Biometric authentication, a method of utilizing unique physical characteristics to verify one's identity, has seen growing adoption in various sectors, with significant implications for financial services. In this article, we delve into the legal and regulatory landscape surrounding the introduction of a Biometric Authentication Service in the Republic of Moldova. We examine key legal considerations and offer insights into the implications of different consent models, potential liability, and other regulatory concerns.

1. ELECTRONIC PAYMENT LAWS AND REGULATIONS

The Republic of Moldova has established a comprehensive framework of electronic payment laws and regulations that impact electronic payment services, authentication, authorization, and processing. These laws and regulations include:

  • Law no. 114 of 18.05.2012, which pertains to payment services and electronic currency.
  • The Regulation on the provision of payment services through automated remote service systems, approved by the National Bank of Moldova (NBM).
  • The regulation regarding payment cards, approved by the Decision of the Board of Administration of the NBM.

These regulations are in alignment with the standards of the European Union, and Moldova's pursuit of EU accession has accelerated the harmonization of its financial regulations with EU directives. In addition to these existing regulations, Moldova is in the process of joining the Single Euro Payments Area (SEPA), signifying a commitment to align its financial systems with broader European standards.

2. CONSENT MODELS: OPT-IN VS. OPT-OUT

The choice between opt-in and opt-out consent models is of paramount importance when introducing a biometric authentication service. An opt-in model requires users to provide explicit consent, usually through affirmative actions like checking a box or actively confirming their agreement. In Moldova, opting for an opt-in approach is recommended, as it ensures that individuals provide clear and explicit consent. This aligns with best practices for securing user consent and data privacy.

3. MERCHANT LITIGATION AND RISKS

The offer of the Solution on an opt-out basis may raise concerns about the legal implications of users' consent. In Moldova, as in many jurisdictions, it is advisable to employ both opt-in and opt-out methods to maintain legal compliance and to provide users with the flexibility to withdraw their consent when desired. This dual approach allows businesses to cater to a broader range of user preferences and legal requirements.

4. REGULATORY AUTHORITY

The National Bank of Moldova (NBM) is the primary regulatory authority governing the financial sector, including payment services and electronic money issuance. The NBM plays a crucial role in licensing, supervising, and regulating financial institutions, such as banks and payment companies. While NBM approval is not explicitly required for Mastercard to offer the Solution in Moldova, it is crucial to ensure compliance with existing laws and regulations and to collaborate with financial institutions and regulatory authorities.

5. CONSUMER PROTECTION LAWS

Moldova boasts robust consumer protection laws designed to safeguard the rights and interests of consumers. These laws include:

  • Law no. 105 of 13.03.2003, which outlines general consumer protection requirements.
  • Law no. 157 of 18.07.2014, which focuses on distance contracts regarding consumer financial services.

The recent establishment of the National Financial Market Commission further enhances consumer protection in the financial sector. This regulatory consolidation seeks to reduce fragmentation and enhance efficiency in overseeing consumer financial services, including banking and non-banking entities.

6. BANKING SECRECY LAWS

Banking secrecy is a vital aspect of the financial sector in Moldova. Law no. 202 of 06.10.2017 governs banking secrecy and mandates the confidentiality of all information relating to the bank's activities, customer information, and financial data. The rigorous enforcement of banking secrecy laws is critical to ensuring customer data protection and compliance with legal requirements.

7. DATA BREACH LIABILITY

In the event of a data breach involving the Solution, Mastercard is held liable. Article 72 of Law no. 114 of 18.05.2012 provides for the right to recourse action, allowing entities to seek compensation for damages incurred due to the fault of another payment service provider or intermediary. Financial compensation can be negotiated based on agreements and relevant legal provisions.

8. MANDATING THE SOLUTION

Mastercard cannot mandate the use of the Solution with or without penalties or liquidated damages. The effectiveness of the Solution remains Mastercard's responsibility, and the company must ensure that its product meets security and performance standards.

9. OUTSOURCING LAWS AND REGULATIONS

Outsourcing activities are subject to specific regulations, as outlined in Article 82 of Law no. 202 of 06.10.2017. Banks must seek prior approval from the National Bank of Moldova for activities of material importance that are outsourced to third parties. Clear agreements and well-defined responsibilities are essential when using a reseller/distribution model, and compliance with regulations must be maintained.

10. CYBERSECURITY REGULATIONS

Cybersecurity regulations are of paramount importance, particularly in the context of digital financial services. The Regulation regarding the minimum requirements for the Information and Communication Systems of banks, approved by the National Bank of Moldova, outlines the minimum requirements for banks' information and communication systems. It ensures that banks have robust cybersecurity measures in place, aligned with their overall business strategies. Moldova has recently adopted the Cyber Security Law, set to take effect in 2025. This legislation is part of a broader initiative aimed at enhancing cyber resilience in public sector organizations and critical infrastructure actors.

The National Bank of Moldova places a strong emphasis on identifying and effectively managing the risks associated with information and communication technologies. It assesses ICT risks, evaluates compliance with cybersecurity regulations, and promotes resilience in the financial sector against cyber threats and attacks.

11. OTHER LEGAL OR REGULATORY CONCERNS

As of the present moment, no additional legal or regulatory concerns have been identified that may affect the launch of the Solution in the Moldovan market.

12. EMBEDDED SERVICE MODEL

The embedded service model, where Mastercard sells the Solution to partners (acquirers and payment service providers) for integration into their own products and services, shares common legal and regulatory considerations with the reseller/distribution model. The key difference is the extent of integration and responsibility assumed by partners. Clear cooperation, roles, and responsibilities should be outlined in agreements to ensure compliance with relevant laws and regulations.

13. DOMESTIC AND CROSS-BORDER TRANSACTIONS

The advice provided applies to both domestic and cross-border transactions. Moldova's regulatory framework seeks alignment with European standards, and the same principles generally apply to transactions within and beyond Moldova's borders.

14. IMPENDING REGULATIONS

As of the current assessment, there are no imminent regulations in the pipeline that may impact the legal considerations mentioned above. However, it is essential to remain vigilant and responsive to any future developments in the regulatory landscape.

CONCLUSION

Introducing a Biometric Authentication Service in Moldova requires careful consideration of the existing legal and regulatory framework. Ensuring compliance with electronic payment laws, adopting secure consent models, and safeguarding consumer protection are key aspects. Cybersecurity, data protection, and responsible outsourcing are essential considerations to deliver a secure and efficient Solution. Collaboration and clear agreements with partners are vital when employing distribution and embedded service models. Finally, it is essential to stay informed about any future regulatory developments that may affect the financial technology landscape in Moldova.
