France’s top financial regulator has published new rules regarding the licensing of digital asset service providers (DASPs) as well as guidelines for firms applying for the non-mandatory license and informing the regulator about internal cybersecurity practices.
The Autorité des marchés financiers (AMF) or Financial Markets Authority released the rules on Wednesday and the guidelines on Thursday last week, opening up the opportunity for firms to apply. The rules and guidelines expand upon France’s PACTE law, one of the first crypto legislative packages passed in Europe. PACTE passed in May 2019.
To apply, each DASP has to send the AMF a two-year business plan, a list of digital assets the firm is going to service, the list of geographies the firm will operate in and the firm’s organizational chart among other things.
Licensed DASPs are required to have professional indemnity insurance or a minimum amount of reserve funds, at least one effective senior manager, resilient IT systems, an internal control system, a claims handling procedure, an organization enabling it to avoid conflicts of interests and procedures to prevent money laundering and terrorist financing.
The license is optional for crypto firms operating in France, however. The French government only mandates that crypto custodians and any firm dealing with fiat-to-crypto or crypto-to-fiat services register with the AMF for anti-money laundering and anti-terrorist financing reasons.
The French regulator also released specific rules for crypto custodians, crypto exchanges, crypto broker-dealers, and crypto custodians.
“To the best of my knowledge it’s the first time we’ve seen precisely how a custodian has to maintain the key to assets on blockchain, and what is the role and liability of the custodian,” said Hubert de Vauplane, a partner at law firm Kramer Levin Naftalis & Frankel.
The French government, with the help of the AMF, has defined crypto-asset custody service as “mastering” the “means of access” (cryptographic keys) for a third party’s digital assets and keeping track of their positions, said Emilien Bernard-Alzias, a partner at law firm Simmons & Simmons in Paris. New rules for licensed custodians under its general regulations include multi-validation for customers’ transactions and compensating clients if the custodian cannot restore control of those assets.
In its guidelines, the AMF notes the security risks that blockchain poses and asks crypto firms to provide the regulator with a detailed cybersecurity program that mitigates risks and complies with Europe’s general data protection regulation. Crypto firms are responsible for the cybersecurity of the digital asset service they provide and must undergo regular technical audits.
“The AMF is trying to take crypto firms by the hand to help them comply,” Bernard-Alzias said. “For other financial service providers there are requirements for a strong IT system, but the AMF guidance does not have many details for them as they do for crypto firms … For this, the AMF is having crypto firms explain at the beginning what they are going to do, and this is new for us in France.”