Authors: Rebecca Marina (counsel), Sandra Danciu (associate)
As the European Union accelerates its digital transformation, financial services providers in Romania must adapt swiftly to evolving regulatory landscapes. The Instant Payments Regulation, the Third Payments Services Directive (“PSD3”) and the Payment Services Regulation (“PSR”) will redefine the payments ecosystem. These regulatory shifts present both challenges and opportunities for banks, payment institutions, and fintech companies operating in Romania.
Immediate Implications: Instant Payments and Operational Readiness
Starting on January 9, 2025, financial institutions across the euro area have been receiving instant payments—a significant milestone in the EU’s push for real-time transactions. By October 9, 2025, these institutions must also be fully equipped to send instant payments. For Romanian-based credit institutions, the deadline is set for 2027. However, discussions regarding the applicable deadline may arise for foreign credit institutions licensed and regulated in eurozone jurisdictions (such as the Netherlands, France, and Ireland) but operating in Romania or other non-euro zone country either directly or through a branch.
Additionally, to remain competitive with eurozone banks, some Romanian-based credit institutions may choose to adopt instant payments earlier. This mandate requires banks and payment service providers to upgrade their infrastructure, strengthen fraud detection mechanisms, and ensure operational resilience in compliance with the Digital Operational Resilience Act (DORA).
A crucial regulatory requirement under the Instant Payments Regulation is the verification of payee, which enhances transaction security by confirming recipient details before processing payments. Additionally, institutions must guarantee fee parity between instant and traditional transactions and ensure greater transparency for customers. Romanian financial players need to proactively implement these measures to remain competitive while maintaining compliance with evolving EU standards.
Evolution or revolution: PSD3 and PSR Reshaping the Market
Following the European Commission’s review of PSD2, the upcoming PSD3 and PSR will significantly impact the Romanian financial services market. These regulations aim to streamline compliance, mitigate fraud risks, and promote a more competitive environment.
Merging e-money and payment institutions regimes
PSD3 seeks to consolidate the regulatory treatment of electronic money institutions (EMIs) and payment institutions, addressing longstanding supervisory challenges. Under the proposed changes, institutions will have to reapply for their licenses within 24 months of PSD3’s implementation. However, firms that meet the revised standards could benefit from automatic authorization, subject to approval by the National Bank of Romania.
This regulatory shift will require Romanian financial institutions to reassess their licensing strategies, operational structures, and compliance frameworks. Consolidation of regulatory regimes presents an opportunity for businesses to streamline operations while navigating the complexities of the new compliance landscape.
Strengthening Fraud Prevention and Liability Reforms
With digital fraud becoming increasingly sophisticated, PSD3 enhances Strong Customer Authentication (SCA) requirements. While SCA has successfully reduced unauthorized transaction fraud, new provisions will hold payment service providers liable for certain authorized fraud cases, such as:
- Failures in IBAN/name verification services resulting in misdirected payments;
- “Spoofing” fraud where scammers impersonate bank representatives to manipulate users.
In Romania, financial institutions must prepare for heightened liability risks by implementing advanced fraud prevention measures, strengthening customer authentication mechanisms, and developing proactive risk management strategies. The European Commission has also proposed the secure sharing of fraud-related data across financial institutions, necessitating compliance with GDPR and data protection laws.
Furthermore, PSD3 imposes stricter safeguarding requirements for customer funds, compelling payment institutions to diversify their fund-holding strategies. Rather than concentrating safeguarded funds within a single credit institution, firms may opt to place these funds with central banks, subject to their discretion.
The timeline for safeguarding e-money has been shortened—funds must now be safeguarded by the end of the business day following receipt. For Romanian EMIs and payment service providers, this means adopting more efficient liquidity management strategies and ensuring compliance with tighter regulatory deadlines.
Strategic Considerations for Romanian Financial Institutions
The upcoming regulatory changes require Romanian banks, EMIs, payment institutions and fintechs to take a proactive approach. To remain competitive and compliant, financial institutions should consider:
- Infrastructure Upgrades: Investing in real-time payment capabilities, fraud detection technologies, and robust cybersecurity frameworks to meet new requirements;
- Regulatory Alignment: Conducting comprehensive compliance assessments and working closely with the National Bank of Romania to ensure smooth adaptation to PSD3 and PSR; and
- Strategic Partnerships: Collaborating with technology providers, legal advisors, and compliance specialists to navigate the evolving financial landscape effectively.
As Romania aligns with the EU’s broader push for a more secure and innovation-driven payments ecosystem, financial institutions that embrace these changes proactively will be best positioned for success. Regulatory compliance is no longer just an obligation, it is a strategic advantage in an increasingly competitive market.
