AML and KYC Compliance for Fintech in France

A detailed guide to AML and KYC compliance for fintech companies in France, covering AMF PSAN registration, ACPR oversight, the French AML framework, and the transition to MiCA.

Introduction to Fintech Compliance in France

France has established itself as one of Europe's leading fintech hubs, driven by supportive government initiatives such as the French Tech programme and a regulatory environment that balances innovation with robust financial crime prevention. Fintech companies operating in France must navigate a dual supervisory structure: the Autorité des marchés financiers (AMF) oversees investment services and digital asset service providers, while the Autorité de contrôle prudentiel et de résolution (ACPR), a division of the Banque de France, supervises credit institutions, payment service providers, and insurance firms.

Understanding and implementing KYC and AML obligations is critical for any fintech seeking to launch or expand in the French market. This guide provides a comprehensive overview of the applicable regulatory framework, practical compliance considerations, and the impact of the EU's Markets in Crypto-Assets Regulation (MiCA) on French fintech firms. For a primer on identity verification fundamentals, consult our guide on what is KYC.

Legislative Foundation

France's AML regime is primarily codified in the Code monétaire et financier (CMF), specifically Articles L. 561-1 through L. 561-50, which transpose the EU's Anti-Money Laundering Directives into national law. The framework is supplemented by:

  • Arrêtés and décrets issued by the Ministry of Economy and Finance providing technical implementation details.
  • Guidelines and position papers published by the AMF and ACPR, including the ACPR's Lignes directrices conjointes (joint guidelines on CDD).
  • TRACFIN guidance: TRACFIN, France's Financial Intelligence Unit housed within the Ministry of Economy, publishes annual risk assessments and typology reports that inform firms' AML obligations.

Entities Subject to AML Obligations

The CMF defines a broad range of obliged entities (personnes assujetties), including:

  • Credit institutions and banks
  • Payment institutions and e-money institutions
  • Investment firms and portfolio management companies
  • Digital Asset Service Providers (Prestataires de services sur actifs numériques, or PSANs)
  • Insurance and reinsurance undertakings
  • Crowdfunding platforms (under certain conditions)

All obliged entities must implement a complete AML/CFT compliance programme covering risk assessment, customer due diligence, suspicious transaction reporting, and internal controls.

Customer Due Diligence (CDD) Under French Law

Standard CDD Requirements

Under Articles L. 561-5 and L. 561-6 of the CMF, obliged entities must:

  1. Identify the customer before establishing a business relationship or executing an occasional transaction above EUR 15,000. For individuals, this means collecting name, date and place of birth, and nationality. For legal entities, this includes the company name, registration number, registered office, and powers of the representatives.
  2. Verify the customer's identity using reliable and independent documents, data, or information. For individuals, a valid government-issued identity document (carte nationale d'identité, passeport, titre de séjour) is required. The ACPR accepts digital verification methods that provide equivalent assurance.
  3. Identify and verify the beneficial owner(s) — natural persons who ultimately own or control more than 25% of the capital or voting rights of a legal entity.
  4. Understand the purpose and intended nature of the business relationship and gather information on the origin of funds where appropriate.

Enhanced Due Diligence (Vigilance renforcée)

French law requires enhanced measures in several scenarios:

  • Politically Exposed Persons (PEPs; in French, personnes politiquement exposées or PPE): Senior management approval, establishment of the source of wealth and funds, and enhanced ongoing monitoring are mandatory.
  • High-risk third countries: The list is determined by the European Commission and supplemented by France's own risk assessment.
  • Complex or unusually large transactions: Any transaction that appears to have no economic justification triggers EDD obligations.
  • Remote onboarding: When the customer is not physically present, additional verification measures are required, though France has progressively accepted video-based and AI-driven identification methods.

Simplified Due Diligence

For low-risk relationships — such as accounts with strictly limited functionality or certain regulated financial counterparties — simplified measures may be applied, provided the firm has assessed the risk as genuinely low. SDD does not remove the identification obligation; it permits the use of less intensive verification methods and reduced monitoring frequency.

AMF and PSAN Registration

The PSAN Framework

France was one of the first EU member states to create a dedicated registration regime for Digital Asset Service Providers through the PACTE Law of 2019. The AMF administers the PSAN registration process, which covers services including:

  • Custody of digital assets on behalf of third parties
  • Buying and selling digital assets for legal tender
  • Operating a digital asset trading platform
  • Exchange of digital assets for other digital assets

Since 2023, PSAN registration has been mandatory for firms providing these services to French residents. The registration process requires applicants to demonstrate, among other things:

  • Adequate AML/CFT policies and procedures
  • A compliance officer with sufficient authority and resources
  • Fit and proper assessments for managers and beneficial owners
  • Cybersecurity and internal control arrangements

AML Obligations Specific to PSANs

PSANs face the same CDD obligations as other obliged entities under the CMF, with additional expectations from the AMF regarding blockchain-specific risks. This includes monitoring for transactions involving unhosted wallets, mixers, and addresses associated with sanctions or illicit activity. The AMF has published specific guidance on how PSANs should implement risk-based transaction monitoring.

Joinble's AI-powered identity verification platform assists PSANs in meeting these onboarding requirements by automating French identity document verification, biometric liveness checks, and real-time screening against sanctions and PEP databases — all while providing the audit trail the AMF expects.

ACPR Oversight for Payment and E-Money Institutions

Licensing and Supervision

Payment institutions (établissements de paiement) and e-money institutions (établissements de monnaie électronique) are licensed and supervised by the ACPR. The licensing process includes a thorough review of the applicant's AML programme, governance structure, and capital adequacy.

The ACPR conducts regular on-site and off-site examinations of supervised entities' AML controls. Its enforcement actions have included significant fines for deficiencies in CDD, transaction monitoring, and suspicious transaction reporting. Fintech companies authorized as payment or e-money institutions should expect scrutiny of their automated onboarding flows and the adequacy of their KYC technology.

Suspicious Transaction Reporting to TRACFIN

All obliged entities must file suspicious transaction reports (déclarations de soupçon) with TRACFIN when they know, suspect, or have reasonable grounds to suspect that funds are the proceeds of a criminal offence or are related to terrorist financing. Reports must be filed promptly, and firms are prohibited from tipping off the customer (obligation de non-divulgation). TRACFIN processed over 180,000 reports in recent years, reflecting the maturity and scale of France's AML reporting ecosystem.

The MiCA Transition

What MiCA Means for French Fintech

The Markets in Crypto-Assets Regulation (MiCA), which entered full application across the EU in December 2024, replaces national frameworks like the PSAN regime with a harmonized European licensing system. Key implications for French fintech include:

  • Crypto-Asset Service Provider (CASP) authorization: Firms previously registered as PSANs must obtain CASP authorization under MiCA during the transitional period. France has set a transitional window allowing existing PSANs to continue operating while they apply for MiCA authorization.
  • Passporting: MiCA-authorized CASPs can offer services across all EU member states without needing separate national registrations — a significant advantage for French fintechs seeking to expand.
  • Strengthened AML integration: MiCA works alongside the EU's AML package (including the upcoming Anti-Money Laundering Authority, AMLA), ensuring that CASPs are fully integrated into the European AML supervisory framework.

French fintech firms should plan their MiCA transition carefully, ensuring that their KYC infrastructure supports the regulation's requirements for customer identification, suitability assessments, and ongoing monitoring. Joinble's verification platform, designed to meet the highest EU standards for identity proofing, provides a scalable foundation for firms navigating this regulatory shift.

Record Keeping and Data Protection

Under French law, AML-related records — including copies of identity documents, transaction records, and due diligence files — must be retained for five years after the end of the business relationship. Firms must also comply with the General Data Protection Regulation (GDPR) and France's Loi Informatique et Libertés, balancing their obligation to retain AML data with data minimisation and purpose limitation principles. The CNIL (Commission nationale de l'informatique et des libertés) has issued guidance on how to reconcile these competing requirements.

Penalties for Non-Compliance

The ACPR's sanctions committee (Commission des sanctions) can impose fines of up to EUR 100 million or 10% of annual turnover for AML failings. The AMF can withdraw PSAN registration and impose financial penalties. Criminal sanctions under French law for money laundering offences include up to 10 years imprisonment and fines of up to EUR 750,000 for individuals.

FAQ

Is PSAN registration still required after MiCA entered into force?

During the transitional period, existing PSANs can continue to operate under their French registration while applying for MiCA CASP authorization. New entrants must apply directly for MiCA authorization through the AMF. The French transitional arrangements provide a bridge, but firms should not delay their MiCA applications. For identity verification basics relevant to this process, see what is KYC.

What identity documents does French law accept for KYC verification?

The CMF and ACPR guidelines accept valid government-issued identity documents, including the French national identity card (CNI), passport, and residence permit (titre de séjour). Digital verification methods, including AI-powered document authentication and biometric matching, are accepted when they provide equivalent assurance to physical document inspection.

How does TRACFIN differ from other EU Financial Intelligence Units?

TRACFIN operates under the French Ministry of Economy and Finance and serves as the national FIU. It receives, analyses, and disseminates suspicious transaction reports from obliged entities. TRACFIN is known for its proactive approach, issuing sector-specific risk indicators and conducting outreach to obliged entities. It cooperates with EU counterparts through the FIU.net platform and bilateral agreements.

Can a French fintech passport its PSAN registration to other EU countries?

Under the national PSAN regime, passporting was not available — firms needed separate registrations in each member state. Under MiCA, CASP authorization from the AMF allows passporting across all EU and EEA member states, which is one of the principal advantages of transitioning to the MiCA framework.

What are the ACPR's priorities in AML examinations of fintech firms?

The ACPR has publicly identified several priority areas: the adequacy of automated onboarding and digital KYC solutions, the effectiveness of transaction monitoring systems (especially for novel payment methods), the quality and timeliness of suspicious transaction reports filed with TRACFIN, and the governance and resourcing of the AML compliance function. Firms using third-party KYC providers should ensure they retain full oversight and accountability.
