Regulators
- Financial regulator: The Autorité des Marchés Financiers (AMF), The Financial Markets Authority.
AMF regulates the French financial marketplace, its participants and the investment products distributed via the markets.
- Data protection authority: The Commission nationale de l’informatique et des libertés (CNIL), The National Commission for Information Technology and Liberties.
CNIL is an independent administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.
Banking ecosystem
- Largest banks: BNP Paribas, Crédit Agricole, Société Générale, and Groupe BPCE.
- Central bank: Banque de France is an independent institution of the French Republic that has guarded the nation’s currency and financial system for over 200 years.
- Currency: Euro. France adopted the euro on January 1, 2002, replacing its old currency, the franc.
French economy
France is the world’s seventh-largest economy by nominal GDP, or Gross Domestic Product.
- GDP nominal 2023 – $3.052 trillion.
- Share of world GDP – 2.87%.
- GDP per capita – $45,934.
Expert snapshot
Eight questions in collaboration with Cathie-Rosalie Joly, Partner at Bird&Bird, and Nicolas Mordaunt Crook, Partner at Bird&Bird in France.
1. Who are the main regulators for financial services in France and how would you describe their appetite for regulating the markets?
From an industry-specific perspective, the supervision of authorised entities in the banking, financial and insurance sectors is essentially distributed between two administrative authorities, namely:
- the Autorité de Contrôle Prudentiel et de Résolution (ACPR), which is in particular responsible for the licensing/authorization and supervision of companies operating in the banking and insurance sectors as these are broadly understood – for example, banking institutions, payment and electronic money institutions and investment services providers (which include both credit institutions that hold MiFID permissions and investment firms per se); and
- the Autorité des Marchés Financiers (AMF), which is primarily responsible for the licensing/authorization and supervision of asset managers, token issuers, and crypto-asset service providers, in addition to overseeing financial markets, listed companies and associated transactions (public offerings).
It should be mentioned that, in certain instances, authority is shared between these two regulators. For instance, although permissions for investment services providers (other than asset management companies) are formally granted by the ACPR, they are subject to prior approval of the regulatory business plan by the AMF.
Alongside the supervision of licensed entities, the French regulatory framework also addresses the marketing and promotion of financial products and services by financial intermediaries. These accordingly need to be registered with the French ORIAS and align with specific conduct of business rules and compliance standards. Here again, general oversight is distributed between the ACPR (for banking, payment and insurance products) and the AMF (for investment products).
In practice however, supervision is primarily exercised by ACPR or AMF-approved trade associations, membership of which is (in most cases) a prerequisite for registration. These associations are responsible for verifying compliance with regulatory standards (for example, in terms of competence, good repute, organizational structure, civil liability insurance, and so on) and may cancel an intermediary’s membership if serious shortcomings are identified, with the regulators retaining their authority to hand down (other) sanctions.
Finally, in addition to the ACPR and AMF’s industry-specific focus, other supervisory authorities should also be taken into account, when it comes to assessing the regulatory accountability of financial services providers and intermediaries. Particular mention should be made of:
- the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (DGCCRF), in the area of consumer protection and compliance with competition rules; and
- the Commission Nationale de l’Informatique et des Libertés (CNIL), which is the French data protection authority.
Overall, to the extent that France is a member of the European Union and EU regulations are directly applicable, French banking, financial and insurance provisions are at least equivalent to those applicable under EU law, and in some areas more stringent (for example, for AML/CFT). The regulatory framework is both robust and prescriptive and the regulator’s appetite for ensuring its thorough implementation (including through regulatory investigations and proceedings) is strong.
2. What are the main sources of regulatory laws in your jurisdiction?
In addition to European regulations, which are directly applicable in France (with these provisions often being supplemented or specified by various decrees and orders), primary sources of regulation include, but are not limited to:
- for the banking and financial industry – the Monetary and Financial Code;
- in the investment services, capital markets and asset management space – the AMF’s General Rulebook (Règlement Général de l’AMF); and
- in the insurance sector – the Insurance Code, the Mutual Insurance Code (or, where applicable, the Social Security Code);
all of which transpose European directives with some local variations or additions.
Furthermore, it should be stressed that guidance issued either by EU regulators (EBA, ESMA and EIOPA) or French regulators (ACPR and AMF) serves as a significant source of information, influencing policy and decision-making across the various areas of the financial industry.
3. How can firms outside France do financial services business in your country?
Banking, financial and insurance institutions headquartered in other EU Member States may carry on business in France either:
- under the freedom of establishment regime (that is, by establishing a permanent presence in the host Member State in the form of a branch, agents or, where applicable, distributors); or
- on a cross-border basis under the freedom to provide services regime;
subject, of course, to those activities, which are taken up in France, falling within the ambit of permissions granted by the competent authorization in the home Member State.
Firms that are not registered in the EU (“third countries”) will as a general rule need to seek authorization as a “third-country branch” in France in order to take up banking, financial or insurance business. In practice, third-country branches are treated much in the same way as institutions headquartered in France in terms of regulatory authorization and supervision, although there are variations and certain limited exemptions (for example, from a prudential standpoint).
Finally, reverse solicitation is recognized as a concept, albeit subject to strict conditions, which means that banking, financial and insurance undertakings may in some circumstances sell products and services to customers located in France without relying on prior authorisation or an EU passport, provided no client solicitation has taken place (that is, it can be documented that the customer initiated steps leading up to the sale of a financial product or service).
4. What types of activities require a license in your jurisdiction?
The type of authorization required and the competent authority(ies) involved primarily depend on the nature of proposed financial business. As a rule however, the exercise of banking, financial or insurance activities will require a licence, authorization or registration. In broad terms:
- credit and deposit-taking activities (including loan business on a stand-alone basis), payment services, the issuance and management of E-money / E-money tokens (and related activities), investment services (other than asset management activities – cf. (ii)), loan management as well as life and no
- portfolio management activities, cryptoasset services and fundraising activities require prior licensing by the AMF;
- acting as a payment services agent or as an e-money distributor on behalf of a payment service provider requires being mandated by the payment service provider under whose responsibility the agent or distributor will act. The payment service provider must then proceed with the registration or notification of the agent or distributor with the ACPR, before the start of their activities;
- foreign exchange business (other than as a credit institution, finance company, payment institution or electronic money institution) requires prior authorization by the ACPR;
- intermediation activities in the banking and financial sectors (for example, banking and payment services intermediaries, financial investment advisers, tied agents, etc.) or the insurance sector (insurance brokers, insurance agents, etc.) require a mandate from an authorized institution and for the intermediary to proceed with their own prior registration with the Registre officiel des intermédiaires en Assurance, Banque et Finance (ORIAS).
5. What are your top three enforcement actions and briefly explain why the firms were censured.
- In its decision of December 13, 2024, the AMF Enforcement Committee fined a US investment fund and its director a total of €10m ($10.3m) for price manipulation during an initial public offering on the Nasdaq and breaches of its reporting obligations.
- In its decision of November 4, 2024, the AMF Enforcement Committee fined a financial investment advisor, two asset management companies and their directors, and a credit institution, a total of €5,670,000 ($5,814,445) for breaches of their professional obligations in connection with the marketing and management of investment funds.
- In its decision of October 9, 2024, the ACPR Sanctions Committee fined a Tunisian foreign bank a total of €1.7m ($1.7m) due to serious deficiencies in permanent control, insufficient resources allocated to the audit function to carry out its investigations, failure to follow up on recommendations from permanent and periodic control, and insufficient control of critical service providers.
- In its decision of June 27, 2024, the ACPR Sanctions Committee fined a French bank a total of €2.5m ($2.6m) for deficiencies in transaction monitoring systems, failure to conduct enhanced due diligence, and failure to report suspicious transactions.
6. What is the regulatory attitude to crypto?
Since the adoption of the PACTE Law in 2019, the AMF has registered over 100 Digital Asset Service Providers (PSAN) and granted four approvals. This law introduced a comprehensive legal framework for digital assets in France, ensuring that providers offering custody or trading services for legal tender must register with the AMF, with the ACPR’s approval. The framework has laid the foundation for a secure and regulated crypto market in France.
The MiCA regulation, effective from December 30, 2024, builds on this foundation by creating a stringent and unified regulatory framework across the European Union. This regulation enhances investor protection and ensures a consistent approach to crypto-asset services throughout the EU. The AMF had anticipated MiCA’s implementation and began examining approval applications as Crypto Asset Service Provider (CASP) as early as July 2024, demonstrating its proactive stance in adapting to new regulations.
The AMF’s innovative regulatory approach has been recognized internationally. The International Association for Trusted Blockchain Applications (INATBA) awarded the AMF for its efforts in regulating digital assets and supporting the transformation of the financial sector. This award highlights the AMF’s commitment to fostering a secure and innovative ecosystem for digital assets and decentralized finance.
Under its “Impact2027” strategic plan, the AMF is dedicated to identifying key innovation challenges and promoting their development within a secure framework for investors. This plan involves maintaining an active dialogue with ecosystem stakeholders, ensuring that regulatory measures keep pace with technological advancements while protecting investors.
The ACPR and AMF also play a crucial role in consumer protection. They regularly issue warnings about the risks associated with investing in crypto-assets, emphasizing their high volatility and the lack of regulatory oversight. Additionally, they monitor communications from influencers on social media to ensure compliance with regulations, further safeguarding investors from potential risks.
7. Where does business stand on ESG?
In France, financial institutions are governed by a robust regulatory framework that includes several key regulations. The Monetary and Financial Code sets the foundational principles, while the Capital Requirements Regulation (CRR) and the Non-Financial Reporting Directive (NFRD) mandate the disclosure of sustainability risks and non-financial information.
The Corporate Sustainability Reporting Directive (CSRD) enhanced these requirements. Additionally, the Sustainable Finance Disclosure Regulation (SFDR) and the Taxonomy Regulation aim to improve transparency and classify sustainable economic activities.
Furthermore, the Pacte Law in 2019 introduced into French law the obligation to manage French companies in their best social interests, taking into account the social and environmental challenges of their activities. With the adoption and implementation of the CSRD into French law, which imposes a transparency requirement, French company directors must pay very close attention to sustainability issues, and to the way in which a company’s governance and departments are structured and operate to ensure this is done in accordance with ESG principles.
Note that CSRD has been fully transposed by Ordinance no. 2023-1142 of December 6, 2023, Decree no. 2023-1394 of December 30, 2023 and Decree no. 2024-152 of February 28, 2024. The implementing law and regulations came into force on January 1, 2025.
However, it is important to notice that, according to a recent statement of the executive vice-president of the European Commission, a European omnibus legislation, due to be presented by the European Commission on February 26, 2025, could go as far as abolishing CSRD reporting obligations, although it is more likely that such reporting obligations will be greatly simplified.
8. What is your government’s position on data privacy? What are the biggest concerns?
A major concern in data privacy for financial services is the risk of data breaches, which can cause significant financial and reputational damage. Proper handling of data transfers, especially across borders, is also crucial, requiring strict adherence to international data protection standards.
The French government prioritizes data privacy in financial services, guided by the General Data Protection Regulation (GDPR) through Law No. 2018-493 of June 20, 2018. This regulation ensures personal data is handled with care, emphasizing transparency, security, and individual rights.
The CNIL enforces these regulations by providing guidelines, conducting audits, and imposing sanctions for non-compliance. The CNIL also ensures that organizations adhere to the highest standards of data protection through its comprehensive oversight. Additionally, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) is involved in cybersecurity.
In the financial sector, beyond personal data protection, the security of financial institutions against cyber threats is a top priority. The ACPR and the AMF emphasize the importance of protecting consumers’ personal data and ensuring the security of financial systems.
They stress the need for transparency and compliance with regulations like the GDPR and the more recent Digital Operational Resilience Act (DORA), effective from January 17, 2025. DORA establishes a comprehensive framework for managing Information and Communication Technology (ICT) risks, including cybersecurity. It mandates financial institutions to implement robust risk management frameworks, report major ICT-related incidents, conduct resilience testing, and manage risks associated with third-party ICT service providers.
The CNIL and the ANSSI collaborate closely with the ACPR and the AMF to address cyber threats in the financial sector. This partnership involves regular information-sharing and coordinated responses to minimize disruptions caused by cyber incidents. Overall, the French authorities’ approach to data privacy and cyber risk is proactive and comprehensive, focusing on regulatory compliance and practical measures to safeguard the financial ecosystem.
Compliance
Money laundering
According to the global money laundering and terrorist financing watchdog FATF (the Financial Action Task Force), France faces a “substantial range of money laundering threats” such as tax fraud and drug trafficking, along with an elevated threat level of terrorism and terrorist financing since the 2015 terrorist attacks.
The FATF suggested that areas such as the supervision of professionals involved in the activities of legal persons, and the real estate sector required “improvement.”
But the FATF also indicated that the country has a robust and sophisticated framework to fight both money laundering and terrorist financing with strong law enforcement, confiscation rules, and a history of international cooperation in this area.
In January 2025, for example, the French authorities formally opened new investigations into Binance activities in France between 2019 and 2024, with allegations including money laundering, terrorist financing and tax fraud.
And Telegram CEO Pavel Durov was detained by French police in August 2024. Charges against him included alleged complicity in running an online platform that enabled illicit transactions, facilitated distribution of images of child sex abuse, enabled drug trafficking and fraud, and provided money laundering as well as cryptographic services to criminals. While freed after posting a bail of €5m ($5.43m), he has been prevented from leaving France while awaiting trial.
Data
Data protection – Sanctions up
The French Data Protection Authority CNIL issued 87 sanctions in 2024, more than double when compared to 2023, new data shows. The regulator also increased the number of compliance orders and reprimands, and issued a total of 331 corrective measures during the year.
While the number of sanctions rose sharply, the total amount levied was €55,212,400 ($56,933,758) – almost $35m less than 2023’s total of €89,179,500 ($91,959,850).
During 2024, CNIL also slightly increased the number of compliance orders issued, with 168 in 2023 rising to a record 180 last year. In addition 64 reprimands over not meeting legal obligations were issued with the CNIL calling this “an unprecedented number for this type of measure.”

Actions | 2023 | 2024 |
---|---|---|
Sanctions | 42 | 87 |
Sanctions total amount | €89,179,500 | €55,212,400 |
Formal notices | 168 | 180 |
European decisions examined by CNIL | 5 | 12 |
CNIL decisions in cooperation with its counterparts | 6 | 7 |
An interesting recent case by the CNIL was against Orange, the telecommunications provider, which was fined €50m ($52.5m) for injecting ads into users’ inboxes without their permission. The size of the fine reflected the number of users affected, but also signalled the willingness of the regulator to issue meaningful sanctions where companies breached key rules.
Technology
Cybersecurity
In November 2022, representatives from 36 countries and the EU met to continue their work to fight ransomware, and issued a joint statement after their second International Counter Ransomware Initiative (CRI) Summit, convened by the White House.

Since the first meeting in autumn 2021, the CRI members, including France, have been working on five core goals: to increase resilience, disrupt ransomware cartels, counter money laundering, build partnerships with private sector cyber firms, and strengthen international cooperation.
France is a CRI member.
Cyber attacks
In March 2024, the French government was hit by a “massive cyberattack” that targeted multiple government ministry websites. Anonymous Sudan, a pro-Russian hacktivist group, claimed responsibility for the attack and said in an announcement on Telegram that it had “conducted a massive cyber-attack on the infrastructure of the French Interministerial Directorate of Digital Affairs.”
The attack was made using the InfraShutdown DDoS (distributed denial of service) kit. A DDoS attack involves flooding a site with data to overwhelm it and knock it offline.
Multiple sites were said to have been shut down, including the Directorate General of Civil Aviation, Ministry of Health and Social Affairs, National Geographic Institute, Ministry of Economy, Finance and Industrial and Digital Sovereignty, and Ministry of Ecological Transition and Territorial Cohesion. “Their infrastructure includes more than 17,000 IPs and devices as well as over 300+ domains that have all been knocked down strongly,” the hacker group said.
The group also attacked France in March 2023, when medical facilities, universities and airports were targeted in the wake of the Charlie Hebdo cartoon furore. The group also leaked information from several airlines and payment providers, claiming it hacked the organizations and gathered sensitive data for sale.
Notable regulatory actions and fines
- January 2025: The Dispute Settlement and Sanctions Committee (CoRDiS) of the French energy regulatory authority (CRE) imposed a €4m ($4.2m) fine on Equinor ASA and an €8m ($8.4m) fine on its trading arm Danske Commodities A/S for manipulating annual capacity auctions at the virtual interconnection point between France and Spain (PIR Pirineos) in 2019 and 2020. These penalties come under the REMIT Regulation (EU) No 1227/2011, which prohibits market manipulation and seeks to protect the integrity and transparency of the EU’s wholesale energy markets.
- September 2024: Cegedim Santé, a company that publishes and sells management software for general practitioners working in surgery and health centers, was fined €800,000 ($886,809) by CNIL for processing health data without authorization. The data was found to be pseudonymous – not anonymous – which made it possible to re-identify the people concerned.
- August 2024: Uber was hit – again – with a €290m ($324m) fine for failing to safeguard the data of its drivers while transferring it to the US. The fine was brought by Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, in collaboration with CNIL and other European DPAs. By failing to safeguard the data during the transfers, Uber was found to have seriously violated EU GDPR, especially Article 44.
Uber Technologies, Inc and Uber B.V. (Uber) were earlier hit with a €10m ($10.9m) fine by AP over infringement of privacy regulations after a referral from CNIL. The fine arose from complaints from more than 170 French drivers. According to AP, Uber failed to disclose the full details of its retention periods for the European drivers’ data, or to name the non-European countries where the data was shared. It was also found that Uber had “obstructed the drivers’ efforts to exercise their right to privacy” by making it unnecessarily difficult to send requests to view or get copies of their personal data.
- April 2024: HUBSIDE.STORE, a technology and lifestyle store, was fined €525,000 ($570,639) by CNIL for using customer data in prospecting campaigns without proper consent. The company, which promotes its electronic products via phone and SMS, was found using customer information from data brokers for commercial prospecting activities – without ensuring that the individuals had given their valid consent for these purposes.
- December 2023: Amazon France Logistique was fined €32m ($35m) by CNIL for setting up an “excessively intrusive system” to monitor the activities and performance of several thousand of its employees. The authority ruled that it was “illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption”, and found that the company breached several GDPR Articles.