AML Compliance Guidelines: France

France, famous for its rich arts, culture, fashion, and tourism industries, is the second-largest economic power in the EU. Alongside Germany, France is the driving force shaping foreign policy and driving reforms in the Union, often dubbed in media as the “Franco-German Engine.” However, France faces significant money laundering and terrorism financing (ML/TF) risks, mainly due to its complex and large financial system, high-value industries, strategic location, and open economy.

Despite implementing a robust anti-money laundering (AML) and countering financing of terrorism (CFT) framework, the challenges persist. Key sources of illicit funds are tax evasion, drug trafficking, organized crime, and corruption, mostly laundered through the banking sector, real estate, and the trade of luxury goods.

Overview of AML and Sanction Regulatory Framework in France

France’s AML regulatory framework is governed by the French Monetary and Financial Code (Code Monétaire et Financier). This primary legislation is reinforced by the guidelines issued at the EU level and the general regulations provided by the AMF. The AMF (Autorité des Marchés Financiers) and ACPR (Autorité de Contrôle Prudentiel et de Résolution) are the main supervisory bodies that monitor AML/CFT compliance of the obliged entities. Obliged entities are required to conduct customer due diligence (CDD) and report suspicious transactions to the TRACFIN (Traitement du renseignement et action contre les circuits financiers clandestins) —  the financial intelligence unit (FIU) of France. Moreover, the National Sanctions Committee enforces compliance with the France sanctions regulations. Moreover, the collaboration between local agencies, EU bodies, and international organizations enhances the overall effectiveness of the regulatory framework.

TRACFIN

TRACFIN (Traitement du renseignement et action contre les circuits financiers clandestins), established in 1990, is the French Financial Intelligence Unit (FIU) and operates under the authority of the Ministry of Finance and Economy. Tracfin is also one of the specialized intelligence services of the first-tier intelligence community of France, as defined in Article R811-1 of the Internal Security Code. This dual identity gives Tracfin extensive powers and expertise to analyze and investigate financial crimes. Tracfin is responsible for fighting the underground banking system, money laundering, and terrorist financing in the country. In a nutshell, the major role of Tracfin is to collect suspicious activity reports from the obliged entities and investigate and disseminate verified reports of suspicious behavior to law enforcement and judicial authorities. However, Tracfin can’t collect or process information from private individuals.

AMF

Financial Markets Authority (AMF — Autorité des Marchés Financiers) is the principal financial regulatory body that oversees financial market infrastructure, financial intermediaries (providing investment management and investment advice), listed companies, digital asset service providers (DASPs), token issuers (ICOs). AMF drives regulatory changes by actively participating in many European and International bodies. It enacts rules to enforce the law, known as General Regulation. AMF also publishes a policy consisting of instructions, guidelines, and recommendations to assist regulated entities in interpreting and implementing General Regulations.

ACPR

The French banking and insurance supervisory authority is the Prudential Control and Resolution Authority (ACPR — Autorité de Contrôle Prudentiel et de Résolution). ACPR monitors these sectors to ensure that they fulfill their obligations to prevent money laundering and terrorist financing and their obligations regarding EU and UN sanctions. ACPR carries out onsite and offsite inspections and imposes administrative sanctions as a result of any assessed discrepancies.

Regulated Entities

As per Article 13(L). 561-2 of the Monetary and Financial Code, the following entities are subject to AML/CFT obligations:

• Financial Institutions
• Banks
• E-money Institutions
• Payment Institutions
• Credit Institutions
• Asset Management Companies
• Investment Service Providers
• Crowdfunding Platforms
• Real Estate Activity (EUR 10,000)
• Insurance Companies and Intermediaries
• Gaming and Betting Operators
• Online Casinos
• Traders of Works of Arts (EUR 10,000)
• Trading in Precious Metals and Precious Stones (EUR 10,000)
• Accountants & Auditors
• Lawyers, Notaries and Commissioners of Justice
• Furniture Auction Operators (EUR 10,000)
• Credit Managers
• Clerks of Commercial Courts
• Sports Agents
• Bureau De Change (Currency Exchange)

Key Elements of AML Compliance in France

Risk-Based Approach (RBA)

• The first step in a risk-based approach is to identify, assess, and classify risks by level (e.g., low, medium, high)
• When identifying risk, an obliged entity must consider risks associated with different categories of products, customers, and countries.
• When assessing risks, obliged entities must consider the results of EU-wide supranational risk assessment, national risk assessment (NRA,) and internal risk assessment of the obliged entity.
• The level of due diligence will be based on the risk classification

Customer Due Diligence (CDD) France

Obliged entities are required to perform due diligence measures appropriate to the risk level when establishing a business relationship or performing an occasional transaction. These customer due diligence obligations include:

• Identity customer, beneficial owner, or representative of the customer
• Verifying the identity of the customer, beneficial owner, or representative of the customer
• Assess the nature and purpose of the  business relationships or occasional transactions or obtain further information if required (particularly to build the risk profile of customers or analyse transactions)
• Continuously monitor and maintain updated knowledge and client risk profile.
• Monitor transactions and activities of the client throughout the business relationship, ensuring it aligns with the client’s updated knowledge and risk profile.

Simplified Due Diligence (SDD): If ML/TF risks are assessed as low, depending on the products and services offered, delivery channel used, and geographical connections like origin and destination of funds, the obliged entities can apply simplified due diligence measures. This means:

• Only identifying clients and beneficial owners
• Relaxing other requirements such as verification of identity and obtaining information about business relationships.

Enhanced Due Diligence (EDD): Obliged entities are required to apply enhanced measures for identification, verification, and ongoing monitoring where the risk of money laundering or terrorist financing are assessed as high, including when:

• Client or beneficiary is a politically exposed person (PEP), a family member or close associate of a PEP
• Providing products or services that promote anonymity, such as private banking and bearer securities,
• Performing transactions linked to high-risk jurisdictions—EU list of high-risk third countries and FATF grey list or black list.

Reporting Obligation

Under AML/CFT Regulations, obliged entities are required to file a report with the TRACFIN, in case they have any reasonable grounds to suspect that a transaction or activity of a client involves risk of a punishable crime or terrorist financing. A suspicious activity report must be filed even if a transaction was attempted, including when an obliged entity fails to complete due diligence measures after establishing a business relationship.

Record Keeping

Obliged entities must maintain and retain records and documents of transactions, client identity, and due diligence activities up to five years after the closure or termination of an account. This data must be processed and retained in accordance with other personal data protection requirements, such as the General Data Protection Regulation (GDPR).

Regulatory Guidance and Industry Best Practices

AMF provides comprehensive guidelines to obliged entities on specific subjects like guidelines on the concept of PEPs, guidance on risk factors, guidance on CDD obligations, guidance on risk-based approach, and guidance on TRACFIN reporting. Although some of these guidelines are specific to AMF-regulated entities, most of these guidelines are generally applicable to all the obliged entities.

Jurisdictional Risk Assessment

Obliged entities should have policies and procedures in place to determine if their client is domiciled/registered in a high-risk jurisdiction or sends or receives funds generated in a high-risk country. This can be achieved by AML screening against several lists, such as:

• FATF “grey list”
• FATF “blacklist”
• List of high-risk third countries published by the European Commission
• Lists of countries subject to EU or UN sanction
• Lists of non-cooperative jurisdiction in tax matters commonly referred to as “Tax Havens.”

PEP Screening Requirements in France

Obliged entities should have policies and procedures in place to determine whether a client or beneficiary is a PEP, a close associate, or a family member of a PEP when establishing a business relationship or has become one subsequently. Only relying on a client’s declaration about PEP status is not sufficient, this will not discharge the obliged entity’s obligation. To this effect, an obligated entity should also consult publicly available information such as appointment notices, govt websites, or credible media sources.

Monetary and Financial Code’s (CMF) PEP definition includes any foreign or French national who is exposed to particular risks due to their current or former political, judicial, or administrative function and extends to immediate family members and close associates. CMF outlines a full list of these functions as well as relatives who qualify as immediate family members. However, identification of close associates is rather trickier, as it requires uncovering the ultimate beneficial owners behind legal persons as well as publicly available information.

French AML/CFT Advisory Board (COLB) assessed in its 2023 annual report that the luxury goods sector — watchmaking, jewelry, and goldsmithing products — are priority targets for DGCCRF’s supervision. These high-value and easily transportable goods are mainly intended for foreign clientele. The vulnerabilities associated with its mostly foreign clientele, possibly from high-risk countries or having PEP status, justify the strict scrutiny.

The absence of a uniform PEP definition, variations in risk levels among different levels of PEPs, and lack of a centralized database at the local or international level, particularly due to the diverse geographical origins of such persons, introduce significant challenges for obliged entities to identify and classify them effectively.

Adverse Media Screening

The foundational stone of a risk-based approach is risk assessment and classification. An obliged entity can’t ignore the presence of publicly available information that can significantly impact the risk profile of a customer. Any negative information would be a red flag and would require increased due diligence measures. Adverse media screening is not only necessary at the time of establishing a business relationship, but on an ongoing basis to meet the regulatory requirement to maintain an updated risk profile.

The European Banking Authority (EBA) requires that, among other factors, firms should consider information from credible and reliable open sources, such as reports in reputable newspapers, and information from credible and reliable commercial organizations, such as risk and intelligence reports, when assessing the ML/TF risks. Such sources are comprehensively covered in EBA’s The ML/TF Risk Factors Guidelines.

The goal of a comprehensive risk assessment can be achieved by coupling adverse media screening with other predetermined factors such as client risk, product/service risk, delivery channel risk, and geographical risks. Adopting a reliable solution allows screening against official sources like criminal records, watchlists, fitness and probity lists, bankruptcy records, press releases,and administrative sanctions lists, as well as reliable public sources such as credible news agencies.

Digital Assets Service Providers (DASPs)

France is one of the earliest countries to adopt a regulatory framework in the field of digital assets. Supervision of DASPs is shared between AMF and ACPR depending on the type of services provided by them. The 2023 annual report of the French AML/CFT Advisory Board (COLB) assessed that the risk of digital assets exploitation for criminal purposes is very high with regards to ML/TF risks, which necessitates strict monitoring of this industry.

After the introduction of the Markets in Crypto Assets (MiCA) Regulation, DASPs must obtain authorization and license from the competent authorities before starting their operations. It seeks to protect the interests of the investors, promote transparency, reduce uncertainty, and harmonize the regulatory framework in the crypto industry across the EU market. MiCA Regulation will be fully effective from 30th December 2024. MiCA extends the scope of AML/CFT to crypto service providers. Regardless of the type of authorization or license, DASPs must fulfill all AML-CFT and asset-freezing obligations. MiCA grandfathering period in France is 18 months.

Sixth AML Directive (6th AMLD)

EU Parliament and Council enacted Directive (EU) 2024/1640 of 31 May 2024, commonly referred to as 6th AMLD. This directive will come into force on 10 July 2027; at this point, the 4th AMLD will be repealed. This new directive will necessitate the regulation and registration of currency exchanges, check cashers, trust or company service providers, and gambling service providers.  Additionally, it contains provisions for granting access to beneficial owner information registers to obliged entities or other entities with legitimate interests in obtaining this information, such as journalists.

French Sanctions Regulations

Sanctions can take a variety of forms, such as asset freezes, travel bans, arms embargoes, and trade restrictions. The French Sanctions framework implements measures adopted at the local, EU, and UN levels.

• EU Sanctions: Restrictive measures adopted by EU Council Decisions are directly applicable in France after publication in the official journal of the EU.
• UN Sanctions: UNSC Resolutions are incorporated into local laws by the Monetary and Financial Code. However, authorities recommend taking in account freezing measures provided by UN Sanctions not yet transposed in local regulations.
• Autonomous French Sanctions: Article L.151-2 of the Monetary and Financial Code authorizes the government to impose sanctions to defend national interests. This was the basis of most French Sanctions before the implementation of the single sanctions framework at the EU Level. Additionally, under Article L.562-1 of the Monetary and Financial Code, competent authorities may decide to freeze assets belonging to natural or legal persons who commit or attempt to commit terrorist acts.

Scope of Sanctions: Every natural person in France and legal entities incorporated in French territory, regardless of their location, including French nationals abroad, must comply with the applicable sanctions in France.

Russia-Ukraine Developments: The frequency of updates in sanctions lists has dramatically increased in recent years, particularly in the wake of the Russia-Ukraine conflict. As of December 2024, the EU has imposed 15 sanction packages on Russia, targeting thousands of individuals and companies and different sectors like energy, telecommunication, transport, and technology. Rapid developments in the sanctions lists has only made it more difficult to ensure compliance in real time.

Regulatory Guidance and Best Practices: The Directorate-General for Treasury operating under the Ministry of Finance and Economy, is authorized to monitor compliance with sectoral and financial sanctions and resulting asset freeze measures. The Directorate-General for Treasury and ACPR have jointly developed guidelines for the obliged entities to assist them in implementing economic and financial sanctions.  These guidelines recommend implementing a comprehensive sanctions compliance program that should:

• Screen customers before establishing business relationships or carrying out an occasional transaction
• Impose asset-freezing measures as soon as new sanctions are published
• Have management systems that conduct sanctions screening in real-time
• Re-screen the entire customer base in the event of any update to the sanctions list
• Screen both the payer and beneficiary of any transaction (subject to the following exemption)

Instead of screening every transaction in real-time, Regulation (EU) 2024/886  requires payment service providers (PSPs) to screen their users periodically, at least daily, to meet obligations arising from targeted financial restrictive measures. Seeking to facilitate instant payments, this exemption is limited to euro-denominated payments carried out in the single euro payments area (SEPA).

If a transaction is potentially matched with a designated entity, it should be withheld until it is established as a clear false positive. Any true matches should be reported to the Directorate-General for Treasury or any other competent authority.

1. Monetary and Financial Code
2. Guidelines on the concept of PEPs
3. Guidance on risk factors
4. Guidance on CDD obligations
5. Guidance on risk-based approach