An Introduction to FinTech Legal in France

2020 was very intense for French FinTechs, which had and still have to face the financial and operational consequences of the world pandemic situation, as well as the implementation of new regulations the European and French regulators are adopting in order to provide a fair and balanced framework between innovation fostering and consumer protection.

Despite these potential difficulties, the FinTech market was very active during this whole year, especially for professional banking and banking-as-a-service players. A parallel evolution of payment habits may also constitute a true opportunity for FinTechs.

Economic situation of the market 

o Growing FinTechs

Some major fundraisings were announced in 2020 by French FinTechs, and in particular from:

• Qonto, a FinTech providing bank accounts to SMEs and freelancers, raised 104 million euros on Series C in January 2020, from six funds, including Tencent Holdings, which also invested in Lydia;

• Lydia, a FinTech that offers a mobile payment application, raised 40 million euros in January 2020 on Series B;

• Swile (formerly Lunchr), which issues digital meal vouchers, raised nearly 70 million euros in June 2020 on Series C.

This year was also marked by the EPO of Worldline on its competitor Ingenico, estimated at 7.8 billion euros, which led to the creation of the fourth biggest payments company in the world.

Evolution of payment methods 

French reluctance to give up on cash withdrawal and cash transactions is changing, accelerated by the COVID-19 pandemic which had unexpected consequences.

Indeed, the exceptional measures taken by the public authorities in response to the COVID-19 pandemic, in particular the lockdown of the population, had a direct impact on the payments market, for two distinct reasons:

On the one hand by the impact on the operational capacity of players in the payments market, who had to manage their activity under complex and unusual conditions, and who succeeded despite these conditions to adapt and give the appropriate answers to be able to grant full access and availability to the payment services. In addition, French supervisors maintain their normal activity both in terms of licensing and authorisation than in terms of controls.
On the other hand, because of the consequences of these measures for business activity and household consumption, reflected by an overall drop in payment flows during the lockdown period (decrease of one third of the payment flows between April 2019 and April 2020), and the evolution of payment methods, which constitutes good news for FinTechs.

The evolution of payment methods results in a reduction of proximity payments and an increase of e-commerce transactions, specifically during the lockdown, as well as with a strong increase of digital and contactless payments: 50% digital/contactless payments in 2018 against almost 70% in April 2020 (according to the last annual report of the Observatory for the security of the means of payment). Even in June after the end of the first lockdown, more than 60% of the payments were made digitally or contactless, which could reveal the development of new habits in the long run.

The raising of the contactless payment limit from 30 to 50 euros also explains this change. This modification was explained by health measures, but it is important to remind that this was compliant on both fraud and PSD2 perspectives:

• The fraud rate on contactless payments has been particularly stable for several years (at around 0.020%, or one euro of fraud for five thousand euros of payment), despite the strong growth in volumes. Consequently, there was no obvious warning against raising the limit.

• The PSD2 gives payment service providers the option to exempt from strong customer authentication (“SCA”) contactless proximity payments of less than 50 euros. Raising the contactless limit from 30 to 50 euros was therefore consistent with the limit set by European regulations.

This evolution also results in the diminution of cheque use and the increase of SEPA means, which leads to an overall diminution of fraud risks and fraud rates.

During this period, French institutions had to slow down the onboarding of cardholders to SCA compliant solutions because of the risk of affecting the ability to pay on the Internet, which was essential during lockdown, and to avoid the congestion of customer support. While some of the deployment actions have been delayed, market players have been invited by the Banque de France to actively resume migration actions in June 2020, with the target to be compliant on 31 December 2020.

• Mandatory registration for digital assets service providers

The PACTE law introduced in France in 2019 the qualification of digital assets service providers as well as the associated requirements. In particular, this new regulation states that those who provide the custody of digital assets on behalf of third parties or the exchange of digital assets for fiat currency have until 18 December 2020 to register with the French Financial Markets Authority (the “AMF”). In addition, in December 2020, the French government published a new act which states that those who provide the exchange of digital assets for other digital assets or the operation of a trading platform for digital assets have until 11 June 2021 to register.

Of the ten digital asset services listed by the French Monetary and Financial Code, the provision of only these four shall give rise to registration. Subject to the adoption of a new regulation by the French government, the six other digital asset services, listed below, can be operated in France without any obligation for registration, until the adoption and implementation of the proposal for a EU regulation on markets in crypto-assets (also known as “MiCA”):

• The reception and transmission of orders on digital assets on behalf of third parties,

• Portfolio management of digital assets on behalf of third parties,

• Provision of advice to subscribers of digital assets,

• Underwriting of digital assets,

• Guaranteed placing of digital assets,

• Non-guaranteed placing of digital assets.

AML updates 

Digital assets service providers and token issuers

The French service providers which provide the following services are now required to register to the AMF and to implement AML-KYC measures, whether they chose to apply for the optional authorisation to the AMF or not:

• The custody of digital assets on behalf of third parties,

• The exchange of digital assets for fiat currency that is legal tender,

• The exchange of digital assets for other digital assets,

• The operation of a trading platform for digital assets.

The providers of other digital assets services are required to implement AML-KYC measures only if they choose to apply for the optional authorisation to the AMF.

Besides, this obligation also applies now to the token issuers which were granted the optional authorisation of the AMF.

Face-to-face identity verification equivalent 

Until February 2020, under French regulation the means of electronic identification used for identity verification had to match a “high” assurance level, within the meaning of the eIDAS Regulation, to be considered as secure as face-to-face identification. The French transposition of AML 5 Directive has lowered this level of requirement and now requires an assurance level of “at least substantial".

However, this applies to means that are issued under a French electronic identification scheme notified to the European Commission. At the end of 2020 France did not notify of any such scheme yet.

In January 2020 though, the French competent authority (the ANSSI) declared that the "Identité Numérique" solution developed by La Poste complies with the substantial assurance level. If this means of electronic identification cannot replace face-to-face verification, it can be used as an additional measure when face-to-face is not possible.

KYC derogations 

Under certain conditions, EMIs are allowed not to implement AML-KYC measures. These conditions were drastically amended in 2020.

On the one hand, these conditions were amended in a more stringent way and will no longer apply:

• If the stored value of the EM instrument exceeds 150 euros (instead of 250),

• If the instrument allows cash withdrawal or reimbursement over 50 euros (instead of 100),

• For internet and remote payment transactions which exceeds 50 euros (new requirement). The French regulator granted French EMIs a transition period allowing them under certain conditions not to implement KYC measures for transactions not exceeding 150 euros. This derogation is due to expire on 31 December 2020.

On the other hand, the French regulator created a new exemption allowing for the loading of the e-money instrument in cash without implementing KYC measures, if the instrument is not reloadable and the stored value cannot exceed 50 euros.

Cybersecurity 

With the digital transformation of financial services, cyber risk must be considered by service and solution providers in order to ensure confidence and resilience, essential properties for this sector of activity.

In France, cybersecurity requirements are increasingly formulated in regulatory texts, and the AMF issued one of the first documents representative of this transformation: the instruction DOC-2019-24, which specifies the cybersecurity requirements that must be met by digital asset service providers as part of the optional authorisation request.

This instruction was drafted for digital assets service providers and therefore contain the specific requirements for these players. However, this instruction also contains general requirements which could, according to the AMF, be complied with by any FinTech player.

This instruction should be read together with the EBA Guidelines on ICT and security risk management, applicable from 30 June 2020 to payment services providers, credit institutions and investment firms.

Brexit 

In the absence of any deal between the EU and the UK and of the adhesion of the UK to the EEA, any institution or firm authorised in the UK in particular as credit institution, payment institution, electronic money institution of investment firm, and providing regulated services in France, will no longer be able to do so without incorporating and asking for an authorisation in France and/or another EEA Member State.

Competition Authority inquiry 

On 20 May 2020, the French Competition Authority launched a public consultation on the FinTech sector intended for all players and more particularly in payment services, in order to understand the competitive situation in the sector.

The consultation consisted of twelve questions grouped into three themes:

• Understanding the changes that have taken place in the sector,

• Market definition, market position and competitive advantages held by the different players,

• Business practices likely to be implemented by the different players.

If we have no feedback at this stage, this inquiry will not be neglected since sector inquiries are not customary and usually lead to enforcement actions and/or new regulations.