Crypto License in France
The PSAN Regime and the Strategic MiCA Gateway
The Republic of France has strategically positioned itself at the forefront of European FinTech innovation and digital asset regulation. Unlike many EU member states that awaited the finalization of the Markets in Crypto-Assets (MiCA) Regulation, France, under the impetus of the 2019 PACTE Law, proactively established the world-renowned Prestataire de Services sur Actifs Numériques (PSAN) regime.
This dual-level framework of mandatory registration and optional authorization has provided a structured and legally certain environment for Digital Asset Service Providers (DASPs), making Paris a premier destination for global VASP operators seeking compliance certainty and a robust regulatory footing.
For any company seeking to legally offer crypto services within the French market or use France as its gateway to the European Union via the imminent MiCA Passporting, understanding the nuances of the AMF PSAN registration and the strategic path to obtaining the full CASP authorization is non-negotiable. The French approach represents an early adoption model that minimizes regulatory uncertainty and maximizes operational readiness for the pan-European regime. This proactive stance ensures that French-licensed firms are not merely compliant with baseline EU requirements, but often exceed them, positioning them as leaders in the transition to the unified MiCA framework. This depth of regulatory engagement provides a significant competitive advantage in terms of reputational credibility and speed to market across the European Economic Area (EEA).
The Regulatory Cornerstone: The French DASP/PSAN Regime
The core of France’s early regulatory success lies in the framework established by the PACTE Law in 2019, which created the distinct status of the Digital Asset Service Provider (DASP), known colloquially as PSAN.
This framework is administered jointly by the Autorité des marchés financiers (AMF), the financial markets regulator responsible for organizational and conduct rules, and the Autorité de Contrôle Prudentiel et de Résolution (ACPR), the French prudential supervision authority responsible for AML/CFT and financial stability. This dual oversight ensures a comprehensive and rigorous compliance assessment, encompassing both market integrity and financial crime prevention.
Mandatory PSAN Registration (AML Focus)
Registration with the AMF is mandatory for any entity, established in France or providing services to customers residing or established in France, that performs at least one of the following four core services:
Digital Asset Custody: Safekeeping digital assets or cryptographic access keys on behalf of clients. This includes maintaining control over the private keys necessary to access and transfer digital assets, often utilizing secure technical solutions like Hardware Security Modules (HSMs) and multi-signature schemes.
Buying or Selling Digital Assets in Legal Tender (Fiat-to-Crypto Exchange): Operating an exchange facility where transactions are executed against the euro or other official fiat currencies. This service attracts particular scrutiny from the ACPR regarding the management of fiat flows and compliance with payment services regulations.
Trading of Digital Assets Against Other Digital Assets (Crypto-to-Crypto Exchange): Facilitating the exchange between two different crypto-assets (e.g., Bitcoin for Ethereum). This requires robust market surveillance and transparent pricing mechanisms.
Operation of a Trading Platform for Digital Assets (Digital Asset Trading Venue): Running a multilateral system which brings together or facilitates the bringing together of multiple third-party buying and selling interests in digital assets, requiring clear rules of operation and transparent execution protocols.
The primary focus of this mandatory PSAN registration is on the integrity of the firm’s ownership and its procedures for combating illicit finance. Requirements center heavily on:
Compliance with stringent AML/CFT (Anti-Money Laundering and Counter-Terrorism Financing) procedures, jointly verified by the AMF and the ACPR. This includes detailed procedures for Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and the ongoing monitoring of business relationships.
The good repute and competence of the management and Ultimate Beneficial Owners (UBOs). The French regulators conduct extensive background checks, including criminal record checks and verification of professional experience.
Establishing a professional liability insurance or a minimum level of own funds, with the amount being determined by the scale and nature of the services provided, ensuring basic consumer protection.
Optional PSAN Authorization (MiFID/MiCA Focus)
The PACTE Law also regulates four additional services for which the optional PSAN Authorization (or “License”) is required. Obtaining authorization for these services demonstrates a comprehensive approach, closely aligning the firm with future MiCA requirements for investment services and imposing stricter organizational burdens.
These four additional services include:
Digital Asset Portfolio Management: Managing client portfolios that include digital assets on a discretionary basis. This necessitates adherence to MiFID II-like conduct rules, including regular reporting to clients and establishing clear investment mandates.
Digital Asset Advisory: Providing personalized recommendations to clients regarding digital assets. This requires robust suitability and appropriateness assessments, ensuring the advice given aligns with the client’s risk tolerance and financial situation.
Underwriting of Digital Assets.
Placement of Digital Assets (IEO or Securities Offering): Placement with or without a firm commitment. These activities are particularly scrutinized for market abuse prevention and investor disclosure requirements.
Obtaining this full French authorization (the “Gold Standard”) requires meeting additional, stringent organizational and prudential requirements, demanding robust IT infrastructure, comprehensive internal control mechanisms, and a formalized business continuity plan that covers all risks inherent to the firm’s operations. This full license significantly streamlines the future MiCA authorization process by providing the AMF with a proven track record of operating under elevated prudential and conduct standards.
Navigating Enhanced Registration and Joint AMF/ACPR Due Diligence
Since January 2024, France has operated an Enhanced Registration regime for new market entrants. This regime is explicitly designed to bridge the gap between initial AML checks and the full requirements of the European MiCA authorization. This measure reflects the French regulatory commitment to pre-alignment, minimizing the burden of the eventual MiCA transition.
Enhanced Registration Requirements and Organisational Resilience
The enhanced regime now requires new applicants for the four mandatory services to meet several operational and organizational standards that were previously exclusive to the optional license. Key components include:
IT Security Audit: Submission of an audit report from an independent, certified cybersecurity consultant, validating the resilient IT infrastructure and demonstrating adherence to the principles of the Digital Operational Resilience Act (DORA). This audit must cover network security, data encryption, and physical security measures for data centers.
Internal Control System: Implementation of detailed internal control mechanisms to manage financial, operational, and IT risks, extending beyond basic AML checks. This system must include documented processes for compliance monitoring, risk mapping, and annual internal control reporting submitted to the AMF.
Client Asset Segregation: Procedures demonstrating the physical and legal segregation of client crypto-assets from the firm’s own capital—a core MiCA principle designed to protect client funds in the event of insolvency. Documentation must specify the types of wallets used (hot/cold), the custodianship agreements, and the legal framework guaranteeing segregation and recoverability of client assets.
Programme of Operations: A detailed business plan with realistic financial projections (typically covering three to five years) to prove the viability and sustainability of the enterprise. This includes organizational charts, internal policies, and a description of human and technical resources, demonstrating the firm’s capacity to maintain operations under various stress scenarios.
The Joint AMF & ACPR AML/CFT Audit and Technical Diligence
The registration process involves deep collaboration between the two French regulators, ensuring both integrity and operational soundness.
The ACPR’s Critical AML/CFT Assent and KYT Expectations
The ACPR must give its formal assent to the applicant’s AML/CFT procedures and organizational setup. This check is exhaustive and focuses on:
KYC/KYT Efficacy: The effectiveness of the firm’s Customer Due Diligence (CDD) and the utilization of specialized RegTech solutions for on-chain monitoring (Know Your Transaction – KYT). The ACPR expects the firm to use sophisticated blockchain analytics tools to assess the risk scoring of wallets, identify illicit funds (e.g., from darknet markets, ransomware, sanctioned entities), and monitor transactions in real-time. The policies must detail the specific risk-based thresholds for flagging and investigating suspicious activity, integrating external data sources for effective screening.
MLRO and Governance: Verification that the appointed Money Laundering Reporting Officer (MLRO) and Compliance Officer (CCO) are properly resourced, senior, and meet the “Fit and Proper” test. The MLRO must have direct, unimpeded access to the management body and possess the technical competence to oversee a complex digital asset compliance program, including proficiency in blockchain analytics and reporting protocols.
Tracfin Reporting and FATF Travel Rule Implementation
French compliance is rigorous regarding global standards:
Tracfin Reporting: PSANs are Reporting Institutions and must immediately and thoroughly report all suspicious transactions (Suspicious Activity Reports – SAR) to Tracfin (the French FIU). The internal system must ensure rapid and accurate filing, including linking transactions to customer records (via the FICOBA database when applicable) and adhering to the strict deadlines imposed by the Monetary and Financial Code. Any attempted transaction over a certain threshold that is ultimately refused must also be reported.
Travel Rule Mechanism: For crypto transfers exceeding the FATF threshold ($1,000 equivalent), PSAN operators must implement technology to accurately collect, hold, and transmit the required originator and beneficiary information (name, account number, address) to the counterparty VASP. French requirements mandate highly sophisticated RegTech solutions for real-time compliance checks, including the ability to pause or block transactions where counterparty information is incomplete or where the counterparty VASP is located in a high-risk jurisdiction, demonstrating strict adherence to international anti-money laundering standards.
Technical Superiority, GRC, and Corporate Substance
The French regime places strong emphasis on robust corporate governance, internal controls, and technological resilience, significantly preparing firms for the full MiCA regime.
Governance, Risk, and Compliance (GRC) Framework
For authorized PSANs, the GRC framework must align with traditional financial institutions:
Internal Control Function: The firm must establish an independent Internal Control function responsible for continuously monitoring the firm’s compliance with all internal procedures and regulatory obligations. This function must report directly to the management body and must be structurally separated from the operational and trading units to ensure objectivity and prevent conflicts of interest. The annual internal control report is a cornerstone of continuous supervision.
Risk Management Policy: A comprehensive policy covering all material risks, including operational risk, cybersecurity risk, market risk (for firms dealing in proprietary trading), credit risk, and liquidity risk. This policy requires the regular stress testing of capital adequacy against various risk scenarios (e.g., flash crashes, sudden liquidity withdrawal, major cyber breaches).
Local Substance Requirements: France requires genuine operational substance. This includes the establishment of a fully functional legal entity (such as a Société par Actions Simplifiée – SAS) with a physical operational office in France. Furthermore, the management body must include individuals resident in France to ensure effective local supervision and regulatory engagement. The CEO, MLRO, and CCO are typically required to dedicate sufficient time and resources to the French entity, proving that the central management and control are genuinely exercised from France (a critical factor for tax purposes and regulatory oversight).
PSAN Cybersecurity Audit and DORA Alignment
The IT Security Audit, mandatory for the enhanced registration, must be performed by an independent, qualified consultant. This audit is highly prescriptive and serves as a direct precursor to DORA compliance.
The audit confirms:
Access Control and Key Management: Strict verification of multi-factor authentication (MFA), separation of duties, and access privileges, particularly for private key management within the custody solution. The use of Hardware Security Modules (HSMs) for cold storage must be verified and audited for physical and logical security, with clear procedures for key generation, storage, and destruction.
Operational Resilience and Incident Management: The audit must confirm the existence and regular testing (at least annually) of Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). The firm’s Incident Management Framework must align with DORA’s requirement for classifying, managing, and promptly reporting severe cyber or operational incidents to the AMF and ACPR within the prescribed time limits, demonstrating a mature approach to risk mitigation.
Penetration Testing: Mandatory regular, independent penetration testing on all critical infrastructure (trading platform, API gateways, and custody interfaces) to identify and remediate vulnerabilities before and after registration. The testing methodology must meet high-security standards accepted within the financial sector (e.g., OWASP, TIBER-EU).
Corporate Governance and the ‘Fit and Proper’ Test Deep Dive
The ‘Fit and Proper’ test is not a formality; it is an extensive regulatory review that goes beyond simple background checks. It assesses:
Integrity and Reputation: Criminal records, regulatory sanctions history, and professional integrity in previous roles.
Competence and Experience: Relevant professional qualifications, market knowledge, and direct experience in managing financial services or technological platforms of comparable complexity. The AMF is stringent, often requiring direct proof of expertise in digital asset operations, risk management, or compliance.
Financial Solvency: Personal financial background checks to ensure the absence of bankruptcy or significant personal financial distress that could compromise integrity.
Time Commitment: Assurance that key individuals (especially the CEO and MLRO) will dedicate sufficient time to the French entity to effectively carry out their supervisory and compliance duties.
Request more information
Prudential Safeguards and Cost: The Path to MiCA Capital
The French regime provides clarity on the financial commitment required, differentiating itself from less prescriptive national systems while maintaining an advantage in terms of initial administrative fees.
MiCA Capital Classes
The forthcoming MiCA Regulation standardizes these requirements across the EU, establishing clear classes based on the services offered:
Estimated Cost and Timeline (PSAN vs. MiCA)
The cost of obtaining and maintaining the French permit represents a significant but strategic investment in operational readiness and compliance certainty. The figures below are highly variable based on the firm’s complexity, service scope, and the quality of existing documentation.
Client Protection and Conduct of Business Rules
The full PSAN Authorization requires firms to adopt rigorous client protection and conduct of business rules, closely mirroring the standards of the MiFID II framework, a critical precursor to MiCA’s detailed conduct requirements.
Best Execution and Conflicts of Interest
Authorized PSANs must establish and implement a Best Execution Policy to ensure that they take all reasonable steps to obtain the best possible result for their clients when executing transactions. This involves considering price, costs, speed, likelihood of execution and settlement, and any other relevant factor.
Furthermore, firms must implement robust procedures to identify, prevent, manage, and disclose conflicts of interest between themselves, their employees, and their clients. The management of potential conflicts between the firm’s proprietary trading activities and client order execution is subject to particular scrutiny by the AMF. This framework demands structural separation between front-office and internal control functions.
Investor Disclosure and Suitability
MiCA places significant emphasis on transparent and fair marketing, and the AMF has already implemented stringent rules in this area. All marketing communications must be clearly identifiable as such, must not be misleading, and must include clear warnings about the risks associated with digital assets.
For advisory and portfolio management services, firms must conduct detailed suitability and appropriateness assessments to ensure that the services and products offered are aligned with the client’s financial situation, investment objectives, and risk tolerance. Detailed white papers and disclosures must be made available to retail investors before any service is rendered, providing a mandatory level of investor protection similar to traditional securities markets.
Overlap with Other EU Directives
The regulatory complexity is further amplified by overlaps with other EU regimes:
PSD2/Payment Services: Since many PSANs handle fiat on-ramps and off-ramps, their fiat processing activities often intersect with the requirements of the Payment Services Directive (PSD2). The ACPR, which also regulates Payment Institutions, scrutinizes these activities to ensure robust financial flows and consumer protection within the fiat ecosystem, particularly concerning Strong Customer Authentication (SCA) and secure operational standards.
MiFID II: The optional PSAN services (Portfolio Management and Advisory) are directly modeled on MiFID II principles, requiring firms to implement a high standard of professional conduct, governance, and operational resilience akin to traditional investment firms. This early MiFID II alignment significantly simplifies the CASP application, as the firm’s conduct framework is already proven and accepted by the AMF.
Strategic Advantages: Banking Access and MiCA Passporting
Choosing France for a Digital Asset Permit is a strategic economic choice designed to maximize market access and minimize critical operational friction points, leveraging the jurisdiction’s proactive regulatory stance.
Mitigating De-Banking: The Regulatory Right to a Bank Account
One of the most persistent hurdles for VASPs globally—the refusal by banks to open and maintain accounts—is mitigated in France, providing a crucial operational advantage.
Registered PSANs have the right to request the Bank of France (Banque de France) to designate a credit institution that will be obliged to open and service their account. This is a powerful remedy against “de-banking” and provides a unique level of operational certainty.
The ability to secure a Tier 1 banking relationship is often cited as the most significant benefit of the French license, providing a foundation of trust that unlocks wider financial and commercial partnerships across the continent.
The MiCA Passporting Advantage
The ultimate prize of the full CASP authorization is MiCA Passporting, which transforms a national license into a pan-European permit:
Pan-EEA Reach: A French-issued EU MiCA permit allows the operator to provide all its authorized crypto services across the entire European Economic Area (EEA), immediately expanding the accessible market to over 450 million people. Crucially, the French designation for CASP (Crypto-Asset Service Provider) is PSCA (Prestataire de services sur crypto-actifs), and this status is the key to pan-European passporting.
Enhanced Credibility: The reputation of the AMF as a strict yet efficient regulator enhances the credibility of the French-licensed firm, facilitating smoother integration with Tier 1 banking partners and traditional financial institutions across the EU, reducing the operational friction typically associated with cross-border crypto activities.
The MiCA Transitional Period Mechanics
MiCA grants existing national VASP operators an 18-month transitional period (until mid-2026) to continue operations while applying for the full CASP status. France’s foresight makes this period highly strategic.
Existing Authorized PSANs are already operating near MiCA standards, having undergone the stringent organizational, governance, and prudential reviews of the AMF and ACPR. Their application for the CASP status (PSCA) will benefit from an expedited review by the AMF, utilizing the accumulated regulatory file and ensuring the quickest and most predictable route to the final MiCA authorization and passporting rights. By investing in the French enhanced registration or optional permit today, firms minimize the future cost and time burden of MiCA compliance, effectively pre-empting the European-wide regulatory deadline.
French Crypto Tax Regime and Fiscal Compliance
While the AMF/ACPR focus is regulatory, the French fiscal environment adds another layer of compliance certainty that benefits licensed PSAN operators. France has a clear and relatively favorable tax regime for digital assets, which enhances its appeal as a financial hub.
Capital Gains Taxation
Since 2019, France has generally treated crypto-to-crypto and crypto-to-fiat transactions as subject to a fixed rate of taxation, known as the Flat Tax (PFU).
Individuals: Capital gains realized from the occasional sale of digital assets are subject to a flat tax rate of 30% (including 12.8% income tax and 17.2% social contributions). This simplified flat rate provides clarity compared to complex progressive income tax structures in other jurisdictions.
Exemption Threshold: Small disposals (below a certain annual threshold) are typically exempt from taxation, further simplifying the process for small retail investors.
Business and Operational Taxation
For licensed PSAN entities (SAS or SA), crypto activities are treated as commercial activities, subject to corporate income tax (IS), which currently stands at a competitive rate. The predictability of the tax framework minimizes risk for business planning.
PSAN Reporting Obligations: The French tax code mandates specific reporting requirements for PSANs. Licensed operators must ensure their internal systems can accurately track and provide clients with the necessary data points (transaction history, fiat valuations) to meet their annual tax declarations, which is viewed favorably by the AMF as part of holistic compliance.
France as the Nexus for EU Crypto Compliance
The Digital Asset Permit in France, through the AMF PSAN regime, offers a clear, secure, and strategically advantageous route into the European market. The depth of regulatory due diligence, spanning detailed IT security, robust corporate governance, and meticulous AML/CFT procedures, confirms the high standard expected.
France’s proactive regulatory measures under the PACTE Law, culminating in the enhanced registration and the alignment of the optional permit with MiCA, have positioned its jurisdiction as the most prepared for the 2025 regulatory shift. For global VASP operators, securing the French PSAN status today means more than just domestic compliance; it means securing the fastest and most credible path to the highly coveted EU MiCA authorization (PSCA status) and the comprehensive market access offered by MiCA Passporting. The investment in French regulatory alignment is a strategic choice for long-term operational success in the European digital asset market.
By prioritizing meticulous AML/CFT procedures, robust IT infrastructure, comprehensive risk management, and full compliance with the French AMF and ACPR, providers ensure not only their current legality but their future competitiveness, making France the essential launchpad for successful crypto business operations across the continent.
FAQ
PSAN stands for Prestataire de Services sur Actifs Numériques (Digital Asset Service Provider). France created this regime through the PACTE Law in 2019, positioning itself as a leader. Its importance for MiCA is strategic: the optional PSAN license was aligned with the forthcoming CASP standards, giving French-authorized firms a "fast track" advantage and market credibility for the MiCA transition.
Mandatory Registration (required for 4 core services like custody and exchange) focuses heavily on AML/CFT compliance and the good repute of managers, enforced by the AMF and ACPR.
The Optional PSAN License (or approval) requires additional, stricter standards, including robust IT infrastructure, internal control, and prudential safeguards, closely anticipating the comprehensive requirements of the full MiCA authorization.
The regime is administered jointly:
The AMF (Autorité des marchés financiers), the markets regulator, focuses on operational review, technical capacity, and the good repute of managers.
The ACPR (Autorité de Contrôle Prudentiel et de Résolution), the prudential authority, primarily grants its formal assent to the applicant’s AML/CFT procedures.
The enhanced registration (often called the "reinforced" regime) was introduced for new market entrants to bridge the gap between simple registration and full MiCA compliance. New applicants must now meet additional organizational standards, including a certified IT Security Audit and detailed internal control mechanisms, effectively pre-empting key MiCA operational requirements.
The ultimate benefit is Pan-EU Market Access. Once a French-licensed firm secures the full CASP authorization under MiCA, it automatically gains the right to provide all its authorized services across all 27 member states of the European Economic Area (EEA) without having to seek separate national permits.
French regulators are strict on the efficacy of AML/CFT procedures. PSAN operators must implement sophisticated RegTech solutions for real-time transaction monitoring and must comply with the FATF Travel Rule, which mandates the collection and transmission of required originator and beneficiary data for crypto transfers above the set threshold (the VASP equivalent of bank wire data).
Yes. Both the mandatory registration and the optional license require significant local substance. Applicants must establish a legal entity (such as a SAS) in France and typically must appoint management personnel who pass the Fit and Proper Test and an experienced Money Laundering Reporting Officer (MLRO) responsible for reporting to Tracfin (the French FIU).
The MiCA Regulation fully replaces the national PSAN regime for new applicants seeking full authorization from December 2024. However, existing registered and licensed PSANs benefit from an 18-month transitional period (until mid-2026) to continue operations while they apply for the full CASP authorization (EU MiCA license).
The requirements for the optional PSAN license were intentionally aligned with the MiCA requirements (including governance, capital, and IT security). Firms that already have the license are on a "fast track" to full CASP authorization because they've already satisfied most of the new prudential and organizational demands.
The main benefit is MiCA Passporting. Once the AMF grants the EU MiCA license, the firm is legally allowed to provide its authorized crypto services across all 27 EU member states without needing to obtain further national licenses.