Contributed By Kramer Levin Naftalis & Frankel LLP
In 2019, for the second year in a row, blockchain and cryptocurrencies were the main focus of French regulators within the fintech sector:
According to recent studies, there are between 350 and 500 active fintech companies in France, most of them founded in the last few years. France’s attractiveness is encouraged by various factors, such as the support of regulatory agencies and public authorities for the fintech industry, the quality of French engineers, and the wide network of startup incubators and accelerators. The French fintech scene covers a wide range of businesses, including mobile payments (Lydia, Pumpkin), personal fundraising apps (Leetchi and LePotCommun), neobanks specialised in startups and freelancers (Shine, Qonto), crowdlending and crowdfunding platforms (Lendix, KissKissBankBank, Younited, Unilend), robo-advisors (Advize, Yomoni) and payroll processors (Payfit).
French fintech companies are supported by a strong network of business angels and venture capital funds. According to France Fintech, French fintech startups raised an aggregate amount of EUR699 million in 2019, compared to EUR365 million in 2018. Recent high-profile deals include Kyriba, a cloud treasury and finance solutions provider (USD160 million), payment solutions provider Wynd (EUR72 million), crowdlending platform Younited (EUR65 million), Shift Technology, which specialises in fraud detection and claims automation (EUR53 million), and health insurance policy provider Alan (EUR40 million).
Now that the PACTE Act has become effective, we do not expect that any significant fintech-related piece of legislation will be adopted. However, the European Commission seems determined to regulate crypto-assets and has included a “proposal on crypto-assets” in its 2020 work programme.
The creation of a functional stablecoin (whether or not it is actually based on cryptography) by a large financial institution or a public body could be a game changer in 2020, as would be the creation of a CBDC by the French Central Bank.
Beyond the crypto space, we expect that neobanks and innovative mobile payment solutions will keep gaining market share and challenging established financial institutions in 2020.
As mentioned, French fintech companies cover a wide range of business models: mobile payment apps, group gifting/personal fundraising apps, bank accounts aggregators and personal finance apps, neobanks, bank-as-a-service platforms, crowdfunding and crowdlending platforms, robo-advisers, insurtechs, factoring and short-term financing providers, payroll processors, ICO issuers, cryptocurrency exchanges or hardware wallet makers, etc.
For their part, legacy players have understood the need to cooperate with these challengers in order to modernise and digitalise their business models and adapt to consumers who increasingly use mobile banking services and other payment innovations. Many French financial institutions have created their own fintech or insurtech incubators, such as L’Atelier by BNP Paribas, Le Village by Crédit Agricole, Kamet by AXA, Truffle Fintech Incubator by Truffle Capital, and Swave by a consortium of financial institutions including Société Générale, New Alpha Asset Management, and AG2R La Mondiale. Legacy players are also investing in some of the most successful French fintech companies (eg, Compte Nickel, Crédit.fr, KissKissBankBank, Pumpkin, Budget Insight, Treezor).
The regulatory regime applicable to fintech companies exclusively depends on their business model. As soon as an entity provides a regulated service, such entity must comply with a specific set of rules. Whether such entity is a newly created startup or a century-old financial institution, the applicable rules remain the same (even though the French regulators generally use a proportional approach when enforcing these rules). Even the Loi Pacte, which creates an ad-hoc regime for ICOs and digital assets services providers, does not apply exclusively to fintech companies, as any large financial institution has the possibility to provide services related to tokens or crypto-assets.
The specific regulatory regimes applicable to the fintech-related businesses mentioned above may be broadly presented as follows (although other regulatory regimes may apply depending on the particularities of each business model):
Although certain subsectors of fintech are subject to specific rules regarding their compensation model, compensation remains unregulated in most cases.
Generally speaking, the main limitations regarding fees charged to customers apply to the following verticals:
In any case, even when their pricing structure is unregulated, most fintech start-ups voluntarily disclose their fees on their website or in their general terms and conditions.
The activities of legacy players (including credit institutions, insurance undertakings and investment services providers) are based on traditional banking operations and insurance or investment services and products, which are governed mainly by the CRD IV, Solvency II and MiFID II frameworks (both the regulations and the transposition of the directives into French law). These regulations relate in particular to capital, internal organisation and resources requirements which are expected to be fulfilled by entities likely to present a systemic risk, especially within the eurozone. In return, legacy players benefit from a monopoly on the regulated activities subject to the above-mentioned directives.
Based on technical and material criteria, fintech companies’ businesses are not comparable to those of legacy players. Many of these businesses do not qualify as banking operations and insurance or investment services. Some of these businesses are not even regulated (ie, regtech companies). Therefore, provided that their businesses do not qualify as regulated activities, fintech companies will not be subject to the heavy regulations applicable to legacy players.
In addition, there is no legal definition of fintech under French law (nor under European law). The EBA recently defined fintech as “technologically enabled financial innovation that could result in new business models, applications or processes or products with an associated material effect on financial markets and institutions and the provision of financial services”. In addition, fintech companies do not constitute a homogeneous category of service providers; therefore, a case by case approach based on the service provided must be followed in order to compare the regulations applicable to legacy players and fintech companies.
Although French regulators do not plan to establish any regulatory sandbox, the French regulatory approach is based on proportionality and relies on setting out tailor-made regulatory frameworks inspired by legacy regulations, but proportionate to fintech companies’ activities (so-called “soundbox”). For example, token issuers and digital assets service providers benefit from a specific legal regime, inspired by legacy regulations (such as MiFID II), but which is not a mere regulatory sandbox.
Both French regulators also created internal teams dedicated to fintech actors, whose purpose is to help fintech entrepreneurs navigate complex regulatory issues.
Traditional players are authorised and supervised by the AMF and the French Central Bank, through the Prudential Supervision and Resolution Authority (Autorité de contrôle prudentiel et de résolution or “ACPR” – the banking and insurance regulator) depending on the services they provide (banking, investment services or insurance). Broadly summarised, the AMF is in charge of protecting consumers investing in financial instruments, while the ACPR is in charge of preserving the stability of the financial and banking system. The precise allocation of responsibilities is complex: for example, an investment services provider is authorised by the ACPR, but its programme of activity must be approved by the AMF. Once the investment services provider is authorised, the ACPR monitors the entity’s activity and financial situation, while the AMF monitors its compliance with the applicable code of conduct.
As a general rule, regulated activities performed by financial institutions may only be delegated to entities which are also authorised to perform such activities. Operational functions related to a regulated service may also be outsourced, although the supervision of the competent regulator extends to the vendor. Outsourcing such functions does not relieve the regulated entity from its primary responsibility towards clients or third parties.
The regulated entity must implement measures to monitor efficiently the compliance of the vendor with the applicable regulatory requirements. In certain cases, the outsourcing must also be declared to the competent regulator.
French regulators recently focused on issuing warnings against cryptocurrencies. Several publications of the AMF and the ACPR notably outlined the significant volatility and risks of loss. Further, both institutions recalled that these cryptocurrencies are not legal tender and do not qualify as financial instruments under French law. Consequently, investors’ attention is drawn to the fact that the legacy regulations aiming at protecting them do not apply.
In addition, the AMF publishes and regularly updates a blacklist of websites which market financial investments in France without authorisation. This blacklist initially focused on forex trading, binary options, and investments in miscellaneous property (eg, diamonds, wines, forests, etc), but was recently extended to websites irregularly marketing investments in crypto-assets and crypto-asset derivatives. The Act of 9 December 2016 on transparency and the fight against corruption also allows the AMF to require that such websites be made inaccessible to French Internet users through a temporary injunction.
We expect that significant enforcement actions will occur in the next few years against neobanks and innovative payment providers, in relation to their implementation of the anti-money laundering legislation.
Data privacy rules are provided in particular by Regulation 2016/679 of 27 April 2016 (General Data Protection Regulation or “GDPR”). From a domestic perspective, the Commission Nationale de l'Informatique et des Libertés (National Commission on Informatics and Liberty or “CNIL”) has jurisdiction over data privacy issues and protection of personal data, regardless of which entity is processing the data (public administrations, associations, private companies, etc). Entities must set out a data processing policy subject to the supervision of the CNIL. The CNIL may also sanction non-compliant entities.
The Agence nationale de la sécurité des systèmes d'information (National Cybersecurity Agency or “ANSSI”) is competent regarding cybersecurity issues. Cybersecurity regulation mainly arises from the transposition of Directive 2016/1148 of 6 July 2016 (“Network and Information Security Directive”). Under French law, entities designated as “operators of essential services” must notify the ANSSI of any breach or incident. In addition, operators of essential services must comply with various organisational requirements, under the supervision of the ANSSI. A government decree of May 2018 designates most regulated financial and banking institutions as operators of essential services. Fintech companies providing unregulated services would probably not be considered as operators of essential services under this regulation.
General anti-money laundering rules arising from Directives 2015/849 of 20 May 2015 and 2018/843 of 30 May 2018 (the fourth and fifth anti-money laundering directives) are applicable to fintech companies whose activity is regulated (such as payment services providers). More recently, transparency in relation to ICOs has been highlighted in the PACTE Act: tokens issued through a distributed ledger which does not allow their owners to be clearly identified will not qualify as tokens under French law and will not, therefore, benefit from the applicable provisions.
Legacy players’ communication is subject to a burdensome set of rules, especially when it relates to the distribution of regulated products or services. Customers must be provided with clear, accurate and non-misleading information at any time, whether such information is provided through the financial entities’ own website or through other media. Regarding social media, rules related to the distribution of regulated services apply regardless of the channel used for such distribution, as recalled in 2016 by the AMF (through the updates of several positions related to the marketing and distribution of financial products) and the ACPR (through a recommendation on the use of social networks for commercial purposes). Consequently, close attention should be paid to the content of the information posted on social media, as it is by nature likely to reach non-professional customers.
As regards fintech companies, their communication will only be subject to these rules if it relates to regulated services.
First of all, the appointment of an external auditor (commissaire aux comptes) is mandatory for all joint-stock companies (sociétés anonymes) and most simplified joint-stock companies (sociétés par actions simplifiées) (as soon as they exceed certain size thresholds). In addition, appointing an accounting firm is mandatory for all companies which carry out a regulated activity.
Regulated entities are subject to strict monitoring and supervision rules. In order to obtain an approval from the ACPR, for example, regulated entities must define a comprehensive internal compliance policy. The supervision is both internal and external: the compliance with the relevant rules is internally monitored by certain employees of the entity, while external consultants periodically audit and review its compliance procedures. Therefore, part of the supervision of the regulated entities is in practice outsourced to external consultants.
Fintech companies which provide regulated services must also comply with regulatory requirements. They tend to outsource most of the compliance processes to focus on technology and the core business. Otherwise, when fintech companies provide services which fall outside of the scope of the regulation, they are not subject to these compliance processes.
Generally speaking, under French law, most regulated entities may provide certain unregulated services. The extent of a regulated entity’s ability to provide unregulated services depends on its status. For example, credit institutions may provide a wide range of banking-related services (opérations connexes) which do not benefit from the banking monopoly, and acquire stakes in private companies. Credit institutions may also carry out various non-banking activities provided that such activities remain limited (ie, less than 10% of the net banking income) and do not limit competition on the relevant markets.
Three trends can be found in the French market regarding robo-advisers: robo-advisers helping mainstream clients in their investment decisions, robo-advisers managing investments directly on behalf of their clients, and robo-advisers acting as insurance brokers.
Depending on the case, the services provided by robo-advisers can qualify as investment advice or portfolio management within the meaning of MiFID II and the robo-adviser must consequently be authorised by the AMF. Robo-advisers active in the insurance market have to register as intermediaries with the French register of banking, finance and insurance intermediaries (ORIAS).
However, unlike with legacy players, most of the processes are fully automated. The clients provide information related to their financial capacity, objectives and risk aversion through standardised questionnaires. Depending on clients’ profiles, the robo-advisers provide advice related to investment opportunities or manage investments on their behalf. The AMF recalled in 2017 that entities offering automated tools which provide clients with estimates of financial instruments’ performance are subject to the duty to deliver clear, accurate and non-misleading information.
Generally speaking, robo-advisers allow customers to invest in a diversified portfolio of listed assets, such as a mix of bonds and stocks. Robo-advisers rely heavily on investments in ETFs or mutual funds.
Until now, the services provided by robo-advisers were reserved to clients with sufficient financial capacity in order to ensure the profitability of the service. Solutions introduced by robo-advisers target two key issues for mainstream clients: the service’s cost, on the one hand, and the entry ticket, on the other hand. Various studies recently outlined that reduced costs and low entry tickets are at the heart of robo-advisers’ strategy. Therefore, the main response of legacy players would be offering the same service to clients with lower financial capacity or entry tickets.
Issues relating to best execution of orders sent by clients do not differ between legacy players and robo-advisers. As a general principle, the services provided by robo-advisers qualify as investment services according to MiFID II (whether investment advice or portfolio management). Consequently, robo-advisers must set out a best execution policy in relation to orders traded on behalf of their clients.
The French regulatory framework for crowdlending was created in 2014 with a new exemption to the banking monopoly allowing individuals to grant loans through platforms. Several conditions restrict the scope of this exemption: loans may only be granted by non-professional lenders, the amount of each loan is capped at EUR2,000 per lender and per project (EUR5,000 for interest-free loans), and the maturity of each loan must be below seven years. Borrowers raising funds through crowdlending cannot raise more than EUR1 million per project. Mortgage loans and consumer credits are also outside of the scope of crowdlending.
Concerning regulatory authorisations, crowdlending internet platforms only have to register with the ORIAS, whereas legacy lenders must be authorised as credit institutions by the ACPR. The regulatory requirements that crowdlending platforms have to respect are proportionate to their status (ie, not as burdensome as rules applicable to legacy credit institutions).
Among other regulatory conditions aimed at protecting lenders, crowdlending platforms must deliver detailed information to potential lenders, which is mainly related to the underlying projects and the attached risks.
Funds raised through crowdlending platforms originally come from individual lenders acting for their own account, outside of any professional context. Therefore, they are not subject to any specific regulation, and market practices used in complex financing schemes do not apply.
However, investment funds have increasingly started to invest alongside individuals in SME financing deals through crowdlending platforms. Dedicated investment funds have been created, some of them by a regulated asset management subsidiary of the crowdlending platform operator, such as October.
No syndication of loans originated through crowdlending platforms is allowed under French law.
The definitions of payment services and payment transactions under French law are broad and cover most existing payment methods. The French Monetary and Financial Code defines what payment services and payment accounts are, rather than how a payment transaction must work from a technical point of view. Therefore, regulated payment processors (ie, payment services providers) should have the ability to use technical innovations to develop new payment methods within the scope of the existing regulation.
The regulation of payment services revolves around the notion of “funds”, which are defined as banknotes, coins, scriptural money, and electronic money. A payment method which would not use funds, but rather unregulated units of value (such as cryptocurrencies) might therefore fall outside of the scope of the regulation.
However, most payment operations involve a transfer of funds between two payment accounts. Therefore, any payment method implemented by a fintech startup needs to be compatible with the technical requirements of the entity in whose books the beneficiary’s account is opened.
Cross-border payments and remittances are included in the list of payment services and, therefore, are regulated as such, as soon as they involve the use of funds.
Fund administrators do not have a legal definition as such under French law. Traditional actors of the investment funds business include the management company and the depositary, which are both highly regulated entities under French law. Back-office services related to investment funds include mainly the calculation of the net asset value of the fund’s units, accounting services and reporting. These services are not regulated as such, although they are traditionally performed by branches of depositaries.
The contractual terms of the agreements between fund administrators and fund advisors are not regulated as such. We are not aware of specific provisions aimed at assuring performance and accuracy beyond what is generally used in equivalent agreements.
Under French law, the traditional gatekeeper in this context would be the depositary, whose legal duty is to assess the compliance of the management company’s decisions according to the applicable regulations.
The management company is also subject to specific disclosure obligations pursuant to AML/CFT rules, in case suspicious activities are identified.
The French regulation of trading platforms mostly replicates the taxonomy established by MiFID II. French law distinguishes three categories of trading platforms, in accordance with MiFID II: regulated markets, multilateral trading facilities (MTFs and organised MTFs) and organised trading facilities (OTFs).
First of all, all regulated trading platforms are subject to the same set of common rules, which include notably the prohibition of proprietary trading and various organisational and transparency requirements. Then, the main differences between regulated markets, MTFs and OTFs may be broadly described as follows:
Finally, with respect to marketplaces, no specific regulatory regime generally applies. Marketplaces may be regulated to the extent that they allow their clients to purchase or trade products which are subject to a regulation.
With respect to the listing on trading venues, not all asset classes are subject to the same regime. The relation between regulated trading venues and asset classes may be broadly presented as follows:
With respect to the Market Abuse Regulation, which establishes a common regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation, all financial instruments are subject to its provisions, whether they are traded on a regulated market, an MTF or an OTF.
The French regulation applicable to trading venues has not yet been impacted by the emergence of cryptocurrency exchanges. As financial instruments may not be listed on cryptocurrency exchanges for the time being, they remain outside of the scope of the regulation of traditional financial products.
Now that the PACTE Act is effective, cryptocurrency exchanges may apply for an optional licence with the AMF. Obtaining such licence would provide an exchange with extended rights to market its services towards French clients, although it triggers the application of various obligations which are broadly similar to those of investment services providers. However, cryptocurrency exchanges are not compelled to obtain such registration – they may operate freely in France.
In any case, cryptocurrency exchanges which allow their clients to trade cryptocurrencies against legal currency either need to obtain a payment service provider status or work with a payment service provider for the flows of legal currency. Therefore, cryptocurrency exchanges are always subject to AML-CFT requirements, as soon as they provide crypto-to-fiat trading services.
French law requires trading venues operators to have clear and transparent rules regarding the criteria used to determine which financial instruments may be traded within their system. In addition, the rules of a regulated market must provide for fair, orderly and efficient trading of the financial instruments.
Concerning the listing standards themselves, each trading venue operator establishes its own rules. However, these rules generally rely on the compliance of the issuer of the financial instrument with the relevant provisions of European and national law. Certain specific rules may also be set by the operators themselves. For example, concerning the minimal percentage of float, Euronext’s rules provide that, at the time of admission to listing, at least 25% of the subscribed capital represented by the class of securities concerned must be distributed to the public.
Order handling rules applicable in France arise from Delegated Regulation 2017/565 of 25 April 2016 and a section of the French Monetary and Financial Code. Pursuant to the Delegated Regulation, investment firms carrying out client orders must ensure that orders executed on behalf of clients are promptly and accurately recorded and allocated; execute client orders sequentially and promptly, unless the characteristics of the order, the prevailing market conditions, or the interests of the client require otherwise; and promptly inform retail clients about any material difficulty.
Pursuant to the French Monetary and Financial Code, investment services providers are subject to an obligation to reach the best possible result when executing a client’s order (also called the “best execution” obligation). The best possible result depends on various parameters which include the price of the financial instrument, the cost of the order, the size of the order, etc. With respect to retail clients, the best possible result primarily depends on the aggregate cost of the order.
In addition, investment services providers must set out and communicate to their clients an orders’ execution policy, which describes how orders are executed by the intermediary.
To our knowledge, the rise of peer-to-peer crypto-assets trading platforms has not yet impacted the regulation of trading venues. The development of such platforms is closely monitored by regulators both at national and European level.
Peer-to-peer platforms will definitely challenge the very definition of trading venues under MiFID II: all definitions refer to the notion of “multilateral system”. Hence, if peer-to-peer platforms are organised from a technical point of view to allow only bilateral trading, they might fall outside of the scope of MiFID II and an evolution of EU law may be needed. However, as ESMA notes, peer-to-peer crypto-assets trading platforms are still a long way from maturity and are still plagued by slowness and inefficiency.
Various issues may arise from the implementation of the obligation of best execution of clients’ orders. For example, as an investment services provider is allowed to execute orders on non-regulated venues (with the prior agreement of the client), the investment services provider may opt for a cheaper venue where the liquidity is lower, and miss the opportunity to complete a limit buy order which would have been executed if the investment services provider had chosen the most liquid and expensive venue. Therefore, the client might raise a claim against the investment services provider on the grounds that its order would have been executed if the investment services provider had chosen the best venue to carry out the order.
The AMF has addressed the issue of payment for order flows in its “guide to best execution” published in 2014. The AMF is aware of three kinds of payments for order flows: non-public price reductions, provision of tools or payment of connection fees and allocation of free shares in the company operating the trading venue.
To be considered lawful, non-public price reductions must satisfy three requirements: transparency vis-à-vis clients, enhancement of the service rendered and compliance with the duty to act in the best interests of the client. The AMF considers that these price reductions must be fully or partly passed on to clients in order to be considered lawful. Clients should also be informed about such price reductions. However, the AMF states that it is not allowed to forbid this practice under the existing rules.
With respect to connection offers, the AMF states that this practice may be acceptable if information about the connection offer is made public by the venue, the offer does not depend on reaching a certain volume of flows and clients are informed that their intermediary benefits from this offer. Finally, concerning the allocation of free shares, the AMF considers that such practice creates too great a risk that the investment services provider might not act in the best interests of its clients.
In any case, the choice of the trading venue must be made in a manner that complies with best execution obligations and obligations relating to the prevention and management of conflicts of interest.
Investment services providers must disclose the use of algorithmic trading to the AMF and submit detailed information related to negotiation parameters, but also to the compliance monitoring set out in order to ensure that their algorithmic trading systems are resilient and subject to appropriate thresholds. The activities operated through the algorithmic trading systems must be stored for at least five years and made available upon request of the AMF. There are no specific rules depending on the underlying class of assets subject to the algorithmic trading.
The applicability of this regulation depends on the use of algorithms (or, in other words, automated systems) for purposes of trading and not on the structure of the investment services providers using them. Therefore, entities using algorithmic trading are not likely to qualify, or be considered, as exchange platforms, but merely as members of a trading platform sending orders for their own account or on behalf of third parties.
The French Monetary and Financial Code provides that entities negotiating for their own account which use algorithmic trading systems are required to be licensed by the AMF as investment services providers for such purpose, even if they do not act on behalf or for the account of clients.
The obligation related to best execution of trades of investment services providers has been reinforced by MiFID II and includes trades arising from algorithmic trading systems. In order to allow the assessment by the AMF of this duty, investment services providers using algorithmic trading systems must notify the use of such technology to the AMF and store every order sent in the market, including cancelled orders, for at least five years.
Since the management companies of investment funds (AIFs and UCITS) are not considered investment undertakings as a result of the MiFID II transposition under French law, they are excluded from the scope of the EU provisions related to algorithmic trading. However, they are subject to French rules of good conduct in relation to the best execution of orders.
The reception and transmission of orders related to financial instruments qualifies as an investment service within the meaning of MiFID II and, therefore, must be considered as a regulated activity. A strong difference can be found between professional and non-professional clients regarding the related remuneration. Non-professional clients must be provided with detailed information in relation to the cost of the execution of their orders by the provider. Further, such provider must compare the fees of each platform allowing the trade in order to determine which one of these platforms will be the least expensive for their client. These duties do not apply when the client is professional.
As reminded by a 2013 publication of the AMF, platforms and related participants are exempted from any registration duty as long as the service they provide qualifies as an investment research service or a financial analysis service related to financial instruments according to Article L 321-2 of the French Monetary and Financial Code. For this purpose, the service must rely on the diffusion of general and impersonalised information or financial analysis, which can be aimed at advising an investment strategy but must in any case be addressed to a specific client.
Providers of investment research service or financial analysis service are subject to so-called “good conduct rules” under the related control of the AMF. In particular, they must ensure providing the public at any time with clear, accurate and non-misleading information.
In addition, irrespective of the regulatory status, spreading unverified information is prohibited pursuant to the Market Abuse Regulation and may lead to administrative or criminal sanctions.
For now, there are no institutional platforms active in France allowing users to post any kind of financial content or information qualifying as investment research service or financial analysis service on the platform.
As mentioned above, the spreading of rumours and unverified information is forbidden under the Market Abuse Regulation. Even before the Market Abuse Regulation came into force, the AMF sanctioned, in 2013, two bloggers who had spread misleading information about a listed French bank.
Since there is no such institutional platform dedicated to sharing financial information or analysis, there is no specific disclosure duty.
Whether they are carried out in an office or over the internet, insurance underwriting processes are regulated by the French Insurance Code. Several formal conditions must be set out by the insurance company in order to ensure that the agreement is valid and enforceable. When the insured party is a non-professional natural person and subscribes to the policy through an internet platform, a further set of provisions arising from consumer law allows the insured party to withdraw from the insurance agreement within 14 days from the day of subscription.
Each type of insurance (life, annuities, property, etc) is subject to its own set of regulations under the French Insurance Code. The level of supervision of the ACPR is the same for each category of insurance service. It should also be noted that the prudential treatment of insurance undertakings by the ACPR will not differ depending on the type of insurance service provided by the entity, but rather on the compliance with the related prudential rules.
Regtech companies provide services related mainly to the compliance of legacy players with prudential regulations (ie, Solvency II, MiFID II and CRD IV directives), reporting, risk management, KYC and AML procedures. The provision of these services is not regulated.
As a general rule, regulated entities which choose to delegate functions related to prudential or organisational regulations must ensure that they are able to assess the performance of the outsourced service by the provider. Regulated entities remain responsible towards their regulator, even if a specific obligation is violated by the external provider rather than themselves. To facilitate such monitoring of the external providers, regulated entities often include in the agreements provisions which allow them to control the actual compliance of the external provider with the requirements of the applicable regulation.
Regtech companies are not included in the list of entities subject to a disclosure duty under the French Monetary and Financial Code in case a suspicious activity is identified. However, if regtech companies continue to grow, the regulator will probably address that question.
Since 2015 and 2016, most French financial institutions have started to work on implementations of blockchain technology. Several French banks have reportedly joined the R3 consortium which develops the private blockchain platform named Corda. Euronext, BNP Paribas, Société Générale, CACEIS, and Caisse des Dépôts have jointly created LiquidShare, a start-up aimed at building a blockchain-based settlement system for non-listed securities. In addition, various major French non-financial companies are also experimenting with blockchain technology in their own field: for example, Carrefour is partnering with IBM to develop a blockchain-based food traceability platform. The French Central Bank itself developed a blockchain-based system to manage SEPA creditor identifiers. Overall, French legacy players are all implementing or thinking about implementing blockchain technology in their processes or their activity.
Furthermore, the French Central Bank announced in December 2019 that it will develop and test a CBDC – although it is still unclear whether such CBDC would be based on an actual blockchain.
While French regulators have issued multiple warnings concerning the risks of crypto-assets, the treatment of blockchain technology has been much more favourable. Blockchain technology is widely regarded as a major innovation which will likely transform the financial industry, and may also transform other industries (such as supply chain, identity management, healthcare, etc). More specifically, in October 2018, the CNIL issued a report on the compatibility of blockchains with the GDPR, and in December 2018, a parliamentary working group published a report on blockchain technology.
However, the major step was the publication of the government decrees of 8 December 2017 and 24 December 2018 which allow the use of a blockchain (formally denominated “shared electronic recording system”) for the issuance, registration and transfer of unlisted equity and debt securities. Securities issued through a blockchain will still qualify as financial instruments: this new regime will not allow the creation of “security tokens”.
The widespread use of blockchain for the issuance, registration and transfer of securities remains hindered by various legal obstacles, such as the lack of a clear status for custodians of securities registered on a blockchain or the impossibility of trading such securities outside of a regulated platform (such as an MTF). The AMF has been involved with working groups in the last few months and plans to promote a legislative change, both at the national and European level, to stimulate the development of blockchainised securities.
Under the existing legislation, certain blockchain assets would qualify as financial instruments within the meaning of MiFID II (and its transposition to French law); any blockchain asset which would present the characteristics of a financial instrument would likely qualify as a financial instrument and be regulated as such.
The Loi Pacte will distinguish between two categories of blockchain assets: those which qualify as financial instruments and digital assets (actifs numériques), which would comprise all other crypto-assets (including tokens issued pursuant to ICOs which do not qualify as financial instruments). In addition, French regulators tend to use in their publications the taxonomy which distinguishes investment tokens, utility tokens and payment tokens.
Regulation No 2018-07 of the Accounting Standards Authority (Autorité des normes comptables or “ANC”) qualifies all crypto-assets, including cryptocurrencies, as “tokens” for accounting purposes.
The issuance of crypto-assets is not currently regulated under French law. However, if the issued crypto-assets qualify as financial instruments, the regulation applicable to these instruments would normally apply. The treatment of “security tokens” or “equity tokens” is still unclear under French law, and the AMF is expected to clarify its position in the first half of 2019.
With the Loi Pacte, the French government plans to establish France as a major hub for ICOs and therefore plans to create a comprehensive legal framework for ICO issuers. Under the proposed legislation, token issuers will have the right to ask the AMF to grant its approval (“visa”) to their ICO, as soon as the following requirements are met: the issuer is a legal entity incorporated in France, or at least registered in France through a branch; the white paper and the marketing materials are accurate, written in plain language, and non-misleading; and the issuer plans to implement adequate procedures to track and safeguard the funds raised in the ICO. The AMF’s visa will be optional.
In addition to this regime, the ANC published in December 2018 a regulation which establishes the accounting rules applicable to ICO issuers and ICO investors. Such regulation also clarifies the tax treatment of ICO issuers and investors, as fiscal and accounting rules are closely related.
providing the service of purchase or sale of digital assets against legal currency, and custodians of digital assets or private keys, are required to register with the AMF. Such registration mostly triggers the application of the anti-money laundering legislation – there are no other substantial rules which apply to registered DASPs.
In addition, all other entities whose activity involves crypto-assets may apply for an optional licence with the AMF. Thus, entities which are not compelled to apply for the registration, such as crypto-to-crypto brokers or exchange platforms, may apply for the licence. As explained, obtaining the licence triggers the application of the anti-money laundering legislation, as well as various other obligations similar to those of investment services providers. In return, licensed DASPs are allowed to broadly advertise their services towards French clients.
The actual regulatory status of crypto-assets exchange platforms is still quite unclear. These platforms are not required to register with the AMF as such, even if they allow the exchange of legal currency against crypto-assets. However, if they allow their clients to deposit legal currency, they are required, as explained above, to obtain a payment services provider status or delegate the handling of legal currency account to a regulated provider. In addition, if they provide crypto-assets custody services to their clients (which is always the case for “custodial” platforms), they are required to register as custodians of digital assets, although such service is only incidental.
As regards platforms trading crypto-assets which qualify as financial instruments, they will likely need to obtain authorisations to operate as regulated markets, MTFs or OTFs. However, ESMA’s Report on Crypto-assets and Initial Coin Offerings (January 2019) suggests that peer-to-peer platforms where crypto-assets qualified as financial instruments are listed might fall outside of the scope of the European regulation. As of February 2020, the AMF has not made its position known on the matter of peer-to-peer platforms.
French alternative asset manager Tobam launched in November 2017 the first European cryptocurrency fund, the Tobam Bitcoin Fund. However, this fund was not licensed by the AMF as cryptocurrencies do not fit in any existing category of the regulatory regime applicable to asset managers.
A provision of the PACTE Act now allows professional specialised investment funds (fonds professionnels spécialisés or “FPS”) to purchase assets registered in a shared electronic recording system, ie, a blockchain. Only professional investors will be able to invest in such cryptocurrency FPS. Napoleon Asset Management, a regulated asset manager specialised in crypto-assets, launched in December 2019 the first regulated crypto-assets fund (even though this fund does not hold crypto-assets directly, but rather invests in Bitcoin derivatives listed on the CME).
The regime established by the PACTE Act does not treat cryptocurrencies differently from other “digital assets”. Similarly, Regulation No 2018-07 of the ANC considers cryptocurrencies such as Bitcoin or Ether as “tokens” for accounting purposes. In any case, there is no plan to give certain prominent cryptocurrencies any preferential legal treatment, such as acknowledging their use as money or medium of exchange.
Overall, regulators and legislators mainly expressed their interest in utility tokens and the use of ICOs as a new method of financing for start-ups and SMEs. Cryptocurrencies, however, are still treated with suspicion. The priority of the legislator is to prevent their use in money laundering schemes.
Public blockchains are at odds with certain rights guaranteed by the GDPR, such as the right to erasure, the right to rectification and the right to object to processing. In September 2018, the CNIL issued a report on the compatibility of public and permissioned blockchains with the GDPR. (As for private blockchains, the CNIL noted that they do not raise specific issues with respect to the GDPR, as their immutability is usually not guaranteed by design.) The CNIL stated that whenever a blockchain contains personal data, the GDPR applies. The CNIL focuses on personal data which may be uploaded to a blockchain as a way to ensure traceability of real-world documents (eg, a diploma), but seems to acknowledge the conflict between some GDPR requirements such as the right to erasure and the very nature of public blockchains. In any case, the CNIL recommends not storing unencrypted personal data in a blockchain. The CNIL also announced that the challenges raised by blockchains regarding data protection will have to be addressed at the European level.
Directive (EU) 2015/2366 of November 25, 2015 on payment services in the internal market (PSD2) was transposed into French law in August 2017. PSD2 aimed to modernise payment services in the European Union by taking advantage of the emergence of online and mobile banking. The cornerstone of that modernisation is the right to access a bank account, on which rely, for example, services which collect and consolidate information on the different bank accounts of a consumer in a single place or services which allow customers to make internet payments without using a credit card (ie, by sending a direct wire transfer from the customer’s account to the seller’s account). In practice, PSD2’s major contribution to the growth of open banking is the creation of two new categories of payment services under French law (the payment initiation service and the account information service) and the removal of certain barriers which prevented third-party providers from providing these payment services. Several successful French fintech companies, such as Linxo and Lydia, are already providing regulated services under these new categories.
The transposal of PSD2 into French law forces banks to share with various fintech companies certain personal data related to their clients (eg, information related to clients’ bank accounts). In order to share this information, banks need to create secure application programming interfaces (APIs). It has been reported recently that banks were slow to create these APIs and justified their reluctance by invoking the need to guarantee the security of clients’ bank accounts and data. The deadline to implement these APIs was set at September 2019. According to reports, only a small percentage of French banks had made usable APIs available to third-party providers in September 2019.
If they are unable to use APIs, third-party providers such as account aggregators and payment initiation providers will have to keep using web-scraping methods in order to access clients’ banking data, and these methods are considered insufficiently secure.
In addition, the obligation to share clients’ personal data raises the issue of the compliance of PSD2 with the GDPR, as certain payment data may prove sensitive. In any case, both banks and fintech companies will have to comply with the GDPR when processing clients’ personal data.