In addition to the implementation of recent EU regulations (such as PSD 2 and GDPR), France has recently adopted new regulations relating to, in particular, crowdfunding and the issuance and transfer of certain non-listed securities through a DLT. France has recently adopted a framework for initial coin offerings (ICOs) and a framework for providers of crypto services.
Even though there is no 'sandbox' approach available in France (i.e., no new financial technologies can develop outside any regulation or benefit from a tailor-made regulatory regime), France is rather fintech-friendly.
In addition, a Fintech forum has also been set up in order to foster dialogue between various stakeholders. These are public authorities such as the Ministry for the Economy and Finance,5 regulators such as the ACPR, the AMF, the data protection authority6 (CNIL) and the French National Cybersecurity Agency (ANSSI),7 companies and their lawyers. Meetings are generally held every quarter and address subjects from various perspectives.
i Licensing and marketing
There is no special fintech licence in France; either the relevant service is regulated, and in that case the service provider must hold a licence, or the service is not regulated and in that case no licence is necessary.
In practice, most fintech companies provide regulated services and are regulated (either they apply for a licence in France or they benefit from an EU passport (see Section II.iv)).
In addition to the existing EU regulatory statuses (such as credit institutions, payment institutions, investment firms, management companies or insurance intermediaries) there are national statuses available in France to fintech companies provided that they meet the relevant requirements, such as independent financial advisers,8 intermediaries in banking transactions9 or intermediaries in crowdfunding activities.10
For instance, an automated digital advisory company may be regulated under different statuses depending on the type of clients it has and whether it provides other services. If the underlying product is a life insurance policy, the company can be regulated as an insurance intermediary (such as an insurance broker). If the company only provides investment advice, it can be regulated as an independent financial adviser or an investment firm, but if it provides other regulated investment services, it must be regulated as an investment firm. If the company can manage assets on behalf of the client, then it must be registered as a portfolio management company.
The marketing of financial products or services is regulated. There are rules relating to the sale of the products themselves and specific rules where marketing is performed through solicitation activities. In addition and as a matter of principle, entities are generally prohibited from advertising without an appropriate licence.
ii Overview of the rules relating to the products
Offering transferable securities (such as shares and bonds) to the public in France is prohibited without an approved prospectus, unless an exemption applies. Specific rules apply to funds (UCITS or AIFs within the meaning of the EU directives).11 Other regulations may apply to the marketing of loans.
In addition, the EU Regulation PRIIPS12 applies to various structured products targeted at retail investors and it aims to increase the transparency and comparability of such products through the issue of a standardised short form disclosure document.
iii Solicitation rules
Solicitation activities13 are defined as any unsolicited contact (i.e., contact that has not been previously requested by the customers), by any means, with identified individuals or legal entities, where this contact is initiated and conducted with a view to obtaining customers' consent to, in particular, the conclusion of a transaction on financial instruments, the conclusion of a banking transaction or an investment service or a related transaction or service. The scope of transactions and services caught by the solicitation rules is broad.
Solicitation activities will be considered as being carried out in France if they target French investors. The terms 'contact by any means' should be broadly interpreted, for example, including contact by email, telephone, internet and solicitation can be constituted even if this behaviour has not been repeated on a regular basis.
iv Cross-border issues
Regulated activities can be passported from another jurisdiction into France provided that the activities are carried out by a company licensed in an EU (or an EEA) jurisdiction to provide such services, and comply with the formal passporting requirements (e.g., the company has to provide the home regulator with relevant information and unless the home or host regulator raises any objection, the company can be passported into France and start its activities).
Services passported in France can be provided either on the basis of the freedom of establishment (which means that the company needs to set up a branch in France) or of the freedom to provide services (i.e., no establishment in France).
The benefit of the EU passport is only available to those services that are subject to an EU directive or regulation.
If the company benefits from a 'local' licence in another EU jurisdiction, it cannot rely on any passporting regime and must be also licensed in France if it wants to provide services in France.
There could be exemptions for reverse enquiry situations (i.e., where contact has been instigated by a client to obtain information about a product or service).14
iii DIGITAL IDENTITY AND ONBOARDING
On 5 January 2018, the Minister of Interior Affairs announced the launch of a unified digital identity process for all French citizens, foreign individuals legally resident in France and French companies, which would be effective in September 2019. This process would be integrated within the already existing digital platform of the French state and 'France Connect', a platform set up in June 2016 that offers a global system of identity management for online government services. The unified digital identity process would be designed so that it could be used for public services as well as for private entities.
Fully digitised onboarding of clients is possible provided that the relevant company performs the know-your-customer requirements to which it may be subject, and has set up a process for electronic identification (in particular accordance with the eIDAS Regulation).15 In addition, a recent ordinance16 has clarified the rules relating to the digital transmission of pre-contractual and contractual information in the financial sector, which should also foster fully digitised onboarding of clients.
IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES
As a preliminary remark, a fintech project may fall within the scope of the AIFM Directive if the relevant entity raises capital from a number of investors, with a view to investing it in accordance with a defined investment policy for the benefit of those investors, and is not a UCITS.17 The requirements are quite burdensome and fintech projects do not generally aim to fall into the definition of 'alternative investment funds'. The French legal framework relating to, in particular, the banking monopoly and the scope of the public offer of securities, has recently been modified to allow crowdfunding activities.
In France, to foster the development of crowdfunding in a secure environment for contributors (lenders, investors or donors), the public authorities have amended the regulations and created two new 'light' regulatory statuses for crowdfunding platforms: crowdfunding adviser and crowdfunding intermediary.
ii Crowdfunding adviser
A platform for crowdfunding via the subscription of financial securities issued by an unlisted company must be registered in the ORIAS register (i.e., a register for financial intermediaries, including insurance intermediaries, intermediaries in banking transactions, etc.) as a crowdfunding adviser (CIP). Their activities consist of providing investment advice, as their regular activity, on plain vanilla capital and debt securities (ordinary shares, fixed rate bonds and convertible bonds). The activities must be conducted by means of a progressive-access website, fulfilling the characteristics laid down by the AMF. In order to benefit from the exemption to the publication of a prospectus, the amount issued shall not exceed €2.5 million.18
Such a platform may also opt for the status of investment services provider (ISP) providing investment advice services, in which case it must be licensed by the ACPR. Such platforms are regulated by the AMF alone in the case of CIPs and by the AMF and the ACPR jointly for ISPs.
iii Crowdfunding intermediary
If the website proposes to fund projects under the form of a loan with or without interest, the platform must be registered in the ORIAS register as a crowdfunding intermediary (IFP). We will focus in the rest of this paragraph on the intermediation of loans stipulated with or without interest, and granted to professionals (i.e., individuals acting in a professional capacity or commercial companies) by individuals not acting for professional purposes.19 With a view to protecting lenders, the amount lent shall not exceed €2,000 per lender and per project where the loan is granted with interest and €5,000 where no interest is stipulated. The total amount borrowed shall not exceed €1 million.
IFPs are regulated by the ACPR.
According to publicly available statistics, France has around 100 crowdfunding platforms and is now the second largest crowdfunding market in Europe. Market consolidation is expected as a result of strong competition between the platforms.
iv Payment services
Since the implementation into French law in 2018 of EU Directive 2015/2366 on payment services in the internal market (PSD 2), two new payments services are now available: payment initiation and account information services.
V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS
Blockchain technology is not regulated as such. However, the following two elements should be noted.
There has been a recent change to French securities law so that securities that are not traded via a central securities depository and a securities settlement system can be represented and transmitted using distributed ledger technology (DLT).
There are also two new frameworks: one for ICOs and another for providers of crypto services.
i Use of DLT for securities that are not traded via a central securities depository and a securities settlement system
A recent law20 granted the government powers to reform securities law so that securities that are not traded via a central depository and a security settlement system can be represented and transmitted using a DLT. An ordinance was published in November 201721 following a public consultation. A decree was published in December 201922 in order to specify the technical conditions applicable to this new regime.
In summary, an issuer of debt securities, commercial paper, units or shares of a fund or unlisted securities could decide to register such securities in a DLT, instead of a traditional securities account (which would facilitate the transmission of such securities).
The DLT would have to meet certain conditions, such as:
- the owner of the securities must be able to access his or her statement of transactions;
- a business continuity plan must be in place; and
- the DLT must preserve the integrity of the transactions that are recorded.
The decree has also clarified the provisions relating to the pledging of securities registered in a DLT.
This reform was preceded by a more limited one in 2016 (in terms of scope), as in April 2016 an ordinance authorised the issuance and transfer of certain types of promissory notes called 'minibons' in a DLT.23 Minibons can be issued through the website of a crowdfunding adviser or an ISP (see Section IV.ii).
ii New framework for ICOs
Following a consultation launched by the AMF on ICOs and numerous responses received from stakeholders, the new law 'Loi Pacte'24 aims at creating an optional regime for ICOs.
Under the new optional regime, ICO originators could decide, on an optional basis, to request a marketing authorisation from the AMF, which would then issue its approval.
Tokens issued through an ICO would be defined as:
any intangible property representing, in digital form, one or more rights, which may be issued, registered, held or transferred through an electronic distributed ledger that identifies, directly or indirectly, the owner of such property.
Issuers who decide to obtain an approval from the AMF would have to submit to the AMF an information memorandum describing the ICO and any related marketing document.
The AMF would, in particular, ensure that the issuer is located in France and that adequate measures are in place to secure the rights of tokenholders.
If the tokens can be characterised as financial securities because of their characteristics, the legal framework for prospectuses should apply to the extent that the tokens are offered to the public.
iii New framework for providers of crypto services
The new law Loi Pacte25 also aims at creating a special legal regime for financial intermediaries that provide token-related services.
For the purposes of these provisions of the Loi Pacte, tokens are defined as:
any intangible property representing, in digital form, one or more rights, which may be issued, registered, held or transferred through an electronic distributed ledger that identifies, directly or indirectly, the owner of such property; or
any digital representation of a value which is not issued or guaranteed by a central bank or a public authority, which is not necessarily pegged to a currency which has legal tender and which does not have the legal status of a currency, but which is accepted by physical persons or non-natural persons as an means of exchange and which may be transferred, stored or exchanged electronically.
Such definition includes tokens stricto sensu, which may be issued as part of an ICO but excludes securities tokens or more generally any token that has the characteristics of a financial instrument. It encompasses any cryptocurrency or any cryptoassets used as a means of exchange.
The new legal regime for token service providers would apply to any intermediary that provides the following services:
- the custody service of private cryptographic keys on behalf of third parties, in order to own, store or transfer tokens;
- the service of purchasing or selling tokens against fiat currency;
- the service of exchanging tokens against other tokens;
- the operation of a tokens trading venue; and
- the following services:
- reception and transmission of orders on behalf of third parties;
- portfolio management on behalf of third parties;
- investment advice;
- underwriting of tokens;
- placing of tokens with a firm commitment basis; and
- placing of tokens without a firm commitment basis.
A licence would be mandatory to provide services (a) and (b), namely, custody of private cryptographic keys and purchase, sale of tokens against fiat currency (licence granted by the AMF, in cooperation with the ACPR).
A licence would be optional to provide services (c) to (e) (licence granted by the AMF).
iv AML rules
VI OTHER NEW BUSINESS MODELS
A new regime applies as of 1 January 2018 to operators of online platforms28 (such as, for instance, marketplaces or websites comparing products). Operators of online platforms must provide customers with clear, accurate and transparent information and are therefore subject to various disclosure obligations. In this respect, they must specify the listing and delisting conditions of the contents, the criteria for the classification of the contents, as well as whether there is an equity-based relationship or a remuneration of their profit that might influence the classification or the listing of any of the contents.
VII INTELLECTUAL PROPERTY AND DATA PROTECTION
i Intellectual property
In France, business models cannot be protected by intellectual property rights (copyright or patent),29 which means that fintech companies cannot protect their business models.
France has implemented the European Directive of 14 May 1991 on the legal protection of computer programs. Therefore, software can be protected by copyright, not by a patent. Software is automatically protected by copyright, provided that it meets the originality requirements. If the patentability of software is excluded as a matter of principle, such protection may be granted where the software constitutes 'a step in an industrial process and/or in the operation of a system'.30
Software created by one or more employees in the performance of their duties or following the instructions given by their employer belongs to the employer to which all the rights of authors are vested (unless the employment contract provides otherwise).
ii Data protection
The EU General Data Protection Regulation 2016/679 (GDPR) applies in particular to the processing of personal data if the fintech company is based in France or outside the EU and offer goods or services, or monitor the behaviour of data subjects in France.
As part of this new regulation, the fintech companies subject to the GDPR (either as 'data controllers' or as 'data processors') have to comply with a large number of obligations, which relate for example, but are not limited, to:
- the principles applying to the processing of personal data, for example, lawfulness, fairness, transparency, purpose limitation, data minimisation and 'privacy by design', accuracy, storage limitation, security, confidentiality, etc.;
- the ability of the controller to demonstrate compliance with such principles (accountability);
- the obligation to identify a legal basis before the processing (special requirements apply to certain specific categories of data such as sensitive data); and
- data subjects' rights (e.g., transparency, the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object to a processing).
The application of the GDPR has compelled many fintech companies to launch comprehensive GDPR compliance programmes, including data mapping efforts, gap analysis and implementation programmes (e.g., by way of amendment of current internal processes, contracts, software's technical characteristics).
GDPR also provides for rules relating to profiling activities.31 Profiling involves three elements:
- it has to be an automated form of processing;
- it has to be carried out on personal data; and
- the objective of profiling must be to evaluate aspects about an individual.
Under GDPR, fully automated individual decision-making,32 including profiling, that has a legal or similarly significant effect is prohibited unless limited exceptions apply. Automated processing is deemed to significantly affect an individual in the following scenarios: online advertising solely based on automatic processing means where the individual being targeted is vulnerable (e.g., children, minority group) or differential pricing where higher prices effectively bar individuals from certain goods or services.
Fintech companies must ensure, as part of their GDPR compliance programmes, that suitable measures are in place to safeguard the rights and interests of individuals.
VIII YEAR IN REVIEW
The Fintech Innovation Hub, launched by the ACPR, has addressed one of the most significant barriers to entry for fintech companies, which lies in the spread of and knowledge about financial regulation 'which may sometimes be very complex, especially for entrepreneurs that did not work in the financial sector before'.33 Since the launch of the Hub in June 2016, more than 200 financial players have been offered a meeting or a call with the Hub.34 Since the ACPR Hub welcomes fintech at the early stages, it is able to identify promptly evolving market practices and new business models.
Since the beginning of the UNICORN programme launched by the AMF for ICOs (involving the support and analysis of ICOs), the AMF has met more than 25 undertakings.35 The AMF's discussions have shown that tokens issued as part of the examined ICOs vary considerably from project to project. Most of the tokens were utility tokens, giving the holder the right to use the technology or services distributed by the ICO promoter.36
With regard to payment services providers, the introduction of two newly regulated services (payment initiation and account information) by PSD 2 requires access for new actors (third-party providers) to the accounts held by other PSPs (such as traditional credit institutions). This means that existing credit institutions would have to open access to their clients' data. This should foster open banking. In France, these new actors (which were unregulated before PSD 2) are quite active and can provide other services to their customers such as investment advice, accounting, etc.).
IX OUTLOOK AND CONCLUSIONS
In terms of regulatory developments for the following year, there is particular focus on the implementation of both PSD 2 and GDPR, which will give more rights to consumers. All participants (both existing financial institutions and new fintech companies) will have to comply with the new data protection rules.
It remains to be seen whether the reform of the securities law will really be a game changer for non-listed securities (in particular for the distribution of units or shares of funds through a DLT).
There are two new frameworks: one for ICOs, another for providers of crypto-services, as France is keen to attract and develop such activities and better regulate them.
In terms of market activity, many fintech companies may decide not to compete directly with existing players but to cooperate with them. The financial sector is quite mature in France and the market shares of fintech companies is rather limited for the moment. The cooperation may take the form of partnerships or equity stakes. In any case, all existing actors in the banking, asset management or insurance sectors acknowledge the impact of digitalisation on their activities and the need to innovate.
1 Eric Roturier is a senior associate at Allen & Overy LLP. The author would like to thank Faustine Piechaud (an associate in the data protection department at Allen & Overy LLP in Paris) and Paul Vandecrux (an associate in the public law department at Allen & Overy LLP in Paris) for their assistance in the production of Section VII of this chapter and Hassan Benseghir (an intern in the international capital markets department at Allen & Overy LLP in Paris) for his assistance in this year's update.
4 Pôle FinTech-Innovation at the ACPR and Division Fintech, innovation et compétitivité at the AMF.
5 Direction générale du Trésor.
6 The Commission nationale informatiques et libertés.
7 The Agence nationale de la sécurité des systèmes d'information.
8 'Conseiller en investissements financiers'.
9 'Intermédiaire en opérations de banque et en services de paiement'.
10 'Conseiller en investissements participatifs' or 'Intermédiaire en financement participatif'.
11 Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) and Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers (AIFM).
12 Regulation (EU) 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products.
13 Article L. 341-1 of the Monetary and Financial Code.
14 In particular since the entry into force of MiFID II under French laws.
15 Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
16 Ordinance No. 2017-1433 of 4 October 2017 relating to the dematerialisation of contractual relationships in the financial sector.
17 Article L. 214-24-I of the Monetary and Financial Code.
18 Article D. 411-2 of the Monetary and Financial Code.
19 Article L. 548-1 et seq. of the Monetary and Financial Code.
20 Article 120 of the Transparency, Anti-Corruption and Economic Modernisation Act 2016-1691 of 9 December 2016.
21 Ordinance No. 2017-1674 of 8 December 2017.
22 Decree No. 2018-1226 of 24 December 2018 on the use of an electronic recording device shared for the representation and transmission of securities and the issuance and sale of minibons.
23 Ordinance No. 2016-520 of 28 April 2016.
24 Action Plan for Business Growth and Transformation (PACTE), Article 26: adopted by the National Assembly on 11 April 2019.
25 Action Plan for Business Growth and Transformation (PACTE), Article 26 bis (the law must nevertheless be enacted in order to enter into force).
26 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
27 Article L. 561-2-7° bis of the Monetary and Financial Code provides that 'any person who, as a regular occupation, acts as counterparty or as an intermediary for the purchase or the sale of any digital instrument representing non-monetary units of value, which can be stored or transferred in order to purchase goods or services (but which does not represent a claim against any issuer)' shall be subject to the AML rules.
28 Article 111-7 et seq. of the Consumer Code.
29 In accordance with Article L. 611-10 of the Intellectual Property Code.
30 CA Paris, 4° ch., 15 June 1981, PIBD 1981, III, 175; Ann. 1982, 24, note Mathély.
31 Article 4(4) of GDPR defines 'profiling' as 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements'.
32 Articles 21 and 22 of GDPR.
33 Joint answer from Banque de France and ACPR to the European Commission's Public consultation on Fintech: a more competitive and innovative European financial sector: https://acpr.banque-france.fr/sites/default/files/medias/documents/20170615_reponse_consultation_europe_0.pdf.
34 According to Didier Warzée, member of the ACPR's Fintech Innovation Hub.
35 Universal Node to ICO's Research & Network.
36 See synthesis of the responses to the AMF ICO consultation: https://www.amf-france.org/en_US/Publications/Consultations-publiques/Archives?docId=workspace%3A%2F%2FSpacesStore%2Fa9e0ae85-f015-4beb-92d2-ece78819d4da.