I OVERVIEW

In addition to the implementation of recent EU regulations (such as PSD 2 and GDPR), France has recently adopted new regulations relating to, in particular, crowdfunding and the issuance and transfer of certain non-listed securities through a DLT.

Even though there is no ‘sandbox’ approach available in France (i.e., no new financial technologies can develop outside any regulation or benefit from a tailor-made regulatory regime), France is rather fintech-friendly.

The French banking regulator (ACPR)2 and the French financial markets regulator (AMF)3 launched a joint initiative in 20164 in order to accompany the fintech start-ups in their licensing process.

In addition, a Fintech forum has also been set up in order to foster dialogue between various stakeholders. These are public authorities such as the Ministry for the Economy and Finance,5 regulators such as the ACPR, the AMF, the data protection authority6 (CNIL) and the French National Cybersecurity Agency (ANSSI),7 companies and their lawyers. Meetings are generally held every quarter and address subjects from various perspectives.

ii REGULATION

i Licensing and marketing
Licensing

There is no special fintech licence in France; either the relevant service is regulated, and in that case the service provider must hold a licence, or the service is not regulated and in that case no licence is necessary.

In practice, most fintech companies provide regulated services and are regulated (either they apply for a licence in France or they benefit from an EU passport (see Section II.iv)).

In addition to the existing EU regulatory statuses (such as credit institutions, payment institutions, investment firms, management companies or insurance intermediaries) there are national statuses available in France to fintech companies provided that they meet the relevant requirements, such as independent financial advisers,8 intermediaries in banking transactions9 or intermediaries in crowdfunding activities.10

For instance, an automated digital advisory company may be regulated under different statuses depending on the type of clients it has and whether it provides other services. If the underlying product is a life insurance policy, the company can be regulated as an insurance intermediary (such as an insurance broker). If the company only provides investment advice, it can be regulated as an independent financial adviser or an investment firm, but if it provides other regulated investment services, it must be regulated as an investment firm. If the company can manage assets on behalf of the client, then it must be registered as a portfolio management company.

Marketing

The marketing of financial products or services is regulated. There are rules relating to the sale of the products themselves and specific rules where marketing is performed through solicitation activities. In addition and as a matter of principle, entities are generally prohibited from advertising without an appropriate licence.

ii Overview of the rules relating to the products

Offering transferable securities (such as shares and bonds) to the public in France is prohibited without an approved prospectus, unless an exemption applies. Specific rules apply to funds (UCITS or AIFs within the meaning of the EU directives).11 Other regulations may apply to the marketing of loans.

In addition, the new EU Regulation PRIIPS12 applies as of 1 January 2018 to various structured products targeted at retail investors and it aims to increase the transparency and comparability of such products through the issue of a standardised short form disclosure document.

iii Solicitation rules

Solicitation activities13 are defined as any unsolicited contact (i.e., contact that has not been previously requested by the customers), by any means, with identified individuals or legal entities, where this contact is initiated and conducted with a view to obtaining customers’ consent to, in particular, the conclusion of a transaction on financial instruments, the conclusion of a banking transaction or an investment service or a related transaction or service. The scope of transactions and services caught by the solicitation rules is broad.

Solicitation activities will be considered as being carried out in France if they target French investors. The terms ‘contact by any means’ should be broadly interpreted, for example, including contact by email, telephone, internet and solicitation can be constituted even if this behaviour has not been repeated on a regular basis.

iv Cross-border issues

Regulated activities can be passported from another jurisdiction into France provided that the activities (1) are carried out by a company licensed in an EU (or an EEA) jurisdiction to provide such services and (2) comply with the formal passporting requirements (e.g., the company has to provide the home regulator with relevant information and unless the home or host regulator raises any objection, the company can be passported into France and start its activities).

Services passported in France can be provided either on the basis of the freedom of establishment (which means that the company needs to set up a branch in France) or of the freedom to provide services (i.e., no establishment in France).

The benefit of the EU passport is only available to those services that are subject to an EU directive or regulation.

If the company benefits from a ‘local’ licence in another EU jurisdiction, it cannot rely on any passporting regime and must be also licensed in France if it wants to provide services in France.

There could be exemptions for reverse enquiry situations (i.e., where contact has been instigated by a client to obtain information about a product or service).14

iii DIGITAL IDENTITY AND ONBOARDING

On 5 January 2018, the Minister of Interior Affairs announced the launch of a unified digital identity process for all French citizens, foreign individuals legally resident in France and French companies, which would be effective in September 2019. This process would be integrated within the already existing digital platform of the French state and ‘France Connect’, a platform set up in June 2016 that offers a global system of identity management for online government services. The unified digital identity process would be designed so that it could be used for public services as well as for private entities.

Fully digitised onboarding of clients is possible provided that the relevant company (1) performs the know-your-customer requirements to which it may be subject and (2) has set up a process for electronic identification (in particular accordance with the eIDAS Regulation).15 In addition, a recent ordinance16 has clarified the rules relating to the digital transmission of pre-contractual and contractual information in the financial sector, which should also foster fully digitised onboarding of clients.

IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES

As a preliminary remark, a fintech project may fall within the scope of the AIFM Directive if the relevant entity (1) raises capital from a number of investors, with a view to investing it in accordance with a defined investment policy for the benefit of those investors and (2) is not a UCITS.17 The requirements are quite burdensome and fintech projects do not generally aim to fall into the definition of ‘alternative investment funds’. The French legal framework relating to, in particular, the banking monopoly and the scope of the public offer of securities has recently been modified to allow crowdfunding activities.

i Crowdfunding

In France, to foster the development of crowdfunding in a secure environment for contributors (lenders, investors or donors), the public authorities have amended the regulations and created two new ‘light’ regulatory statuses for crowdfunding platforms: crowdfunding adviser and crowdfunding intermediary.

ii Crowdfunding adviser

A platform for crowdfunding via the subscription of financial securities issued by an unlisted company must be registered in the ORIAS register (i.e., a register for financial intermediaries, including insurance intermediaries, intermediaries in banking transactions, etc.) as a crowdfunding adviser (CIP). Their activities consist of providing investment advice, as their regular activity, on plain vanilla capital and debt securities (ordinary shares, fixed rate bonds and convertible bonds). The activities must be conducted by means of a progressive-access website, fulfilling the characteristics laid down by the AMF. In order to benefit from the exemption to the publication of a prospectus, the amount issued shall not exceed €2.5 million.18

Such a platform may also opt for the status of investment services provider (ISP) providing investment advice services, in which case it must be licensed by the ACPR. Such platforms are regulated by the AMF alone in the case of CIPs and by the AMF and the ACPR jointly for ISPs.

iii Crowdfunding intermediary

If the website proposes to fund projects under the form of a loan with or without interest, the platform must be registered in the ORIAS register as a crowdfunding intermediary (IFP). We will focus in the rest of this paragraph on the intermediation of loans stipulated with or without interest, and granted to professionals (i.e., individuals acting in a professional capacity or commercial companies) by individuals not acting for professional purposes.19 With a view to protecting lenders, the amount lent shall not exceed €2,000 per lender and per project where the loan is granted with interest and €5,000 where no interest is stipulated. The total amount borrowed shall not exceed €1 million.

IFPs are regulated by the ACPR.

According to publicly available statistics, France has around 100 crowdfunding platforms and is now the second largest crowdfunding market in Europe. Market consolidation is expected as a result of strong competition between the platforms.

iv Payment services

The EU Directive 2015/2366 on payment services in the internal market (PSD 2) has been implemented into French law and applies as from 13 January 2018. Two new payments services are now available: payment initiation and account information services.

V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS (ICO)

Blockchain technology is not regulated as such. Cryptocurrencies do not have a specific status under French law.20

However, the following two elements should be noted.

There has been a recent change to French securities law so that securities that are not traded via a central securities depository and a securities settlement system can be represented and transmitted using distributed ledger technology (DLT).

There is also a potential new framework for ICOs, following a recent consultation launched by the AMF.

i Use of DLT for securities that are not traded via a central securities depository and a securities settlement system

A recent law21 granted the government powers to reform securities law so that securities that are not traded via a central depository and a security settlement system can be represented and transmitted using a DLT. An ordinance was published in November 201722 following a public consultation and will enter into force upon publication of the decree to be published by 1 July 2018. The decree will specify the technical conditions applicable to this new regime.

In summary, an issuer of debt securities, commercial paper, units or shares of a fund or unlisted securities could decide to register such securities in a DLT (which would facilitate the transmission of such securities). That said, it is expected that the pending decree will clarify certain aspects (in particular, how a pledge can be taken on securities registered in a DLT and whether the operator of the DLT will be regulated).

It is to be noted that this reform had been preceded by a more limited one in 2016 (in terms of scope), as in April 2016 an ordinance authorised the issuance and transfer of certain types of promissory notes called ‘minibons’ in a DLT.23 Minibons can be issued through the website of a crowdfunding adviser or an ISP (see Section IV.ii).

ii Potential new framework for ICOs

The AMF has recently published a consultation paper24 on ICOs aimed at gathering the views of stakeholders on the different means of supervision. The AMF has also launched a programme involving the support and analysis of ICOs, called UNICORN.25

During an ICO transaction, participants receive tokens issued by the project initiator, in exchange for their investment in cryptocurrency or legal tender currency. Depending on the transactions observed, these tokens do not automatically confer the same rights on their purchasers (user rights on services developed, financial or governance rights on the project, etc.).

In principle, tokens do not have the same characteristics as securities. Nevertheless, in light of the disparate nature of ICOs and tokens issued through these transactions, any regulation that currently applies to these operations in France can only be determined on a case-by-case basis.

According to the AMF ‘most of the offerings of which the AMF is aware appear not to be covered, in principle, by the rules that fall under the remit of the AMF, particularly those that govern public offer of “financial securities”, equity crowdfunding, collective investments or intermediation in miscellaneous assets’.26

Following numerous responses received by stakeholders (more than 80) and the publication of a synthesis of the responses to the consultation,27 the AMF is likely to adopt a position with respect to ICOs.

If the tokens can be characterised as financial securities because of their characteristics, the legal framework for prospectuses should apply to the extent that the tokens are offered to the public.

In the other cases (tokens that cannot be characterised as financial securities), the AMF may develop a specific framework such as (1) promoting a good practice guide under existing law or (2) proposing new legislation suited to ICOs (with one sub-option consisting in a compulsory regime and another sub-option consisting in an optional authorisation regime).28

Under the potential new optional regime, ‘ICO originators could decide, on an optional basis, to request a marketing authorisation from the AMF, which would then issue its “approval”, or to not submit an application to the AMF. Non-formally authorised offerings would not be banned but, if they are presented in France, should contain a mandatory disclaimer clearly stating this absence of AMF approval.’29

This sub-option was supported by almost two-thirds of respondents to the consultation.30

As of today, the AMF has decided to continue to work on the definition of a possible legal framework tailored to ICOs by specifying the appropriate information and guarantees that are necessary.

Nevertheless, the ACPR and the AMF also jointly issued a warning in December 2017 to clients about the risk of investing in Bitcoin (even though such assets do not strictly fall into the supervision perimeter of those authorities).

iii AML rules

Following the implementation in France of the Fourth AML Directive 2015/849,31 platforms for the exchange of cryptocurrencies shall in particular be subject to anti-money laundering rules.32

VI OTHER NEW BUSINESS MODELS

A new regime applies as of 1 January 2018 to operators of online platforms33 (such as, for instance, marketplaces or websites comparing products). Operators of online platforms must provide customers with clear, accurate and transparent information and are therefore subject to various disclosure obligations. In this respect, they must specify the listing and delisting conditions of the contents, the criteria for the classification of the contents, as well as whether there is an equity-based relationship or a remuneration of their profit that might influence the classification or the listing of any of the contents.

VII INTELLECTUAL PROPERTY AND DATA PROTECTION

i Intellectual property

In France, business models cannot be protected by intellectual property rights (copyright or patent),34 which means that fintech companies cannot protect their business models.

France has implemented the European Directive of 14 May 1991 on the legal protection of computer programs. Therefore, software can be protected by copyright, not by a patent. Software is automatically protected by copyright, provided that it meets the originality requirements. If the patentability of software is excluded as a matter of principle, such protection may be granted where the software constitutes ‘a step in an industrial process and/or in the operation of a system’.35

Software created by one or more employees in the performance of their duties or following the instructions given by their employer belongs to the employer to which all the rights of authors are vested (unless the employment contract provides otherwise).

ii Data protection

As of 25 May 2018, the EU General Data Protection Regulation 2016/679 (GDPR) will apply in particular to the processing of personal data if the fintech company is based in France or outside the EU and offer goods or services, or monitor the behaviour of data subjects in France.

As part of this new regulation, the fintech companies subject to the GDPR (either as ‘data controllers’ or as ‘data processors’) will have to comply with a large number of obligations, which relate for example, but are not limited, to (1) the principles applying to the processing of personal data, for example, lawfulness, fairness, transparency, purpose limitation, data minimisation and ‘privacy by design’, accuracy, storage limitation, security, confidentiality, etc.; (2) the ability of the controller to demonstrate compliance with such principles (accountability); (3) the obligation to identify a legal basis before the processing (special requirements apply to certain specific categories of data such as sensitive data); and (4) data subjects’ rights (e.g., transparency, the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object to a processing).

The upcoming application of the GDPR has compelled many fintech companies to launch comprehensive GDPR compliance programmes, including data mapping efforts, gap analysis and implementation programmes (e.g., by way of amendment of current internal processes, contracts, software’s technical characteristics, etc.).

GDPR also provides for rules relating to profiling activities.36 Profiling involves three elements: (1) it has to be an automated form of processing, (2) it has to be carried out on personal data and (3) the objective of profiling must be to evaluate aspects about an individual.

Under GDPR, fully automated individual decision-making,37 including profiling, that has a legal or similarly significant effect is prohibited unless limited exceptions apply. Automated processing will be deemed to significantly affect an individual in the following scenarios: online advertising solely based on automatic processing means where the individual being targeted is vulnerable (e.g., children, minority group) or differential pricing where higher prices effectively bar individuals from certain goods or services.

Fintech companies must ensure, as part of their GDPR compliance programmes, that suitable measures are in place to safeguard the rights and interests of individuals.

VIII YEAR IN REVIEW

The Fintech Innovation Hub launched by the ACPR has addressed one of the most significant barriers to entry for fintech companies, which lies in the spread of and knowledge about financial regulation ‘which may sometimes be very complex, especially for entrepreneurs that did not work in the financial sector before’.38 Since the launch of the Hub in June 2016, more than 200 financial players have been offered a meeting or a call with the Hub.39 Since the ACPR Hub welcomes fintech at the early stages, it is able to identify promptly evolving market practices and new business models. As of June 2017, 42 per cent of the companies met were payment institutions or neobanks, 20 per cent were crowdfunding platforms, 10 per cent were blockchain or technology projects and 10 per cent were advisory services in financial investment and life insurance.40

Since the beginning of the UNICORN programme launched by the AMF for ICOs, the AMF has met more than 20 undertakings. As of 19 February 2018, the total amount raised or planned to be raised by the project developers that met the AMF was around €350 million. The AMF’s discussions have shown that tokens issued as part of the examined ICOs vary considerably from project to project. Most of the tokens were utility tokens, giving the holder the right to use the technology or services distributed by the ICO promoter.41

With regard to payment services providers, the introduction of two newly regulated services (payment initiation and account information) by PSD 2 requires access for new actors (third-party providers) to the accounts held by other PSPs (such as traditional credit institutions). This means that existing credit institutions would have to open access to their clients’ data. This should foster open banking. In France, these new actors (which were unregulated before PSD 2) are quite active and can provide other services to their customers such as investment advice, accounting, etc.).

IX OUTLOOK AND CONCLUSIONS

In terms of regulatory developments for the following year, there is particular focus on the implementation of both PSD 2 and GDPR, which will give more rights to consumers. All participants (both existing financial institutions and new fintech companies) will have to comply with the new data protection rules.

It remains to be seen whether the reform of the securities law will really be a game changer for non-listed securities (in particular for the distribution of units or shares of funds through a DLT). The decree that specifies the technical details has not been published yet.

There is potential new regulation for ICOs as France is keen to attract ICO projects. The AMF is likely to try to find a balance between protecting customers and fostering innovation.

In terms of market activity, many fintech companies may decide not to compete directly with existing players but to cooperate with them. The financial sector is quite mature in France and the market shares of fintech companies is rather limited for the moment. The cooperation may take the form of partnerships or equity stakes. In any case, all existing actors in the banking, asset management or insurance sectors acknowledge the impact of digitalisation on their activities and the need to innovate.

1 Eric Roturier is a senior associate at Allen & Overy LLP. The author would like to thank Marianne Delassaussé (a senior associate in the intellectual property and litigation department at Allen & Overy LLP in Paris), Faustine Piechaud (an associate in the data protection department at Allen & Overy LLP in Paris) and Paul Vandecrux (an associate in the public law department at Allen & Overy LLP in Paris) for their assistance in the production of Section VII of this chapter. The author would also like to thank Didier Warzée, a member of the ACPR’s Fintech Innovation Hub, for being available to discuss the activities of the Fintech Innovation Hub.

4 Pôle FinTech-Innovation at the ACPR and Division Fintech, innovation et compétitivité at the AMF.

5 Direction générale du Trésor.

6 The Commission nationale informatiques et libertés.

7 The Agence nationale de la sécurité des systèmes d’information.

8 ‘Conseiller en investissements financiers’.

9 ‘Intermédiaire en opérations de banque et en services de paiement’.

10 ‘Conseiller en investissements participatifs’ or ‘Intermédiaire en financement participatif’.

11 Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) and Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers (AIFM).

12 Regulation (EU) 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products.

13 Article L. 341-1 of the Monetary and Financial Code.

14 In particular since the entry into force of MiFID II under French laws as of 3 January 2018.

15 Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.

16 Ordinance No. 2017-1433 of 4 October 2017 relating to the dematerialisation of contractual relationships in the financial sector.

17 Article L. 214-24-I of the Monetary and Financial Code.

18 Article D. 411-2 of the Monetary and Financial Code.

19 Article L. 548-1 et seq. of the Monetary and Financial Code.

20 Only euros are legal tender in France in accordance with Article L. 111-1 of the Monetary and Financial Code.

21 Article 120 of the Transparency, Anti-Corruption and Economic Modernisation Act 2016-1691 of 9 December 2016.

22 Ordinance No. 2017-1674 of 8 December 2017.

23 Ordinance No. 2016-520 of 28 April 2016.

25 Universal Node to ICO’s Research & Network.

26 AMF ICO consultation, page 7.

28 See AMF ICO consultation, page 15.

29 See AMF ICO consultation, page 15.

30 See synthesis of the responses to the AMF ICO consultation.

31 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

32 Article L. 561-2-7° bis of the Monetary and Financial Code provides that ‘any person who, as a regular occupation, acts as counterparty or as an intermediary for the purchase or the sale of any digital instrument representing non-monetary units of value, which can be stored or transferred in order to purchase goods or services (but which does not represent a claim against any issuer)’ shall be subject to the AML rules.

33 Articles 111-7 et seq. of the Consumer Code.

34 In accordance with Article L. 611-10 of the Intellectual Property Code.

35 CA Paris, 4° ch., 15 June 1981, PIBD 1981, III, 175; Ann. 1982, 24, note Mathély.

36 Article 4(4) of GDPR defines ‘profiling’ as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’.

37 Articles 21 and 22 of GDPR.

38 Joint answer from Banque de France and ACPR to the European Commission’s Public consultation on Fintech: a more competitive and innovative European financial sector: https://acpr.banque-france.fr/sites/default/files/medias/documents/20170615_reponse_consultation_europe_0.pdf.

39 According to Didier Warzée, member of the ACPR’s Fintech Innovation Hub.

41 See synthesis of the responses to the AMF ICO consultation.