The PACTE Act

In 2019, France adopted the PACTE Act (which stands for “Action Plan for the Growth and Transformation of Companies”) with the ambition to become a leading jurisdiction for blockchain technology and crypto-assets. This Act notably introduced a comprehensive regulatory framework for initial coin offerings (ICOs) and digital assets services providers (DASPs). 

Almost three years after the PACTE Act came into force, it has shown its success with 30 DASPs registered with the French financial regulator (Autorité des marchés financiers, AMF), as well as its shortcomings, with only three ICOs obtaining a visa from the AMF, the last one being on 13 October 2020.

Similarly, no DASP has yet been licensed by the AMF. However, applications should be forthcoming in order for DASPs to benefit from potential equivalence with the Markets in Crypto-Assets (MiCA) Regulation's authorisation.

European Commission Regulations

The MiCA Regulation is one of the components of the Digital Finance Package adopted on 24 September 2020 by the European Commission. This regulation, which is directly applicable within the European Union, notably creates a European framework for the authorisation of crypto-assets services providers (CASPs) and establishes a framework for the issuance and supervision of e-money tokens (better known as "stablecoins").

In parallel to the MiCA Regulation and the Digital Finance Package, a sixth AML/CFT Directive is expected to be adopted, together with a regulation establishing an EU AML Authority (AMLA), a regulation on AML/CFT (anti-money laundering/combating the financing of terrorism) regarding customer due diligence and beneficial ownership, as well as an amendment to the 2015 Regulation on Transfers of Funds to include aspects related to crypto-assets.

CBDC Experiments

Finally, the Banque de France's (BdF) experiments with central bank digital currency (CBDC) are continuing. On 8 November 2021, the BdF published a report on its wholesale CBDC experiments. The BdF concludes that a wholesale CBDC could help ensure the safe development of tokenised financial markets by preserving the central role of central bank money. Furthermore, a wholesale CBDC could help improve cross-border and cross-currency payments.

The Broader Fintech Ecosystem

Concerning the broader fintech ecosystem, there are presently around 800 active fintech companies in France. France’s attractiveness is enhanced by various factors, such as the support of regulatory agencies and public authorities for the fintech industry, the quality of French engineers, and the wide network of start-up incubators and accelerators. France's attractiveness is also enhanced by the organisation of numerous forums, such as the Paris Fintech Forum, the Paris Blockchain Week Summit, and the ACPR-AMF Fintech Forum (the "ACPR" being the French prudential supervision and resolution authority – Autorité de Contrôle Prudentiel et de Résolution). These events facilitate exchange and reflection between the various stakeholders.

The French fintech scene covers a wide range of businesses, among them, mobile payments (Lydia, Pumpkin); personal fundraising apps (Leetchi and LePotCommun); neobanks specialised in start-ups and freelancers (Shine, Qonto); dematerialised meal vouchers (Swile); crowdlending and crowdfunding platforms (Lendix, KissKissBankBank, Younited, Unilend); robo-advisers (Advize, Yomoni); insurtech (Alan, Luko); and payroll processors (Payfit).

A record year in 2021 for fundraising by French fintechs

French fintech companies are supported by a strong network of business angels and venture capital funds. According to France Fintech, French fintechs raised an aggregate amount of EUR2.273 billion in 93 transactions in 2021, compared to EUR830 million in 2020 (ie, an increase of 174%). High-profile deals in 2021 include Sorare (EUR585 million), Ledger (EUR380 million), Swile (EUR176 million), Alan (EUR185 million), Younited Credit (EUR142 milllion), and Lydia (EUR90 million).

The year 2022 is starting with the same trend, with EUR1.091 billion raised in January in 17 transactions. Among these transactions, Qonto has notably raised EUR486 million.

Beyond the crypto-space

It is expected that neobanks and innovative mobile payment solutions will keep gaining market share and challenging established financial institutions in 2022.

French fintech companies cover a wide range of business models: mobile payment apps, group gifting/personal fundraising apps, bank accounts aggregators and personal finance apps, neobanks, bank-as-a-service platforms, crowdfunding and crowdlending platforms, robo-advisers, insurtechs, factoring and short-term financing providers, payroll processors, coin and non-fungible token (NFT) issuers, cryptocurrency exchanges or hardware wallet makers, etc.

Legacy players have understood the need to co-operate with these challengers in order to modernise and digitalise their business models and adapt to consumers who increasingly use mobile banking services and other payment innovations. Many French financial institutions have created their own fintech or insurtech incubators, such as L’Atelier by BNP Paribas, Le Village by Crédit Agricole, Kamet by AXA, Truffle Fintech Incubator by Truffle Capital, and Swave by a consortium of financial institutions including Société Générale, New Alpha Asset Management, and AG2R La Mondiale. Legacy players are also investing in some of the most successful French fintech companies (eg, Compte Nickel, Crédit.fr, KissKissBankBank, Pumpkin, Budget Insight, and Treezor).

The regulatory regime applicable to fintech companies depends exclusively on their business model. As soon as an entity provides a regulated service, such entity must comply with a specific set of rules. Whether such entity is a newly created start-up or a century-old financial institution, the applicable rules remain the same (even though the French regulators generally use a proportional approach when enforcing these rules). Even the PACTE Act, which creates an ad hoc regime for ICOs and DASPs, does not apply exclusively to fintech companies, as any large financial institution is allowed to provide services related to crypto-assets.

The specific regulatory regimes applicable to the fintech-related businesses mentioned in 2.1 Predominant Business Modelsmay be broadly presented as follows (although other regulatory regimes may apply depending on the particularities of each business model):

• mobile payment apps are regulated as payment services providers;
• crowdfunding and crowdlending platforms are regulated as crowdfunding service providers, except for crowdfunding intermediaries licensed before 10 November 2021 who have until 10 November 2022 to obtain a crowdfunding service provider's licence (the French regulatory regime for crowdfunding intermediaries remains in place for crowdfunding and crowdlending platforms that are restricted to free loans and donations);
• group gifting/personal fundraising apps are regulated as payment services providers and/or crowdfunding service providers;
• bank account aggregators and personal finance apps are regulated as account information service providers and, where applicable, as payment services providers;
• neobanks are regulated as credit institutions or electronic money institutions;
• robo-advisers are regulated as investment services providers (ISPs) or as investment advisers, if the services provided qualify as investment advice;
• insurtechs are regulated as insurance undertakings or insurance intermediaries;
• payroll processors are normally unregulated, as they merely provide software and do not handle funds themselves; and
• DASPs are subject to the French regulatory regime created by the PACTE Act and are required to register with the AMF and comply with AML legislation if they are established in France or provide services in France. (DASPs may also choose to apply for an optional licence which grants additional rights. DASPs may also be regulated as payment services providers if they collect funds on behalf of their clients.)

Generally speaking, regulated actors are required to provide various information to their potential customers before entering into a relationship with them, even more so when their customer is a natural person who is acting for purposes which are outside their commercial, industrial, craft, liberal or agricultural activity. This information must include the fee structure of the service provider. Most regulated actors are also subject to rules on conflicts of interests which may affect their compensation structure.

More specifically, the main limitations regarding fees charged to customers apply to the following verticals.

• Banks and neobanks: the overdraft fees which may be charged by a bank are subject to a legal limitation. Since 1 November 2020, and due to the COVID-19 crisis, financially fragile people have benefited from the capping of payment incident fees at EUR25 per month for a period of three months.
• ISPs and asset managers are subject to strict rules (notably arising from the Markets in Financial Instruments Directive II, MiFID II) regarding their compensation and their ability to earn fees from third parties by executing trades on behalf of clients or recommending that they invest in specific financial instruments.

In any case, even when their pricing structure is unregulated, most fintech start-ups voluntarily disclose their fees on their website or in their general terms and conditions.

Legacy Players

Legacy players’ (including credit institutions, insurance undertakings and ISPs) activities are based on traditional banking operations and insurance or investment services and products, which are governed mainly by the CRD IV, Solvability II and MiFID II frameworks (both the regulations and the transposal of the directives into French law). These regulations relate in particular to capital, internal organisation and resources requirements which are expected to be fulfilled by entities likely to present a systemic risk, especially within the eurozone. In return, legacy players benefit from a monopoly on the regulated activities subject to the above-mentioned directives.

Fintech Companies

The businesses of fintech companies are not comparable to those of legacy players. A lot of these businesses do not qualify as banking operations and insurance or investment services. Some of these businesses are not even regulated (ie, regtech companies). Therefore, provided that their businesses do not qualify as regulated activities, fintech companies will not be subject to the heavy regulations applicable to legacy players.

In addition, there is no legal definition of fintech under French law (nor under European law). The ACPR recently defined fintech as “start-up projects that generally combine (i) a high degree of innovation and (ii) a service offer in one or more financial areas under the supervision of the ACPR. The innovation component may encompass a product, a process, a marketing technique, or organisational innovation based on the use of new technologies”. Fintech companies do not constitute a homogeneous category of service providers; therefore, a case-by-case approach – based on the service provided – must be followed in order to compare the regulations applicable to legacy players and fintech companies.

Although French regulators do not plan to establish any regulatory sandbox, the French regulatory approach is based on proportionality and relies on setting out tailor-made regulatory frameworks inspired by legacy regulations, but proportionate to the activities of fintech companies (so-called “sandboxes”). For example, token issuers and DASPs benefit from a specific legal regime, inspired by legacy regulations (such as MiFID II), but which is not merely a regulatory sandbox.

Both French regulators have also created internal teams dedicated to fintech actors, the purpose of which is to help fintech entrepreneurs navigate complex regulatory issues. The publication by the ACPR of the charter for the appraisal of "fintech" authorisation requests on 6 January 2022 illustrates this commitment to supporting fintech projects.

Traditional players are authorised and supervised by the AMF and the BdF, through the ACPR, depending on the services they provide (banking, investment services or insurance). Broadly summarised, the AMF is in charge of protecting consumers that invest in financial instruments, while the ACPR is in charge of preserving the stability of the financial and banking system. The precise allocation of responsibilities is complex: eg, an ISP is authorised by the ACPR, but its programme of activity must be approved by the AMF. Once the ISP is authorised, the ACPR monitors the entity’s activities and financial situation, while the AMF monitors its compliance with the applicable code of conduct. Similarly, the AMF is the authority that grants registration to DASPs, while the ACPR is in charge of validating the applicant’s anti-money laundering procedure.

As a general rule, regulated activities performed by financial institutions may only be delegated to entities which are also authorised to perform such activities. Operational functions related to a regulated service may also be outsourced, although the supervision of the competent regulator extends to the vendor. Outsourcing such functions does not relieve the regulated entity from its primary responsibility towards clients or third parties.

The regulated entity must efficiently implement measures to monitor the compliance of the vendor with the applicable regulatory requirements. In certain cases, the outsourcing must also be declared to the competent regulator.

As a general rule, regulated entities (whether start-ups or large companies) are responsible for ensuring that the services they provide are not used for illicit purposes. This is why all the regulated actors are subject to AML legislation, and are expected to obtain sufficient knowledge of their clients to be able to prevent them from using their platform for illicit activities.

Unregulated fintech companies are not subject to AML legislation, but are still forbidden from knowingly facilitating illicit activities. These actors need to be careful not to become the vectors of money-laundering or terrorism-financing schemes.

An interesting example is the emergence of blockchain-based decentralised trading platforms. Whether the person who deploys the smart contract on which the decentralised platform is based is responsible for potentially illicit activities conducted through the platform remains unclear.

French regulators recently focused on issuing warnings against crypto-assets. Several publications of the AMF and the ACPR notably outlined the significant volatility and risk of loss. Both institutions reminded their readers that these crypto-assets are not legal tender and do not qualify as financial instruments under French law. Consequently, the investors’ attention is drawn to the fact that the legacy regulations aimed at protecting them do not apply. Moreover, the AMF published an analysis of the legal qualification of derivatives on crypto-assets. For the regulator, basically all crypto-asset derivatives qualify as financial contracts, and therefore financial instruments. Consequently, the regulation applicable to the marketing of financial instruments in France (including the specific restrictions which apply to contracts for differences, CFDs) also applies to crypto-asset derivatives. 

In addition, the AMF publishes and regularly updates a blacklist of websites which market financial investments in France without authorisation. Such blacklist initially focused on forex trading, binary options, and alternative investments (eg, diamonds, wines, forests, etc), but was recently extended to websites irregularly marketing investments in crypto-assets and crypto-asset derivatives. The AMF also recently obtained an order from the Paris Court of Justice which requested the closure of six internet addresses relating to three sites illegally offering alternative investments.

Significant enforcement actions against neobanks and innovative payment providers can be expected in the next few years, in relation to their implementation of AML legislation.

The CNIL

Data privacy rules are provided in particular by Regulation 2016/679 of 27 April 2016 (the General Data Protection Regulation or GDPR). From a domestic perspective, the Commission Nationale de l'Informatique et des Libertés or CNIL (National Commission on Informatics and Liberty) has jurisdiction over data privacy issues and protection of personal data, regardless of which entity is processing the data (public administrations, associations, private companies, etc). Entities must set out a data-processing policy, subject to the supervision of the CNIL. The CNIL may also sanction non-compliant entities.

The ANSSI

The Agence nationale de la sécurité des systèmes d'information or ANSSI (National Cybersecurity Agency) is competent regarding cybersecurity issues. Cybersecurity regulation mainly arises from the transposition of Directive 2016/1148 of 6 July 2016 (the "Network and Information Security Directive”). Under French law, entities designated as “operators of essential services” must notify the ANSSI of any breach or incident. In addition, operators of essential services must comply with various organisational requirements, under the supervision of the ANSSI. A government decree of May 2018 designates most regulated financial and banking institutions as operators of essential services. Fintech companies providing unregulated services would probably not be considered as operators of essential services under this regulation.

Online Content

The communication of regulated actors is subject to a burdensome set of rules, especially relating to the distribution of regulated products or services. Customers must be provided with clear, accurate and non-misleading information at any time, whether such information is provided through a financial entity’s own website or through other media. Regarding social media, rules relating to the distribution of regulated services apply regardless of the channel used for such distribution, as reiterated in 2016 by the AMF (through the updates of several positions related to the marketing and distribution of financial products) and the ACPR (through a recommendation on the use of social networks for commercial purposes). Consequently, close attention should be paid to the content of the information posted on social media, as it is by nature likely to reach non-professional customers.

As regards fintech companies, their communication will only be subject to these rules where it relates to regulated services.

First of all, the appointment of an external auditor (commissaire aux comptes) is mandatory for all joint-stock companies (sociétés anonymes) and most simplified joint-stock companies (sociétés par actions simplifiées), as soon as they exceed certain size thresholds. In addition, appointing an accounting firm is mandatory for all companies which carry out a regulated activity.

Regulated entities are subject to strict monitoring and supervision rules. In order to obtain approval from the ACPR, for example, regulated entities must define a comprehensive internal compliance policy. The supervision is both internal and external: compliance with the relevant rules is internally monitored by certain employees of the entity, while external consultants periodically audit and review its compliance procedures. Therefore, part of the supervision of regulated entities is in practice outsourced to external consultants.

Fintech companies which provide regulated services must also comply with regulatory requirements. They tend to outsource most of their compliance processes, to focus on technology and the core business. When fintech companies provide services which fall outside the scope of regulation, however, they are not subject to these compliance processes.

Generally speaking, under French law, most regulated entities may provide certain unregulated services. The extent of a regulated entity’s ability to provide unregulated services depends on its status. For example, credit institutions may provide a wide range of banking-related services (opérations connexes) which do not benefit from the banking monopoly, and they may acquire stakes of private companies. Credit institutions may also carry out various non-banking activities as long as such activities remain limited (ie, less than 10% of the net banking income) and do not limit competition on the relevant markets.

Some regulated actors, such as crowdfunding intermediaries, are also forbidden to provide activities other than those for which they are regulated.       

Unregulated fintech companies are not subject to AML legislation, but are still forbidden from knowingly facilitating illicit activities. These actors need to be careful not to become the vectors of money-laundering or terrorism-financing schemes.

On the contrary, regulated fintech companies (ie, fintechs providing regulated services) are subject to AML rules, to the same extent as credit institutions, payment services providers or digital asset services providers are.

Even before the AML 6 package came into force, the French AML rules were being strengthened. For example, since an order on 9 December 2020, the ACPR has been carrying out an a priori verification of compliance with AML rules by DASPs providing the service of custody of digital assets on behalf of third parties and the service of purchase or sale of digital assets in legal tender. In addition, the decree of 2 April 2021 removes the EUR1,000 threshold in order to require DASPs to carry out KYC checks on their occasional customers as soon as the latter use their service.

The complexity and density of these AML rules may be an obstacle to the development of fintech start-ups if they are not properly advised.

Three trends can be found in the French market regarding robo-advisers:

• robo-advisers helping mainstream clients in their investment decisions;
• robo-advisers managing investments directly on behalf of their clients; and
• robo-advisers acting as insurance brokers.

In such cases, the services provided by robo-advisers qualify as investment advice or portfolio management within the meaning of the MiFID II framework and the robo-adviser must consequently be licensed as either a financial investment adviser or an ISP. Robo-advisers that are active in the insurance market have to register as intermediaries with the French register of banking, finance and insurance intermediaries ("ORIAS").

However, in contrast to legacy players, most of the processes of robo-advisers are integrally automatised. The clients provide information related to their financial capacity, objectives and risk aversion through standardised questionnaires. Depending on the client's profile, the robo-advisers provide advice related to investment opportunities or manage investments on their behalf. The AMF reiterated in 2017 that entities offering automatised tools which provide clients with financial instruments’ performance estimations are subject to the duty to deliver clear, accurate and non-misleading information.

Generally speaking, robo-advisers allow customers to invest in a diversified portfolio of listed assets, such as a mix of bonds and stocks. Robo-advisers rely heavily on investments in exchange-traded funds (ETFs) or mutual funds.

Until now, the services provided by robo-advisers were reserved for clients with sufficient financial capacity to ensure the profitability of the service. Solutions introduced by robo-advisers target two key issues for mainstream clients: the service’s cost, on the one hand, and the entry ticket, on the other hand. Various studies recently outlined that reduced costs and low-entry tickets are at the heart of robo-advisory strategy. Therefore, the main response of legacy players would be to offer the same service to clients with lower financial capacity or entry tickets.

Issues relating to best execution of orders sent by clients do not differ between legacy players and robo-advisers. As a general principle, the services provided by robo-advisers qualify as investment services according to MiFID II (whether investment advice or portfolio management). Consequently, robo-advisers must set out a best execution policy in relation to orders traded on behalf of their clients.

The French regulatory framework of crowdlending was created in 2014 with a new exemption to the banking monopoly allowing individuals to grant loans through platforms. Several conditions restrained the scope of this exemption: loans could only be granted by non-professional lenders, the amount of each loan was capped at EUR2,000 per lender and per project (EUR5,000 for interest-free loans), and the maturity of each loan should be less than seven years. Borrowers raising funds through crowdlending were not able to raise more than EUR1 million per project. Mortgage loans and consumer credits were also outside the scope of crowdlending.

The regulation (EU) 2020/1503 on European crowdfunding service providers for business has superseded the French regime. Crowdfunding intermediaries licensed under French law before 10 November 2021 have until 10 November 2022 to obtain a crowdfunding service provider's licence. This regulation will notably allow entrepreneurs to raise up to EUR5 million.

Concerning regulatory authorisations, crowdlending internet platforms must be licensed by the AMF as crowdfunding service providers with the assent of the ACPR if the applicant's programme of operations includes facilitating the granting of loans. Legacy lenders, on the other hand, must be authorised as credit institutions by the ACPR. The regulatory requirements that crowdlending platforms have to respect are proportionate to their statute (ie, not as burdensome as the rules applicable to legacy credit institutions).

As an exception, the French regulatory regime for crowdfunding intermediaries remains in place for crowdfunding and crowdlending platforms where their activity is restricted to free loans and donations.

Among other regulatory conditions aimed at protecting lenders, crowdlending platforms must deliver detailed information to potential lenders, mainly related to the underlying projects and the attached risks. To facilitate the comprehension of the investors, the crowdfunding platforms must notably make a key investment information sheet containing mandatory information available to prospective investors.

The underwriting process itself is not directly regulated for crowdlending platforms. 

Funds raised through crowdlending platforms initially came from individual lenders acting on their own account, outside of any professional context. However, investment funds have increasingly started to invest alongside individuals in SMEs in financing deals through crowdlending platforms.

In view of this trend, Regulation (EU) 2020/1503 introduced a different regime depending on whether the funding is provided by a sophisticated or unsophisticated investor.

No syndication of loans originated through crowdlending platforms is allowed under French law.

The definitions of payment services and payment transactions under French law are broad and cover most existing payment methods. The French Monetary and Financial Code defines what payment services and payment accounts are, rather than how a payment transaction must work from a technical point of view. Therefore, regulated payment processors (ie, payment services providers) should have the ability to use technical innovations to develop new payment methods within the scope of the existing regulation.

The regulation of payment services revolves around the notion of “funds”, which are defined as bank notes, coins, scriptural money, and electronic money. A payment method which does not use funds, but rather unregulated units of value (such as cryptocurrencies) might therefore fall outside the scope of the regulation.

However, most payment operations involve a transfer of funds between two payment accounts. Therefore, any payment method implemented by a fintech start-up needs to be compatible with the technical requirements of the entity in whose books the beneficiary’s account is opened.

Cross-border payments and remittances are included in the list of payment services and, therefore, are regulated as such, as soon as they involve the use of funds.

Fund administrators do not have a legal definition as such under French law. Traditional actors of the investment funds business include the management company and the depositary, which are both highly regulated entities. Back-office services related to investment funds include mainly the calculation of the net asset value of the fund’s units, accounting services and reporting. These services are not regulated as such, although they are traditionally performed by branches of depositaries.

The contractual terms of the agreements between fund administrators and fund advisers are not regulated as such. There do not appear to be specific provisions aimed at assuring performance and accuracy beyond what is generally included in equivalent agreements.

The French regulation of trading platforms mostly replicates the taxonomy established by MiFID II. French law distinguishes three categories of trading platforms, in accordance with MiFID II: regulated markets, multilateral trading facilities (MTFs and organised MTFs), and organised trading facilities (OTFs).

Firstly, all these trading platforms are subject to the same set of common rules, which include, notably, the prohibition of proprietary trading and various organisational and transparency requirements. Thereafter, the main differences between regulated markets, MTFs and OTFs may be broadly described as follows.

• Regulated markets are authorised by a government decree (on a proposal from the AMF) and are operated by a market undertaking (entreprise de marché), while MTFs and OTFs may be operated by an ISP.
• MTFs and OTFs may be operated by a market undertaking or an ISP.
• Organised MTFs are MTFs which are subject to additional regulatory requirements. This category is not present in MiFID II; it was created by the French legislator.
• OTFs may not list shares; they may only list the following asset classes: debt securities, structured finance products, greenhouse gas emission allowances, derivatives and physically-settled wholesale energy products.
• OTFs may match buying and selling orders in accordance with discretionary rules, while regulated markets and MTFs must use non-discretionary rules.

Finally, with respect to marketplaces, no specific regulatory regime generally applies. Marketplaces may be regulated to the extent that they allow their clients to purchase or trade products which are subject to a regulation.

With respect to the listing on trading platforms, not all asset classes are subject to the same regime. The relationship between regulated trading platforms and asset classes may be broadly presented as follows: 

• any financial instrument may be listed on a regulated market or an MTF; and
• an OTF may only list the following asset classes – debt securities, structured finance products, greenhouse gas emission allowances, derivatives, and physically-settled wholesale energy products.

With respect to the Market Abuse Regulation, which establishes a common regulatory framework on insider dealing, the unlawful disclosure of inside information and market manipulation, all financial instruments are subject to its provisions, whether they are traded on a regulated market, an MTF or an OTF.

The French regulation applicable to financial instruments' trading platforms has not yet been impacted by the emergence of cryptocurrency exchanges. As financial instruments may not be listed on cryptocurrency exchanges for the time being, they remain outside the scope of regulation of traditional financial products.

Since the PACTE Act came into effect, digital asset service providers operating a cryptocurrency exchange must register with the AMF, which means that they notably have to comply with the AML regulation. In addition, cryptocurrency exchanges which allow their clients to trade cryptocurrencies against legal currency either need to obtain a payment services provider status or partner with a payment services provider to handle the legal currency flows.

Finally, cryptocurrency exchanges can obtain an optional licence which provides extended rights to market their services in France. This optional licence also comes with additional obligations which are broadly similar to those of ISPs (ie, relating to reporting, transparency, conflicts of interests, etc).

French law requires trading venue operators to have clear and transparent rules regarding the criteria used to determine which financial instruments may be traded within their system. In addition, the rules of a regulated market must provide for fair, orderly and efficient trading of the financial instruments.

Concerning the listing standards themselves, each trading venue operator establishes its own rules. However, these rules generally rely on the compliance of the issuer of the financial instrument with the relevant provisions of European and national law. Certain specific rules may also be set by the operators themselves. For example, concerning the minimal percentage of float, Euronext’s rules provide that, at the time of admission to listing, at least 25% of the subscribed capital represented by the class of securities concerned must be distributed to the public.

Order handling rules applicable in France arise from Delegated Regulation 2017/565 of 25 April 2016 and a section of the French Monetary and Financial Code. Pursuant to the delegated regulation, investment firms carrying out client orders must ensure that orders executed on behalf of clients are promptly and accurately recorded and allocated. ISPs must execute client orders sequentially and promptly, unless the characteristics of the order, the prevailing market conditions, or the interests of the client require otherwise, and they must inform retail clients promptly about any material difficulty.

Pursuant to the French Monetary and Financial Code, ISPs are subject to an obligation to reach the best possible result when executing a client’s order (also called the “best execution” obligation). “The best possible result” depends on various parameters, including the price of the financial instrument, the cost of the order, the size of the order, etc. With respect to retail clients, the best possible result primarily depends on the aggregate cost of the order.

In addition, ISPs must set out and communicate to their clients an order's execution policy, which describes how orders are executed by the intermediary.

The rise of peer-to-peer crypto-assets trading platforms does not yet appear to have affected the regulation of trading venues. French and European regulators closely monitor the development of such platforms.

Peer-to-peer platforms will definitely challenge the very definition of trading venues under MiFID II: all the definitions refer to the notion of a “multilateral system” and imply the use of an order book. Hence, if peer-to-peer platforms are organised from a technical point of view to allow only bilateral trading, they might fall outside the scope of MiFID II, and an evolution of European law may be needed. In any case, the peer-to-peer trading platforms which currently exist do not allow the exchange of financial instruments, since they are designed for crypto-assets.

Various issues may arise from the implementation of the best execution of clients’ orders. For example, as an ISP is allowed to execute orders in non-regulated venues (with the prior agreement of the client), the ISP may opt for a cheaper venue where the liquidity is lower and miss the opportunity to complete a limit buy order which would have been executed if the ISP had chosen the most liquid and expensive venue. Therefore, the client might raise a claim against the ISP on the grounds that its order would have been executed if the ISP had chosen the best venue to carry out the order.

The AMF addressed the issue of payment for order flows in its “guide to best execution” published in 2014 and updated in 2020. The AMF is aware of three kinds of payments for order flows: non-public price reductions, provision of tools, or payment of connection fees and allocation of free shares in the company operating the trading venue.

To be considered lawful, these payments for order flows must satisfy three requirements: transparency vis-à-vis clients, enhancement of the service rendered and compliance with the duty to act in the best interest of the client. 

Concerning the duty to act in the best interest of the client, which is defined in Article 314-14 of the AMF’s General Regulations, three cumulative conditions must be met with regard to payments for order flows: 

• first, they must be justified by the provision to the client of an additional or higher level of service, commensurate with the incentive received (such as the provision of access, at a competitive price, to a wide range of financial instruments; the provision of one or several value-added tools; the provision of periodic reports on the performance of financial instruments and the associated costs and fee, etc); 
• second, they should not directly benefit the ISP, its shareholders or staff members, without any tangible benefit to the client; and
• third, they should be justifiable by the provision to the client of a long-term service in relation to the incentive received. 

In any case, the choice of trading venue must be made in a manner that complies with best-execution obligations, as well as obligations relating to the prevention and management of conflicts of interest.

The market abuse regulation was the subject of a major reform at the European level in 2014 with the creation of two instruments: the Market Abuse Directive (Directive 2014/57/EU on criminal sanctions for market abuse) and the Market Abuse Regulation (Regulation (EU) No 596/2014 on market abuse).

The concept of market abuse covers any illicit behaviour on a financial market and more precisely, insider trading, unlawful disclosure of privileged information and market manipulation.

The market abuse regulation is built around sanction (with a dual administrative and criminal procedure) and prevention (with the implementation of measures designed to enable the detection of prohibited behaviour). 

For instance, the operators of multilateral trading systems have to declare any suspicious operation to the AMF immediately. For this purpose, procedures and appropriate monitoring systems have been set up to prevent and detect market abuse or attempted market abuse. 

ISPs must disclose the use of algorithmic trading to the AMF and submit detailed information related to negotiation parameters, as well as to the compliance monitoring set out, in order to ensure that their algorithmic trading systems are resilient and subject to appropriate thresholds. The activities operated through the algorithmic trading systems must be stored for at least five years and made available upon request to the AMF. There are no specific rules relating to the underlying class of assets subject to the algorithmic trading.

The French Monetary and Financial Code provides that entities negotiating for their own account which use algorithmic trading systems are required to be licensed by the AMF as investment services providers for such purpose, even if they do not act on behalf of or for the account of clients.

Since the management companies of investment funds (AIFs and UCITS) are not considered as investment undertakings as a result of the MiFID II transposal under French law, they are excluded from the scope of EU provisions related to algorithmic trading. However, they are subject to French rules of good conduct in relation to the best execution of orders.

Programmers who develop and create trading algorithms or other electronic trading tools are not apparently regulated as such.

As provided for in the AMF’s General Regulations, platforms and related participants are exempted from any registration duty as long as the service they provide qualifies as an investment research service or a financial analysis service related to financial instruments, according to Article L 321-2 of the French Monetary and Financial Code. For this purpose, the service must rely on the diffusion of general and impersonalised information or financial analysis, which can be aimed at advising an investment strategy but must not be addressed to a specific client.

Providers of investment research services or financial analysis services are subject to so-called “good conduct rules” under the control of the AMF. In particular, they must provide the public at any time with clear, accurate and non-misleading information.

In addition, irrespective of regulatory status, the spreading of unverified information is prohibited pursuant to the Market Abuse Regulation and may lead to administrative or criminal sanctions.

For now, there are no institutional platforms active in France allowing users to post any kind of financial content or information qualifying as an investment research service or financial analysis service on the platform.

As mentioned above, the spreading of rumours and unverified information is forbidden under the Market Abuse Regulation. In 2013, before the Market Abuse Regulation came into force, the AMF sanctioned two bloggers who had spread misleading information about a listed French bank.

Whether they are operated in an office or on the internet, insurance underwriting processes are regulated by the French insurance code. Several formal conditions must be set out by the insurance company in order to ensure that the agreement is valid and enforceable. When the insured party is a non-professional natural person and subscribes to the policy through an internet platform, a further set of provisions arising from consumer law allows the insured party to withdraw from the insurance agreement within 14 days from the date of subscription.

Each type of insurance (life, annuities, property, etc) is subject to its own set of regulations under the French Insurance Code. The level of supervision of the ACPR is the same for each category of insurance service. It should also be noted that the prudential treatment of insurance undertakings by the ACPR does not differ according to the type of insurance service provided by the entity, but rather, according to its compliance with the related prudential rules.

Regtech companies provide services related mainly to the compliance of legacy players with prudential regulations (ie, the Solvency II, MiFID II and CRD IV Directives), reporting, risk management, KYC and AML procedures. The provision of these services is not regulated.

As a general rule, regulated entities which choose to delegate functions related to prudential or organisational regulations must ensure that they are able to assess the performance of the outsourced service by the provider. Regulated entities remain responsible towards their regulator, even if a specific obligation is violated by the external provider rather than themselves. To facilitate such monitoring of external providers, regulated entities often include in their agreements provisions which allow them to control the compliance of the external provider with the requirements of the applicable regulation.

Since 2015 and 2016, most French financial institutions have started to work on implementations of blockchain technology. Several French banks have reportedly joined the R3 consortium which develops the private blockchain platform named Corda. Euronext, BNP Paribas, Société Générale, CACEIS, and Caisse des Dépôts have jointly created LiquidShare, a start-up aimed at building a blockchain-based settlement system for non-listed securities. Similarly, Société Générale Forge, a Société Générale subsidiary, has already issued digital finance securities on public blockchains, such as Ethereum and Tezos. In addition, various major French non-financial companies are also experimenting with blockchain technology in their own field. For example, Carrefour is partnering with IBM to develop a blockchain-based food traceability platform, and LVMH has partnered with ConsenSys and Microsoft to create the Aura consortium, the objective of which is to enable brands to verify the origin and authenticity of luxury products. The BdF itself has developed a blockchain-based system to manage SEPA creditor identifiers. Overall, French legacy players are all implementing, or thinking about implementing, blockchain technology in their processes or their activity.

Furthermore, since March 2020, the BdF has collaborated with private sector innovators (such as Accenture, Euroclear, HSBC, etc) to conduct a programme of eight experiments on a wholesale CBDC, such as using a wholesale CBDC to settle an issue of digital financial securities with Société Générale Forge. On 8 November 2021, the BdF published the results and key findings of its experiments.

Finally, Paris Europlace, which is a think tank that federates and represents the diversity of players in the financial industry and provides reports and advice, wrote a report in response to the European digital euro project in which it highlights the potential uses of blockchain in the financial industry and the economic, technical and legal challenges.

While French regulators have issued multiple warnings concerning the risks of crypto-assets, the treatment of blockchain technology has been much more favourable. Blockchain technology is widely regarded as a major innovation which will likely transform the financial industry, and may also transform other industries (such as supply chain, identity management, healthcare, etc). More specifically, in October 2018, the CNIL issued a report on the compatibility of blockchains with the GDPR, and in December 2018, a parliamentary working group published a report on blockchain technology.

Government Decrees

However, the major step was the publication of the government decrees of 8 December 2017 and 24 December 2018 which allow the use of a blockchain (formally denominated “shared electronic recording system”) for the issuance, registration and transfer of unlisted equity and debt securities. Securities issued through a blockchain will still qualify as financial instruments, and this new regime will not allow the creation of “security tokens”.

Pilot Regime

The widespread use of blockchain for the issuance, registration and transfer of securities remains hindered by various legal obstacles, such as the lack of clear status for custodians of securities registered on a blockchain or the fact that it is not possible to trade such securities outside a regulated platform (such as an MTF). In this respect, the European Commission published a digital finance package on 24 September 2020, including a proposal for a regulation on a pilot regime for market infrastructures based on blockchain. The purpose of the pilot regime is to create a framework supporting the development of security tokens.

Under the existing legislation, certain blockchain assets qualify as financial instruments within the meaning of MiFID II (and its transposition to French law), ie, any blockchain asset which presents the characteristics of a financial instrument would likely qualify and be regulated as such.

The Monetary and Financial Code, as amended by the PACTE Act, distinguishes between two categories of blockchain assets:

• tokens which qualify as financial instruments; and
• digital assets (actifs numériques), which comprise all other crypto-assets (including tokens issued pursuant to ICOs which do not qualify as financial instruments).

In addition, French regulators tend to use taxonomy in their publications to distinguish between security tokens, utility tokens and payment tokens.

Regulation No 2018-07 of the Accounting Standards Authority (Autorité des normes comptables or ANC) qualifies all crypto-assets, including cryptocurrencies, as “tokens” for accounting purposes.

The Monetary and Financial Code, as amended by the PACTE Act, now includes a section dedicated to token issuers. These provisions apply to the issuance of tokens that do not qualify as financial instruments.

Under French law, token issuers have the right to ask the AMF to grant its approval (“visa”) to their ICO, as soon as the following requirements are met:

• the issuer is a legal entity incorporated in France, or at least registered in France through a branch;
• the white paper and the marketing materials are accurate, written in plain language, and not misleading; and
• the issuer plans to implement adequate procedures to track and safeguard the funds raised in the ICO.

The AMF visa is optional.

In addition to this regime, the ANC published a regulation in December 2018 which establishes the accounting rules applicable to ICO issuers and ICO investors. This regulation also clarifies the tax treatment of ICO issuers and investors, as fiscal and accounting rules are closely related.

Finally, the digital finance package published on 24 September 2020 includes a proposal for a regulation on MiCA, which would create a European framework for ICOs. 

Registration as a DASP

Four services in digital assets require the person providing them to register with the AMF as a DASP:

• the service of custody of digital assets on behalf of third parties;
• the service of buying or selling digital assets in legal currency;
• the service of exchanging digital assets for other digital assets; and
• the operation of a digital assets trading platform. 

Such registration mostly triggers the application of AML legislation – there are no other substantial rules that apply to registered DASPs.

AMF Licence

In addition, all entities that are actively involved in crypto-assets may apply for an optional licence with the AMF, including those entities which also provide other services (such as reception and transmission of orders, portfolio management, advice to subscribers, etc). Obtaining the licence triggers the application of the AML legislation, as well as various other obligations similar to those of ISPs. In return, licensed DASPs are allowed to market and advertise their services broadly to French clients.

Other Crypto-asset Platforms

If DASPs operating a crypto-assets exchange platform allow their clients to deposit legal currency or collect client funds to place orders on their behalf, these DASPs are also required to obtain a payment services provider status, or delegate the handling of legal currency flows to a regulated provider. 

As for platforms trading crypto-assets which qualify as financial instruments, they will likely need to obtain authorisation to operate as regulated markets, MTFs or OTFs. However, the European Securities and Markets Authority's (ESMA) Report on Crypto-assets and Initial Coin Offerings (January 2019) suggests that peer-to-peer platforms where crypto-assets that qualify as financial instruments are listed, might fall outside the scope of the European regulation.

Finally, the French legislation created by the PACTE Act inspired the MiCA proposal, which provides for a European framework for DASPs.

French alternative asset manager Tobam launched the first European cryptocurrency fund, the Tobam Bitcoin Fund, in November 2017. However, this fund was not licensed by the AMF, as cryptocurrencies do not fit into any existing category of the regulatory regime applicable to asset managers.

French law, as amended by the PACTE Act, now allows professional specialised investment funds (fonds professionnels spécialisés or FPS) and specialised private equity funds (fonds professionnels de capital-investissement or FPCIs) to purchase digital assets registered in a shared electronic recording system, ie, a blockchain. Only professional investors are able to invest in such FPS or FPCIs. Napoleon Asset Management, a regulated asset manager specialised in crypto-assets, launched the first regulated crypto-assets fund in December 2019 (even though this fund does not hold crypto-assets directly, but rather invests in bitcoin derivatives listed on the CME).

The regime established by the PACTE Act does not treat cryptocurrencies differently from other “digital assets”. Similarly, Regulation No 2018-07 of the ANC considers cryptocurrencies, such as Bitcoin or Ether, as “tokens” for accounting purposes. In any case, there is no plan to give certain prominent cryptocurrencies any preferential legal treatment, such as acknowledging their use as money or as a medium of exchange.

However, in a decision of 26 February 2020, the Nanterre Commercial Court ruled that a bitcoin loan agreement was a consumption loan due to the fungible and consumable nature of bitcoin. Although this controversial decision is the only one so far concerning the nature of loans of bitcoins, it is interesting to note that judges tend to align the lending regime of bitcoins with the traditional currency-lending regime. 

Overall, regulators and legislators have mainly expressed their interest in utility tokens and the use of ICOs as a new method of financing start-ups and SMEs. Cryptocurrencies, on the other hand, are still treated with suspicion, and it remains a priority of the legislator to prevent their use in money-laundering schemes.

Decentralised finance ("DeFi") is not currently defined or regulated under French law.

However, most DeFi platforms offer services that could fall within the regime of DASPs. For example, decentralised exchanges such as Uniswap provide the service of exchanging digital assets for other digital assets, which requires registration with the AMF. Platforms allowing users to earn interest on deposits of crypto-assets and to borrow crypto-assets, such as Aave, could potentially fall under the regulation of banking operations, although that regulation has been made to apply to the use of “funds” (ie, legal currency).

It appears that the DASP regime is not adapted to truly decentralised platforms with decentralised governance. The regime was designed to regulate platforms operated by a centralised entity. It is possible that regulators will struggle to identify the persons responsible for the operation of these platforms, and may not, in fact, be able to enforce the regulation.

As published on 24 September 2020, the MiCA Regulation proposal does not aim to regulate DeFi either.

Before any development, it should be noted that many assets are called non-fungible tokens (NFTs) without being so. Indeed, to qualify as such, an asset must:

• be non-fungible;
• be issued, registered, held or transferred by means of a blockchain; and
• represent a right, generally an intellectual property right.

An NFT is therefore close to the notion of a token as defined by Article L 552-2 of the French Financial and Monetary Code. However, an NFT should not be qualified as a token, notably because the French legislator was in fact aiming at utility tokens, which give the right to a good or service.

Therefore, as French law currently stands, (genuine) NFTs and trading platforms for such assets do not fall under any legal regime. The MiCA Regulation proposal does not directly aim to regulate NFTs. However, this could fall under the broad definition of crypto-assets, and therefore be regulated, in addition to trading platforms offering such NFTs.

Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (PSD2) was transposed into French law in August 2017. PSD2 aimed to modernise payment services in the EU by taking advantage of the emergence of online and mobile banking. The cornerstone of that modernisation is the right to access a bank account to perform services, eg, to collect and consolidate information on the different bank accounts of a consumer in a single place, or to allow customers to make internet payments without using a credit card (ie, by sending a direct wire transfer from the customer’s account to the seller’s account). In practice, PSD2’s major contribution to the growth of open banking was the creation of two new categories of payment services under French law (the payment initiation service and the account information service) and the removal of certain barriers which prevented third parties from providing these payment services. Several successful French fintech companies, such as Linxo and Lydia, are already providing regulated services under these new categories.

Creation of APIs

The transposal of PSD2 into French law forced banks to share certain personal data related to their clients (eg, information related to clients’ bank accounts) with various fintech companies. In order to share this information, banks need to create secure application programming interfaces (APIs). It was reported recently that banks were slow to create these APIs and justified their reluctance by invoking the need to guarantee the security of clients’ bank accounts and data. The deadline to implement these APIs was set at September 2019.

At the end of 2020, the level of technical implementation of APIs was not consistent among all actors. According to the co-founder of Linxo, an account aggregator, the potential of PSD2-compliant APIs is still "under-exploited".

Web-Scraping Methods

If they are unable to use APIs, third-party providers such as account aggregators and payment initiation providers will have to keep using web-scraping methods in order to access clients’ banking data, although these methods are not considered sufficiently secure.

GDPR Compliance

In addition, the obligation to share clients’ personal data raises the issue of the compliance of PSD2 with the GDPR, as certain payment data may prove sensitive. In any case, both banks and fintech companies must comply with the GDPR when processing clients’ personal data.