Skip to content
info@incorpore.ro

AML & KYC

What we ask,
why, and what we do with it.

Under Romanian Law 129/2019 — the local transposition of the EU AML directive — advisory firms must identify clients, assess risk, monitor relationships, and report suspicious activity to ONPCSB. The page below describes the cycle that any compliant Romanian advisor will follow on your engagement, in plain language.

Last updated 2026-01-01. Aligned with ONPCSB published guidance.

The five-stage cycle

From first contact
to record retention.

The same cycle applies to every engagement, scaled to risk. Standard for most founders. Enhanced for higher-risk profiles. Simplified for low-risk, narrow scopes.

  1. 01

    Onboarding

    Before any engagement letter is signed, the natural persons behind the contract are identified: shareholders above 25%, directors, ultimate beneficial owners. The standard set is a scanned passport, a recent proof of address, and a short source-of-funds note. For corporate counterparts, the certificate of incorporation, the register of shareholders traced to UBO, and good-standing evidence.

  2. 02

    Risk classification

    Each engagement is assessed against a documented risk matrix: nationality and tax residency, source of funds, business activity, geography, and politically exposed person status. The classification sets the level of due diligence — standard, enhanced, or simplified — and is reviewed annually.

  3. 03

    Ongoing monitoring

    For active engagements a periodic review cycle is maintained. Material changes in ownership, activity, or jurisdiction trigger re-verification. Transactions that depart from the established pattern are reviewed before they are facilitated.

  4. 04

    Reporting

    Where Romanian law requires it, suspicious-transaction or unusual-activity reports are submitted to ONPCSB (the Romanian AML supervisor). The client is not notified about a report, in line with the tipping-off prohibition under Article 38 of Law 129/2019.

  5. 05

    Records

    Identification documents, risk assessments, and engagement files are retained for ten years from the end of the engagement, as required by Romanian law. Records are stored encrypted, accessed on a need-to-know basis, and never shared with marketing or third-party processors outside the lawful chain.

What we collect

By profile.

The exact list is confirmed in your engagement letter. Items below are the standard set. Your specific case may need fewer or, for higher-risk profiles, additional items.

Individual founders

  • Scanned passport or national ID, all pages including blank.
  • Proof of address dated within 90 days (utility bill or bank statement).
  • Source-of-funds note describing where the working capital comes from.
  • Short business-activity description (CAEN code where known).
  • Politically exposed person self-declaration.

Corporate shareholders

  • Certificate of incorporation, dated within six months.
  • Certificate of good standing or equivalent.
  • Memorandum and articles of association.
  • Register of shareholders, traced to ultimate natural-person beneficial owners.
  • Director identification documents (passports, address proofs).
  • Last two years of audited or management accounts where available.

Higher-risk profiles

  • Enhanced source-of-funds documentation, including bank statements and supporting evidence.
  • Reference letter from an existing professional advisor or banking relationship.
  • Where applicable, evidence of regulatory licensing or registration in the home jurisdiction.
  • Detailed business plan and expected transaction profile.

Your rights and obligations

What you can ask,
what we cannot tell you.

You may ask, at any time, what data is held about you, why it is held, and the legal basis. The Privacy Policy at /privacy/ sets out the GDPR rights in detail.

Under Romanian law, you cannot be informed by your advisor if a suspicious-activity report has been submitted to ONPCSB about your file. Article 38 of Law 129/2019 prohibits this. If you suspect a report has been made and disagree with the basis, the lawful route is a complaint directly to ONPCSB or to ANSPDCP (the data-protection authority) on the data-handling aspect.

You are obliged, under the engagement letter and under Romanian law, to provide accurate information for AML purposes. Knowingly providing false information can constitute a criminal offence under Romanian law and will, in any case, terminate the engagement.

Questions about a specific item we asked for?

Write to info@incorpore.ro with the engagement reference. The compliance contact replies within one business day.

Contact compliance