France's financial watchdog lays out stance on money laundering for cryptos

The French prudential control and resolution authority ACPR (Autorité de contrôle prudential et de resolution) has published (9 December 2022) in its official register its sectoral application principles (SAPs) for digital asset service providers (DASPs).

The principles specify obligations applicable to DASPs regarding anti-money laundering and combatting the financing of terrorism as well as asset freezing.

The SAPs highlight certain specificities of digital assets and services and specify DASPs obligations. They include identified risks and practices. However, the SAPs only complement the existing body of laws and regulations and various relevant publications, notably from the ACPR, France's finance intelligence agency Tracfin or the global intergovernmental watchdog the Financial Action Task Force (FATF). 

The SAPs highlight that the DASP can deviate from the reference publications if they are able to justify this with regard to their specific activities or clients and, therefore, imply that they have adapted to a specific situation.

This document emphasizes some of the elements developed in the SAPs,  triggering our attention, particularly in light of our experience in DASP assistance: 

The ACPR lists the risks specific to digital asset services, drawing together factors highlighted by Tracfin, the FATF and other specialist agencies. It is also up to the DASP to analyse the nature of the activities– and not only the services on digital assets – carried out; for example, with regard to a possible wealth management activity.

In addition to some of the risks inherent to digital assets that have been identified – depending on the services performed and their modalities (advanced encryption standards, privacy coins or assets from mixers or tumblers) – the nature of the service provider at the origin of the transfers is taken into account in the risk analysis. In particular, the fact that the assets come from or are sent to a provider not subject to equivalent regulation or supervision is taken into consideration with regard to the conditions of the transactions.

Risk classification

Risks specific to some activities involving digital assets are also detailed, including those that relate to the purchase of goods or services through digital assets, as well as the risk of concealing value transfers through the use of illiquid assets. 

Identification and verification of identity

With regard to remote entries into business relationships, for customers entering directly with digital assets, the practice of setting up a commission payment in legal tender from an account opened in the books of an establishment located in the European Union is mentioned (in accordance with the provisions of article R. 561-5-2, 3° of the French Monetary and Financial Code).

Customer knowledge

It emphasises that customer knowledge cannot rely only on transactional analysis tools (outils d’analyse transactionnelle (OAT), which are based on probabilistic methods, in particular, regarding the attribution of public addresses to users.

On-going monitoring

On the issue of transaction monitoring, that the SAPs recall that there is no obligation to implement automatic tools. However, these may be necessary given the nature or volume of activities. In any case, sufficient human and material resources must be deployed.

The ACPR emphasises that, depending on the digital assets offered, several OATs may be necessary (enabling to cover all assets). 

Furthermore, for services involving new digital assets, appropriate measures must be put in place (in particular, by restricting the possible operations or by setting up a blockchain scanner). The issue of anonymity-enhanced cryptocurrencies or privacy coins is also put forward as regards the need to adapt vigilance measures or limit the use of these types of assets. Monitoring cannot be based solely on a OAT and all the information collected in the framework of constant vigilance or enhanced due diligence must be taken into account. 

Suspicious activity report

With regard to suspicious activity reports, the elements specific to digital asset activities that must be specified were detailed (blockchain, transaction hash, public address of the client, see location) as was the relevance of attaching the OAT report.

Internal controls

On internal controls, the ACPR applies the principle of proportionality and specifies that small entities with a number of employees not sufficient to implement a permanent second-level control for limited activities with lower risks can only implement a periodic without second-level control. This situation remains exceptional and must be justified. The periodic control must be annual, at least. In addition, it notes the role of management in monitoring the institution's compliance with AML-CFT rules.

Asset freezing

Some clarifications are made about the assets freezing obligations and the nature of the services performed. The ACPR makes developments on the specific problem of attempts to violate or circumvent restrictive measures adopted in the framework of the sanctions regimes in force, including the sanctions regime related to the situation in Ukraine.