supervisory Mechanism (SSM), but only significant institutions fall under direct European Central Bank supervision. Most Romanian banks remain under BNR's direct oversight, with the ECB exercising indirect supervision through the SSM framework. This distinction matters for cross-border banking groups: a subsidiary incorporated in Romania is subject to BNR, while a branch of an EU-authorised institution may passport its licence under the EU single passport regime.
The Banking Law (Law No. 58/1998, now largely superseded by OUG 99/2006) established the foundational definitions still referenced in Romanian courts and regulatory correspondence. Practitioners must track both the current statute and its interpretive history to understand how BNR applies rules in practice.
A banking licence in Romania is issued by the BNR under OUG 99/2006, Article 10 and following. The process is demanding by design. The BNR evaluates the applicant's business plan, governance structure, capital adequacy, fit-and-proper assessments of management, and risk management frameworks before granting authorisation.
The minimum initial capital requirement for a credit institution incorporated in Romania is set at the equivalent of EUR 5 million, consistent with EU minimum standards under CRD V. In practice, the BNR expects significantly higher capitalisation for institutions with broad retail ambitions. Applicants must demonstrate that capital is fully paid up and sourced from legitimate, verifiable origins - a requirement that intersects directly with AML obligations.
The authorisation process typically unfolds in two phases. The first phase involves a preliminary assessment of the application file, which the BNR must complete within 90 days of receiving a complete submission. The second phase involves a detailed review, with a final decision required within 12 months of the initial application date under EU Directive 2013/36/EU as transposed. In practice, incomplete files - a common issue for international applicants unfamiliar with Romanian documentation standards - restart the clock.
Key conditions for authorisation include:
A common mistake made by international groups is underestimating the fit-and-proper assessment. The BNR scrutinises the professional background, criminal records, and financial integrity of each proposed director and significant shareholder. Gaps in documentation - particularly for shareholders domiciled outside the EU - routinely delay applications by several months.
For entities that do not require a full banking licence, Romanian law provides for the registration of payment institutions and electronic money institutions under Law No. 209/2019 (implementing PSD2) and Law No. 210/2019 (implementing the E-Money Directive). These lighter-touch regimes allow fintech operators to offer payment services and issue electronic money without the full capital and governance burden of a credit institution licence.
To receive a checklist on banking licence applications in Romania, send a request to info@vlolawfirm.com
Lending in Romania is regulated at multiple levels. Consumer credit is governed by Government Ordinance No. 50/2010 (Ordonanța Guvernului nr. 50/2010 privind contractele de credit pentru consumatori), which transposed the EU Consumer Credit Directive. Mortgage credit falls under Law No. 52/2020, which transposed the Mortgage Credit Directive (MCD). Corporate and project lending operates primarily under general contract law as codified in the Civil Code (Codul Civil, Law No. 287/2009), supplemented by specific provisions in OUG 99/2006 and BNR prudential regulations.
For consumer lending, Romanian law imposes strict disclosure obligations. Lenders must provide a Standard European Consumer Credit Information (SECCI) form before contract execution. The annual percentage rate (APR) must be calculated and disclosed using the method prescribed in OUG 50/2010, Annex I. Failure to comply with disclosure requirements can render the credit agreement partially or fully void, with the borrower entitled to repay only the principal without interest or fees - a significant financial exposure for non-compliant lenders.
Corporate lending structures in Romania typically use syndicated loan agreements modelled on Loan Market Association (LMA) standards, adapted for Romanian law. Security packages commonly include:
The AEGRM is a critical tool in Romanian secured lending. Registration of a movable pledge in the AEGRM establishes priority over subsequent creditors and is a prerequisite for enforcement. A non-obvious risk for international lenders is that Romanian law treats the moment of AEGRM registration - not the moment of contract execution - as the priority date. Delays in registration, even of a few days, can subordinate a lender's security interest to a competing creditor.
Project finance in Romania follows international structures but requires careful attention to local law constraints. Romanian law does not recognise the common law concept of a trust, which affects how security trustee arrangements are structured in syndicated deals. Parallel debt structures or Romanian-law security agency arrangements are used as alternatives. Practitioners must ensure that the security agent's authority is properly documented under Romanian civil law to avoid enforceability challenges.
Interest rate caps apply to consumer credit under OUG 50/2010. For corporate lending, no statutory cap exists, but usury-adjacent provisions in the Civil Code (Article 1168 on lesion) can be invoked in extreme cases. In practice, Romanian courts have shown limited appetite for reducing corporate interest rates on grounds of lesion, but the risk is not entirely theoretical for transactions involving smaller businesses or individuals acting in a commercial capacity.
Anti-money laundering regulation in Romania is governed by Law No. 129/2019 on preventing and combating money laundering and terrorist financing (Legea nr. 129/2019 privind prevenirea și combaterea spălării banilor și finanțării terorismului). This act transposed the EU's Fourth and Fifth Anti-Money Laundering Directives (4AMLD and 5AMLD) and introduced significant new obligations for financial institutions, lawyers, notaries, and other obliged entities.
The Office for Prevention and Combating Money Laundering (Oficiul Național de Prevenire și Combatere a Spălării Banilor, ONPCSB) is the Romanian financial intelligence unit. It receives suspicious transaction reports (STRs), analyses financial intelligence, and cooperates with law enforcement and foreign FIUs. Credit institutions must file STRs with ONPCSB within 24 hours of identifying a suspicious transaction, and must not tip off the subject of the report.
Customer due diligence (CDD) requirements under Law 129/2019 follow the risk-based approach mandated by FATF standards. Standard CDD applies to all customers. Enhanced due diligence (EDD) is mandatory for:
A common mistake by international financial institutions operating in Romania through branches or subsidiaries is applying group-level CDD standards without verifying their equivalence with Romanian law requirements. The ONPCSB has issued guidance clarifying that group policies must be supplemented by Romania-specific procedures where local law imposes stricter standards.
Beneficial ownership transparency is a key compliance area. Law 129/2019 requires obliged entities to identify and verify the ultimate beneficial owner (UBO) of every legal entity customer. Romanian companies must register their UBOs in the Trade Register (Registrul Comerțului) under Law No. 265/2022 on the Trade Register. Failure to maintain accurate UBO records exposes both the company and its directors to administrative fines and, in serious cases, criminal liability.
The penalties for AML non-compliance in Romania are substantial. Administrative fines under Law 129/2019 can reach up to 10% of annual turnover for credit institutions, or fixed amounts up to RON 5 million for other obliged entities. The BNR has authority to impose additional prudential sanctions, including licence suspension, for systemic AML failures. In practice, the BNR has used its supervisory powers to require remediation programmes and management changes at institutions with identified AML weaknesses.
Many underappreciate the intersection of AML obligations with data protection law. Romanian implementation of GDPR (through Law No. 190/2018) creates tension between the obligation to retain CDD records for five years and the data minimisation principle. Financial institutions must document their legal basis for retaining personal data collected during CDD, typically relying on the legal obligation ground under GDPR Article 6(1)(c).
To receive a checklist on AML compliance requirements for financial institutions in Romania, send a request to info@vlolawfirm.com
Romania's fintech sector has grown substantially, driven by EU regulatory harmonisation and increasing digital adoption. The legal framework for fintech in Romania is built on three pillars: the payment services regime under Law 209/2019, the electronic money regime under Law 210/2019, and the emerging EU-level frameworks for crypto-assets and digital finance.
Payment institutions (instituții de plată) registered under Law 209/2019 may provide payment services including money remittance, payment initiation, and account information services without holding a full banking licence. The BNR supervises payment institutions and electronic money institutions. Registration requires a minimum initial capital of EUR 20,000 to EUR 125,000 depending on the category of payment services, a documented governance framework, and compliance with PSD2 security requirements including strong customer authentication (SCA).
Open banking obligations under PSD2, as transposed by Law 209/2019, require account-servicing payment service providers (ASPSPs) - primarily banks - to provide access to payment account data to third-party providers (TPPs) through standardised APIs. Romanian banks have implemented these APIs with varying degrees of quality and reliability. A practical risk for fintech operators building on open banking infrastructure in Romania is the inconsistency of API implementations, which can affect service reliability and regulatory compliance.
The EU Markets in Crypto-Assets Regulation (MiCA), which applies directly in Romania as an EU member state, introduces a comprehensive licensing regime for crypto-asset service providers (CASPs). Entities offering crypto-asset services in Romania must obtain authorisation from the ASF under MiCA. Existing operators that registered with the ASF under earlier national frameworks must transition to MiCA authorisation within the transitional periods specified in the regulation. The ASF has published guidance on the transition process, and early engagement with the regulator is strongly advisable.
Buy-now-pay-later (BNPL) products occupy a regulatory grey zone in Romania. Where BNPL arrangements qualify as consumer credit under OUG 50/2010, full consumer credit disclosure and licensing requirements apply. Where they fall below the thresholds or within exemptions in the directive, lighter obligations apply. The EU Consumer Credit Directive 2023/2225, which Romania must transpose, will bring most BNPL products within the consumer credit framework. Operators currently relying on exemptions should model the impact of the new directive on their product structures.
Crowdfunding platforms operating in Romania are subject to EU Regulation 2020/1503 on European crowdfunding service providers (ECSPR), which applies directly. The ASF is the competent authority for authorising and supervising crowdfunding service providers in Romania. The regulation imposes requirements on investor disclosures, key investment information sheets, and default rate reporting that differ materially from earlier national frameworks.
A non-obvious risk in Romanian fintech is the interaction between financial regulation and consumer protection law. The National Authority for Consumer Protection (Autoritatea Națională pentru Protecția Consumatorilor, ANPC) has jurisdiction over consumer-facing financial products and has demonstrated willingness to take enforcement action against digital financial service providers for unfair commercial practices under Law No. 363/2007. Fintech operators must ensure their terms and conditions, fee disclosures, and complaint handling procedures comply with both financial regulation and consumer protection law.
When banking and finance disputes arise in Romania, parties have several procedural routes available. Romanian courts have general jurisdiction over banking disputes. The Bucharest Court of Appeal (Curtea de Apel București) and the High Court of Cassation and Justice (Înalta Curte de Casație și Justiție, ICCJ) handle significant commercial and banking cases at appellate level. First-instance jurisdiction for high-value commercial disputes typically lies with the Tribunal (Tribunalul), a mid-tier court with specialised commercial sections in major cities.
Arbitration is a viable alternative for cross-border banking disputes. The Court of International Commercial Arbitration attached to the Chamber of Commerce and Industry of Romania (Curtea de Arbitraj Comercial Internațional de pe lângă Camera de Comerț și Industrie a României, CCIR) administers domestic and international arbitrations under its own rules. International parties frequently opt for ICC or LCIA arbitration with a seat outside Romania, particularly in syndicated loan transactions. Romanian courts have generally respected arbitration clauses and enforced foreign arbitral awards under the New York Convention, to which Romania is a party.
Enforcement of security interests in Romania follows a structured process. For real estate mortgages, enforcement proceeds through the court-supervised auction process under the Civil Procedure Code (Codul de Procedură Civilă, Law No. 134/2010), Articles 813-858. The process from enforcement initiation to auction completion typically takes between 6 and 18 months, depending on court workload and debtor challenges. For movable pledges registered in the AEGRM, out-of-court enforcement is available under Law No. 99/1999, allowing the pledgee to sell the pledged asset without court involvement if the pledge agreement so provides.
Three practical scenarios illustrate the range of enforcement challenges:
Insolvency proceedings in Romania are governed by Law No. 85/2014 on insolvency prevention and insolvency proceedings (Legea nr. 85/2014 privind procedurile de prevenire a insolvenței și de insolvență). For credit institutions, a separate regime applies under Law No. 312/2015, which transposed the Bank Recovery and Resolution Directive (BRRD). The BNR acts as resolution authority for Romanian credit institutions, with powers to apply bail-in, transfer assets, and establish bridge institutions.
Creditors in Romanian insolvency proceedings must file claims within the deadline set by the insolvency practitioner, typically 30 to 60 days from the opening of proceedings. Late claims are admitted only in limited circumstances and rank below timely claims. A non-obvious risk for foreign creditors is that Romanian insolvency law requires claims to be filed in Romanian, with supporting documents translated by authorised translators. International banks with Romanian law security packages must have Romanian-language documentation ready before insolvency events occur.
Pre-insolvency restructuring tools include the concordat preventiv (preventive concordat) and the ad hoc mandate (mandat ad-hoc), both available under Law 85/2014. These tools allow distressed debtors to negotiate with creditors outside formal insolvency, with court supervision providing a degree of protection against individual creditor enforcement. Lenders considering participation in restructuring negotiations should obtain independent Romanian legal advice on the implications for their security position, as certain restructuring measures can affect the enforceability of security interests.
To receive a checklist on banking dispute resolution and enforcement procedures in Romania, send a request to info@vlolawfirm.com
What are the main risks for a foreign bank operating in Romania through a branch rather than a subsidiary?
A foreign EU bank passporting into Romania through a branch benefits from its home state authorisation and is not subject to BNR licensing. However, the BNR retains supervisory powers over the branch's liquidity, consumer protection compliance, and AML obligations. A non-EU bank establishing a branch in Romania must obtain BNR authorisation under OUG 99/2006 and meet capital and governance requirements comparable to those for a subsidiary. The key practical risk is that branch operations are subject to Romanian consumer protection and AML law regardless of the home state framework, and the BNR has authority to restrict branch activities if it identifies compliance failures. Governance arrangements that work in the home jurisdiction may not satisfy Romanian requirements without adaptation.
How long does it take to enforce a loan security in Romania, and what does it cost?
Enforcement timelines vary significantly by security type. Out-of-court enforcement of a movable pledge through the AEGRM can be completed in weeks if the debtor does not challenge the process. Court-supervised enforcement of a real estate mortgage typically takes between 6 and 18 months, with debtor challenges potentially extending this to 24 months or more in contested cases. Consumer debt enforcement is subject to additional procedural constraints and can be slower. Legal fees for enforcement proceedings typically start from the low thousands of EUR for straightforward matters, scaling with complexity and dispute value. Court fees are calculated as a percentage of the claimed amount and can represent a meaningful upfront cost for large exposures. Lenders should factor enforcement costs and timelines into their credit risk assessments at origination.
When should a fintech company in Romania seek a payment institution licence rather than partnering with an existing licensed institution?
The choice between obtaining a payment institution licence and operating under a banking-as-a-service (BaaS) arrangement with a licensed institution depends on the business model, transaction volumes, and long-term strategy. A fintech with high transaction volumes, a proprietary customer relationship, and plans to expand across the EU will generally benefit from its own licence, which provides direct regulatory standing and the ability to passport services. The BNR registration process for payment institutions takes approximately 3 to 6 months for a complete application. A BaaS arrangement is faster to market and avoids the capital and compliance burden of direct licensing, but creates dependency on the partner institution's risk appetite and operational capabilities. A common mistake is underestimating the ongoing compliance obligations of a licensed payment institution, including PSD2 security requirements, incident reporting, and annual regulatory reporting to the BNR.
Banking and finance law in Romania combines EU-level harmonisation with a distinct national regulatory culture shaped by BNR supervisory practice and Romanian civil law traditions. For international operators, the key to success is early engagement with the regulatory framework, rigorous documentation of security interests and CDD procedures, and a clear understanding of enforcement mechanics before disputes arise. The cost of non-specialist advice in this jurisdiction - whether through defective security registration, non-compliant consumer credit disclosures, or inadequate AML procedures - consistently exceeds the cost of proper legal structuring at the outset.
Our law firm VLO Law Firm has experience supporting clients in Romania on banking and finance matters. We can assist with licence applications, lending structure reviews, AML compliance programmes, security package documentation, and dispute resolution strategy. To receive a consultation, contact: info@vlolawfirm.com