In 2019, France proclaimed its goal to become a leading jurisdiction for blockchain technology and crypto-assets and adopted the PACTE Act (which stands for “Action Plan for the Growth and Transformation of Companies”), which introduced the first comprehensive regulatory framework for initial coin offerings (ICOs) and intermediaries dealing with crypto-assets.
Despite the COVID-19 pandemic, the progress made in 2020 was in line with this goal.
The Broader Fintech Ecosystem
Concerning the broader fintech ecosystem, there are presently around 600 active fintech companies in France. France’s attractiveness is enhanced by various factors, such as support by regulatory agencies and public authorities for the fintech industry, the quality of French engineers, and the wide network of start-up incubators and accelerators. The French fintech scene covers a wide range of businesses, among them, mobile payments (Lydia, Pumpkin); personal fund-raising apps (Leetchi and LePotCommun); neobanks specialised in start-ups and freelancers (Shine, Qonto); dematerialised meal vouchers (Swile); crowdlending and crowdfunding platforms (Lendix, KissKissBankBank, Younited, Unilend); robo-advisers (Advize, Yomoni); insurtech (Alan, Luko); and payroll processors (Payfit).
Development of contactless payment solutions and digitalisation of banking and financial services
French fintech companies are supported by a strong network of business angels and venture capital funds. According to France Fintech, French fintech start-ups raised an aggregate amount of EUR828 million in 2020, compared to EUR699 million in 2019. Against all expectations, the COVID-19 pandemic seems to have had a positive impact on the fintech sector due to the development of contactless payment solutions and the broader digitalisation of banking and financial services. Recent high-profile deals include Qonto (EUR104 million), payment solution providers Lydia (EUR112 million) and Swile (EUR70 million), and health insurance policy provider Alan (EUR50 million).
The European Commission's digital finance package
Now that the PACTE Act has become effective, it is not expected that any significant fintech-related piece of legislation will be adopted, especially as legislation is being prepared at the European level. On 24 September 2020, the European Commission published a digital finance package, including a digital finance strategy and legislative proposals on the regulation of crypto-assets and the creation of a pilot regime for market infrastructures based on blockchain.
Creation of digital coinage
The creation of a functional stablecoin (whether or not it is actually based on cryptography) by a large financial institution or public body could be a game changer in 2021, as would be the creation of a CBDC by the French Central Bank.
Beyond the crypto-space
It is expected that neobanks and innovative mobile payment solutions will keep gaining market share and challenging established financial institutions in 2021.
French fintech companies cover a wide range of business models: mobile payment apps, group gifting/personal fundraising apps, bank account aggregators and personal finance apps, neobanks, bank-as-a-service platforms, crowdfunding and crowdlending platforms, robo-advisers, insurtechs, factoring and short-term financing providers, payroll processors, ICO issuers, cryptocurrency exchanges or hardware wallet makers, etc.
Legacy players have understood the need to co-operate with these challengers in order to modernise and digitalise their business models and adapt to consumers who increasingly use mobile banking services and other payment innovations. Many French financial institutions have created their own fintech or insurtech incubators, such as L’Atelier by BNP Paribas, Le Village by Crédit Agricole, Kamet by AXA, Truffle Fintech Incubator by Truffle Capital, and Swave by a consortium of financial institutions including Société Générale, New Alpha Asset Management, and AG2R La Mondiale. Legacy players are also investing in some of the most successful French fintech companies (eg, Compte Nickel, Crédit.fr, KissKissBankBank, Pumpkin, Budget Insight, Treezor).
The regulatory regime applicable to fintech companies depends exclusively on their business model. As soon as an entity provides a regulated service, such entity must comply with a specific set of rules. Whether such entity is a newly created start-up or a century-old financial institution, the applicable rules remain the same (even though the French regulators generally use a proportional approach when enforcing these rules). Even the PACTE Act, which creates an ad hoc regime for ICOs and digital asset service providers, does not apply exclusively to fintech companies, as any large financial institution has the possibility to provide services related to crypto-assets.
The specific regulatory regimes applicable to the fintech-related businesses mentioned in 2.1 Predominant Business Models may be broadly presented as follows (although other regulatory regimes may apply depending on the particularities of each business model):
Generally speaking, regulated actors are required to provide various information to their potential customers before entering into a relationship with them. This information must include the fee structure of the service provider. Most regulated actors are also subject to rules on conflicts of interests which may affect their compensation structure.
More specifically, the main limitations regarding fees charged to customers apply to the following verticals.
In any case, even when their pricing structure is unregulated, most fintech start-ups voluntarily disclose their fees on their website or in their general terms and conditions.
Legacy players’ (including credit institutions, insurance undertakings and investment services providers) activities are based on traditional banking operations and insurance or investment services and products, which are governed mainly by the CRD IV, Solvency II and MiFID II frameworks (both the regulations and the transposition of the directives into French law). These regulations relate in particular to capital, internal organisation and resources requirements which are expected to be fulfilled by entities likely to present a systemic risk, especially within the eurozone. In return, legacy players benefit from a monopoly on the regulated activities subject to the above-mentioned directives.
The businesses of fintech companies are not comparable to those of legacy players. A lot of these businesses do not qualify as banking operations and insurance or investment services. Some of these businesses are not even regulated (ie, regtech companies). Therefore, provided that their businesses do not qualify as regulated activities, fintech companies will not be subject to the heavy regulations applicable to legacy players.
In addition, there is no legal definition of fintech under French law (nor under European law). The European Banking Authority (EBA) recently defined fintech as “technologically enabled financial innovation that could result in new business models, applications or processes or products with an associated material effect on financial markets and institutions and the provision of financial services”. Fintech companies do not constitute a homogeneous category of service providers; therefore, a case-by-case approach based on the service provided must be followed in order to compare the regulations applicable to legacy players and fintech companies.
Although French regulators do not plan to establish any regulatory sandbox, the French regulatory approach is based on proportionality and relies on setting out tailor-made regulatory frameworks inspired by legacy regulations, but proportionate to the activities of fintech companies (so-called “soundbox”). For example, token issuers and digital asset service providers benefit from a specific legal regime, inspired by legacy regulations (such as MiFID II), but which is not merely a regulatory sandbox.
Both French regulators have also created internal teams dedicated to fintech actors, whose purpose is to help fintech entrepreneurs navigate complex regulatory issues.
Traditional players are authorised and supervised by the AMF and the French Central Bank, through the Prudential Supervision and Resolution Authority (Autorité de contrôle prudentiel et de résolution or ACPR – the banking and insurance regulator) depending on the services they provide (banking, investment services or insurance). Broadly summarised, the AMF is in charge of protecting consumers that invest in financial instruments, while the ACPR is in charge of preserving the stability of the financial and banking system. The precise allocation of responsibilities is complex: eg, an investment services provider is authorised by the ACPR, but its programme of activity must be approved by the AMF. Once the investment services provider is authorised, the ACPR monitors the entity’s activity and financial situation, while the AMF monitors its compliance with the applicable code of conduct. Similarly, the AMF is the authority that grants registration to digital asset service providers, while the ACPR is in charge of validating the applicant’s money-laundering procedure.
As a general rule, regulated activities performed by financial institutions may only be delegated to entities which are also authorised to perform such activities. Operational functions related to a regulated service may also be outsourced, although the supervision of the competent regulator extends to the vendor. Outsourcing such functions does not relieve the regulated entity from its primary responsibility towards clients or third parties.
The regulated entity must efficiently implement measures to monitor the compliance of the vendor with the applicable regulatory requirements. In certain cases, the outsourcing must also be declared to the competent regulator.
As a general rule, regulated entities (whether they are start-ups or large companies) are responsible for ensuring that the services they provide are not used for illicit purposes. This is why all the regulated actors are subject to anti-money laundering legislation, and are expected to obtain sufficient knowledge of their clients to be able to prevent them from using their platform for illicit activities.
Unregulated fintech companies are not subject to anti-money laundering legislation, but are still forbidden from knowingly facilitating illicit activities. These actors need to be careful not to become the vectors of money-laundering or terrorism-financing schemes.
An interesting example is the emergence of blockchain-based decentralised trading platforms. Whether the person who deploys the smart contract on which the decentralised platform is based is responsible for potentially illicit activities conducted through the platform remains highly unclear.
French regulators recently focused on issuing warnings against crypto-assets. Several publications of the AMF and the ACPR notably outlined the significant volatility and risk of loss. Both institutions reminded their readers that these crypto-assets are not legal tender and do not qualify as financial instruments under French law. Consequently, the investors’ attention is drawn to the fact that the legacy regulations aimed at protecting them do not apply. Moreover, the AMF published an analysis of the legal qualification of derivatives on crypto-assets. For the regulator, basically all crypto-asset derivatives qualify as financial contracts, and therefore financial instruments. Consequently, the regulation applicable to the marketing of financial instruments in France (including the specific restrictions which apply to CFDs) also applies to crypto-asset derivatives.
In addition, the AMF publishes and regularly updates a blacklist of websites which market financial investments in France without authorisation. Such blacklist initially focused on forex trading, binary options, and alternative investments (eg, diamonds, wines, forests, etc), but was recently extended to websites irregularly marketing investments in crypto-assets and crypto-asset derivatives. The AMF also recently obtained an order from the Paris Court of Justice which requested the closure of six internet addresses relating to three sites illegally offering alternative investments.
Significant enforcement actions against neobanks and innovative payment providers can be expected in the next few years, in relation to their implementation of anti-money laundering legislation.
Data privacy rules are provided in particular by Regulation 2016/679 of 27 April 2016 (General Data Protection Regulation or GDPR). From a domestic perspective, the Commission Nationale de l'Informatique et des Libertés or CNIL (National Commission on Informatics and Liberty) has jurisdiction over data privacy issues and protection of personal data, regardless of which entity is processing the data (public administrations, associations, private companies, etc). Entities must set out a data processing policy, subject to the supervision of the CNIL. The CNIL may also sanction non-compliant entities.
The Agence nationale de la sécurité des systèmes d'information or ANSSI (National Cybersecurity Agency) is competent regarding cybersecurity issues. Cybersecurity regulation mainly arises from the transposition of Directive 2016/1148 of 6 July 2016 (“Network and Information Security Directive”). Under French law, entities designated as “operators of essential services” must notify the ANSSI of any breach or incident. In addition, operators of essential services must comply with various organisational requirements, under the supervision of the ANSSI. A government decree of May 2018 designates most regulated financial and banking institutions as operators of essential services. Fintech companies providing unregulated services would probably not be considered as operators of essential services under this regulation.
The communication of regulated actors is subject to a burdensome set of rules, especially when it relates to the distribution of regulated products or services. Customers must be provided with clear, accurate and non-misleading information at any time, whether such information is provided through a financial entity’s own website or through other media. Regarding social media, rules relating to the distribution of regulated services apply regardless of the channel used for such distribution, as reiterated in 2016 by the AMF (through the updates of several positions related to the marketing and distribution of financial products) and the ACPR (through a recommendation on the use of social networks for commercial purposes). Consequently, close attention should be paid to the content of the information posted on social media, as it is by nature likely to reach non-professional customers.
As regards fintech companies, their communication will only be subject to these rules where it relates to regulated services.
First of all, the appointment of an external auditor (commissaire aux comptes) is mandatory for all joint-stock companies (sociétés anonymes) and most simplified joint-stock companies (sociétés par actions simplifiées), as soon as they exceed certain size thresholds. In addition, appointing an accounting firm is mandatory for all companies which carry out a regulated activity.
Regulated entities are subject to strict monitoring and supervision rules. In order to obtain approval from the ACPR, for example, regulated entities must define a comprehensive internal compliance policy. The supervision is both internal and external: compliance with the relevant rules is internally monitored by certain employees of the entity, while external consultants periodically audit and review its compliance procedures. Therefore, part of the supervision of regulated entities is in practice outsourced to external consultants.
Fintech companies which provide regulated services must also comply with regulatory requirements. They tend to outsource most of their compliance processes, to focus on technology and the core business. Otherwise, when fintech companies provide services which fall outside the scope of regulation, they are not subject to these compliance processes.
Generally speaking, under French law, most regulated entities may provide certain unregulated services. The extent of a regulated entity’s ability to provide unregulated services depends on its status. For example, credit institutions may provide a wide range of banking-related services (opérations connexes) which do not benefit from the banking monopoly, and they may acquire stakes of private companies. Credit institutions may also carry out various non-banking activities as long as such activities remain limited (ie, less than 10% of the net banking income) and do not limit competition on the relevant markets.
Some regulated actors, such as crowdfunding intermediaries, are also forbidden from carrying out activities other than those for which they are regulated.
Three trends can be found in the French market regarding robo-advisers:
In such cases, the services provided by robo-advisers qualify as investment advice or portfolio management within the meaning of the MiFID II framework and the robo-adviser must consequently be licensed as either a financial investment adviser or an ISP. Robo-advisers that are active in the insurance market have to register as intermediaries with the French register of banking, finance and insurance intermediaries (ORIAS).
However, in contrast to legacy players, most of the processes of robo-advisers are fully automated. The clients provide information related to their financial capacity, objectives and risk aversion through standardised questionnaires. Depending on the client's profile, the robo-advisers provide advice related to investment opportunities or manage investments on their behalf. The AMF reiterated in 2017 that entities offering automated tools which provide clients with financial instruments’ performance estimations are subject to the duty to deliver clear, accurate and non-misleading information.
Generally speaking, robo-advisers allow customers to invest in a diversified portfolio of listed assets, such as a mix of bonds and stocks. Robo-advisers rely heavily on investments in exchange-traded funds (ETFs) or mutual funds.
Until now, the services provided by robo-advisers were reserved for clients with sufficient financial capacity to ensure the profitability of the service. Solutions introduced by robo-advisers target two key issues for mainstream clients: the service’s cost, on the one hand, and the entry ticket, on the other hand. Various studies recently outlined that reduced costs and low-entry tickets are at the heart of robo-advisory strategy. Therefore, the main response of legacy players would be to offer the same service to clients with lower financial capacity or entry tickets.
Issues relating to best execution of orders sent by clients do not differ between legacy players and robo-advisers. As a general principle, the services provided by robo-advisers qualify as investment services according to MiFID II (whether investment advice or portfolio management). Consequently, robo-advisers must set out a best execution policy in relation to orders traded on behalf of their clients.
The French regulatory framework of crowdlending was created in 2014 with a new exemption to the banking monopoly allowing individuals to grant loans through platforms. Several conditions restrain the scope of this exemption: loans may only be granted by non-professional lenders, the amount of each loan is capped at EUR2,000 per lender and per project (EUR5,000 for interest-free loans), and the maturity of each loan must be less than seven years. Borrowers raising funds through crowdlending cannot raise more than EUR1 million per project. Mortgage loans and consumer credits are also outside the scope of crowdlending.
Regulation (EU) 2020/1503 on European crowdfunding service providers for business will supersede the French regime on 10 November 2021, after a transition period of 12 months. This regulation will allow entrepreneurs to raise up to EUR5 million.
Concerning regulatory authorisations, crowdlending internet platforms only have to register with the ORIAS, whereas legacy lenders must be authorised as credit institutions by the ACPR. The regulatory requirements that crowdlending platforms have to respect are proportionate to their status (ie, not as burdensome as the rules applicable to legacy credit institutions).
Among other regulatory conditions aimed at protecting lenders, crowdlending platforms must deliver detailed information to potential lenders, mainly related to the underlying projects and the attached risks.
The underwriting process itself is not directly regulated for crowdlending platforms.
Funds raised through crowdlending platforms originally come from individual lenders acting on their own account, outside of any professional context. Therefore, they are not subject to any specific regulation, and market practices used in complex financing schemes do not apply.
However, investment funds have increasingly started to invest alongside individuals in SMEs in financing deals through crowdlending platforms. In certain cases, dedicated investment funds have been created, some by a regulated asset management subsidiary of the crowdlending platform operator, such as October.
No syndication of loans originated through crowdlending platforms is allowed under French law.
The definitions of payment services and payment transactions under French law are broad and cover most existing payment methods. The French Monetary and Financial Code defines what payment services and payment accounts are, rather than how a payment transaction must work from a technical point of view. Therefore, regulated payment processors (ie, payment services providers) should have the ability to use technical innovations to develop new payment methods within the scope of the existing regulation.
The regulation of payment services revolves around the notion of “funds”, which are defined as banknotes, coins, scriptural money, and electronic money. A payment method which does not use funds, but rather unregulated units of value (such as cryptocurrencies) might therefore fall outside the scope of the regulation.
However, most payment operations involve a transfer of funds between two payment accounts. Therefore, any payment method implemented by a fintech start-up needs to be compatible with the technical requirements of the entity in whose books the beneficiary’s account is opened.
Cross-border payments and remittances are included in the list of payment services and, therefore, are regulated as such, as soon as they involve the use of funds.
Fund administrators do not have a legal definition as such under French law. Traditional actors of the investment funds business include the management company and the depositary, which are both highly regulated entities. Back-office services related to investment funds include mainly the calculation of the net asset value of the fund’s units, accounting services and reporting. These services are not regulated as such, although they are traditionally performed by branches of depositaries.
The contractual terms of the agreements between fund administrators and fund advisers are not regulated as such. There do not appear to be specific provisions aimed at assuring performance and accuracy beyond what is generally included in equivalent agreements.
The French regulation of trading platforms mostly replicates the taxonomy established by MiFID II. French law distinguishes three categories of trading platforms, in accordance with MiFID II: regulated markets, multilateral trading facilities (MTFs and organised MTFs), and organised trading facilities (OTFs).
First of all, all regulated trading platforms are subject to the same set of common rules, which include notably the prohibition of proprietary trading and various organisational and transparency requirements. Thereafter, the main differences between regulated markets, MTFs and OTFs may be broadly described as follows.
Finally, with respect to marketplaces, no specific regulatory regime generally applies. Marketplaces may be regulated to the extent that they allow their clients to purchase or trade products which are subject to a regulation.
With respect to the listing on trading venues, not all asset classes are subject to the same regime. The relationship between regulated trading venues and asset classes may be broadly presented as follows:
With respect to the Market Abuse Regulation, which establishes a common regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation, all financial instruments are subject to its provisions, whether they are traded on a regulated market, an MTF or an OTF.
The French regulation applicable to trading venues has not yet been impacted by the emergence of cryptocurrency exchanges. As financial instruments may not be listed on cryptocurrency exchanges for the time being, they remain outside the scope of regulation of traditional financial products.
Now that the PACTE Act is effective, cryptocurrency exchanges must register with the AMF, which means that they have to comply with the anti-money laundering regulation. In any case, cryptocurrency exchanges which allow their clients to trade cryptocurrencies against legal currency either need to obtain a payment services provider status or partner with a payment services provider to handle the legal currency flows.
In addition, cryptocurrency exchanges can obtain an optional licence which provides extended rights to market their services in France. This optional licence also comes with additional obligations which are broadly similar to those of investment services providers (ie, relating to reporting, transparency, conflicts of interests, etc).
French law requires trading venue operators to have clear and transparent rules regarding the criteria used to determine which financial instruments may be traded within their system. In addition, the rules of a regulated market must provide for fair, orderly and efficient trading of the financial instruments.
Concerning the listing standards themselves, each trading venue operator establishes its own rules. However, these rules generally rely on the compliance of the issuer of the financial instrument with the relevant provisions of European and national law. Certain specific rules may also be set by the operators themselves. For example, concerning the minimal percentage of float, Euronext’s rules provide that, at the time of admission to listing, at least 25% of the subscribed capital represented by the class of securities concerned must be distributed to the public.
Order handling rules applicable in France arise from Delegated Regulation 2017/565 of 25 April 2016 and a section of the French Monetary and Financial Code. Pursuant to the Delegated Regulation, investment firms carrying out client orders must ensure that orders executed on behalf of clients are promptly and accurately recorded and allocated; they must execute client orders sequentially and promptly, unless the characteristics of the order, the prevailing market conditions, or the interests of the client require otherwise; and they must inform retail clients promptly about any material difficulty.
Pursuant to the French Monetary and Financial Code, investment services providers are subject to an obligation to reach the best possible result when executing a client’s order (also called the “best execution” obligation). "The best possible result" depends on various parameters, including the price of the financial instrument, the cost of the order, the size of the order, etc. With respect to retail clients, the best possible result primarily depends on the aggregate cost of the order.
In addition, investment services providers must set out and communicate to their clients an order execution policy, which describes how orders are executed by the intermediary.
The rise of peer-to-peer crypto-assets trading platforms does not yet appear to have affected the regulation of trading venues. French and European regulators closely monitor the development of such platforms.
Peer-to-peer platforms will definitely challenge the very definition of trading venues under MiFID II: all the definitions refer to the notion of “multilateral system” and imply the use of an order book. Hence, if peer-to-peer platforms are organised from a technical point of view to allow only bilateral trading, they might fall outside the scope of MiFID II, and an evolution of European law may be needed. In any case, the peer-to-peer trading platforms which currently exist do not allow the exchange of financial instruments, since they are designed for crypto-assets.
Various issues may arise from the implementation of the best execution of clients’ orders. For example, as an investment services provider is allowed to execute orders on non-regulated venues (with the prior agreement of the client), the investment services provider may opt for a cheaper venue where the liquidity is lower, and miss the opportunity to complete a limit buy order which would have been executed if the investment services provider had chosen the most liquid and expensive venue. Therefore, the client might raise a claim against the investment services provider on the grounds that its order would have been executed if the investment services provider had chosen the best venue to carry out the order.
The AMF addressed the issue of payment for order flows in its “guide to best execution” published in 2014 and updated in 2020. The AMF is aware of three kinds of payments for order flows: non-public price reductions, provision of tools, or payment of connection fees and allocation of free shares in the company operating the trading venue.
To be considered lawful, these payments for order flows must satisfy three requirements: transparency vis-à-vis clients, enhancement of the service rendered and compliance with the duty to act in the best interest of the client.
Concerning the duty to act in the best interest of the client, which is defined in Article 314-14 of the AMF’s General Regulations, three cumulative conditions must be met with regard to payments for order flows:
In any case, the choice of trading venue must be made in a manner that complies with best-execution obligations, as well as obligations relating to the prevention and management of conflicts of interest.
The market abuse regulation was the subject of a major reform at the European level in 2014 with the creation of two instruments: the Market Abuse Directive (Directive 2014/57/EU on criminal sanctions for market abuse) and the Market Abuse Regulation (Regulation (EU) No 596/2014 on market abuse).
The concept of market abuse covers any illicit behaviour on a financial market and more precisely, insider trading, unlawful disclosure of privileged information and market manipulation.
The market abuse regulation is built around sanction (with a dual administrative and criminal procedure) and prevention (with the implementation of measures designed to enable the detection of prohibited behaviour).
For instance, the operators of multilateral trading systems have to declare any suspicious operation to the AMF immediately. For this purpose, procedures and appropriate monitoring systems have been set up to prevent and detect market abuse or attempted market abuse.
Investment services providers must disclose the use of algorithmic trading to the AMF and submit detailed information related to negotiation parameters, as well as to the compliance monitoring set out in order to ensure that their algorithmic trading systems are resilient and subject to appropriate thresholds. The activities operated through the algorithmic trading systems must be stored for at least five years and made available upon request to the AMF. There are no specific rules relating to the underlying class of assets subject to the algorithmic trading.
The French Monetary and Financial Code provides that entities negotiating for their own account which use algorithmic trading systems are required to be licensed by the AMF as investment services providers for such purpose, even if they do not act on behalf of or for the account of clients.
Since the management companies of investment funds (AIFs and UCITS) are not considered as investment undertakings as a result of the MiFID II transposal under French law, they are excluded from the scope of EU provisions related to algorithmic trading. However, they are subject to French rules of good conduct in relation to the best execution of orders.
Programmers who develop and create trading algorithms or other electronic trading tools do not appear to be regulated as such.
As provided for in the AMF’s General Regulations, platforms and related participants are exempted from any registration duty as long as the service they provide qualifies as an investment research service or a financial analysis service related to financial instruments, according to Article L 321-2 of the French Monetary and Financial Code. For this purpose, the service must rely on the diffusion of general and impersonalised information or financial analysis, which can be aimed at advising an investment strategy but must not be addressed to a specific client.
Providers of investment research services or financial analysis services are subject to so-called “good conduct rules” under the control of the AMF. In particular, they must provide the public at any time with clear, accurate and non-misleading information.
In addition, irrespective of regulatory status, the spreading of unverified information is prohibited pursuant to the Market Abuse Regulation and may lead to administrative or criminal sanctions.
For now, there are no institutional platforms active in France allowing users to post any kind of financial content or information qualifying as an investment research service or financial analysis service on the platform.
As mentioned above, the spreading of rumours and unverified information is forbidden under the Market Abuse Regulation. In 2013, before the Market Abuse Regulation came into force, the AMF sanctioned two bloggers who had spread misleading information about a listed French bank.
Whether they are operated in an office or on the internet, insurance underwriting processes are regulated by the French insurance code. Several formal conditions must be set out by the insurance company in order to ensure that the agreement is valid and enforceable. When the insured party is a non-professional natural person and subscribes to the policy through an internet platform, a further set of provisions arising from consumer law allows the insured party to withdraw from the insurance agreement within 14 days from the date of subscription.
Each type of insurance (life, annuities, property, etc) is subject to its own set of regulations under the French Insurance Code. The level of supervision of the ACPR is the same for each category of insurance service. It should also be noted that the prudential treatment of insurance undertakings by the ACPR does not differ according to the type of insurance service provided by the entity, but rather according to its compliance with the related prudential rules.
Regtech companies provide services related mainly to the compliance of legacy players with prudential regulations (ie, the Solvency II, MiFID II and CRD IV Directives), reporting, risk management, KYC and AML procedures. The provision of these services is not regulated.
As a general rule, regulated entities which choose to delegate functions related to prudential or organisational regulations must ensure that they are able to assess the performance of the outsourced service by the provider. Regulated entities remain responsible towards their regulator, even if a specific obligation is violated by the external provider rather than themselves. To facilitate such monitoring of external providers, regulated entities often include in their agreements provisions which allow them to control the compliance of the external provider with the requirements of the applicable regulation.
Since 2015 and 2016, most French financial institutions have started to work on implementations of blockchain technology. Several French banks have reportedly joined the R3 consortium which develops the private blockchain platform named Corda. Euronext, BNP Paribas, Société Générale, CACEIS, and Caisse des Dépôts have jointly created LiquidShare, a start-up aimed at building a blockchain-based settlement system for non-listed securities. In addition, various major French non-financial companies are also experimenting with blockchain technology in their own field. For example, Carrefour is partnering with IBM to develop a blockchain-based food traceability platform, and LVMH has partnered with ConsenSys and Microsoft to create the Aura consortium, the objective of which is to enable brands to verify the origin and authenticity of luxury products. The French Central Bank itself has developed a blockchain-based system to manage SEPA creditor identifiers. Overall, French legacy players are all implementing, or thinking about implementing, blockchain technology in their processes or their activity.
Furthermore, the Banque de France is now collaborating with private sector innovators (such as Accenture, Euroclear, HSBC, etc) to conduct a programme of eight experiments on a wholesale CBDC. In May 2020, the Banque de France successfully tested the use of a blockchain developed by its teams, to experiment using a wholesale CBDC to settle an issue of digital financial securities with Société Générale Forge.
Finally, Paris Europlace, which is a think tank that federates and represents the diversity of players in the financial industry and provides reports and advice, wrote a report in response to the European digital euro project in which it highlights the potential uses of blockchain in the financial industry and the economic, technical and legal challenges.
While French regulators have issued multiple warnings concerning the risks of crypto-assets, the treatment of blockchain technology has been much more favourable. Blockchain technology is widely regarded as a major innovation which will likely transform the financial industry, and may also transform other industries (such as supply chain, identity management, healthcare, etc). More specifically, in October 2018, the CNIL issued a report on the compatibility of blockchains with the GDPR, and in December 2018, a parliamentary working group published a report on blockchain technology.
However, the major step was the publication of the government decrees of 8 December 2017 and 24 December 2018 which allow the use of a blockchain (formally denominated “shared electronic recording system”) for the issuance, registration and transfer of unlisted equity and debt securities. Securities issued through a blockchain will still qualify as financial instruments; this new regime will not allow the creation of “security tokens”.
The widespread use of blockchain for the issuance, registration and transfer of securities remains hindered by various legal obstacles, such as the lack of a clear status for custodians of securities registered on a blockchain or the fact that it is not possible to trade such securities outside a regulated platform (such as an MTF). In this respect, the European Commission published a digital finance package on 24 September 2020, including a proposal for a regulation on a pilot regime for market infrastructures based on blockchain. The purpose of the pilot regime is to create a framework supporting the development of security tokens.
Under the existing legislation, certain blockchain assets would qualify as financial instruments within the meaning of MiFID II (and its transposition to French law), ie, any blockchain asset which presents the characteristics of a financial instrument would likely qualify and be regulated as such.
The Monetary and Financial Code, as amended by the PACTE Act, distinguishes between two categories of blockchain assets:
In addition, French regulators tend to use a taxonomy in their publications that distinguishes security tokens, utility tokens and payment tokens.
Regulation No 2018-07 of the Accounting Standards Authority (Autorité des normes comptables or ANC) qualifies all crypto-assets, including cryptocurrencies, as “tokens” for accounting purposes.
The Monetary and Financial Code, as amended by the PACTE Act, now includes a section dedicated to token issuers. These provisions apply to the issuance of tokens that are not qualified as financial instruments.
Under French law, token issuers have the right to ask the AMF to grant its approval (“visa”) to their ICO, as soon as the following requirements are met:
The AMF’s visa is optional.
In addition to this regime, the ANC published a regulation in December 2018 which establishes the accounting rules applicable to ICO issuers and ICO investors. This regulation also clarifies the tax treatment of ICO issuers and investors, as fiscal and accounting rules are closely related.
Finally, the digital finance package published on 24 September 2020 includes a proposal for a regulation on Markets in Crypto-Assets (MiCA) which would create a European framework for ICOs.
Registration as a DASP
Four services in digital assets require the person providing them to register with the AMF as a digital asset service provider (DASP):
Such registration mostly triggers the application of anti-money laundering legislation – there are no other substantial rules that apply to registered DASPs.
In addition, all entities that are actively involved in crypto-assets may apply for an optional licence with the AMF, including those entities which also provide other services (such as reception and transmission of orders, portfolio management, advice to subscribers etc). Obtaining the licence triggers the application of the anti-money laundering legislation, as well as various other obligations similar to those of investment services providers. In return, licensed DASPs are allowed to advertise their services broadly to French clients.
Other Crypto-Asset Platforms
If crypto-assets exchange platforms allow their clients to deposit legal currency, they are also required to obtain a payment services provider status, or delegate the handling of legal currency flows to a regulated provider.
As for platforms trading crypto-assets which qualify as financial instruments, they will likely need to obtain authorisation to operate as regulated markets, MTFs or OTFs. However, ESMA’s Report on Crypto-assets and Initial Coin Offerings (January 2019) suggests that peer-to-peer platforms where crypto-assets that qualify as financial instruments are listed, might fall outside the scope of the European regulation.
Finally, the French legislation created by the PACTE Act inspired the MiCA proposal, which provides for a European framework for DASPs.
French alternative asset manager Tobam launched the first European cryptocurrency fund, the Tobam Bitcoin Fund, in November 2017. However, this fund was not licensed by the AMF, as cryptocurrencies do not fit into any existing category of the regulatory regime applicable to asset managers.
French law, as amended by the PACTE Act, now allows professional specialised investment funds (fonds professionnels spécialisés or FPS) to purchase assets registered in a shared electronic recording system, ie, a blockchain. Only professional investors are able to invest in such FPS cryptocurrencies. Napoleon Asset Management, a regulated asset manager specialised in crypto-assets, launched the first regulated crypto-assets fund in December 2019 (even though this fund does not hold crypto-assets directly, but rather invests in bitcoin derivatives listed on the CME).
The regime established by the PACTE Act does not treat cryptocurrencies differently from other “digital assets”. Similarly, Regulation No 2018-07 of the ANC considers cryptocurrencies such as Bitcoin or Ether as “tokens” for accounting purposes. In any case, there is no plan to give certain prominent cryptocurrencies any preferential legal treatment, such as acknowledging their use as money or a medium of exchange.
However, in a decision of 26 February 2020, the Nanterre Commercial Court ruled that a bitcoin loan agreement was a consumption loan due to the fungible and consumable nature of bitcoin. Although this controversial decision is the only one so far concerning the nature of loans of bitcoins, it is interesting to note that judges tend to align the lending regime of bitcoins with the traditional currency-lending regime.
Overall, regulators and legislators have mainly expressed their interest in utility tokens and the use of ICOs as a new method of financing for start-ups and SMEs. Cryptocurrencies, on the other hand, are still treated with suspicion, and it remains a priority of the legislator to prevent their use in money-laundering schemes.
Decentralised Finance (DeFi) is not currently defined or regulated under French law.
However, most DeFi platforms offer services that could fall within the regime of digital asset service providers. For example, decentralised exchanges such as Uniswap provide the service of exchanging digital assets for other digital assets, which requires registration with the AMF. Platforms allowing users to earn interest on deposits of crypto-assets and to borrow crypto-assets, such as Aave, could potentially fall under the regulation of banking operations, although that regulation has been made to apply to the use of “funds” (ie, legal currency).
It appears that the DASP regime is not adapted to truly decentralised platforms with decentralised governance. The regime was designed to regulate platforms operated by a centralised entity. It is possible that regulators will struggle to identify the persons responsible for the operation of these platforms, and may not, in fact, be able to enforce the regulation.
Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (PSD2) was transposed into French law in August 2017. PSD2 aimed to modernise payment services in the EU by taking advantage of the emergence of online and mobile banking. The cornerstone of that modernisation is the right to access a bank account to perform services, eg, to collect and consolidate information on the different bank accounts of a consumer in a single place, or to allow customers to make internet payments without using a credit card (ie, by sending a direct wire transfer from the customer’s account to the seller’s account). In practice, PSD2’s major contribution to the growth of open banking was the creation of two new categories of payment services under French law (the payment initiation service and the account information service) and the removal of certain barriers which prevented third parties from providing these payment services. Several successful French fintech companies, such as Linxo and Lydia, are already providing regulated services under these new categories.
Creation of APIs
The transposal of PSD2 into French law forced banks to share certain personal data related to their clients (eg, information related to clients’ bank accounts) with various fintech companies. In order to share this information, banks need to create secure application programming interfaces (APIs). It was reported recently that banks were slow to create these APIs and justified their reluctance by invoking the need to guarantee the security of clients’ bank accounts and data. The deadline to implement these APIs was set at September 2019.
At the end of 2020, the level of technical implementation of APIs was not consistent among all actors. According to the co-founder of Linxo, an account aggregator, the potential of PSD2-compliant APIs is still "under-exploited".
If they are unable to use APIs, third-party providers such as account aggregators and payment initiation providers will have to keep using web-scraping methods in order to access clients’ banking data, although these methods are not considered sufficiently secure.
In addition, the obligation to share clients’ personal data raises the issue of the compliance of PSD2 with the GDPR, as certain payment data may prove sensitive. In any case, both banks and fintech companies must comply with the GDPR when processing clients’ personal data.