1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

French fintech companies are subject to various regulatory regimes, depending on their activities. Where a company provides a regulated service, it must comply with a specific set of rules, which are the same for disruptive startups and well-established financial institutions. Some fintech startups are not subject to any specific rules, as their activities do not fall within the scope of any regulatory regime (eg, business-to-business technology providers developing white-label products).

The main regulatory regimes that govern the activities of fintech companies in France are as follows:

  • Payment service providers are subject to the regulations on payment services (which transpose the EU Second Payment Services Directive (2015/2366).
  • Neobanks and non-bank credit providers are subject to the regulations on credit and banking activities, as well as on payment services.
  • Insurtech startups are governed by the regulations on insurance, which derive from the Solvency II and Insurance Distribution Directives, and their transposition into French law.
  • Crowdfunding and crowdlending platforms are governed by a specific regulatory regime created in 2014.
  • Fintech startups that provide investment services are subject to the regulations on investment services, which mostly derive from the Second Markets in Financial Instruments Directive.
  • Startups whose activity involves digital assets are governed by a brand-new legal framework created by the PACTE Act of 22 May 2019.

1.2 Do any special regimes apply to specific areas of the fintech space?

While most players in the fintech space are subject to the same regulatory regimes as traditional financial institutions, some legal frameworks were specifically created to govern emerging fintech activities. The best examples are the regulations applicable to crowdfunding and crowdlending (2014), and the regulations on digital asset service providers (DASPs) and initial coin offering issuers (2019).

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

Fintech startups and traditional financial institutions are subject to the supervision of the Financial Markets Authority (AMF) or the Prudential Supervision and Resolution Authority (ACPR). Some large financial institutions are supervised by both.

The AMF's focus is the proper functioning of financial markets and the protection of investors: therefore, it mainly supervises investment service providers, asset managers, crowdfunding platforms and DASPs. The ACPR's primary purpose is to preserve the stability of the financial system through the supervision of the banking, payments and insurance sectors.

The AMF and the ACPR have similar powers. They elaborate the lowest level of regulation (ie, the technical regulations implementing the general provisions of French laws or European directives), which are then validated by the government. For example, the General Regulation of the AMF governs the activities of entities supervised by the AMF. The AMF and the ACPR also publish and update binding or non-binding guidelines and recommendations. In addition, both authorities grant authorisations to regulated entities and monitor these entities on an ongoing basis. Finally, both the AMF and the ACPR include independent bodies tasked with enforcing the regulations. These bodies may impose fines and disciplinary penalties pursuant to quasi-judicial proceedings.

1.4 What is the regulators' general approach to fintech?

Over the last few years, both the AMF and the ACPR have adopted an open attitude towards fintech – although the AMF is more vocal. This approach is supported by the French government, which launched the ‘La French Tech' brand in 2013 to promote French startups abroad.

Both authorities created fintech hubs – that is, internal teams dedicated to emerging business models and technologies. These teams advise fintech startups and help them to identify the proper regulatory regime for their activities. They are also directly involved in the elaboration of innovative legal frameworks. For example, the AMF's fintech team played a key role in the drafting of the regulations on DASPs – notably through consultation with players in the crypto-assets industry. In addition, the AMF and the ACPR created the Fintech Forum, a consultation and dialogue body between regulatory agencies and the fintech sector.

A recent notable fintech-related initiative is the announcement by the French Central Bank in December 2019 that a wholesale central bank digital currency will be developed and tested in 2020.

1.5 Are there any trade associations for the fintech sector?

The most prominent fintech-related organisation is France Fintech, which was created in 2015 and represents more than 160 startups. The crowdfunding and crowdlending sector is also represented by Financement Participatif France. The emerging digital assets industry is championed by the Association pour le Développement des Actifs Numériques, founded in January 2020.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

The French fintech industry is flourishing, at least on the fundraising side: fintech startups raised €699 million in 2019, according to France Fintech, compared to €365 million in 2018. The actual adoption of the products developed by fintech startups is harder to measure, as some companies focus on the business-to-business (B2B) market, while others market their products to consumers (B2C).

Over the last few years, some fintech sub-sectors have seen spectacular adoption among the general population: mobile payment apps (eg, Lydia), neobanks dedicated to startups and freelancers (eg, Qonto, Shine), group-gifting and personal fundraising apps (eg, Leetchi, LePotCommun) and innovative insurance companies such as Alan and Luko.

The crowdfunding and crowdlending sector has also become quite successful. Platforms such as Anaxago and Unilend are now commonly used by individuals seeking attractive yields, notably on small and medium real estate projects.

2.2 What products and services are offered?

The products and services offered by fintech startups are diverse and include both B2B and B2C products. The most notable are:

  • mobile payments;
  • neobanks;
  • bank-as-a-service platforms (ie, regulated payment service providers that allow other startups to use their infrastructure to provide payment services to their clients);
  • group gifting/personal fundraising;
  • bank account aggregators and personal finance apps;
  • equity crowdfunding and crowdlending;
  • innovative insurance products;
  • payroll processors; and
  • crypto-assets trading platforms.

2.3 How are fintech players generally structured?

Almost all French startups are structured as sociétés par actions simplifiées (simplified joint stock companies), a simplified corporate form which allows for greater flexibility and tailor-made corporate governance. Successful startups may subsequently need to transform into sociétés anonymes (public limited companies) or sociétés en commandite par actions (partnerships limited by shares), in particular as a prerequisite to an initial public offering or in order to obtain a banking licence.

Most startups also use extensively equity warrants (which grant a right to subscribe to shares of the company at a pre-agreed price) rather than issuing shares, as the legal requirements for capital increases are more complex. Equity warrants may be granted to both employees and founders under a preferential tax regime, or to external investors.

To facilitate fundraising by startups, a startup accelerator also created a modified equity warrant template called BSA Air, which is similar to the Simple Agreement for Future Equity. BSA Air provides greater flexibility to startups, as the subscription price of the shares to be issued is not specified at the time of the initial investment and may vary depending on the success of the company.

2.4 How are they generally financed?

Startups' initial funding generally comes from the founders themselves, and their friends and families. Newly created startups may also obtain small grants or loans from various public bodies, such as Bpifrance or the Paris municipal administration.

Additional funds are then raised from business angels and venture capital funds. Some asset managers specialise in fintech startups, such as New Alpha Asset Management.

2.5 How are they positioned within the broader financial services landscape?

Fintech startups are gaining market share and becoming increasingly popular in various fields, such as mobile payments and neobanks. Innovative products and services have also emerged thanks to fintech startups, such as bank account aggregators and group gifting and personal fundraising apps.

Traditional financial institutions are not staying idle, and have all launched digital versions of their products and notably simplified mobile-first bank accounts.

In any case, there is room for cooperation between incumbents and challengers. First, established financial institutions have created in-house fintech or insurtech incubators (eg, L'Atelier by BNP Paribas, Le Village by Crédit Agricole, Kamet by AXA, Swave by a consortium of financial institutions). Many fintech startups have also been purchased by financial institutions over the last few years. Notable startups such as Compte Nickel, Crédit.fr, KissKissBankBank, Leetchi, Pumpkin, Budget Insight, and Treezor were all bought by large French banks between 2015 and 2019. In addition, many fintech startups – and notably, those providing credit (either to individuals or to small companies) – need to partner with a regulated financial institution to be able to carry out their activities in compliance with the regulations.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Most fintech startups outsource know-your-customer procedures (ie, client identification and politically exposed persons and sanctions screening). However, startups generally develop their own back office infrastructure, as developing such infrastructure internally allows them to be more efficient and agile.

As regards the rules applicable to outsourcing, the main principle is that the regulated entity remains responsible towards clients and third parties, even if an operational function has been outsourced. The regulated entity must also implement measures to monitor the vendor's compliance with the regulations. In some cases, the outsourcing must also be notified to the regulator.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

Online commerce is mainly regulated by the transposition into French law of various EU directives. Most of the rules applicable to online commerce arise from the E-commerce Directive (2000/31/EC). In addition, rules applicable to distance contracts also govern online commerce (since e-commerce contracts are distance contracts). These rules are now included in the Consumer Rights Directive (2011/83/EU). Finally, the validity and enforceability of online contracts are reinforced by the regulations on electronic signatures (now included in Regulation (EU) 910/2014 of July 2014 on electronic identification and trust services for electronic transactions).

More specifically, the online sale of financial services is regulated by the transposition into French law of Directive 2002/65/EC on the distance marketing of consumer financial services. Most of the rules arising from this directive (which was amended) are now similar to those applicable to the distance marketing of non-financial services – for example, the consumer's right of withdrawal is now set at 14 days for all distance contracts.

The specific regulation of online commerce mostly focuses on the formation and execution of online contracts. Specific rules govern the information which must be provided to the client before an online contract is concluded. For example, the merchant or service provider is expected to provide, on its website, information such as its identity, address, contact details and value added tax number. Concerning the formation of the online contract, the E-commerce Directive defines various steps which must be followed by the merchant for a contract to be valid. One of these steps is known as the ‘double click' – that is, requiring the client to confirm an order twice, in order to ensure that the first confirmation was not a mistake.

Finally, one of the most important aspects of the regulations on online commerce is the 14-day period during which a consumer may withdraw from the online contract without penalty and without giving any reason. This period generally begins when the contract is concluded (for services) or when the consumer physically receives the ordered goods. Various exceptions to this right of withdrawal exist. One applies to services whose price depends on fluctuations in the financial market which cannot be controlled by the service provider, and which may occur during the withdrawal period.

(b) Mobile (m-commerce)

Generally speaking, mobile applications that facilitate the purchase of goods or services are governed by the regulations applicable to online commerce.

(c) Big data (mining)

The automated large-scale collection and analysis of data (known as ‘big data' or ‘data mining') is not regulated per se under French law. Various regulations deal indirectly with data mining, by limiting the ability of a service provider to extract and analyse data. The most notable is the General Data Protection Regulation (2016/679) (GDPR). However, the GDPR mostly applies to personal data – that is, information relating to an identified or identifiable natural person. When the data used in data mining contains no personal data, the limitations arising from the GDPR should not apply.

Companies that specialise in data mining should ensure that their processes are compliant with the GDPR (and Act 78-17 of 6 January 1978). Specifically, when personal data is collected and analysed, it is crucial to obtain the data subject's consent, both to the collection and to its purpose. The security of the storage and processing of personal data should also be ensured – for example, through the pseudonymisation and encryption of personal data.

(d) Cloud computing

The banking, payment and insurance industries rely heavily on the outsourcing of various operational processes to cloud computing service providers (eg, Amazon, Google and Microsoft). The increasing reliance of the European financial sector on foreign entities has recently given French and European regulators cause for concern. In 2017, the European Banking Authority (EBA) published its "Recommendations on Outsourcing to Cloud Service Providers. These recommendations were later included in the update of the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), which are fully implemented at the national level by the Prudential Supervision and Resolution Authority (ACPR).

The EBA guidelines require banking and financial institutions to enter into written agreements with their service providers (including cloud service providers). These agreements should notably include provisions detailing the reporting obligations of the service provider and the audit rights of the competent authorities.

In practice, the main cloud service providers are reluctant to enter into agreements which comply with the requirements of the EBA guidelines. This has prompted French and European banking and financial institutions to report these issues to their regulators. This review could lead to the drafting of a European regulation or directive determining standard contractual provisions which would be mandatorily included in agreements with cloud service providers.

(e) Artificial intelligence

The use of artificial intelligence (AI) by fintech companies is not in itself regulated in France. However, its development is closely followed by the regulatory authorities. The ACPR, in particular, published a discussion paper on the challenges of AI for the financial sector in December 2018, followed by a public consultation. In June 2020 the ACPR published another discussion paper on the governance of AI algorithms.

Although these documents do not focus primarily on the legal and regulatory aspects, several legal issues are identified. As in the case of big data, the main issue is the protection of personal data and how the GDPR applies to AI algorithms. The ACPR also seeks to monitor how financial institutions increasingly use AI to make strategic or commercial decisions, such as deciding to grant a loan or measuring the level of risk to which they are exposed.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Since the enactment of the PACTE Act in May 2019, certain activities involving digital assets are regulated. The ‘digital assets' category includes both cryptocurrencies (eg, Bitcoin and Ethereum) and tokens issued pursuant to initial coin offerings (ICOs) as long as they do not qualify as financial instruments.

Companies that provide cryptocurrency-related services may apply for a licence to the Financial Markets Authority (AMF). While this licence is optional, such companies are encouraged to apply, as obtaining a licence grants facilitated access to banking services and allows the licensed company to use mass advertising strategies. However, in order to comply with the requirements of the Fifth Anti-Money Laundering Directive (2018/843), digital asset service providers (DASPs) which provide custody services or buy or sell digital assets against legal currency are required to register with the AMF.

The PACTE Act also created an optional approval system for ICOs. Issuing tokens in France and selling them to French residents is allowed, but issuers are encouraged to apply to the AMF for approval. As regards licensed or registered DASPs, obtaining a licence grants extended advertising rights and facilitated access to banking services.

In return, licensed and registered DASPs and approved ICO issuers are fully subject to the anti-money laundering legislation.

In addition, the PACTE Act allows certain regulated alternative investment funds to directly purchase digital assets. However, these funds are legally required to appoint a depositary, whereas French depositaries are currently reluctant to provide custody services in relation to digital assets. In practice, the regulated investment funds focused on cryptocurrencies which have been created recently instead chose to purchase listed derivatives on digital assets, which qualify as financial instruments.

Finally, distributed ledgers or blockchains are not regulated per se in France. However, two government decrees of December 2017 and December 2018 allow the use of a blockchain for the issuance, registration and transfer of unlisted securities. Securities registered on a blockchain are legally identical to securities issued and registered using the traditional method. The AMF has been focusing on security tokens recently and in March 2020 published a discussion paper on the legal impediments to the development of security tokens. The AMF has suggested to the European Commission the creation of a Digital Lab, pursuant to which each national authority could selectively lift the requirements relating to various EU laws to favour the development of business models relating to security tokens.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Crowdfunding and crowdlending have been subject to a tailor-made regulatory framework since 2014. Issuers raising funds on a regulated crowdfunding platform are subject to lighter disclosure requirements under the Prospectus Regulation, up to an amount of €8 million.

Crowdlending also benefits from an exception to the banking monopoly, which normally prohibits entities other than licence banks from granting loans. Individuals are now allowed to grant loans on regulated crowdlending platforms, provided that certain caps are respected (regarding the duration of the loan, the amount lent per individual and the total amount of the loan). The PACTE Act also added another exemption which allows employees, managers, partners, clients and suppliers of a company to grant loans to each other in an amount of up to €30,000, in order to finance a personal project.

(b) Online lending and other forms of alternative finance

Generally speaking, online lending is subject to the same regulations as traditional lending: the entity granting the loans must obtain regulatory status that allows it to do so. On the other hand, alternative finance has developed significantly over the last few years and now offers additional options to individuals or companies that are willing to borrow. One of these options is crowdlending, which is described above. The others generally imply regulated alternative investment funds, which are increasingly allowed to purchase commercial loans or directly grant loans to companies (subject to various requirements). French law also facilitates the transfer of loans and receivables to dedicated investment funds (ie, pursuant to mechanisms related to securitisation).

(c) Payment services (including marketplaces that route payments from customers to suppliers (e.g., Uber and Airbnb)

Payment services are regulated in France pursuant to the transposition of the European directives on payment services, the last one being the Second Payment Services Directive (2015/2366) (PSD2). Under that regulation, the provision of payment services is a regulated activity which may be conducted only by a regulated payment institution, a bank or an electronic money institution. However, PSD2 allows companies to provide payment services without having to apply for regulated status in two situations:

  • The payment instruments used by the company allow the holder to acquire goods and services only in the premises of the issuer or within a limited network of service providers (the ‘limited network exclusion'); or
  • The payment instruments can be used only to acquire a very limited range of goods and services.

The emerging trend in payment services is without doubt open banking – that is, the ability for the clients of traditional banks to allow innovative companies to access their bank accounts and provide additional payment services.

Regarding marketplaces that route payments from customers to suppliers, these platforms are generally regarded as providing payment services and are thus required to obtain regulated status, unless they can benefit from one of the abovementioned exemptions, such as the limited network exclusion. These platforms generally partner with a regulated payment institution to handle the movement of cash or act as ‘agents' of the payment service provider (a regulated status under which the agent uses the infrastructure of the regulated entity to provide payment services to its own clients). The largest marketplaces (eg, Airbnb) can afford to create an in-house licensed payment institution to manage their payments within the European Union.

(d) Forex

Websites that allow individuals to trade in foreign currency have become popular during the last few years, which induced the Financial Markets Authority (AMF) and the legislature to update the relevant regulations.

First, while the spot purchase or sale of foreign currency is not subject to any regulation, derivatives based on a foreign currency qualify as financial instruments. Therefore, entities ‘selling' such derivatives are theoretically required to be licensed investment firms or banks. Operating a trading platform for such derivatives also qualifies as a financial service which may be provided only by an investment firm or another regulated entity.

In addition, in 2016 the rules restricting the advertising of financial services or products were tightened for products where the risk of loss is not known in advance and may exceed the initial investment. Binary options and contracts for difference on foreign currencies are directly targeted by that measure.

(e) Trading

The rules applicable to trading venues in France directly derive from the transposition of the Second Markets in Financial Instruments Directive (2014/65/EU) (MiFID 2). There are three categories of trading venues under the MiFID 2 framework: regulated markets, multilateral trading facilities (MTFs) and organised trading facilities (OTFs).

These three categories share a common definition: they are multilateral systems which bring together multiple third-party buying and selling interests in financial instruments in a way that results in a contract. The main differences between these categories are as follows:

  • Regulated markets must be authorised by a government decree on a proposal from the AMF and are operated by a market operator, while MTFs and OTFs may be operated by an investment firm;
  • Regulated markets and MTFs must apply non-discretionary rules, while OTFs are not subject to that requirement; and
  • Shares may not be listed on OTFs, which can only list debt securities, structured finance products, greenhouse gas emission allowances, derivatives and physically settled wholesale energy products.

All regulated trading venues are subject to the same set of obligations, which includes organisational and transparency requirements, and prohibits proprietary trading. Additional rules also apply to regulated markets and MTFs. In addition, the Market Abuse Regulation – which prohibits the unlawful disclosure of inside information and market manipulation – applies to all financial instruments, whether they are traded on a regulated market, an MTF or an OTF.

(f) Investment and asset management

The regulation of investment funds and asset managers derives from the transposition of two European directives: the Undertakings for the Collective Investment in Transferable Securities (UCITS) Directive (2009/65/EC) and the Alternative Investment Fund Managers (AIFM) Directive (2011/61/EU). The UCITS Directive mainly applies to the management and sale of mutual funds, while the AIFM Directive regulates alternative investment funds. Managing a collective investment scheme or an alternative investment fund generally requires an asset manager licence, which is granted by the AMF. In addition, most funds also need to be licensed by the AMF before the asset manager can market them to potential subscribers.

Various fintech startups have launched business models relating to asset management. These startups generally apply for an asset manager licence or partner with a licensed asset manager.

Finally, MiFID 2 also regulates separately investment advice and portfolio management. Portfolio management may also be provided by a licensed investment firm. In addition, financial investment advisers (a specific category created by French law) may also provide regulated investment advices without having to obtain an investment firm licence.

(g) Risk management

Risk management is a function which most regulated financial institutions must have, which means that a dedicated team must be created to manage risks in accordance with regulatory requirements. Fintech startups may provide tools to help regulated companies manage their risks better. However, risk management as a specific business model is not subject to specific regulation and is generally handled internally by regulated companies.

(h) Roboadvice

Roboadvice covers various services provided by fintech and insurtech startups. Regarding financial services, some roboadvisers help clients with their investment decisions, while others directly manage investments. With respect to insurance, some roboadvisers act as insurance brokers. Therefore, the services provided by roboadvisers may qualify as investment advice or portfolio management (which are regulated investment services), and the company operating the roboadviser must therefore be licensed by the Prudential Supervision and Resolution Authority (ACPR) or the AMF. In addition, companies operating roboadvisers which provide insurance services must be registered as insurance intermediaries.

In 2017 the AMF reminded that entities offering automated tools which provide clients with estimations of the performance of financial instruments are subject to the obligation to deliver clear, accurate and non-misleading information.

(i) Insurtech

The provision of insurance services is a regulated activity in France. Entities that provide these services must be licensed by the ACPR and are subject to a set of rules which depends on the type of insurance they provide (eg, life insurance, property insurance, annuities). Innovative actors in the insurance sector or ‘insurtechs' are not subject to simplified regulatory supervision, although all regulators apply the proportionality principle.

There are two categories of insurtechs in France. First, the number of independent insurtech companies has increased over the last few years. Alan, which has been licensed by the ACPR since 2016, raised €50 million in April 2020, after having raised €75 million between 2016 and 2019. Alan mostly markets health insurance products to startups, freelancers and small and medium-sized enterprises. Another prominent French insurtech is Luko, a home insurance startup which raised €20 million in 2019. Luko is not licensed as an insurance undertaking by the ACPR and acts an intermediary for licensed insurers.

Second, most French insurers have launched internal insurtech projects. These projects generally focus on using technology and data to simplify the insurance process and make it more user friendly. For example, in 2017 Axa launched Fizzy, a flight delay insurance service built on the Ethereum blockchain (this project was discontinued in 2019). In 2019 Axa announced a partnership with US startup Assurely to launch CrowdProtector, an insurance product dedicated to equity crowdfunding and security tokens issuers and investors. Société Générale also launched Moonshot-Internet, an insurtech specialised in the insurance needs of internet retailers.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

Data protection rules applicable in France arise from the General Data Protection Regulation (2016/679) (GDPR), which is directly applicable in France. The GDPR regulates the collection and processing of personal data, and specifies the rights of persons whose data is collected.

The key principles of the GDPR are as follows:

  • Personal data may be collected only with the agreement of the persons whose data is collected or if its collection is necessary for the performance of a contract or compliance with a legal obligation;
  • The amount of data collected should be reduced to a minimum when possible and stored for a reasonable duration;
  • The data must be accessible only by company employees whose functions require such access;
  • The persons whose data is collected have the right to access, rectify and erase their data; and
  • The company collecting personal data must implement adequate security measures.

The GDPR also regulates cross-borders transfers of data. Generally speaking, personal data shall not be transferred to non-EU countries unless the third country is considered by the European Commission to offer the same degree of protection or adequate guarantees are implemented.

Although the GDPR is directly applicable, French law provides for some additional rules and procedures. The Commission Nationale de l'Informatique et des Libertés (National Commission on Informatics and Liberty) is the national authority which monitors data privacy issues and may impose sanctions on non-compliant entities.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

The regulation of cybersecurity arises from the transposition of the Network and Information Security Directive (2016/1148). The key obligation is the duty of entities designated as ‘operators of essential services' to notify the Agence nationale de la sécurité des systèmes d'information (National Cybersecurity Agency of France) of any security breach or incident.

Most regulated financial and banking institutions are considered as operators of essential services, which means that fintech companies that provide regulated services will normally be regarded as operators of essential services under this regulation.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

All regulated financial institutions are subject to the anti-money laundering legislation arising from the transposition of the Anti-money Laundering Directives (2015/849 and 2018/843). These directives directly derive from the recommendations of the Financial Action Task Force.

Fintech companies must comply with the anti-money laundering legislation as soon as they have obtained regulated status. French law does not exempt small regulated companies from any anti-money laundering requirements, although the French regulators apply a ‘proportionality principle', which states that the level of complexity of the procedures implemented by a regulated actor depends on its size and activities.

Fintech companies are directly affected by the rules related to the online onboarding of clients. Under the existing anti-money laundering legislation, when a regulated entity is unable to physically meet a client for onboarding, additional due diligence measures must be implemented. Most of the time, entities comply with these measures by simply asking the client to provide a second identification document and send its first payment or deposit from a bank account opened with a bank located within the European Union or European Economic Area, or in a third country regarded as having a high standard of anti-money laundering. However, regulated entities whose business model does not involve receiving payments or deposits from clients (eg, a digital asset custodian) may struggle with the implementation of these measures.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

No specific rules relating to competition apply directly to the fintech sector. However, the French antitrust regulator (Autorité de la concurrence) has launched a public consultation on fintech and may suggest changes to the French legislation when the results of that consultation are made public.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Innovation in the fintech space may be protected by a variety of IP rights, including patents, copyright and database rights.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

France incentivises innovation by providing grants and loans to fintech startups, as well as facilitating communication between these actors and the regulators, which have created dedicated fintech hubs. In addition, innovation in the financial sector is a priority of the European Commission. The adoption of the Second Payment Services Directive, which promotes the development of open banking, is an example of the focus of the European Union on fintech innovation.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Under French law, employees have extended rights, which include:

  • the right to a statutory notice period;
  • the right not to be unfairly dismissed; and
  • various types of family leave.

Employees are protected against discrimination. The self-employed have minimal rights, even if they regularly work for the same company.

However, the development of the gig economy has led to various court decisions on the criteria used to qualify the existence of an employment relationship. Several self-employed Uber drivers and Deliveroo riders have obtained court decisions establishing that their relationship with the company was similar to an employment contract, and that they should have benefited from the rights typically granted by French law to employees. Therefore, fintech startups which outsource various tasks to freelancers should be aware of that risk and ensure that their freelancers either have several clients or are not ‘subordinated' to them.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

European Economic Area (EEA) and Swiss nationals have the right to live and work in France under the freedom of movement principle.

For non-EEA/Swiss nationals, visitors' visas are available for those engaging in a limited number of permitted work-related activities for a short period. Long-term visas are available for those wishing to engage in activities for a longer period.

In addition, the French Tech Visa has been created to grant entrepreneurs, investors, researchers and skilled professionals a four-year renewable residency permit.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The French fintech industry seems to be doing well and does not seem to have been overly affected by the COVID-19 pandemic. During the first half of 2020, French fintech startups raised €455 million despite the pandemic, compared to €699 million for the full year 2019. In addition, fintech startups are supported by a network of dedicated incubators, business angels, venture capital funds and trade organisations. The government and the regulators also support financial innovation, although obtaining the necessary licences to provide regulated financial or payment services is not easier for startups.

The prominent trends of the last few years have been:

  • digital assets (for which a dedicated regulatory framework was created by the PACTE Act in May 2019);
  • open banking (which was boosted by the transposition of the Second Payment Services Directive); and
  • neobanks (which are rapidly gaining market share, notably among freelancers, startups and young professionals).

The major anticipated development in the regulation of fintech is the preparation by the European Commission of a regulatory package dedicated to digital assets. Sources indicate that the first draft of this upcoming legislation will be published in Autumn 2020. We expect that this legislation will cover security tokens and will waive for these instruments certain requirements arising from other European directives or regulations, as the Financial Markets Authority suggested in its March 2020 consultation paper. Finally, we expect that this regulatory package will create a regime for stablecoins, whether it includes them in the definition of ‘electronic money' or creates a tailormade framework for them.

Other anticipated developments include ongoing tests on central bank digital currencies carried out by the French Central Bank, for which intermediary results should be announced before the end of 2020.

Finally, a potential tightening of the regulation of outsourcing to cloud providers is expected in the next few years, since large financial institutions seem to rely too heavily on large US technology companies.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

The main advice for fintech player seeking to launch their business in France is to conduct a regulatory assessment of their project as early as possible. Although both the Financial Markets Authority (AMF) and the Prudential Supervision and Resolution Authority (ACPR) support financial innovation and have created fintech hubs, providing regulated investment, payment or banking services in France without the requisite licence or registration is forbidden. Therefore, regulatory and compliance costs should be taken into account in the business model, and newcomers should be aware that obtaining a licence usually takes between four and 12 months.

Fintech companies which already possess a licence to provide regulated services in another EU or European Economic Area country can also use the ‘passport' mechanism to provide services in France, without having to apply for a licence to the ACPR or the AMF.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.