Crypto License in France
The French DASP Regime: Navigating the Crypto License in France
The Foundational Regulatory Architecture: DASP Registration vs. Licensing
The Crypto License in France is formalized through the Digital Asset Service Provider (DASP) status, established by the PACTE Law of 2019. This framework is crucial for any entity offering services related to digital assets within French territory. The French regime operates on a distinctive two-tier compliance system, overseen primarily by the Autorité des Marchés Financiers (AMF), the financial markets regulator, and the Autorité de Contrôle Prudentiel et de Résolution (ACPR), the prudential supervisor.
Mandatory DASP Registration
For specific, high-risk digital asset services, DASP registration is mandatory before commencing operations. This stage is focused entirely on preventing financial crime.
ACPR Vetting: The ACPR is the primary authority for assessing registration applications, specifically focusing on anti-money laundering and counter-terrorist financing (AML/CTF) compliance.
Mandatory Services: Registration is non-negotiable for two core services:
Digital Asset Custody (Custodial Services).
Buying/Selling Digital Assets for Legal Tender (Exchange Services).
AML/CTF Focus: Registration requires the implementation of robust AML/CTF systems, the appointment of a qualified Compliance Officer, and the establishment of stringent internal control procedures, verified by the FIU Tracfin. Registration is fundamentally an AML/CTF clearance and does not confer the right to market services widely.
Optional DASP Licensing
The DASP License is currently optional but is considered the “Gold Standard” of compliance. It grants significant commercial advantages and provides a crucial pre-positioning for future EU legislation.
AMF Vetting: The AMF is the primary authority for granting the license, focusing on organizational structure, financial health, consumer protection, and governance.
Extended Services: Licensing is available for services beyond custody and exchange, including:
Operating a Digital Asset Exchange Platform.
Reception and Transmission of Orders (RTO).
Portfolio Management and Advice.
Client Protection and Governance: Licensing imposes much stricter requirements on organizational resilience, conflicts of interest management, disclosure to clients, and the fitness and properness of managers.
The MiCA Transition
The French DASP regime is the EU’s most advanced pre-cursor to the Markets in Crypto-Assets (MiCA) Regulation.
MiCA Pre-Positioning: The DASP License essentially meets most requirements of the future MiCA framework. When MiCA comes into full force, the DASP License will be automatically converted into the EU-wide MiCA license (or “passport”), granting the VASP the right to operate across all EU member states.
Mandatory Licensing: MiCA will make licensing mandatory for all defined virtual asset services, phasing out the simple registration process for most activities.
The Regulatory Mandate: MiCA and the PSAN Transition
The French regime, established by the PACTE Act of 2019, provided an optional PSAN Authorization and a mandatory PSAN Registration. The market must align with MiCA, creating a dual system: a basic national registration and the comprehensive European CASP license.
The most significant regulatory hurdle is the transition of existing PSAN registrants into the CASP framework for continued European operation. This means that firms must upgrade their technology, governance, and capital to meet the higher European standard, even if they currently hold a valid PSAN Registration.
MiCA Implementation and the French Edge
The MiCA regulation, fully effective across the EEA by the end of 2026, standardizes licensing for crypto-asset services, including custody, exchange, advice, and portfolio management. France’s early compliance posture means its regulator, the AMF, is highly experienced in the digital asset space.
| MiCA Mandate | French Regulatory Body |
| Custody & Exchange Services | AMF (Autorité des marchés financiers) |
| AML/CFT Oversight & Supervision | ACPR (Autorité de contrôle prudentiel et de résolution) |
France’s dual regulatory oversight (AMF for markets, ACPR for AML) necessitates a highly coordinated VASP Registration application, requiring flawless communication between the applicant and both bodies.
PSAN Registration: The National Baseline
The current PSAN Registration remains mandatory for any firm providing custody services or facilitating the purchase/sale of crypto-assets with legal tender in France. This is the baseline license, focused primarily on anti-money laundering and counter-terrorist financing (AML/CFT) protocols.
The PSAN Registration process is rigorous but provides no MiCA Passporting rights. Firms holding only the PSAN Registration must operate exclusively within French borders. AMF Crypto License procedures at this level focus heavily on the integrity of the MLRO (Money Laundering Reporting Officer) and the source of funds checks on all Ultimate Beneficial Owners (UBOs).
Governance and Organizational Requirements
The French regulators demand institutional-grade governance from all DASP applicants, treating them akin to established financial services firms.
The Management Team and Fit & Proper Assessment
The integrity and competence of the management team are non-negotiable requirements for both registration and licensing.
Statutory Officers: Mandatory appointment of a local Compliance Officer (Responsable de la Conformité et du Contrôle Interne, RCCI) and a Risk Manager. These officers must possess demonstrable experience in financial services.
Fit and Proper Test: The AMF conducts exhaustive background checks on all Directors, Shareholders (10%+), and Executive Management, assessing their solvency, integrity, and technical competence. Any history of financial crime, bankruptcy, or regulatory sanction results in automatic disqualification.
Shareholder Structure: The AMF scrutinizes the entire shareholder structure to ensure no undue influence is exerted by entities lacking financial stability or known for illicit activities.
Financial and Prudential Requirements
The ACPR imposes minimum financial standards to ensure the DASP’s solvency and operational durability.
Minimum Capital Requirement (MCR): DASP applicants must demonstrate adequate MCR based on the services provided. The exact amount is determined by the specific services and is generally lower for basic custody/exchange (registration) than for RTO/portfolio management (licensing).
Professional Indemnity Insurance: The DASP must maintain comprehensive Professional Indemnity Insurance covering potential losses arising from professional errors, omissions, or system failures. This insurance serves as a key financial protection measure for clients.
Continuous Capital and Liquidity: The DASP must demonstrate the capacity to maintain continuous financial reserves, ensuring operational liquidity to cover fixed operating costs for a minimum period (typically 6-12 months).
Financial Crime Compliance: The Tracfin and AML/CTF Mandate
Tracfin (Traitement du Renseignement et Action Contre les Circuits Financiers Clandestins), the French Financial Intelligence Unit (FIU), mandates stringent AML/CTF standards that form the backbone of the DASP registration process.
Know Your Customer (KYC) and Enhanced Due Diligence (EDD)
The DASP’s AML Manual must strictly follow the requirements set by the French Monetary and Financial Code.
Risk-Based Approach (RBA): Mandatory implementation of a risk-based approach, classifying clients as standard, high, or very high-risk based on geographic origin, profession, and transaction volume.
EDD for High-Risk: Enhanced Due Diligence (EDD) is required for all clients classified as high-risk, including Politically Exposed Persons (PEPs) and individuals from high-risk jurisdictions identified by the FATF.
Beneficial Ownership: Verification of the Ultimate Beneficial Owner (UBO) is mandatory for all corporate clients, tracing ownership back to the natural persons who ultimately control the entity.
Suspicious Activity Reporting (SAR) and Tracfin Protocols
The VASP acts as the first line of defense against financial crime.
Transaction Monitoring: Implementation of automated transaction monitoring systems capable of detecting suspicious patterns, such as structuring, layering, or rapid velocity transfers indicative of illicit activity.
Tracfin Reporting: Mandatory and immediate filing of Suspicious Activity Reports (SARs) to Tracfin upon the detection of any suspected money laundering or terrorist financing. Compliance with Tracfin’s reporting format and timelines is critical and non-negotiable.
Record Retention: All KYC/CDD documentation and transaction records must be archived in a secure, non-erasable format for a minimum of five years following the termination of the business relationship.
Technology and Custody Requirements
For firms offering Digital Asset Custody, the requirements are prescriptive, aiming to eliminate single points of failure and ensure asset segregation.
Digital Asset Custody Protocols
Custodians must adhere to the highest standards of cryptographic security and operational integrity.
Asset Segregation: Client digital assets must be legally and technically segregated from the DASP’s own proprietary funds, ensuring client protection in the event of insolvency.
Cold Storage Mandate: A significant proportion of client assets must be secured in Cold Storage (offline, air-gapped systems) to mitigate cyber risk. The exact ratio is subject to the DASP’s internal risk policy but must be demonstrably secure.
Key Management System (KMS): Mandatory use of robust security practices, including the use of Hardware Security Modules (HSMs) for key generation, storage, and signing.
Multi-Signature and Access Control
Controls must prevent any single individual from accessing client assets.
Multi-Signature (Multi-Sig): Implementation of a multi-signature (multi-sig) policy for the movement of assets from cold storage, requiring consensus from multiple authorized personnel.
Business Continuity Plan (BCP): A mandatory, tested BCP and Disaster Recovery (DR) plan must be in place, defining clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical custody and trading systems.
Consumer Protection and Market Conduct
The DASP License requires stringent market conduct and investor protection protocols, ensuring fair treatment of clients.
Conflicts of Interest Management
Licensed DASPs must proactively identify and mitigate any conflicts between the firm’s interests and those of its clients.
Disclosure: Comprehensive disclosure of all potential conflicts to the client before the commencement of services.
Priority of Client Orders: Strict adherence to the principle that client orders must take priority over the DASP’s own proprietary trading activities (anti-front-running rules).
Suitability and Risk Disclosure
For services involving advice or portfolio management, the DASP must ensure client transactions are appropriate.
Risk Profile Assessment: Mandatory assessment of the client’s knowledge, experience, financial situation, and investment objectives before providing advice or managing a portfolio.
Risk Disclosure: Clients must receive clear, non-misleading information regarding the nature, risks, and fees associated with digital asset investments.
MiCA Readiness and Future French DASP Compliance
The Markets in Crypto-Assets (MiCA) Regulation will fundamentally reshape the French DASP regime, increasing the required standard of compliance and opening EU-wide markets.
The Transition Timeline and Increased Scrutiny
Harmonization: MiCA aims to harmonize rules across the EU, effectively making the current optional DASP License the mandatory standard across Europe.
Increased Capital: MiCA introduces higher Minimum Capital Requirements for certain asset services, likely requiring many currently registered DASPs to raise additional capital.
The MiCA Passport Advantage
EU Access: A French DASP that successfully transitions to the MiCA framework will gain the MiCA Passport, allowing it to offer services across all EU member states without needing local registration in each. This single passport is the greatest long-term commercial driver for seeking the French DASP License now.
Tax and Legal Specifics of Operating in France
The financial advantage of the Crypto License in France is complemented by its specific tax and corporate legal structure.
French Digital Asset Taxation
Corporate Tax: Corporate profits derived by the VASP are subject to France’s standard corporate tax rate.
Individual Capital Gains: France imposes a Flat Tax Rate (PFU) on capital gains from digital assets for individuals. This single rate (currently 30%, including social contributions) simplifies tax reporting.
VASP Withholding: The VASP is often required to assist the French tax authority by providing transaction data on its clients.
Consumer Law and Data Protection (GDPR)
GDPR: As an EU member state, France enforces the General Data Protection Regulation (GDPR), placing stringent requirements on the DASP regarding client data storage, processing, and the handling of client data rights (e.g., the right to erasure).
Consumer Code: DASP client contracts are subject to the French Consumer Code, providing strong consumer protections against unfair contract terms or deceptive marketing practices.
The Procedural Flow of DASP Licensing (AMF/ACPR)
The DASP licensing process is not linear; it is an iterative dialogue between the applicant and the AMF (for licensing) and the ACPR (for AML/CTF clearance). Expert preparation is required to manage the inevitable Deficiency Notices (DNs) efficiently.
Pre-Filing and Organizational Setup
The initial phase is entirely focused on demonstrating readiness and suitability before the formal application submission.
Pre-Consultation: Mandatory pre-consultation with the AMF to present the business model, confirm the required service categories, and receive initial feedback on the organizational structure. This step is critical for avoiding immediate rejection.
Entity Establishment: The VASP must be a legally established commercial entity in France.
Drafting Documentation: Preparation of the foundational regulatory documents: the DASP Operating Manual, the Risk Management Framework (RMF), and the comprehensive AML/CTF Manual. These manuals must clearly articulate the local application of the French Monetary and Financial Code.
ACPR’s AML/CTF and Financial Scrutiny
This phase is dedicated to the core compliance and financial vetting, primarily driven by the ACPR and the FIU Tracfin.
AML Manual Review: The ACPR scrutinizes the AML/CTF Manual, verifying the adequacy of the RBA and the implementation of Tracfin reporting protocols.
Financial Model Assessment: Verification of the Minimum Capital Requirement (MCR), the continuous liquidity management plan, and the adequacy of the Professional Indemnity Insurance coverage.
Background Checks: Formal submission of documentation for the Fit and Proper Test for all key personnel.
AMF’s Governance and Technology Audit
The AMF assesses the operational and market conduct components, particularly for the full license.
Internal Control Review: Detailed review of the Internal Control System (ICS), including the independence and resources allocated to the RCCI (Compliance Officer) and the Risk Manager.
Technology Audit: Submission of an Independent IT Audit Report certifying the security of the trading platform, the robustness of the KMS, and the implementation of the BCP/DR plan.
Consumer Protection Protocols: Scrutiny of client onboarding agreements, risk disclosures, and the methodology for managing Conflicts of Interest (COI).
Approval and Post-Licensing Obligations
Final Approval: The DASP License is granted following the successful clearance of all Deficiency Notices from both the AMF and the ACPR.
Ongoing Reporting: Post-licensing, the DASP is subject to continuous, periodic reporting obligations to both the AMF (market activity, governance) and the ACPR/Tracfin (AML/CTF metrics).
Specialized AML/CTF Tools: Tracfin's Requirements
Tracfin, as the key financial intelligence unit, demands advanced sophistication in how DASPs detect and report suspicious activity.
Advanced Transaction Monitoring and Filtering
The DASP must employ sophisticated tools beyond basic KYC.
Geo-Risk Monitoring: Automated filtering of transactions involving high-risk geographic areas and jurisdictions on the FATF Grey/Black Lists.
Wallet Screening: Continuous screening of digital asset wallets against global sanctions lists and known criminal addresses (e.g., darknet, malware).
Behavioral Analysis: Implementation of transaction monitoring systems that use behavioral models to flag transactions that deviate significantly from a client’s established transaction profile.
The Travel Rule Implementation
As an EU jurisdiction following FATF guidelines, France requires compliance with the Travel Rule for digital asset transfers.
Information Sharing: For transfers exceeding the defined threshold (€1,000), the VASP must collect and transmit mandatory originator and beneficiary information to the counterparty VASP.
Protocol Integration: The DASP must use a certified Travel Rule solution provider to ensure compliance with the technical protocols for secure and compliant data transmission.
Governance and the Internal Control System (ICS)
The Internal Control System (ICS) is the formal framework dictating how the DASP manages all its operational, compliance, and financial risks.
The Role of the RCCI
The RCCI is the linchpin of the ICS, holding significant statutory power.
Independence: The RCCI must operate independently of the commercial and trading functions, reporting directly to the Board of Directors.
Whistleblowing Protocol: The RCCI is typically responsible for managing the internal, confidential Whistleblowing Protocol, ensuring that internal breaches can be reported without fear of retaliation.
Training Mandate: The RCCI is responsible for ensuring mandatory, continuous AML/CTF training for all staff, particularly those in client-facing roles.
The Audit Committee and External Verification
Audit Committee: The DASP must establish an independent Audit Committee responsible for overseeing the financial reporting process and the effectiveness of the ICS.
External Audit: Mandatory annual External Financial Audit and IT Security Audit by a certified third party, with reports submitted directly to the AMF and ACPR.
Request more information
Risk Management Framework (RMF)
A detailed Risk Management Framework (RMF) is required for licensing, defining how the DASP identifies, measures, and mitigates all operational and financial risks.
Defining Risk Metrics and Limits
Risk Categories: The RMF must systematically address all relevant risk categories: Operational Risk (system failure, fraud), Market Risk (volatility), Liquidity Risk (inability to meet redemptions), and Compliance Risk (regulatory sanction).
Value-at-Risk (VaR): For trading activities, the RMF must define quantitative risk metrics, such as Value-at-Risk (VaR) thresholds, to limit proprietary trading exposure.
Contingency Funding Plan: A detailed plan outlining strategies for raising emergency funds in case of unexpected, severe liquidity stress.
Operational Resilience and BCP/DR Testing
RTO/RPO: The BCP/DR plan must define and regularly test the Recovery Time Objective (RTO) (how quickly the system must be restored) and the Recovery Point Objective (RPO) (the maximum acceptable data loss).
Penetration Testing: Mandatory, frequent Penetration Testing (Pen Test) of all critical systems by an independent IT auditor, with immediate remediation of all high-severity vulnerabilities.
Client Relationships and Contractual Framework
DASP operations are heavily regulated by French consumer and financial law, demanding transparent contractual relationships.
The DASP Client Agreement
Fairness and Transparency: Client agreements must adhere to the French Consumer Code, ensuring the terms are fair and transparent, avoiding overly complex or ambiguous language.
Complaints Procedure: Mandatory implementation of a clear, efficient, and documented Client Complaints Procedure, with a dedicated function for handling disputes.
Mediation: The DASP must inform clients of their right to use the AMF Ombudsman (Médiateur) for resolving unresolved disputes free of charge.
Advertising and Marketing Rules
Non-Misleading Communication: All advertising and marketing materials, particularly for the optional licensed services, must be clear, balanced, and not misleading regarding the potential risks and returns of digital assets. The AMF actively monitors DASP advertising materials to prevent false or overly optimistic claims.
The MiCA Passport: Strategic Implications
The convergence of the French DASP License with MiCA provides a clear strategic runway for pan-European expansion.
Regulatory Arbitrage Prevention
High Standard: France’s high regulatory standard ensures that French DASPs are well-prepared for MiCA, avoiding the need for extensive structural changes later.
First Mover Advantage: By securing the DASP license now, French entities will be among the first to gain the MiCA Passport, enabling rapid cross-border expansion upon the regulation’s effective date.
Requirements for the MiCA White Paper
MiCA will mandate the publication of a detailed Crypto-Asset White Paper for public offerings.
Disclosure: The White Paper must include comprehensive information on the issuer, the project, the risks, the technology, and the governance mechanisms.
Liability: The issuer and the DASP will be held liable for any misleading or inaccurate information contained within the White Paper.
Summary Checklists
| Requirement | Mandatory Standard (AMF/ACPR Focus) |
| Registration | Mandatory for Custody/Exchange (ACPR/Tracfin) |
| Licensing | Optional, but required for RTO/Advice (AMF) |
| Key Personnel | RCCI and Risk Manager Appointed & Fit/Proper |
| Capital | MCR Met + Professional Indemnity Insurance |
| AML/CTF | Tracfin Reporting & FATF Travel Rule Compliance |
| Custody | Asset Segregation & Multi-Sig KMS Enforced |
| Governance Area | Compliance Protocol |
| Risk Management | Documented RMF with VaR Limits |
| Operational Resilience | Tested BCP/DR with defined RTO/RPO |
| Conflicts | Mandatory COI Policy and Internal Controls |
| Data Privacy | Full GDPR Compliance and Data Subject Rights Protocol |
| Consumer Protection | AMF Ombudsman Access & Fair Contract Terms |
| MiCA Strategy | Clear plan for MiCA Passport transition |
Auditing and Operational Security Standards
The technical requirements imposed by the AMF for the DASP License go beyond generic best practices, mandating specific procedures for independent verification and continuous monitoring that reflect the stringent standards of the French financial market.
Mandatory Independent IT Audit
The VASP must engage an independent, certified IT auditor to perform a statutory review of the entire technical infrastructure.
Scope of the Audit: The audit must cover the full scope of the DASP’s operations, including the trading platform integrity, custody system security, Key Management System (KMS) protocols, and the effectiveness of the AML/CTF monitoring software.
Audit Opinion: The auditor must provide a formal opinion to the AMF and ACPR certifying that the technical architecture complies with all requirements of the French Monetary and Financial Code. This certification is a non-negotiable prerequisite for obtaining the DASP License.
Vulnerability Disclosure and Remediation: All identified vulnerabilities, particularly those rated as critical or high severity, must be disclosed to the AMF, and the DASP must provide a formal, documented plan for immediate remediation.
Cryptographic Key Management and Hardware Security
The security of the digital asset custody function is centrally assessed through the controls over private keys.
HSM Standards: The Hardware Security Modules (HSMs) used for key generation and signing must meet recognized international security standards (e.g., FIPS 140-2 Level 3 or higher).
Key Lifecycle Management: The DASP must have documented procedures covering the entire key lifecycle: generation, storage, usage, backup, disaster recovery, and eventual destruction.
Governance and Procedures: Access to the Key Management System (KMS) must be logged, monitored, and restricted to a small, pre-approved group of high-level personnel, governed by the multi-signature (multi-sig) policy.
Business Continuity Planning (BCP) and Geographic Redundancy
Operational resilience against unexpected events, including cyber-attacks or physical disasters, is mandatory.
Disaster Recovery (DR) Site: The DASP must maintain a geographically separate and fully functional Disaster Recovery (DR) site.
Periodic Testing: The BCP/DR plan must be tested at least annually under realistic simulation conditions, and the results, demonstrating that the defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are met, must be formally reported to the AMF.
Personnel Training: Critical personnel must be regularly trained in the execution of the BCP/DR plan to ensure rapid and effective response during a crisis.
Interoperability with the Conventional Banking Sector
A crucial operational hurdle for any VASP in France is establishing and maintaining reliable banking relationships within the Eurozone, which are subject to stringent ACPR oversight and AML/CTF pressures.
Fiat Gateway and Liquidity Management
The DASP must ensure seamless, compliant management of fiat currency flows.
Banking Relationship Due Diligence: The VASP must demonstrate to the ACPR that it has performed enhanced due diligence on its banking partners to ensure their internal AML/CTF controls are compatible and robust.
Fiat Segregation: Client fiat funds must be held in segregated bank accounts, distinct from the DASP’s operational accounts, maintaining the principle of asset segregation under French financial law.
Liquidity Risk: The Risk Management Framework (RMF) must specifically address liquidity risk arising from bank processing delays, particularly during periods of high client withdrawal demand.
Regulatory Pressure on Banks
The ACPR often exerts indirect pressure on commercial banks regarding their crypto-clientele, making the DASP’s compliance status essential for its banking stability.
De-risking Mitigation: The DASP must demonstrate an exceptionally high level of AML/CTF compliance to mitigate the risk of “de-risking,” where conventional banks terminate relationships with crypto firms due to perceived regulatory risk. The DASP License acts as a powerful signal of regulatory credibility to banking partners across the Eurozone.
Inter-Regulator Communication: The ACPR and the Banque de France maintain open communication with regulated banks regarding the status and compliance health of licensed DASPs.
The Legal Status of Digital Assets and MiCA Qualification
The French legal framework, anticipating MiCA, has established complex rules for the legal qualification of digital assets, affecting issuance, marketing, and the regulatory burden on the VASP.
Asset Qualification under French Law
Digital assets are categorized based on their functional characteristics, determining which part of the PACTE Law (and MiCA) applies.
Crypto-Currency (Utility Tokens): Assets intended primarily as a medium of exchange or store of value. These are primarily subject to AML/CTF rules.
Security Tokens (Financial Instruments): Assets that confer rights similar to traditional securities (e.g., voting rights, share of profits). These fall under the strict rules of the AMF and the European Markets in Financial Instruments Directive (MiFID II), requiring additional licenses.
Asset-Referenced Tokens (ART) and E-Money Tokens (EMT): These MiCA categories (e.g., stablecoins) are already anticipated in French regulatory thinking, requiring stringent reserve management, governance, and potentially a separate authorization from the ACPR.
The MiCA White Paper and Issuer Liability
For any public offer of crypto-assets (excluding specific MiCA exemptions), the issuer, often assisted by the DASP, must produce a compliant White Paper.
Mandatory Content: The MiCA White Paper must contain all necessary information for investors to make an informed decision, including detailed information about the issuer, the project, the underlying technology, the risks involved, and the environmental impact.
Civil Liability: The issuer, and potentially the DASP assisting the offer, face civil liability for losses incurred by investors due to misleading or inaccurate information contained within the White Paper.
AMF Notification: The MiCA White Paper must be formally notified to the AMF before the commencement of the public offering, although the AMF does not “approve” the content, only its completeness.
Sanctions, Penalties, and Regulatory Intervention
The French regulatory bodies possess aggressive and immediate powers of intervention and sanction against non-compliant DASPs, designed to maintain financial market integrity and public confidence.
AMF and ACPR Sanctioning Mechanisms
Sanctions are applied based on the nature and severity of the breach (market conduct vs. prudential/financial crime).
Administrative Fines: The AMF and ACPR can impose substantial administrative monetary fines, often reaching millions of Euros, particularly for breaches of MiCA-related governance or AML/CTF failures.
License/Registration Withdrawal: Severe, chronic, or systemic non-compliance can lead to the withdrawal of the DASP License or the cancellation of the DASP Registration, effectively barring the firm from operating in France.
Public Censure: The regulators often issue public censures against non-compliant firms, causing significant reputational damage.
Tracfin’s Immediate Intervention Powers
The FIU Tracfin has powers distinct from the financial regulators, focusing on the immediate prevention of illicit fund flows.
Asset Freezing: Upon suspicion of money laundering or terrorist financing, Tracfin can issue immediate, statutory orders to freeze digital asset accounts and associated fiat bank accounts without prior judicial review.
Information Sharing with Law Enforcement: Tracfin shares its intelligence directly with the judicial authorities, leading to potential criminal prosecution against the DASP’s directors and the RCCI.
Personal Liability of Directors and RCCI
The French legal system imposes a high degree of personal accountability on key management and compliance personnel.
RCCI Personal Sanction: The RCCI (Compliance Officer) can face personal administrative penalties from the ACPR for failing to establish or maintain effective AML/CTF procedures.
Director Liability: Directors and executive managers can be held personally liable for financial and criminal sanctions resulting from systemic failures in the DASP’s governance or internal controls.
Advanced Conflict of Interest Management
The AMF (Autorité des Marchés Financiers) places significant emphasis on neutralizing potential Conflicts of Interest (COI), ensuring that the DASP operates solely for the benefit of its clients and maintains market fairness. The DASP License mandates sophisticated, auditable protocols for identifying and managing these conflicts.
Personal Transactions of Key Personnel
Controlling the digital asset trading activities of employees is essential to prevent insider trading and market abuse, which falls directly under the purview of the RCCI (Compliance Officer).
Pre-Clearance Requirement: Mandatory pre-clearance procedures must be implemented for all personal digital asset transactions conducted by Responsible Officers (ROs), executive management, the RCCI, and other personnel with access to non-public information.
Blackout Periods: The DASP must define and enforce blackout periods during which key personnel are prohibited from trading specific assets (e.g., prior to listing announcements or significant corporate events).
Disclosure and Monitoring: Employees must maintain a formal register of their digital asset holdings and transactions, which must be regularly monitored and audited by the Compliance function to detect any misuse of confidential client or market information. Failure by key personnel to adhere to the personal trading rules can lead to immediate dismissal and severe regulatory sanctions against the DASP itself.
Handling Related Party and Proprietary Trading Conflicts
The DASP must prove that its own commercial interests do not unfairly impact client execution and pricing.
Affiliate Transactions: Any transaction involving an affiliate, a related entity, or the DASP’s own proprietary trading desk must be meticulously documented and executed at arm’s length and under the same or better conditions offered to external clients.
Information Barriers (Chinese Walls): The effectiveness of the physical and digital separation of the proprietary trading desk from the client-facing execution and advisory desks must be continuously tested and certified by the IT Auditor.
Reporting Protocol: The RCCI must submit a periodic report to the AMF detailing all significant Conflicts of Interest identified and the specific mitigation steps taken, ensuring the regulator is fully informed of internal risk management actions.
The Statutory Role of External Auditors
In France, the external statutory auditor, or Commissaire aux Comptes, holds a powerful legal mandate that places them in a position of direct responsibility to the regulators, the AMF and ACPR. Their role is critical for the continuous certification of the DASP’s financial and control integrity.
Extended Statutory Obligations
The auditor’s duties go far beyond standard financial reporting, encompassing the entire regulatory compliance structure.
Alert Procedure (Procédure d’Alerte): The Commissaire aux Comptes is legally obliged to trigger an alert procedure immediately upon discovering facts that could compromise the DASP’s continuity, such as a significant breach of the Minimum Capital Requirement (MCR) or catastrophic operational failure. This direct reporting mandate overrides client confidentiality and ensures the regulator is notified of severe risks instantly.
Internal Control System Review: The auditor must provide a statutory opinion on the adequacy and effectiveness of the DASP’s Internal Control System (ICS), including the robustness of the RCCI function and the Risk Management Framework (RMF).
Client Asset Certification: The auditor must specifically certify the VASP’s adherence to the asset segregation rules, verifying that client funds and digital assets are legally and technically separated from the DASP’s own capital.
Audit Reporting to Regulators
The final audit deliverables are submitted directly to the French regulators.
Regulatory Addendum: The audit report includes a mandatory addendum, specifically addressing compliance with the French Monetary and Financial Code and the directives of the AMF and ACPR, providing a focused regulatory view.
Sanctions Risk: The AMF and ACPR can impose disciplinary sanctions on the statutory auditor if they determine that the auditor failed to report known or discoverable compliance breaches.
MiCA Specialization: Regulation of Stablecoins
The transition to MiCA places a specialized regulatory burden on DASPs involved in the trading, custody, or advisory services related to stablecoins, now formally categorized as Asset-Referenced Tokens (ARTs) and E-Money Tokens (EMTs).
MiCA Classification and Authorization
The classification of the stablecoin determines the authorization path and the regulatory body responsible (AMF or ACPR).
-
E-Money Tokens (EMTs): Stablecoins referencing a single fiat currency (e.g., Euro or USD) are classified as EMTs. Issuance of these tokens falls under the strict regulation of the ACPR and the Banque de France, often requiring an Electronic Money Institution (EMI) license in addition to the DASP status.
-
Asset-Referenced Tokens (ARTs): Stablecoins referencing a basket of currencies, commodities, or other assets (excluding e-money) are classified as ARTs. Issuance requires authorization from the AMF, with stringent requirements regarding reserve assets and governance.
Reserve Asset Management and Custody
MiCA imposes rigorous prudential and custody requirements on the reserve assets backing the stablecoins.
-
Reserve Segregation: The reserve assets must be held in accounts legally and operationally separate from the issuer’s and the DASP’s own funds.
-
Reserve Investment: Reserve assets must be invested only in highly liquid, minimal-risk instruments (e.g., short-term government bonds), minimizing market and credit risk.
-
Custodian Requirements: The DASP providing custody for the reserve assets must comply with enhanced due diligence and segregation standards, ensuring the safety of the collateral. The DASP must be able to demonstrate, via continuous audit, that the reserve assets are fully collateralized and managed according to the MiCA standard.
DASP Obligations for Trading MiCA Tokens
The DASP trading platform must adapt its procedures for listing and suitability based on the MiCA token type.
-
White Paper Vetting: Before listing an ART or EMT, the DASP must verify that the issuer has published a compliant MiCA White Paper and that it has been correctly notified to the relevant EU regulator (e.g., AMF).
-
Suitability and Risk Warnings: The DASP must implement specific risk warnings for trading these tokens and ensure that its suitability assessments adequately account for the specific liquidity and stability risks associated with the token’s reserve mechanism.
FAQ
The PSAN Registration was the French national baseline, primarily focused on AML/CFT compliance and limited to operating within France. The CASP Authorization is the new, definitive, full European license established by MiCA Regulation. It demands higher capital, comprehensive organizational and technical resilience (DORA/NIS2), and critically, grants MiCA Passporting rights across the entire EEA.
If your firm relied on the Pre-MiCA PSAN Grandfathering mechanism, the grace period is now effectively over. You were required to have submitted a full CASP Authorization application to the AMF by the final deadline to legally continue operating. Firms operating solely on the old PSAN Registration are now highly restricted or subject to regulatory action, as the national regime has been superseded.
The process is coordinated between two main bodies, reflecting France's dual oversight:
The AMF (Autorité des marchés financiers) grants the final AMF Crypto License (the CASP Authorization) after assessing the business model, governance, and organizational requirements.
The ACPR (Autorité de contrôle prudentiel et de résolution) handles the mandatory AML/CFT component, specifically reviewing the Audit of French Crypto AML Protocols.
This is a mandatory independent audit required under the CASP framework (and the EU's DORA) to prove that the VASP’s distributed ledger technology (DLT) platform can withstand severe technical and security failures. The testing ensures:
Secure key revocation (MPC/multi-sig failure).
System integrity during blockchain forks or high congestion.
The Business Continuity Plan (BCP) is fully functional, minimizing client access downtime.
The system must utilize advanced RegTech (AI/ML) to score and flag transactions in real-time. Crucially, it must be capable of:
Identifying subtle patterns of structuring (breaking up large transfers into small ones).
Screening non-custodial wallet addresses against global sanctions lists.
Demonstrating a clear, auditable trail to the ACPR of why a transaction was flagged or cleared.
They require the VASP to adopt institutional-grade cyber defense. Key requirements include:
Mandatory use of zero-trust network architecture.
Annual third-party security audits (IT System Risk Assessment PSAN).
A formal Incident Response Team capable of reporting major breaches to the AMF/ACPR within tight, prescribed deadlines (often 4 hours).
It is a deep due diligence process on all Ultimate Beneficial Owners (UBOs) and Key Persons (Directors, MLROs). The AMF verifies:
Honourability: No history of financial crime or misconduct.
Competence: Relevant professional experience in finance, technology, or regulation.
Financial Soundness: The legitimate Source of Wealth (SoW) for all capital invested in the VASP.
The cost is substantial due to compliance requirements, not just fees. While AMF application fees range from €10k to €30k, the total projected cost (excluding the minimum capital requirement) is primarily driven by:
Legal & Advisory: €80,000 – €200,000 for application preparation.
Technical Audits: €25,000 – €50,000 for DLT and IT system validation.
PII: The mandatory Professional Indemnity Insurance for CASP, which can cost €30,000 – €80,000 annually based on Assets Under Management (AUM).
It acts as a primary form of consumer protection under MiCA. The insurance must cover client losses resulting from VASP operational errors, negligence, internal fraud, and failures in key management (e.g., loss of private keys), ensuring that clients are protected even if the VASP suffers a critical security lapse.
The CASP Authorization grants the right (the "passport") to offer the licensed services in any other EEA member state. The VASP must:
Formally notify the AMF of its intent to use the passport in specific countries.
Adhere to host countries' local Conduct of Business and marketing rules (e.g., language requirements, specific disclosures).
The AMF mandates strict compliance with client protection rules, requiring VASPs to:
Conduct suitability and appropriateness tests for complex services (e.g., leveraged trading).
Provide clear, non-misleading risk warnings.
Maintain organizational measures to prevent and manage conflicts of interest.
Ensure full legal segregation of client crypto-assets from the VASP's proprietary funds.