Order no.

24/2008

to implement the Norms concerning the prevention and control of money laundering and terrorist
financing through the insurance market

In force as of 7 January 2009

The consolidated text as at 24 November 2014 is based on the publication in the Official Journal, Part I
No. 12 of 7 January 2009 and includes the amendments made by the following acts:

Order 5/2011;

Last amendment as at 16 March 2011

Pursuant to art. 4 para. (26) and (27) of Law no. 32/2000 on insurance undertakings and insurance
supervision, and in accordance with the Insurance Supervisory Commission Council Decision of 16
December 2008, whereby the Norms concerning the prevention and control of money laundering and
terrorist financing through the insurance market were adopted,

The President of the Insurance Supervisory Commission hereby issues the following order:

Art. 1. – The Norms concerning the prevention and control of money laundering and terrorist financing
through the insurance market, set out in the annex which shall be an integral part of this order shall be
implemented.

Art. 2. – As of the date when this order becomes effective, the Norms concerning the prevention and
control of money laundering and terrorist financing through the insurance market, as approved by Order
no. 3.128/2005 of the President of the Insurance Supervisory Commission, and published in the Official
Gazette of Romania, Part I, no. 1.165 of 22 December 2005 shall be repealed.

Art. 3. – The specialized directorates of the Insurance Supervisory Commission shall be responsible for
the implementation of this order.

President of the Insurance Supervisory Commission

Angela Toncescu

Bucharest, 22 December 2008

No. 24
ANNEX

NORMS concerning the prevention and control of money laundering and terrorist financing through the
insurance market

CHAPTER I

General provisions

Art. 1. – these norms shall regulate the prevention and control of money laundering and terrorist
financing through the insurance market.

Art. 2. – Insurance undertakings, reinsurance undertakings, insurance and/or reinsurance brokers who
are Romanian legal entities and subsidiaries in Romania of insurance undertakings, reinsurance
undertakings, insurance and/or reinsurance brokers based within the European Economic Area,
hereinafter referred to as entities shall be subject to the provisions laid down in these norms.

Art. 3. - (1) For the purposes of these norms, the words, expressions and abbreviations below shall have
the following meanings:

a) money laundering – as defined in art. 2 letter a) of Law no. 656/2002 on the prevention and
sanctioning of money laundering and the implementation of some measures to prevent and control
terrorist financing, as amended and supplemented;

b) terrorist financing – crime defined in art. 36 of Law no. 535/2004 on the prevention and control of
terrorism;

c) suspicious transaction – an operation with no apparent economic or legal substance or which, by its
nature and/or unusual character in relation with the operations conducted by the client of one of the
entities referred to in art. 2 arises suspicions of money laundering or terrorist financing;

d) cross-border transfers to and from accounts – cross-border transfers, as defined in the national legal
provisions, as well as payments to and from the accounts of residents from and to the accounts of non-
residents;

e) client – natural or legal person policyholder/potential policyholder/contracting party or beneficiary of

the insurance/reinsurance contract;

f) CSA – Insurance Supervisory Commission;

g) Office – National Office for the Prevention and Control of Money Laundering;

h) politically exposed persons - natural persons who are or have been entrusted with prominent public
functions, immediate family members as well as persons publicly known to be close associates of natural
persons that are entrusted with prominent public functions. This definition shall be supplemented with
the provisions of art. I point. 3 and art. 21 of Government Emergency Ordinance no. 53/2008 concerning
the amendment and supplementation of Law no. 656/2002 on the prevention and sanctioning of money
laundering and the implementation of measures to prevent and control terrorist financing;

i) beneficial owner - any natural person who ultimately owns or controls the customer and/or the
natural person on whose behalf or interest a transaction or activity is being conducted, directly or
indirectly. This definition shall be supplemented with the provisions of art. I point. 3 and art. 21 of
Government Emergency Ordinance no. 53/2008;

j) business relationship - the professional or commercial relationship that is connected with

the professional activities of the entities and which is expected, at the time when the contact is
established, to have an element of duration.

(2) The words and expression above shall be supplemented with the provisions laid down in the specific
legislation concerning the prevention and control of money laundering and terrorist financing.

Art. 4. - (1) CSA shall supervise and control the entities referred to in Art. 2 to ensure that such entities
apply and comply with the legal provisions in force concerning the identification, verification and
registration of clients and transactions, reporting suspicious transactions, cash transactions and external
transfers, and also the preparation and implementation of certain procedures for compliance with all
requirements and training of personnel in this respect.

(2) CSA shall be entitled to check the internal procedures and/or norms of the entities concerning the
prevention and control of money laundering and terrorist financing.

(3) CSA shall be entitled to request the amendment of the internal procedures and/or norms issued by
entities, whenever such internal procedures and/or norms fail to observe the prudential requirements
set out in these norms.

(4) CSA shall be entitled to monitor the transactions in financial instruments performed by entities in
order to identify suspicious transactions.

(5) CSA shall immediately inform the Office whenever the data collected shows suspicions of money
laundering, terrorist financing or breach of the provisions laid down in Law no. 656/2002, as amended
and supplemented.

(6) As part of the supervisory and oversight process, CSA may request that entities provide any relevant
information or document.

CHAPTER II

Obligations of the entities

Art. 5. - (1) Entities shall draft and implement adequate policies, procedures and mechanism aimed at
client due diligence, reporting, record keeping, internal control, risk assessment and management to the
purpose of preventing and deterring operations which raise money laundering or terrorist financing
suspicions and shall see to the appropriate training of its own personnel as well as of authorized agents.

(2) Implementation mechanisms and measures shall allow the identification of potential high risk clients,
products, services, operations and transactions by means of a scoring system.

(3) Entities shall have in place their own risk-based review system, according to which clients shall be
classified into at least 3 risk categories.

(4) Existing clients shall be classified within 18 months from the effective date of these norms.

(5) All new clients shall be subject to the standard due diligence procedure.

(6) The risk profile of the clients, products and services, as well as of operations and transactions shall be
established based on the review of the data collected within the due diligence process, as well as
through the ongoing monitoring of the business relationship.

(7) Entities shall have in place a written client acceptance procedure.

(8) Entities shall establish, verify and record the identification data of clients and beneficial owners
before establishing business relationships or performing transactions on behalf of clients/beneficial
owners.

(9) Internal policies and procedures shall be observed by all entity units, including the units located in
the European Economic Area or in non-member states, as well as by the head offices and branches of
legal person agents.

(10) Internal procedures shall be made available to CSA by electronic means – CD – within 90 days from
the effective date of these norms and subsequently, within 10 days from the effective date of
amendments thereto.

Art. 6. - (1) Entities shall appoint one or several persons from among their own personnel, who shall be
in charge of the implementation of and compliance with applicable legal provisions concerning the
control of money laundering and terrorist financing.

(2) The persons designated after the effective date of these norms shall be trained in the field of the
prevention and control of money laundering and terrorist financing.

(3) The persons referred to in para. (1) shall be granted direct and permanent access to the
management of the respective entity as well as to all the entity’s records, which shall be prepared in
observance of the provisions laid down in these norms and in the relevant legislation.

(4) The names, positions and responsibilities of the persons referred to in para. (1) shall be
communicated to the Office and CSA within 30 days from the effective date of these norms.

(5) Entities shall notify the Office and CSA with respect to the replacement or substitution of the persons
referred to in para. (1) within 10 days from relevant replacement or substitution.
(6) The persons appointed under para. (1) shall be responsible for the discharge of their duties in the
implementation of these norms and of the relevant legislation concerning the prevention and control of
money laundering and terrorist financing.

Art. 7. - (1) Entities shall ensure the training of their own personnel as well as of their authorized agents
with respect to issues concerning the prevention and control of money laundering.

(2) Training programs shall ensure that relevant persons are:

a) aware of the laws, regulations, norms and procedures concerning the prevention and control of
money laundering and terrorist financing;

b) competent enough to review transactions so that to identify money laundering and terrorist financing
operations;

c) fully aware of relevant reporting requirements.

(3) Entities shall inform all the persons referred to in para. (1) of the procedure concerning the
prevention and control of money laundering and terrorist financing.

Art. 8. – Entities shall have in place screening procedures for all their own personnel as well as, when
appropriate, for the natural and/or legal persons who act as authorized representatives thereof, to the
purpose of observing high quality requirements.

CHAPTER III

Standard client due diligence

Art. 9. - (1) In carrying out their activities, entities shall adopt proper measures for preventing money
laundering and terrorist financing and, for that purpose, shall apply, based on risk, standard, simplified
or enhanced customer due diligence measures which shall also allow the identification of the beneficial
owner, as the case may be.

(2) When in the course of a business relationship, suspicions arise with respect to a particular client, the
relevant entity shall assign the respective client to another risk category.

(3) Entities shall ensure that all standard client due diligence measures are applied by all entity units,
including the units located in the European Economic Area or in non-member states, as well as by the
head offices and branches of legal person agents.

Art. 10. - (1) Entities shall apply standard client due diligence measures in the following situations:

a) when establishing a business relationship;

b) when carrying out one-off transactions amounting to EUR 15,000 or more, irrespective whether the
transaction is carried out in a single operation or in several operations which seem to be linked;
c) when there are suspicions that the transaction is intended for money laundering or terrorist financing,
regardless of the derogation on the obligation to apply standard client due diligence measures, and the
amount involved in the transaction;

d) when there are doubts about the accuracy or appropriateness of previously obtained client
identification data; when there are suspicions that the client might not act in his own behalf or when
there is evidence that the client acts on behalf of another person, entities shall apply standard client due
diligence measures to obtain information regarding the true identity of the person in whose name or on
whose behalf the client acts.

(2) Entities shall review the information regarding the client’s identity, whenever suspicions arise with
respect to the respective client in the course of the business relationship.

Art. 11. - (1) - «repealed»;

(2) Entities shall have in place mechanism and implement permanent monitoring measures of
the business relationship, including: the review of the transactions performed in the course of the
business relationship, to ensure that such transactions are in line with the information held on the
client, his activities and risk profile, the review of the source of funds, when appropriate and the
permanent updating of relevant document, data and information.

(3) When client identification is not possible under these norms, entities shall not initiate
operations, perform transactions or shall prohibit any operation involving the respective client or shall
cease the business relationship with the said client and report the case to the Office and CSA, as
appropriate.

(4) An entity may reject operations whenever suspicions arise that the client may be involved in
money laundering or terrorist financing.

Art. 12. - (1) Client identification data shall be verified and updated or supplemented, as appropriate, in
the case of transactions amounting to minimum the lei equivalent of EUR 15,000 euro, irrespective
whether the transaction is carried out in a single operation or in several operations which seem to be
linked.

(2) Pursuant to art. 3 para. (1) and art. 9 para. (3) of Law no. 656/2002, as amended and supplemented,
whenever evidence shows that certain operations are carried out to the purpose of money laundering or
terrorist financing, clients shall be identified and reported, irrespective whether the amount of the
operation is lower than EUR 15,000.

(3) Entities shall screen the persons who conclude insurance policies as well as the beneficiaries of such
persons against the list of suspicious persons, as published in Government Decision no. 784/2004 to
approve the list of natural and legal persons under suspicion of terrorism or terrorist financing and in
Government Decision no. 1.272/2005 to approve the list of natural and legal persons under suspicion of
terrorism or terrorist financing.
Art. 13. - «repealed»;

Art. 14. - (1) Entities shall request that natural person clients provide under personal signature at least
the following information:

a) surname and first name of the client and any other names used (for example, a pseudonym);

b) date and place of birth;

c) personal numeric code or another similar unique identification code, in the case of non-residents;

d) the number and series of the identity document;

e) the date when the identity document was issued and the issuing authority;

f) domicile/residence (full address - street, number, block, entrance, floor, apartment, city,
county/sector, postal code, country);

g) citizenship or nationality;

h) resident/non-resident;

i) telephone /fax number, email address, where applicable;

j) «repealed»;

k) occupation and name of employer or nature of own activity, where applicable;

l) significant public position held, when appropriate;

i) name of the true beneficiary.

(2) Entities shall retain a copy of the client’s identity document. Clients shall present identity documents
issued by official authorities which have photos attached.

(3) Entities shall verify the information provided by clients by means of the documents presented.

Art. 15. - (1) Entities shall request that legal persons or entities without legal personality, as appropriate,
provide the following information:

a) full business name/name listed in the Registry of foundations and associations;

b) legal form;

c) number, series and date of the registration certificate/registration document with the National Trade
Register Office or similar or equivalent authorities;

d) «repealed»;
e) unique registration code or the equivalent thereof in the case of foreign legal persons;

f) «repealed»;

g) identity of the persons entrusted, according to their instruments of incorporation and/or resolutions
of their statutory bodies, with the competence to manage and represent the entity, and their powers to
bind such entity;

h) full address of registered office/head office or branch, as appropriate;

i) shareholder/partnership structure;

j) telephone /fax number, email address, where applicable;

k) type and nature of the activity carried out;

l) name/business name of beneficial owner.

(2) Legal person clients or entities without legal personality shall present the following documents and
the entity shall retain copies thereof, as appropriate:

a) memorandum of association/articles of association and by-laws;

b) power of attorney issued for the client’s authorized agent, when such person is not also the client’s
legal representative;

c) certificate issued by the National Trade Register Office (in the case of companies) or other similar
authorities of the home state and equivalent documents in the case of other types of legal persons or
entities without legal personality, which shall certify the client identification data;

d) a statement signed by the client’s legal representatives concerning the business pursued by the client
and the legal incorporation thereof.

(3) Entities shall identify the natural persons who seek to act on behalf of legal persons or entities
without legal personality in accordance with the policies and procedures implemented with respect to
the identification of natural persons and shall review the documents which authorize the said natural
persons to act on behalf of legal persons or entities without legal personality.

(4) The documents presented by legal person clients or entities without legal personality shall also
include legalized translations into Romanian, provided that such documents are prepared in another
language.

Art. 16. - (1) For the purposes of standard client due diligence, entities may also employ information
provided by third parties.

(2) When the third party acts as an intermediary between the client and the entity, the said third party
shall provide the entity which applies standard due diligence measures with all the information which
would have been requested in the course of direct identification, so that the requirements set out in
these norms are met.

(3) The third party shall immediately provide copies of the documents employed in the identification of
the client and beneficial owner, as appropriate, at the request of the person to whom the client was
recommended.

(4) The persons who use the information provided by a third party shall be ultimately liable for the
application of all standard due diligence measures.

CHAPTER IV

Simplified or enhanced client due diligence

Art. 17. - Entities may apply simplified customer due diligence measures in the situations referred to in
Art. 12 of Law No. 656/2002, as subsequently amended and supplemented, and also in the situations
referred to in Arts. 7-9 of the Regulation implementing the provisions of Law No. 656/2002 on the
prevention and sanctioning of money laundering and implementation of certain measures to prevent
and combat terrorist financing, as subsequently amended and supplemented, approved by Government
Decision No. 594/2008, as subsequently amended.

(1) Entities may apply simplified customer due diligence measures in the case of non-life insurance
policies if the insurance premium is smaller than or equal to the lei equivalent of EUR 2,500.

(2) Entities may apply simplified customer due diligence measures in the case of life insurance
policies if the insurance premium or annual payment instalments are smaller than or equal to the lei
equivalent of EUR 1,000, or the insurance single premium paid is smaller than or equal to the lei
equivalent of EUR 2,500.

(3) If periodical premium instalments or annual payable amounts are or shall be increased so as
to exceed the limit of EUR 1,000, and EUR 2,500, lei equivalent, the standard customer due diligence
measures shall apply.

(4) In the case of life insurance activities, the identity of the beneficiary of a life insurance policy
shall be verified whenever it is changed throughout the term of the insurance contract.

(5) Entities applying simplified customer due diligence measures must obtain sufficient
information about clients and continuously monitor their activity to establish whether they fall within
the category for which simplified customer due diligence measures were applied.

Art. 18. – (1) Besides standard due diligence measures, entities shall apply risk-based enhanced due
diligence measures in situations which, by their nature, entail high money laundering or terrorist
financing risk.

(2) «repealed»
(3) The application of enhanced customer due diligence measures shall be mandatory at least in the
following situations:

a) in the case of persons not physically present when operations are carried out; in this
situation, entities shall apply one or more of the following measures, without this list being exhaustive:

1. request additional documents and information to establish the identity of the client and
beneficial owner;

2. take enhanced measures to verify or certify the documents provided, or request certification
from a credit or financial institution subject to certain requirements for preventing and combating
money laundering and terrorist financing, equivalent to the standards provided in Law No. 656/2002, as
subsequently amended and supplemented, and in the regulations issued for the application thereof;

3. request that the first operation be made through an account opened in the name of the client
at a credit institution subject to certain requirements for preventing and combating money laundering
and terrorist financing, equivalent to the standards provided in Law No. 656/2002, as subsequently
amended and supplemented, and in the regulations issued for the application thereof;

b) in the case of occasional transactions or business relationships with politically exposed

persons, resident in another Member State of the European Union or European Economic Area or in a
third state, in which situation entities must:

1. have in place risk-based procedures and rules to allow the identification of clients/beneficial
owners falling within this category;

2. obtain the written approval of the entity’s executive management prior to entering into a
business relationship with a client falling within such category. If a client was accepted, and
subsequently such client was identified as falling within such category of clients, then, the written
approval of the entity’s management must be obtained for the continuation of the business relationship
with such client;

3. adopt proper measures to establish the source of income and of the funds involved in the
business relationship or occasional transaction;

4. continuously monitor and supervise the manner in which the business relationship with
persons falling within such category is conducted.

Art. 18.1. - (1) The entities which establish that one or more operations which were carried out
in the name of a client reveal signs of anomaly for such client’s activity or for the type of operation
concerned shall inform the Office and CSA whether there are any suspicions that the purpose of the
deviations from normality is money laundering or terrorist financing.

(2) Entities may consider that one or more of the following cases, without limitation, are signs of
anomaly for the insurance activity:
 a) the purchase of life insurance policies that require the payment of large premiums which
seem contrary to its client’s economic profile or to its capacity to obtain income;

b) the frequent payment of certain premiums in cash or foreign currency for large amounts
which seem contrary to its client’s financial capacities or to its activity;

c) the frequent payment of premiums in cash made by fractioned payments which in aggregate
would exceed the minimum values referred to in Art. 12 Para (1);

d) the appointment of certain beneficiaries for life insurance policies, so that the amounts
intended to be paid to each of them and established under the insurance contract as fractions of the
total amount, would exceed in aggregate the minimum values referred to in Art. 12 Para (1), if the
relationship between the policyholder and beneficiary does not justify it;

e) the execution of insurance policies with the payment of premiums by cheques issued by third
parties, especially in the situation in which there is no apparent link between the third parties and client;

f) the execution by the same contractor of certain life insurance policies of the same type which
have different beneficiaries;

g) the change of the beneficiary of the insurance policy in favour of third parties who are not
members of the policyholder’s family or have no relation whatsoever with the policyholder, in a justified
manner;

h) the client refuses to provide or is reserved in providing the required information for the
conclusion of the insurance contract, or provides inaccurate information;

i) the legal person client submits financial statements which are not prepared by an accountant;

j) the client submits ownership documents of the property to be insured which are not
consistent with reality or which show signs of forgery;

k) the client refuses to allow the entity’s representative to verify whether the property subject
of the insurance contract exists;

l) the client avoids direct contact with the entity’s employees or collaborators through the
frequent issuance of mandates or powers of attorney, in an unjustified manner;

m) the client avoids repeatedly direct contact with the entity, communications being sent by fax
or other means;

n) the client opens a large number of accounts at more branches of one/more credit institutions
and makes repeated transfers of significant amounts used to pay the insurance premiums;

o) the payment of insurance premiums by using the accounts of a trading company with
reduced activity and which does not justify the conclusion of insurance contracts for significant
amounts;
 p) the request that the first operation be made through an account opened in the name of the
client at a credit institution which is not subject to equivalent requirements for preventing and
combating money laundering and terrorist financing.

Art. 18.2. - Entities shall give special attention to transactions and products which, by nature,
may favour anonymity or which may allow interaction with client in its absence, and may be linked to
money laundering or terrorist financing.

Art. 18.3. - Entities must apply enhanced customer due diligence measures also in cases other
than those referred to in Art. 18, which, by nature, involve an enhanced risk of money laundering or
terrorist financing.

Art. 18.4. - (1) Entities must monitor all operations made by their clients, giving priority to the
category of high-risk clients.

(2) When decision is made on the clients included in the category of high-risk clients, the
following information shall be considered:

a) the type of client - natural/legal person, or the entity devoid of legal personality;

b) the home country;

c) the public office or significant position held;

d) the type of activity carried out by the client;

e) the source of client’s funds;

f) other risk indicators.

Art. 18.5. - (1) Entities must give enhanced attention to business relationships and transactions
with persons of jurisdictions which do not have in place proper systems for preventing and combating
money laundering and terrorist financing.

(2) Entities shall give special attention to all complex transactions, unusually high, or which do
not fall within the standard typology, including the operations which do not seem to have an economic,
commercial or legal sense.

(3) The circumstances and purpose of such transactions must be analysed as soon as possible by
the entity, inclusively based on additional documents, requested from the client for the justification of
the transaction.

(4) The findings of the verifications made in accordance with the provisions of Para (3) must be
recorded in writing and shall be available for further verifications or for the competent authorities and
auditors for a period of at least 5 years.
CHAPTER V

Politically exposed persons

Art. 19. – In the case of one-off transactions or business relationships with politically exposed persons,
entities shall have in place risk-based rules and procedures to identify clients/beneficial owners in this
category.

Art. 20. - (1) The approval of the entity’s management shall be sought and obtained before establishing
a business relationship with any politically exposed person. When a client is accepted and is
subsequently identified as politically exposed person, the approval of the entity’s management shall be
also obtained in order to continue the business relationship with the respective client.

(2) Entities shall adopt adequate procedures and measures to identify the source of income as well as
the source of the funds used in the business relationship or one-off transaction.

(3) Entities shall permanently monitor and supervise the business relationships established with the
clients in this category.

Art. 21. – Entities shall apply enhanced due diligence measures in situations other than those referred to
in art. 18, which, by their nature entail high money laundering or terrorist financing risks.

CHAPTER VI - «repealed»

CHAPTER VII

Record keeping and reporting requirements

Art. 24. - (1) Entities shall keep all client identification information for a period of at least 5 years as of
the date when the business relationship with the client ceased.

(2) Entities shall retain adequate operational records of all the financial operations carried out by the
client for a period of time of 5 years or more from the date of the relevant operation, at the request of
the Office or of other authorities, irrespective whether the insurance contract expired, was terminated
unilaterally or by mutual agreement, was cancelled or the insured event occurred. Such records shall be
sufficient to track each individual transaction, including the amount and currency, in order to constitute
evidence in court, when appropriate.

(3) Entities shall have in place internal procedures and systems to facilitate the immediate sending, at
the request of the Office, CSA and/or law enforcement authorities, of information concerning the
identity of clients and nature of business relationship, in case of existing clients or former clients in the
past 5 years.

Art. 25. - (1) Entities shall have in place procedures to identify the suspicious transactions or the types of
suspicious transactions performed on behalf of their clients.
(2) When certain operations which shall be carried out raise suspicions of money laundering or terrorist
financing, the entity shall provide the Office and CSA with a suspicious transaction report within no
more than 24 hours.

(3) The entity’s directors/members of the supervisory board, managers/members of the management
board/representatives and employees shall be prohibited to disclose the information concerning money
laundering and terrorist financing operations outside the scope of the relevant law and to warn the
clients or third persons involved of the fact that a suspicious transaction report or related information
was/will be sent to the Office and CSA.

Art. 26. - (1) Entities shall report to the Office and CSA within no more than 10 business days cash
operations denominated in lei and foreign currency which are equal to or exceed the lei equivalent of
the EUR 15,000, irrespective whether the transaction is performed in one operation or several
operations which seem to be linked.

(2) The provisions set out in para. (1) shall also apply to cross-border transfers.

Art. 27. – Entities shall be prohibited to claim the enforcement of non-disclosure agreements, of the
laws and legal provisions concerning professional secrecy as means to avoid reporting of suspicious
transactions.

Art. 28. – The entities referred to in art. 2 shall use solely the reporting forms issued by the Office.

CHAPTER VIII

Sanctions and other provisions

Art. 29. – Entities shall review their procedures and/or internal rules issued for preventing and
combating money laundering and terrorist financing, within 60 days following any amendment of the
specific legislation, and also depending on the identification of new risks.

Art. 30. – Non-compliance with the provisions laid down in these norms shall be deemed offence and
shall be sanctioned pursuant to art. 39 of Law no. 32/2000 on insurance undertakings and insurance
supervision, as amended and supplemented.

Art. 31. – These norms shall be rightfully supplemented with the other provisions of the legislation
concerning the prevention and control of money laundering and terrorist financing.