France Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Who regulates financial crime in France?

France's AML supervision runs through four bodies, each with a distinct remit.

The ACPR (Autorité de Contrôle Prudentiel et de Résolution) is the lead prudential supervisor. It operates under the Banque de France and covers banks, insurance companies, payment institutions, and electronic money issuers. The ACPR conducts on-site inspections, issues binding orders, and can impose administrative sanctions including fines and licence revocations. Its enforcement decisions are published at acpr.banque-france.fr.

The AMF (Autorité des Marchés Financiers) covers investment firms, asset managers, crowdfunding platforms, and crypto-asset service providers. It runs parallel AML supervision for entities in its perimeter and coordinates closely with the ACPR on cross-sector cases. The AMF's enforcement doctrine and supervisory guidance are public at amf-france.org.

Tracfin (Traitement du renseignement et action contre les circuits financiers clandestins) is France's financial intelligence unit, operating within the Ministry of Economy and Finance. Tracfin receives suspicious transaction declarations (déclarations de soupçon), analyses them, and forwards intelligence to prosecutors, tax authorities, or other agencies. It doesn't supervise reporting entities but it can request additional information from them during an investigation. In 2022, Tracfin received over 190,000 declarations, a record at the time. Its annual reports are public at economie.gouv.fr/tracfin.

The DGFiP (Direction Générale des Finances Publiques) administers tax collection and auditing. It shares data with Tracfin on suspicious financial flows and manages the FICOBA registry, France's national database of bank accounts, which judicial and tax authorities query to locate all accounts held by a given individual or entity.

For complex investigations, the ACPR, AMF, and Tracfin work with the PNF (Parquet National Financier), France's specialist financial crimes prosecution unit established in 2014.

What are the key AML and fraud laws in France?

The Code Monétaire et Financier (CMF) is France's primary AML statute. Articles L.561-1 through L.561-50 set out the complete framework: covered entities, Know Your Customer (KYC) and customer due diligence obligations, enhanced due diligence for high-risk relationships, correspondent banking controls, and the Tracfin reporting regime. The CMF was substantially updated by Ordonnance n° 2020-115 of 12 February 2020, which transposed the Fifth Anti-Money Laundering Directive (5AMLD) into French law. The current consolidated text is available at legifrance.gouv.fr.

The French Penal Code (Code Pénal) treats money laundering (Articles 324-1 et seq.) and terrorist financing (Articles 421-1 et seq.) as serious criminal offences. Individuals face up to 10 years' imprisonment and €750,000 in fines. For legal persons, fines can reach €3.75 million. These criminal penalties sit alongside the ACPR's administrative sanctions; one doesn't exclude the other.

The Sapin II Law (Loi n° 2016-1691 of 9 December 2016) introduced anti-corruption obligations for large companies, including mandatory risk mapping, enhanced due-diligence procedures on third parties, and whistleblowing systems. Its requirements for financial institutions overlap with AML risk management, particularly around correspondent and supplier relationships.

On data protection, France applies the GDPR directly. The Loi Informatique et Libertés (Law n° 78-17), updated in 2018, supplements the GDPR with national provisions enforced by the CNIL. This matters operationally for AML: customer data collected during KYC screening, transaction records, and SAR investigations all fall within GDPR's scope. Retention limits and purpose limitation rules directly constrain how long institutions can hold AML-related personal data.

France's framework maps to FATF Recommendation 1 on the risk-based approach and FATF Recommendation 10 on customer due diligence, both transposed through the CMF. The FATF's 2022 mutual evaluation awarded France high technical compliance ratings across most recommendations, while noting effectiveness gaps in beneficial ownership verification and real estate sector oversight. The full report is available at fatf-gafi.org.

What controls do France regulators expect?

The ACPR's supervisory approach is built around four control areas, all grounded in the CMF.

Customer due diligence. Under Article L.561-5, reporting entities must identify and verify customers before establishing a relationship. For legal entities, this means identifying Ultimate Beneficial Owners (UBOs) down to the 25% ownership threshold. Enhanced CDD applies to politically exposed persons, high-risk countries, and non-face-to-face relationships. Customer due diligence isn't a one-time exercise: Article L.561-6 requires ongoing monitoring throughout the relationship, and the ACPR expects documented refresh of customer profiles when risk indicators change.

Transaction monitoring. Institutions must monitor transactions for patterns inconsistent with the customer's declared profile. The ACPR expects written policies, calibrated alert thresholds, and documented investigation records for every alert. There's no statutory minimum transaction threshold that triggers a report; any transaction raising reasonable suspicion must go to Tracfin. Transaction monitoring systems must cover all products and channels, including cross-border payment flows, which the ACPR has scrutinised more closely since 2020.

Sanctions screening. France applies EU autonomous sanctions and UN Security Council measures. Institutions must screen against the EU consolidated list and freeze assets of designated persons immediately on designation. Sanctions screening failures draw both ACPR and EU-level attention; the European Banking Authority has been tightening expectations on screening frequency and name-matching quality.

Reporting and record-keeping. Suspicious transaction declarations go to Tracfin via its secure ERMES portal. Records of CDD, transactions, and reports must be retained for five years after the relationship ends, in line with FATF Recommendation 11. For STR filings, the ACPR expects complete documentation of the investigation: the alert trigger, investigation steps, and the decision rationale that led to the filing.

What is unique about compliance in France?

France has several features that catch foreign banks off guard.

The PSAN regime. France was an early mover on crypto-asset regulation. Under the Pacte Law (Loi n° 2019-486), digital asset service providers must register as PSANs (Prestataires de Services sur Actifs Numériques) with the AMF. Full AML obligations apply from registration, including CDD, transaction monitoring, and Tracfin reporting. The framework reflects FATF Recommendation 15 on new technologies. MiCA, in force from December 2024, is absorbing parts of the PSAN regime, but France's existing registrations are being grandfathered under transitional arrangements. Offering crypto services without registration carries criminal liability.

The beneficial ownership registry. France maintains a public Registre des Bénéficiaires Effectifs (RBE), filed with the commercial court registry (Greffe). Companies must disclose UBOs, with filings accessible through Infogreffe at infogreffe.fr. After the CJEU's November 2022 ruling (Joined Cases C-37/20 and C-601/20), France narrowed its public access layer while preserving access for reporting entities. In practice, institutions still query the RBE but must cross-check it against their own due diligence rather than treating it as definitive.

Cash transaction limits. The CMF caps cash payments by French residents at €1,000 for goods and services; non-residents may pay up to €15,000 in cash. Exceeding these limits triggers reporting obligations and can constitute a criminal offence. This creates specific monitoring requirements for any retail-facing institution.

PEP treatment. France defines PEPs in line with FATF Recommendation 12, but the ACPR has been explicit that enhanced scrutiny must continue after a PEP leaves public office for at least 12 months. The ACPR's 2021 thematic review of PEP management found widespread gaps in ongoing monitoring and inconsistent application of exit criteria. PEP screening must cover both domestic and foreign PEPs, including senior executives of state-owned enterprises.

FICOBA. The national bank account registry gives judicial and tax authorities visibility over all accounts held by any given person or entity. Banks are obligated to register accounts in FICOBA. This traceability layer is invisible to most foreign compliance teams until their first ACPR inspection.

Recent enforcement actions in France

France's enforcement record shows a regulator increasingly willing to use its full penalty range.

The most prominent case remains the BNP Paribas 2014 settlement with US authorities, where the bank pleaded guilty and paid $8.97 billion for processing transactions on behalf of Sudan, Iran, and Cuba in violation of US sanctions. The US action reshaped how French banks approach sanctions screening globally. The ACPR tightened its own expectations on sanctions risk in the years that followed, and the case remains a standard reference point in French compliance training.

Domestically, in 2019 the ACPR's Sanctions Commission fined UBS's French branch €4.5 million for AML control failures. The published decision cited deficiencies in transaction monitoring, inadequate CDD on high-risk clients, and insufficient governance around the compliance function. Then in 2021, the Paris Court of Appeal upheld a conviction of UBS AG for unlawful banking solicitation and money laundering, setting a total penalty of €1.8 billion. Reduced from the trial court's €4.5 billion, the final figure still represents the largest financial crime penalty in French legal history.

Correspondent banking has also drawn ACPR scrutiny. The control failures documented in the Deutsche Bank 2017 mirror trading case and the cross-border flow breakdowns central to Danske Bank's 2018 Estonia case have shaped the ACPR's expectations around monitoring of correspondent relationships, even though those were not French enforcement actions. The ACPR publishes all enforcement decisions on its website. Recent decisions have targeted weaknesses in automated alert triage, crypto-related flows, and inadequate STR investigation documentation.

What foreign banks operating in France need to know

Foreign banks can enter France through three structures: a direct branch (requiring ACPR authorisation), an EEA passport (for European Economic Area banks), or a standalone subsidiary. Third-country branches face the most thorough licensing process: the ACPR reviews governance, financial soundness, and AML programme design as part of authorisation.

Local compliance officer. The ACPR requires every institution to appoint a dedicated RCSI (Responsable de la Conformité, de la Sécurité et du Contrôle Interne). For foreign branches, this person must have adequate seniority and independence, and must be formally notified to the ACPR. Outsourcing compliance functions to the parent group is permitted, but the RCSI retains full personal accountability.

Tracfin reporting. All STRs must be submitted in French via Tracfin's ERMES portal. There's no statutory deadline, but the ACPR expects declarations promptly once suspicion forms. For straightforward cases, 24 to 48 hours is the working expectation. Certain transaction types require a déclaration systématique even without a specific suspicion trigger.

Language. ACPR correspondence, regulatory reports, and AML policy documentation must all be in French. English-language policies from a parent institution require certified translations before they satisfy ACPR inspection standards. This catches many foreign banks by surprise during their first on-site review.

Data governance. GDPR applies in full, and the CNIL has issued specific guidance on AML data retention and intra-group sharing. Cloud-based compliance systems are acceptable under both ACPR and CNIL frameworks, provided the provider meets EU data residency and access standards.

Group reliance. Foreign bank branches can rely on group KYC and monitoring systems, but the local RCSI must demonstrate that the group system covers French-specific risks: cash thresholds, PSAN flows, the domestic PEP population, and FICOBA-registered accounts. ACPR inspectors routinely test whether group tools are calibrated for French client profiles rather than those of the parent bank's home market. For how comparable markets handle group compliance arrangements, see United Kingdom AML compliance and Singapore AML compliance.

How FluxForce supports France compliance

FluxForce's real-time transaction monitoring, automated SAR drafting, and continuous sanctions and PEP screening address the exact controls the ACPR examines on inspection. Every decision comes with a complete audit trail, ready for Tracfin disclosure or an ACPR on-site review. Adverse media screening runs on continuous refresh, directly addressing the ongoing-monitoring gaps the ACPR identified in its 2021 thematic review. Regulatory compliance automation cuts the manual work of alert investigation and case documentation across the CMF obligations framework. To see how FluxForce maps to France's specific requirements, request a demo.