On 19 December 2019, the Regulation of the National Bank of Romania no. 4/2019 on payment institutions and account information service providers
(NBR Regulation) was published in the Official Gazette of Romania and became effective on the same date.
The Regulation transposes the guide of the European Banking Authority on this subject and with its entry into force, Romania has a full legal framework that regulates traditional payment services, but also the innovative services of account information and payment initiation.
The local or international fintechs will be able to be authorized or registered in Romania for rendering payment initiation services and account information services, which paves the way for the development of the local fintech market.
The NBR Regulation adjusts the rules for the authorization of payment institutions that render traditional payment services with the new PSD2* requirements.
It also regulates the authorization and respectively the registration conditions of the new players on the payment services market in Romania, namely the payment initiation service providers (PISPs) and account information service providers (AISPs), elaborating the provisions of Law 209/2019.
The Regulation builds a local legal framework which is harmonized to the European authorization framework as it transposes into national legislation the Guide of the European Banking Authority (EBA) on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers (EBA Guide).
Because the main novelty element is the possibility of AISP registration and PISP authorization, we present below the key requirements that companies must consider for rendering these kind of services.
The key requirements for PISPs
PISPs are subject to authorization procedures as payment institutions; the main requirements are:
. Initial capital: at least the LEI equivalent of EUR 50,000.
If additional payments services are envisaged to be rendered, other than account information services, the company should hold an initial capital at the highest level of the thresholds applicable to each specific payment service
. Insurance: PISPs must determine, at least annually, the minim level of professional indemnity insurance or other comparable guarantee by observing the conditions, criteria, indicators and formula publicly communicated by the National Bank of Romania (NBR).
To establish these, the NBR will take into consideration the indications provided in the EBA Guide on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee
. Requirements for the persons responsible for the management and administration of payment services activities: the NBR Regulation provides that the responsibilities of managing and administrating the payment services activity can only be held by natural persons who, on one hand must have a good reputation, and on the other hand must have knowledge, skills and experience suitable for rendering such an activity.
In addition, the NBR also asses if the persons responsible for the management and administration of the activities grant sufficient time in order to perform such attributions
. Operational, business, governance, security, AML Requirements. The content of a PISP authorization file is not much simplified compared to that of a traditional payment institution and should include the following essential elements:
i. application for authorisation;
ii. programme of operations – must include amongst others the opinion of the National Authority of Consumer Protection on the draft framework agreements for providing payment services to natural persons, if the obligation to conclude such agreements exists;
iii. draft of the contracts for the operation of services, including outsourcing agreements, as the case may be;
iv. a description of the group to which the applicant belongs;
v. the documentation related to the PISPs management, to the persons that have a holding in the applicant’s capital whether directly or indirectly with the mention of those that have a qualified holding and their management;
vi. business plan;
vii. structural organization;
viii. governance arrangements and internal control mechanisms;
ix. a description of the procedures on monitoring, handling and following up on security incidents and security-related customer complaints;
x. a description of the process for filing, monitoring, tracking and restricting access to sensitive payment data;
xi. business continuity arrangements;
xii. a description of the principles and definitions applicable to the collection of statistical data on performance, transactions and fraud;
xiii. security policy;
xiv. internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing;
xv. documentation of how the applicant has calculated the insured amount for the special PISP professional indemnity insurance.
The key requirements for AISPs
As opposed to PISPs, AISPs do not have to be authorized as payment institutions, but are only subject to a registration process.
However, the AISP registration requirements are relatively similar to those necessary for the PISP authorization, the documentation being however to some extent simplified. The main differences compared to the requirements applicable to PISPs are:
. Initial capital: there is no initial capital requirement for AISPs.
.Insurance: the method of calculating the insured amount reflects the smaller risk attributable to this type of services, however the calculation will be based on the conditions listed by NBR and EBA.
. Documentation on the group to which AISP belongs: as opposed to PISPs, AISPs are not required to provide certain documentation such as detailed information on the group to which they belong or to the persons that have qualified participations.
Considering that the activity of AISPs entails lower risks, we expect that the NBR will evaluate the fulfilment of the requirements less strictly, but also the AISPs must be properly prepared in order to win the authorities’ trust.
What is the procedure if an entity wants to render both payment initiation and account information services?
The EBA clarifies that in the event when both services will be performed, that entity must be authorized as a payment institution and implicitly comply with the requirements provided for PISP.
By its entering into force, the NBR Regulation brought a much needed supplementation to the legal framework that governs payment transactions as the new players on the payments market can begin the authorization or the registration process with the NBR, as the case may be. Consequently, we expect that the first licensed AISPs and PISPs will appear in the first half of the following year.
* The Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
„Tendinţele pe care le-am remarcat înainte de începerea pandemiei s-au accelerat pe perioada stării de urgenţă. Am văzut acest lucru ca o oportunitate, un tipping point pentru bancă. Post-pandemie nu avem cum sa ne întoarcem la comportamentul financiar pe care îl aveam până în februarie a.c. Relaţia românilor cu online-ul s-a schimbat. In plus, cardul fizic se va dematerializa. Vom asista la o scădere a cererii pentru cardurile fizice, respectiv la o creştere a preferinţei pentru componenta digitală a acestora.”