Spain – Man in the Middle fraud and EU Regulation 2024/886: a paradigm shift

3 November 2025

  • Spain
  • Banking
  • Financing and securities
  • Litigation

The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion corresponds to Spain.

In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time). Among other ingenious methods used by skilled fraudsters are those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

Man in the Middle scam: how it works

This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

  • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
  • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
  • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.
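The two signals in the steps above (a sender address that is almost identical to the supplier's, and an IBAN that differs from the one on file) can be screened for before a payment is released. The following is an added example, not part of the original article: the vendor master record, the .example domains, the distance threshold and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master data (hypothetical supplier on a reserved
# .example domain): trusted sender domain -> IBAN held on file.
VENDOR_MASTER = {"acme-supplies.example": "ES9121000418450200051332"}

# Country code, two check digits, then groups of four that may be space-separated.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
MAX_LOOKALIKE_DISTANCE = 2  # assumed threshold for an "almost identical" domain


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_payment_email(raw_message):
    """Return a list of findings; an empty list means nothing was flagged.

    Assumes a single-part plain-text message.
    """
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    ibans = {re.sub(r"\s", "", m) for m in IBAN_RE.findall(msg.get_payload())}
    findings = []

    # Step 1: is the sender a known supplier, a near miss, or a stranger?
    vendor = domain if domain in VENDOR_MASTER else None
    if vendor is None:
        near = [d for d in sorted(VENDOR_MASTER)
                if edit_distance(domain, d) <= MAX_LOOKALIKE_DISTANCE]
        if near:
            vendor = near[0]
            findings.append(f"lookalike-sender:{domain}~{vendor}")
        else:
            findings.append(f"unknown-sender:{domain}")

    # Step 2: any IBAN in the body that is not the one on file needs
    # confirmation through a channel other than e-mail.
    if vendor is not None:
        on_file = VENDOR_MASTER[vendor]
        findings += [f"iban-not-on-file:{i}" for i in sorted(ibans - {on_file})]
    return findings


def sample_mail(sender, iban):
    """Build a constructed sample message for the cases below."""
    return (f"From: Accounts <{sender}>\n"
            "To: ap@buyer.example\n"
            "Subject: Invoice 2025-118, bank details\n"
            "\n"
            f"Please pay invoice 2025-118 to IBAN {iban} from now on.\n")


# Constructed samples: genuine mail, look-alike sender with a new IBAN,
# and the genuine address carrying a new IBAN.
LEGIT = sample_mail("billing@acme-supplies.example", "ES91 2100 0418 4502 0005 1332")
TAMPERED = sample_mail("billing@acme-suppl1es.example", "ES79 2100 0813 6101 2345 6789")
SAME_SENDER_NEW_IBAN = sample_mail("billing@acme-supplies.example",
                                   "ES79 2100 0813 6101 2345 6789")

if __name__ == "__main__":
    for label, mail in [("legit", LEGIT), ("tampered", TAMPERED),
                        ("same sender, new IBAN", SAME_SENDER_NEW_IBAN)]:
        print(label, screen_payment_email(mail))
```

The third sample shows why the IBAN comparison is kept separate from the sender check: a message from the correct address can still carry changed bank details.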

 

This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief. When the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuver, except for the initiation of legal proceedings, which we will discuss below.

The immediate question is what responsibility falls on the bank that receives the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question, in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

Until October 9, 2025, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence.”

It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

Regulation (EU) 2024/886: a paradigm shift

Into this scenario fraught with doubts bursts Regulation (EU) 2024/886, representing a 180-degree turn and a paradigm shift. The new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an instant transfer in euros.

The new features of this regulation are:

  • mandatory application to all instant transfers within the SEPA area,
  • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
  • increased liability for financial institutions in the event of fraud or error due to lack of verification.
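The difference between the earlier IBAN-only rule and the name matching described in this list can be shown in a few lines. This is an added example, not part of the original article and not any bank's or scheme's implementation: the account register, the names, the result labels and the similarity threshold are constructed assumptions, and the IBANs are sample values chosen only because their check digits are valid.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed account register of the payee's bank: IBAN -> registered holder.
ACCOUNT_HOLDERS = {
    "ES9121000418450200051332": "ACME Supplies, S.L.",  # genuine supplier
    "ES7921000813610123456789": "Juan Pérez García",     # account named in the altered e-mail
}
LEGAL_FORMS = {"sl", "slu", "sa", "sau", "ltd", "gmbh", "sarl", "bv"}
CLOSE_MATCH_RATIO = 0.85  # assumed threshold for "almost matches"


def clean_iban(iban):
    return re.sub(r"\s", "", iban).upper()


def iban_checksum_ok(iban):
    """IBAN mod-97 check digits: the only test when the IBAN alone decides."""
    s = clean_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    # Move country code and check digits to the end, map A..Z to 10..35.
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def normalise_name(name):
    """Strip accents, case, punctuation and legal-form suffixes before comparing."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = re.sub(r"(?<=[a-z])\.(?=[a-z])", "", text)  # "s.l." -> "sl."
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def verify_payee(iban, payee_name):
    """Compare the name given by the payer with the registered holder of the IBAN.

    Returns one of the illustrative labels INVALID_IBAN, NOT_POSSIBLE,
    MATCH, CLOSE_MATCH or NO_MATCH.
    """
    if not iban_checksum_ok(iban):
        return "INVALID_IBAN"
    holder = ACCOUNT_HOLDERS.get(clean_iban(iban))
    if holder is None:
        return "NOT_POSSIBLE"  # account not held here, nothing to compare
    given, registered = normalise_name(payee_name), normalise_name(holder)
    if given == registered:
        return "MATCH"
    ratio = SequenceMatcher(None, given, registered).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_RATIO else "NO_MATCH"


if __name__ == "__main__":
    altered = "ES79 2100 0813 6101 2345 6789"  # IBAN from the manipulated invoice
    # IBAN-only rule: the altered IBAN is well formed, so the order would proceed.
    print("checksum ok:", iban_checksum_ok(altered))
    # Name matching: the payer typed the supplier's name, the holder is someone else.
    print("name check :", verify_payee(altered, "ACME Supplies SL"))
    # Harmless variations must not block a genuine payment.
    print("typo       :", verify_payee("ES9121000418450200051332", "Acme Suplies S.L."))
```

A NO_MATCH or CLOSE_MATCH result is what the bank would have to show the payer before the transfer is executed.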

In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

Summary – Whereas cryptocurrency emerged outside of the legal framework, thus favouring cybercrime, France has recently set out rules ensuring investors’ and traders’ security.

Far from being a drawback, this set of rules ensures the balance between incentives for innovation and investor security.


A recent study published by the French AMF underlined the danger of cybercrime and its impact on the global market.

The AMF focused in particular on bitcoin scams and cyberattacks aimed at online cryptocurrency trading platforms.

This form of cybercrime is thought to be one of the most costly worldwide, at close to 0.5% of world GDP.

Nevertheless, cryptocurrencies continue to attract the interest of private individuals, due to potential gains and due to the lack of state regulation. In the meantime, the extreme instability of the exchange rate and online fraudulent behaviours (especially in the case of alternative cryptocurrency such as altcoins) often prove disastrous for small investors.

To shield investors, the AMF recently published recommendations and warnings for consumers, as well as several blacklists of websites selling cryptocurrencies.

Cryptocurrency is defined by the AMF as “digital asset relying on blockchain technology, through a decentralized registry and an encrypted protocol”.

A digital asset is neither a currency (its value is not determined by a central bank but through supply and demand) nor a financial instrument.

Faced with the multiplication of new digital assets, France (a pioneer in this area) has implemented a legal framework for digital assets.

Law 2019-486 of 22 May 2019 relating to companies’ growth and transformation (“PACTE Law”), which entered into force on 24 May 2019, provides the general definition of digital assets: “a digital representation of value which is not issued nor guaranteed by a central bank nor a public authority, which is not necessarily attached to a currency with an exchange rate and which does not fall within the legal definition of a currency but which is accepted by natural or legal persons as a means of exchange and which can be transferred, stored or traded electronically” (Article L. 54-10-1 of the French Monetary and Financial Code).

Any digital assets services provider (DASP) will need to abide by the legal rules set up by the Monetary and Financial Code and will be placed under the authority of the AMF.

The Digital Assets Services Providers’ new legal status

The PACTE Law defines a DASP as a provider of, amongst others, the following services:

“1° The service of safekeeping digital assets or the access to digital assets (including through the means of private cryptographic keys) for a third party, for the purposes of holding, storing or trading digital assets;

2° The service of purchasing and selling digital assets in exchange for legal tender currencies;

3° The service of trading digital assets for other digital assets;

4° The service of operating a digital platform trading digital assets (…)”

Providers wishing to attract investors can file for registration and/or an optional AMF visa.

In which cases is the registration with the AMF mandatory?

Registration is mandatory for two activities:

  • The service of safekeeping digital assets;
  • The service of purchasing and selling digital assets in exchange for legal tender currencies.

How to register?

Pursuant to article D. 54-10-2 of the Monetary and Financial Code and AMF instruction 2019-23, any supplier wishing to register as a digital assets services supplier will have to submit a registration application file.

The provider will be required to provide certain information relating, amongst others, to the identity, competence and honourability of its officers and shareholders.

The company’s officers are expected to have at least 6 months’ experience relating to digital assets, or equivalent training.

In addition, they must comply with the honourability requirements and must not have been prohibited from practising, according to article L. 500-1 of the Monetary and Financial Code (“MFC”).

Information relating to the anti-money laundering and terrorist financing system

The applicant shall provide details relating to its target clients (characteristics, legal nature, geographical aspects, etc.) and the distribution channel planned for each service. If the company belongs to a group, it shall present the group’s organisation chart, indicating in particular the capital links between the various entities of the group and, for each entity, its company name, the country in which its registered office is located and the nature of its business.

It shall provide:

  • a classification of the money laundering and terrorist financing risks, in accordance with Article L. 561-4-1 of the MFC, taking into account in particular the risks associated with clients, the nature of the products and services provided, the distribution channels planned and the geographical areas of operation; and, where appropriate,
  • the risk classification established at the group level.

The provider will have to be very careful regarding operations over €1,000 and operations relating to sums which it knows, suspects (or has good reasons for suspecting) are the proceeds of an offence punishable by a custodial sentence of more than one year or are destined for terrorist financing (article L. 561-15 of the MFC).

In this respect, the supplier will be required to provide the name and contact details of the persons in charge of reporting operations to TRACFIN and the mechanisms set up to freeze assets where necessary.

What are the time limits?

Within 6 months following the filing of the complete documentation by the applicant, the AMF will render its decision.

Within this timeframe, the AMF will consult the Autorité de Contrôle Prudentiel et de Résolution in order to make sure the DASP is compliant with the above-mentioned regulation.

Optional visa

If you provide one or more digital asset services and your company is established in France, you may apply for approval by the AMF.

This approval is granted for a great number of services, such as safekeeping digital assets, purchasing and selling digital assets in exchange for legal tender currencies, operating a digital platform trading digital assets, etc.

Operators seeking the AMF visa will be placed under the supervision of the AMF.

The visa procedure before the AMF is similar to the registration one. However, the applicant will have to prove it abides by additional requirements, relating especially to the safety of operations (strengthened internal control, resilient computing security, report of activity for the next two years).

Besides, the applicant will have to provide a professional insurance or a minimum amount of own funds.

To be fully transparent, the DASP will then have to publish, on a regular basis, the volume of transactions and the average price of each transaction.

The publication will have to be made on the operator’s website, no later than the second business day of the following trimester.

Following each procedure, the AMF will publish a list of DASPs which obtained the visa or the registration, for the security of the investors.

Any digital asset supplier has one year to abide by the new requirements set up by the PACTE Law.

The first registration was granted by the AMF in March 2020.

The author of this post is Iuliana Babei.

Javier Gaspar


    France – New rules applicable to digital assets services providers (DASP)

    30 April 2020

    • France
    • Financing and securities

    The increase in so-called cybercrime in recent years is so significant that it requires strong legislative and judicial responses. Losses from online fraud in Europe exceed $100 billion, according to Nasdaq Ventures, of which $5 billion correspond to Spain.

    In Spain, 192,375 cases of computer fraud were reported in 2019, but by 2023 this figure had risen to 427,448. According to the latest official data available, computer fraud accounts for 90.4% of all cybercrimes, with growth of 378% between 2016 and 2023.

    There are many different types of computer fraud, and they are named in English (after all, the lingua franca of our time), including, among other ingenious methods used by skilled fraudsters, those with curious and amusing names (except for those who suffer from them) such as phishing, pharming, juice jacking, tabnabbing, bluesnarfing, catfishing, spoofing, vishing, smishing, whaling, carding, and the one we are interested in today, man in the middle (MITM).

    Man in the Middle scam: how it works

    This MITM fraud involves intercepting communications between two devices connected to a network, allowing the attacker to alter and divert messages exchanged between users. The fraudster intercepts a communication in which one user requests a payment from another and then modifies the IBAN of the bank account to which the transfer should be made in order to obtain the money. The process generally unfolds as follows:

    • Without the company noticing, an attacker intercepts and manipulates an email, changing the IBAN number of the account to which the payment should be made.
    • The cybercriminal impersonates the supplier, sending the message from an email address that is almost identical to the original, but with a slight alteration that is almost imperceptible.
    • The receiving company, trusting the authenticity of the message, makes the transfer to the fraudulent account.

     

    This results in a transfer of assets to the detriment of the person ordering the transfer and in favor of the cyber thief, so that when the person ordering the transfer notices the error, their first reaction is to try to contact the receiving bank in the hope that the funds can be blocked in time. However, in most cases, the cybercriminal has been quicker: the money has already been transferred to another account or withdrawn, leaving little room for maneuvering, except for the initiation of legal proceedings, which we will discuss below.

    The immediate question is what responsibility the bank that has received the transfer order from the deceived user and credits the cyber fraudster’s account with the amount in question has in cases where the payer identifies not only the (fraudulent) IBAN but also the name of the beneficiary of the payment order, which obviously does not match the name of the holder of the bank account receiving the funds.

    The common-sense answer would be that the bank receiving the transfer should confirm that the holder of the account to which the funds are credited and the individual or entity identified as the beneficiary in the transfer order match; if this is not the case, it should suspend the payment and request clarification from the payer. However, this is not the case in light of EU legislation and its transposition into Spanish law, as we will see below.

    Until October 9, the European banking system operated under the premise that the validity of a transfer was based exclusively on the correctness of the IBAN. In other words, if the account number was correct, the transaction was considered valid, even if the beneficiary’s name did not match. This practice has led to numerous cases of fraud, unintentional errors, and loss of funds, especially in instant transfers, where speed can compromise security.

    The most reasonable option for the defrauded payer to recover their money is to sue the bank receiving the payment order (with which they have no contractual relationship) for non-contractual liability under Article 1124 of the Civil Code; in fact, criminal proceedings against the account holder, who is usually referred to in slang as a “mule,” do not usually have a satisfactory outcome, both because the bird usually flies away and because of its lack of solvency.

    The case law of the Provincial Courts has been divided between rulings that strictly and faithfully applied Article 59 of Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, dismissing the claims of those defrauded, and others in which arguments were sought under the premise of lack of diligence to condemn the bank to compensate the payer.

    This has led to the establishment of quasi-objective liability for banks in relation to digital fraud, imposing a higher standard of diligence on them and transferring the risk inherent in online banking to them, except in cases of willful misconduct or gross negligence on the part of the customer. This line of reasoning, which has been developed from lower court rulings (AP Madrid 178/2015; AP Alicante 107/2018; AP Valencia 212/2021) to the Supreme Court itself (STS 571/2025, among others), is in line with the idea that it is up to the bank to prove that its systems were secure, up to date, and sufficient to prevent the crime from being committed.

    In this context, the concept of bonus argentarius takes on renewed relevance. This is a principle that was included in Law 57/68 to protect home buyers in the real estate sector, but the Supreme Court has ruled on several occasions that it can also be applied to other financial investments. This means that, in the event of losses due to negligence on the part of the financial institution, the customer can file a claim under Law 57/68 and hold the institution liable.

    The bonus argentarius is based on the presumption of fault on the part of the financial institution, which means that even if the customer has no concrete evidence of negligence, it is assumed due to the duty of care that the institution must exercise in the management of investments.

    Based on this principle, the diligence required of financial professionals is not that of the average trader or pater familias, but that of a qualified expert who assumes the obligation to protect the funds entrusted to them by implementing “necessary and renewable” security mechanisms. This implies not only maintaining basic technical measures for enhanced authentication, but also proactively adopting internationally recognized anti-fraud solutions, such as name-IBAN verification (Confirmation of Payee or IBAN-Naam Check), which have proven effective in comparable jurisdictions.

    In line with that doctrine and case law, it can be said that the omission of beneficiary verification measures today constitutes a breach of the contractual duty of diligence and good faith (Articles 1104 and 1258 of the Civil Code), giving rise to civil liability for the damage caused, such that MITM fraud cannot be considered a residual risk attributable to the customer, but rather a systemic security failure attributable to the financial institution, as the designer and custodian of the electronic payment channel.

    In this state of affairs, the Supreme Court, in its recent ruling of March 27, 2025, opted for the alternative of strict application of Article 59, arguing that “if the payment service user provides additional information to that required (specification of the information or unique identifier that the payment service user must provide for the correct initiation or execution of a payment order), the payment service provider shall only be liable for the execution of payment transactions in accordance with the unique identifier provided by the payment service user… and that the liability of the payment service provider, both at Community and national level, is such that it fulfills its obligation by executing the payment transaction in accordance with the unique identifier, without the addition of further information implying a higher standard of diligence

    It is true that, in conclusion, the Supreme Court offered a glimmer of hope to defrauded users when it stated that “the interpretation set out above does not exempt the payment service provider from liability when circumstances, unrelated to the provision of additional data, are found to have contributed to the defective execution of the transaction, either because an additional requirement or demand (e.g., the identification of the beneficiary), or because the payment service provider of the payer or the beneficiary had taken advantage of the error for their own benefit, or because, once the existence of the error had been communicated without delay, one or the other had not taken the measures required by the diligence of an expert trader to allow retroaction or, where appropriate, to minimize the damage.”

    Regulation (EU) 2024/886: a paradigm shift

    And in this scenario fraught with doubts, Regulation (EU) 2024/886 bursts onto the scene, representing a 180-degree turn and a paradigm shift: the new European Regulation, approved in April 2024 and coming into force on October 9, 2025, establishes a clear obligation for banks: they must verify that the name of the beneficiary provided by the payer matches the IBAN holder before executing an immediate transfer in euros.

    The new features of this regulation are

    • mandatory application to all instant transfers within the SEPA area,
    • the new name matching system: if there is a discrepancy between the name and the IBAN, the bank must alert the customer before executing the transaction, and
    • increased liability for financial institutions in the event of fraud or error due to lack of verification.

    In short, the aim is to reduce the risk of fraud, protect consumers, and increase confidence in digital payments.

    This means that Law 19/2018, which regulates payment services in Spain and does not require verification of the beneficiary’s identity, is now outdated, underscoring the need for a national legislative review to harmonize the legal framework with European requirements.

    In conclusion, the obligation to verify the beneficiary of transfers represents a significant step forward in consumer protection and the fight against financial fraud. Regulation (EU) 2024/886 marks a turning point in banking operations, imposing an active responsibility on institutions to ensure the authenticity of transfers.

    In any case, the question remains open regarding the solution to MITM frauds executed before October 9, 2025, and the responsibility of the banking institution. For the time being, the aforementioned Supreme Court ruling of March 27 closes the door to claims against banks, but it cannot be ruled out that the entry into force of Regulation 2024/886 and the paradigm shift will lead to a rethinking of the Supreme Court’s position in line with the quasi-objective liability that lower courts have been maintaining. We will have to wait and see, but such a change would be a great success for bank users who have suffered from this MITM fraud and all other types of cyber fraud.

    Summary – Whereas cryptocurrency emerged outside of the legal framework thus favouring cyber criminality, France has recently set out rules ensuring investors’ and traders’ security.

    Far from being a drawback, this set of rules insures the balance between innovation incentive and investor security.


    A recent study published by the French AMF underlined the danger of cyber criminality and its impact on the global market.

    The AMF targeted especially, bitcoins scams and cyberattacks aiming online platforms trading cryptocurrency.

    This cyber criminality is supposed to be one of the most expensive ones worldwide, close to 0.5 % of the world GDP.

    Nevertheless, cryptocurrencies continue to attract the interest of private individuals, due to potential gains and due to the lack of state regulation. In the meantime, the extreme instability of the exchange rate and online fraudulent behaviours (especially in the case of alternative cryptocurrency such as altcoins) often prove disastrous for small investors.

    To shield investors, the AMF recently published recommendations and warnings for consumers, as well as several blacklists of websites selling cryptocurrencies.

    Cryptocurrency is defined by the AMF as “digital asset relying on blockchain technology, through a decentralized registry and an encrypted protocol”.

    A digital asset is neither a currency (its value is not determined by a central bank but through supply and demand) nor a financial instrument.

    Faced with the multiplication of new digital assets, France (a pioneer in this area) has implemented a legal framework for digital assets.

    Law 2019-486 of 22 May 2019 relating to companies’ growth and transformation (“PACTE Law”), which entered into force on 24 May 2019, provides the general definition of digital assets: “a digital representation of value which is not issued nor guaranteed by a central bank nor a public authority, which is not necessarily attached to a currency with an exchange rate and which does not fall within the legal definition of a currency but which is accepted by natural or legal persons as a means of exchange and which can be transferred, stored or traded electronically” (Article L. 54-10-1 of the French Monetary and Financial Code).

    Any digital asset services provider (DASP) will need to abide by the legal rules set out in the Monetary and Financial Code and will be placed under the authority of the AMF.

    The Digital Assets Services Providers’ new legal status

    The PACTE Law defines a DASP as a provider of, amongst others, the following services:

    “1° The service of safekeeping digital assets or the access to digital assets (including through the means of private cryptographic keys) for a third party, for the purposes of holding, storing or trading digital assets;

    2° The service of purchasing and selling digital assets in exchange for legal tender currencies;

    3° The service of trading digital assets for other digital assets;

    4° The service of operating a digital platform trading digital assets (…)”

    Providers wishing to attract investors can file for registration and/or an optional AMF visa.

    In which cases is the registration with the AMF mandatory?

    Registration is mandatory for two activities:

    • The service of safekeeping digital assets;
    • The service of purchasing and selling digital assets in exchange for legal tender currencies.

    How to register?

    Pursuant to article D. 54-10-2 of the Monetary and Financial Code and AMF instruction 2019-23, any supplier wishing to register as a digital assets services supplier will have to submit a registration application file.

    The provider will be required to provide certain information relating, amongst others, to the identity, competence and honourability of its officers and shareholding.

    The company’s officers are expected to have at least 6 months’ experience relating to digital assets, or equivalent training.

    In addition, they must comply with the honourability requirements and must not have been prohibited from practising, according to article L. 500-1 of the Monetary and Financial Code (“MFC”).

    Information relating to the anti-money laundering and terrorist financing system

    The applicant shall provide details relating to its target clients (characteristics, legal nature, geographical aspects, etc.) and the distribution channel planned for each service. If the company belongs to a group, it shall present the group’s organisation chart, indicating in particular the capital links between the various entities of the group and, for each entity, its company name, the country in which its registered office is located and the nature of its business.

    It shall provide:

    • a classification of the money laundering and terrorist financing risks, in accordance with Article L. 561-4-1 of the MFC, taking into account in particular the risks associated with clients, the nature of the products and services provided, the distribution channels planned and the geographical areas of operation; and, where appropriate,
    • the risk classification established at the group level.

    The supplier will have to be very careful regarding operations over €1,000 and operations relating to sums which it knows, suspects (or has good reasons for suspecting) are the proceeds of an offence punishable by a custodial sentence of more than one year or are destined for terrorist financing (article L. 561-15 of the MFC).

    In this respect, the supplier will be required to provide the names and contact details of the persons in charge of reporting operations to TRACFIN, and to describe the mechanisms set up to freeze assets where necessary.

    What are the time limits?

    Within 6 months following the filing of the complete documentation by the applicant, the AMF will render its decision.

    Within this timeframe, the AMF will consult the Autorité de Contrôle Prudentiel et de Résolution in order to make sure the DASP is compliant with the above-mentioned regulation.

    Optional visa

    If you provide one or more digital asset services and your company is established in France, you may apply for approval by the AMF.

    This approval is granted for a great number of services, such as safekeeping digital assets, purchasing and selling digital assets in exchange for legal tender currencies, operating a digital platform trading digital assets, etc.

    Operators seeking the AMF visa will be placed under the supervision of the AMF.

    The visa procedure before the AMF is similar to the registration procedure. However, the applicant will have to prove that it meets additional requirements, relating in particular to the safety of operations (strengthened internal control, resilient IT security, activity report for the next two years).

    In addition, the applicant will have to provide professional insurance or a minimum amount of own funds.

    To be fully transparent, the DASP will then have to publish, on a regular basis, the volume of transactions and the average price of each transaction.

    The publication will have to be made on the operator’s website, no later than the second business day of the following trimester.

    Following each procedure, the AMF will publish a list of DASPs which obtained the visa or the registration, for the security of the investors.

    Any digital asset supplier has one year to comply with the new requirements established by the PACTE Law.

    The first registration was granted by the AMF in March 2020.

    The author of this post is Iuliana Babei.