Beyond remote topics contained in draft legal and regulatory provisions impacting financial institutions, some yet to be finalized (i.e., the so called « PACTE » and « anti-fraud » bills. At European level, one may also mention the recent Delegated Regulation of the European Commission on safe-keeping duties of depositaries (12 July 2018)), rather urgently one ought to prepare and turn to more immediate topics. Namely some key regulatory deadlines, whether already applicable or which must be implemented by year-end 2018.

This paper aims at unveiling and highlighting recent regulatory developments, grouping them into three topical categories; 1. directly affecting financial institutions, 2. affecting certain specific financial services and 3. anti-money laundering obligations. Under each topical category the paper evidences changes, highlights the regulatory deadlines and the need to anticipate them.

1. Relevant topics for financial institutions

1.1 Measures in preparation for Brexit ACPR release (June 2018)

In the ACPR release, which refers to its European counterparts (EBA, EIOPA, ESMA), the French regulator reminded that financial institutions must actively prepare for the effects of the Brexit. France The details of the European releases might have already been taken into account:

  • UK institutions exercising their activity in France through the European passport, which are likely to have to provide their post-Brexit plan to the ACPR; and
  • French institutions which have presented the same plans to the UK regulator and the ACPR or the ECB, as the case may be.

That said, it is worth mentioning that in its June 2018, the EBA requested, before the end of year-end, all credit institutions, investment firms e-money/payment institutions as well as other financial intermediaries to:

  • Take all concrete measures aiming at preparing for Brexit (notably vis-à-vis the UK counterparts); and
  • Clearly inform clients with whom they have an existing contractual relationship of the underlying risks associated with Brexit.

Worth noting is that this subject matter is particularly current given that on 13 July 2018 the UK government released its “new” white paper on what it expects from the future relationship between the UK and the EU. Most worth noting is that this document confirmed that post Brexit, the European passport will no longer be available.

1.2 EBA Consultation on its draft guidelines on outsourcing arrangements (22 June 2018)

Whilst the draft guidelines will likely not be finalized before year-end 2018, nevertheless, this draft document can serve as an excellent guidance document for auditing agreements aiming at outsourcing of core provision of services, which is a requirement under French law.

1.3 ACPR-AMF Joint Committee: developments of interest of the annual report released on 30 May

The annual report of the ACPR-AMF Joint Committee, like other recent reports released by the AMF (For example, the AMF overview of its audits carried out between year-end 2016 and year-end 2017 on the marketing of financial instruments (June 2018) as well as the outcome of AMF lead undercover customer visits regarding online subscription processes (June 2018)), does not call for immediate action but allow each institution to audit itself given the identified malpractice of other institutions.

1.4 Opinions and ACPR Compliance notices in relation to the EBA Guidelines

The ACPR regularly issues opinions or compliance notices in relation to EBA opinions. For example, the ACPR recently ruled on 12 July 2018 that the French financing firms (sociétés de financement) was subject to EBA’s Recommendations of March 2018 on outsourcing to cloud service providers applicable since 1 July 2018, which supplements existing outsourcing rules set forth under ACPR Ruling dated 3 November 2014 on outsourcing.

1.5 Preparing for entry into force of the Geo-Blocking EU Regulation

Applicable as of 3 December 2018, this Regulation aims at addressing unjustified geo-blocking and other forms of discrimination based on customers’ nationality & place of residence. It targets geo-blocking techniques which artificially segment national markets and prohibits them.

From a practical point of view, these discriminatory barriers are put in place through the blockage to the access of an internet website through:

  • the client IP address,
  • Redirecting the client to the website of another distributor,
  • Rejecting a purchase order,
  • Applying different prices depending on the localization of the client, or
  • Requiring that the client uses a local (French) bank account.

With respect to impacts of the new rules on financial services, while they do not require financial institutions to undertake a cross-border service (especially given their limited rights in this respect) or waive a price differentiation, no client discrimination can occur when the latter client wishes to benefit from the various terms and conditions of the services.

1.6 Impact of new French regulations on automated data exchange (ADE) – Common Reporting Standards (CRS)

Subsequent to the adoption of a Decree released on 4 July 2018 (entering into force on 1 November 2018), financial institutions subject to CRS reporting shall prepare themselves for situations involving clients who fail to reveal their tax residence(s).

1.7 Release of the French data protection law implementing GDPR

The French data protection law implementing some aspects of GDPR was released on 21 June 2018 (it notably addresses the 50 plus national law implementing provisions required by the GDPR). Financial institutions are theoretically already compliant with the GDPR but ought to verify that they are also compliant with some of the French specific provisions, such as: 3

  • Ensure the CNIL’s approval is obtained for approval for biometric/health data processing, given that data processing of the directory of natural persons and death (NIR) shall be subject to specific measures;
  • In the context of European passport and follow-up on internal control, ensure that their clients residing in France systematically benefit from French law in case the home country law of the provider applies rules that are contrary to French law principles;
  • Follow-up on CNIL guidance, e.g. with respect to the list of data processing that require carrying out of a prior impact assessment; in addition, it can also be necessary to follow CNIL guidance, recommendation, notices or other rules of conduct;
  • Take into account, that in France accounts opened in name of minors, under the age of 15, the decision of parents must be duly taken into account when collecting the said minor’s consent (for any data processing).

1.8 eIDAS (EU electronic identification/signature Regulation)

It is worth reminding that the mandatory reciprocal common recognition of electronic identification measures notified to the European Commission will start applying as of 18 September 2018. For example, given that Germany has notified its own electronic identification means in relation to German residents, such means will have to be recognized in France.

1.9 Impacts on contracts deriving from the new provisions of the French Civil Code

Financial institutions ought to be aware and carefully take into account, with respect to agreements concluded as of 1 October 2018, the impacts of the recent law dated 20 April 2018 which ratified the original ordinance amending French contract law.

2. Specific topics in financial services

2.1 Parliamentary discussions on ratification of the PSD2 ordinance (5 July 2018)

The French Senate is due to initiate, on 24 July 2018, its second reading review of the bill ratifying the French provisions implementing PSD2. It is worth noting that the French National Assembly rejected the original idea expressed by the Senate to trigger insurance requirement when aggregation or payment initiation services are undertaken in relation to bank accounts other than payment accounts.

Except for the new cashback service that is likely to be offered in France before year-end 2018, deliberations on PSD2, although intense on topics such as strong authentication and common and secure open standards of communication, most likely does not require immediate action before year-end 2018.

2.2 What next subsequent to the Landau report on cryptocurrencies (released on 4 July 2018)?

The Landau report (from the name of its author) does not appear to be an embryo on rules on cryptocurrencies given that its author said that it was “neither desirable nor necessary” to directly regulate cryptocurrencies. The report is nevertheless very informative as it provides clear guidance on both current and future use of cryptocurrencies. It also provides a map, which is very useful in the context of future French legal regime on initial coin offerings, deriving from the huge bill released earlier in June 2018 (designated under its French acronym PACTE).

2.3 Entry into force of rules set out in of French law implementing EU Insurance Distribution Directive (IDD)

Subsequent to the release of Ordinance dated 16 May 2018 and its implementing Decree dated 1 June 2018, financial institutions and their distribution network shall prepare themselves for the entry into force of the said new rules by 1 October 2018, which essentially impact on:

  • Product governance, in the same manner as the rules in connection with investment services;
  • Remuneration transparency, including the termination of the “advance payment” market practice;
  • Management of conflict of interest; and
  • Training of personnel.

The said institutions would be wise to refer to the EIOPA Q&A released on 11 July 2018 as well as to the ACPR guidance in relation to insurance advice released on 10 July 2018.

3. Fight against money laundering

Pursuant toto the French AML/CFT rules implementing the 4th EU Directive coupled with rules governing freezing of assets, institutions subject to those rules shall be prepared to comply by 1 October 2018 (see our recent alert). Whilst some expected amendments to existing rules are due to be released soon, of ample benefit might be consulting more remote laws some of them highlighted below.

3.1 Impact of the 5th AML/CFT Directive released in the OJEU on 19 June 2018

Some of the recent changes to French regulations go along the lines of the 5th AML/CFT Directive, among which one may mention the following:

  • AML/CFT vigilance for intermediaries of virtual currencies, including the registration requirement for virtual currency exchange platforms and virtual currency custodian wallet providers;
  • Reinforcing of consolidated AML/CFT supervision at group level, alike what French law already provides;
  • Lowering the threshold under which no identification is requirement for e-money to €150;
  • Client ID verification through electronic identification means offering a high level of guarantee within the meaning of eIDAS regulation, applicable in France as of 1 October 2018.
  • Details on the enhanced vigilance measures to be applied to correspondent banking transactions;
  • Harmonization of enhanced vigilance measures in relation to business relationship or transactions involving countries whose AML/CFT laws are deficient and which are placed on the black lists of the European Union.

3.2 Recent decisions from the ACPR sanctioning committee on AML/CFT matters

Decisions rendered by the ACPR sanctioning body always proves to be very educational and allows not only to improve internal procedures but also to better anticipate possible audits from the regulator (ACPR).

3.3 ACPR and AMF Guidelines

While recent publications occurred in 2018 and even in July 2018, one may expect an entire renewal of the guidelines and other sectorial recommendations by year-end 2018; after which it will be advisable to review internal procedures accordingly.

For example, the recent update of the sectorial guidelines on the AML/CFT vigilance in relation to clients exercising their right to open a bank account. The update clarified the balance between the core right of a private individual to open a bank account is not outweighed by the right of the bank not to open it when it cannot identify the private individual in a satisfactorily manner under the required AML/CFT vigilance.

3.4 FATF Publication of 29 June 2018 on grey/black lists

During its plenary meeting in June 2018, the Financial Action Task Force (FATF) updated its recommendations on the implementation of measures with respect to jurisdictions that have strategic deficiencies, including those countries:

  • subject to a FATF call on its members and other jurisdictions to apply counter-measures;
  • subject to a FATF call on its members and other jurisdictions to apply enhanced due diligence measures proportionate to the risks arising from the jurisdictions; and
  • whose regulations or their implementation evidenced strategic deficiencies.

In the business relationships implying each of these three categories of countries (the listed countries changed a little), the consequences attached to the business relationship are different, ranging from the initiation enhanced measures for the suspicion of transaction reports to the necessity to conduct enhanced due diligence measures with respect to business relationship and transactions involving such territories.