Fintech 2025

FRANCE Law and Practice Contributed by: Hubert de Vauplane and Hugo Bordet, Morgan Lewis & Bockius LLP

2.11 Implications of Additional, Non- Financial Services Regulations The CNIL Data privacy rules are provided in particular by Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation, GDPR). From a domestic perspective, the National Com - mission on Informatics and Liberty ( Commission nationale de l’informatique et des libertés , CNIL) has jurisdiction over data privacy issues and protection of personal data, regardless of which entity is processing the data (public adminis - trations, associations, private companies, etc). Entities must set out a data processing policy, subject to the supervision of the CNIL. The CNIL may also sanction non-compliant entities. The ANSSI The National Cybersecurity Agency ( Agence nationale de la sécurité des systèmes d’information , ANSSI) is competent regarding cybersecurity issues. Cybersecurity regulation mainly arises from the transposition of Direc - tive (EU) 2016/1148 of 6 July 2016 (the Net - work and Information Security Directive). Under French law, entities designated as “operators of essential services” must notify the ANSSI of any breach or incident. In addition, operators of essential services must comply with various organisational requirements, under the supervi - sion of the ANSSI. A government decree of May 2018 designates most regulated financial and banking institutions as operators of essential services. Fintech companies providing unregu - lated services would probably not be considered as operators of essential services under this regulation. Online Content The communication of regulated actors is sub - ject to a burdensome set of rules, especially relating to the distribution of regulated products

of the legal classification of derivatives based on crypto-assets. For the regulator, basically all crypto-asset derivatives qualify as financial contracts, and therefore financial instruments. Consequently, the regulations applicable to the marketing of financial instruments in France (including the specific restrictions which apply to contracts for difference) also apply to crypto- asset derivatives. In addition, the AMF publishes and regularly updates a blacklist of websites which market financial investments in France without authori - sation. This blacklist initially focused on forex trading, binary options and alternative invest - ments (eg, diamonds, wines, forests, etc), but was recently extended to websites irregularly marketing investments in crypto-assets and crypto-asset derivatives. The AMF also recently obtained an order from the Paris Court of Jus - tice which requested the closure of six internet addresses relating to three sites illegally offering alternative investments. In September 2022, the AMF removed Bykep (formerly Keplerk) from the list of registered DASPs following an investigation that showed serious malpractices and deficiencies in the implementation of the AML-CTF obligations. In April 2024, an affiliate of a French financial institution was fined EUR1 million for deficien - cies in its AML-CTF framework, particularly regarding its risk profiling and the implementa - tion of customer due diligence measures. Signif - icant enforcement actions against neobanks and innovative payment providers can be expected in the next few years, in relation to their imple - mentation of AML legislation. So far, most ACPR sanctions have targeted traditional banks and foreign fintechs.

256 CHAMBERS.COM

Powered by