KYC regulations in France

What exactly are they and how to meet them?

Background

Establishing a strong, long-lasting relationship with a financial institution requires trust on both sides. Just like customers do their research before approaching a banking service provider, companies need a system to evaluate risks related to their potential clients. In such cases, KYC (know your customer) requirements offer a well-founded system for identification of natural persons. It allows financial service providers to assess risks related to source of funds and check if the subject is politically exposed or on a sanctions list. What is more, in cases where companies are involved, it offers a reliable way to identify who the beneficial owner is. 

The majority of EU states already have national anti-money laundering systems and KYC requirements in place, but most licensed companies struggle to meet them. This problem is especially common in remote digital environments. 

Establishing reliable digital KYC guidelines in France has been a major concern for financial service providers in recent years. In line with evolving market needs, the ACPR, the French financial regulator, addressed the topic in 2021 with the introduction of a PVID option.

The certification process performed by the French ANSSI is now a reality! 

This option is fully compliant with eIDAS and is designed to meet the requirements of AML, eIDAS qualified services, and eIDAS eID. In this article, we would like to break down the requirements that were put in place, discuss compliance with eIDAS regulations, and outline what the future looks like for French KYC. 

What are the remote identification requirements of French KYC? 

Based on AML Law Article R561-5-2 of the Code monétaire et financier

  • 1° Obtain a copy of a document 
  • 2° Implement measures to verify and certify the copy of an official document or extract from an official register by a third party independent of the person to be identified 
  • 3° Require that the first payment of transactions be made from or to an account opened in the customer's name with a financial institution that is established in a Member State of the European Union or in a State party to the Agreement on the European Economic Area or in a third country that imposes equivalent obligations with regard to the fight against money laundering and terrorist financing 
  • 4° Obtain direct confirmation of the customer's identity from a third party 
  • 5° Use a service that is certified by the Agence nationale de la sécurité des systèmes d'information, or a certification body that this agency authorises, as meeting the substantial guarantee level of the requirements relating to proof and verification of identity
  • 6° Collect a valid advanced or qualified electronic signature or advanced or qualified electronic seal based on a qualified certificate or use a qualified electronic registered mail service including the identity of the signatory or the creator of the seal and issued by a qualified trust service provider registered on a national trust list pursuant to Article 22 of Regulation (EU) No 910/2014 of 23 July 2014.

According to the new remote identification requirements, licensed parties have three options for identifying customers:

  1. Physical meeting (branch)
  2. eIDAS Qualified Certificate based services (qualified signature) or eIDAS eID
  3. PVID

Here is a short overview of their main pros and cons:

[Image: overview of the pros and cons of the three identification options]

What more is required in AML Law?

In addition, any institution that takes part in financial activities needs to follow and comply with the French Monetary and Financial Code (CMF). It also has to apply at least two measures of vigilance out of the six proposed in Article R561-5-2 (cited above).


Can eIDAS qualified certificates meet the French AML requirements on KYC?

The answer is yes. The eIDAS regulation is fully compliant with French law, which allows a qualified certificate to be created using other identification methods recognised at national level that provide assurance equivalent to physical presence. This is especially useful in cases when an in-person meeting or an identity proofing process is not possible.

As long as a qualified trust service provider is on the EU trusted list with a registration method that is certified and confirmed by a member state supervisory body, the qualified certificate and signature meet the requirements of French AML. The EU has a common market and France is obligated to recognize, for example, German certificates and signatures. There is no requirement in eIDAS or French law that the qualified trust service provider must be French.

What are the French laws and standards for integration of qualified signatures?

eIDAS regulates how qualified certificates can be created (Article 24) and, if the provider is on the trusted list, they are compliant with French law. Before any qualified trust service provider can identify users remotely, it needs to comply with national regulations similar to PVID. A good example is German VDG §11 and all guidelines issued by the Bundesnetzagentur.

How does German VDG relate to PVID?

The German Bundesnetzagentur implemented the “VDG”, which was similar to the PVID, years ago. It was recently updated with guidance on machine identification, removing the human agent in the actual video conference. Much like PVID, VDG requires manual vetting and carefully outlines all the requirements involved in every identification process. More specifically, VDG addresses how to treat identity cards and related requirements for an identity vetting center.

VDG and PVID are related in the following aspects:

  • Both regulations require information security management systems of the highest level (based on ETSI standards)
  • Both regulations require liveness technology
  • Both regulations require specific ID document examination methodology
  • PVID certification is not done by CAB but by ANSSI, which places much weight on systems testing once the documentation review stage is complete

ZealiD offers a modern solution to match the newest requirements

 

We are a leading EU provider of qualified certificates to natural persons on the EU trusted list. ZealiD users can register remotely with either an eIDAS certified identity proofing method involving bank identification, or an eIDAS certified video conference. Following a short registration on the ZealiD app, users can generate remote qualified signatures in accordance with French law. For a financial institution regulated in France, ZealiD is a fully legally viable KYC option. ZealiD’s remote identification is eIDAS certified under relevant provisions of German VDG and, as such, it already meets most of the PVID requirements.

Staying up to date with the newest requirements is at the core of our mission. As a result, ZealiD will include PVID certification in its upcoming re-certification under eIDAS. By taking this step forward, ZealiD will become the first organization in the EU to run a combined super compliance scheme. It is fully compliant with the following regulations and standards on remote identification certification: 

  1. German regulation (VDG)
  2. French regulation (PVID)
  3. ETSI standard

With KYC and base remote identification purposes in mind, this framework suits the highest legal and compliance standards. And, as an added benefit, all of our users receive qualified signatures, which are an emerging requirement for financial, insurance, health care and labour-related contracts.



References:

https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000041577229/

 
