The Authority for the Digitalisation of Romania (the “Authority” or the “ADR”) approved long-awaited norms on the regulation, recognition, approval or acceptance of procedures for the remote identification of persons using video means (the “Norms”). The Norms approved via Decision no. 564/2021 were published in the Official Gazette on 24 November 2021. Despite certain inconsistencies (some signalled in this brief), the Norms will be enforceable as of 24 December 2021.
The Norms set out a framework for the recognition in Romania of remote video identification systems of persons, inter alia in accordance with the e-IDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”).
The Authority (which is also the Romania supervisory authority for Romanian trusted services providers) is the public authority designated for supervision and control of the application of the Norms.
Who is concerned
The Norms regulate how credit institutions, non-banking financial institutions, payments services providers, trusted services providers, public entities and third-party identification services providers may use or offer for use remote video recognition systems in full compliance with the existing legislation in Romania and with the requirements of the eIDAS Regulation.
Practice note: it is not clear whether the requirements in the Norms apply to other types of entities that conduct, or intend to conduct, remote identification via video means in their business, such as insurance companies and intermediaries, other financial institutions (such as investment or pension funds), online gambling companies, etc. It appears that such other entities will need to use remote video identification systems compliant with the Norms, i.e., by employing third parties complying with the Norms, to benefit from recognition of legal effects of the remote identification systems deployed. Inhouse systems, or generally systems that do not fall under the scope of the Norms, will not be recognised as valid and conclusive in courts.
What needs to be done
Companies listed in the Norms as remote video identification providers must notify the Authority with 30 days prior to using a remote video identification system and provide substantiating documentation including (i) a description of the technical solution, (ii) an audit report issued by an ADR-registered IT auditor/evaluation report according to eiDAS, confirming compliance with the Norms, (iii) third-party liability insurance policies (only banks, non-banking financial institutions and payment services are required to submit such TPL), (iv) the security standards with which the system complies, as well as (v) statements that adequate policies and procedures are used in the process.
Banks, non-banking financial institutions and payment services providers that use third-party identification systems will only have to notify copies of the services contract with the third-party provider and statements on policies and procedures on the use of the system at the notifying entity.
Practice note: contracts with third-party identification services providers will need to be carefully drafted to address matters such as liability, compliance, security standards, cooperation, etc.
Remote video recognition systems currently used in practice must achieve compliance with the Norms. It is not clear from the Norms whether compliance is a precondition to the continued use of the remote identification systems, which could lead to suspending the use of said systems before a technical notice is provided by the Authority.
Nonetheless, it may be argued that the longer, 240-day compliance period listed in the Norms should apply and allow companies that currently use such systems to continue to use them and conduct in parallel the procedures set out by the Norms.
Practice note: it is recommendable to approach the Authority on this point, in particular for banks , non-banking financial institutions and payment institutions, as it is expected that the National Bank of Romania will be keen to require full compliance with the Norms as soon as they are applicable.
Who can offer remote video identification as a service
Third parties that intend to offer remote video identification services must register with the Authority and will be listed on the Authority’s website.
Currently, no such third-party services providers are listed on the Authority’s website, although it is expected that trusted services providers will step in to register with the Authority to be able to offer these services to companies on the market. A full list of trusted services providers authorised in the EU, including in Romania, is available here.
What are the requirements for remote video identification
The Norms list various requirements on the actual conduct of remote video identification, including an obligation to conduct risk assessments in relation to the systems, security requirements, use of trained personnel, verification steps and standards, technical and organisational requirements for the identification, as well as retention requirements.
Practice note: the Norms indicate that identity verifications may be made using third-party data, such as evidences of public bodies, based on contracts with those entities. The draft Government Ordinance issued in 2020 on remote video identification set out specifically that such entities included the public bodies managing persons’ records. However, in the absence of this detail, the Norms may be an insufficient legal ground for public bodies managing persons’ records to enter contracts with private companies enabling a thorough remote identification of persons.
Multiple references are made in the Norms on the obligation to data protection requirements in the use of the remote video identification systems, such as obtaining consent for conducting video identification and data protection policies.
What sanctions for failure to comply with the Norms
The Norms do not include sanctions on the use of remote video identification systems without ADR’s technical notice. In a draft Government Ordinance (which was not enacted), use of remote video identification systems involving a trusted services provider or third party without technical notices is classified as several misdemeanours subject to fines of up to 20 minimum salaries (i.e., currently approximately RON 45,000, or EUR 9,000).
Although these sanctions will not apply to companies in breach of the Norms in the absence of a specific legal provision, we expect that failures to comply with the Norms be sanctioned, in the case of credit institutions or non-banking financial institutions, pursuant to sector-specific legislation or as operational or legal risk incidents.
On the other hand, failure to comply with the provisions of the Norms may trigger the waiving of the technical approval issued by the Authority (if such is previously issued).
The above does not represent legal advice or assistance in relation to the provisions of the draft whistleblowing legislation in Romania. For further details on the above, we kindly ask you to contact us at firstname.lastname@example.org