KYC/eIDV compliance in France: AML/CFT, GDPR and eIDAS 2.0 in 2026
The regulatory panorama of KYC compliance in France
KYC compliance in banking, fintech or insurance sits inside a complex legal mesh. Each text carries a distinct purpose: personal data protection, anti-money-laundering, digital identity security, system resilience. Understanding how they fit together is the first step toward a robust setup.
The seven regulatory instruments applicable in France are:
- GDPR (EU Regulation 2016/679 — the EU's personal data law): the foundation of personal-data protection, applicable to any identity collection.
- AML/CFT (anti-money-laundering and counter-terrorism financing — in French, LCB-FT; French Monetary and Financial Code, art. L561-1 ff.): customer due-diligence duties, suspicious-activity reporting to Tracfin (the French financial intelligence unit).
- AMLD6 (the 6th EU Anti-Money Laundering Directive — EU Directive 2018/1673): EU harmonization of predicate offences for money laundering and terrorism financing.
- eIDAS 2.0 (the EU electronic ID regulation — EU Regulation 2024/1183): assurance levels for eID (electronic identity), the upcoming EUDI Wallet (EU digital identity wallet).
- PSD2 (EU Directive 2015/2366): strong authentication of payments and access to banking data.
- DORA (the EU digital operational resilience act — EU Regulation 2022/2554): digital operational resilience of financial entities, in application since January 2025.
- NIS2 (the EU cyber-resilience directive — EU Directive 2022/2555): cybersecurity duties for essential and important entities, transposed into French law.
Official sources. Texts are consolidated on EUR-Lex and Légifrance (the official French legal portal). Reference authorities are the ACPR (French banking and insurance regulator), Tracfin (French financial intelligence unit), the EBA (European Banking Authority), the AMF (French financial markets regulator), the ANJ (French online gambling authority) for iGaming and the CNIL (French data protection authority) for the GDPR side.
Many actors perceive a tension between the data minimization imposed by GDPR and the enhanced due diligence imposed by AML/CFT. The CNIL and ACPR have clarified this point: GDPR compliance does not exempt an institution from AML/CFT duties, and vice versa. Concretely, you can keep data collected for customer identification for five years after the end of the business relationship, in line with article L561-12 of the Monetary and Financial Code.
The legal basis for processing is legal obligation (article 6.1.c of the GDPR) when collection is done under AML/CFT, and contract or legitimate interest when it is done for commercial customer knowledge. This distinction shapes the customer-information notice and retention duration. We systematically audit every source we mobilize: each one is compliant with GDPR and applicable local laws. Audited compliance is the cardinal value of our method.
The four regulatory pillars of KYC compliance
AML/CFT: the cornerstone of KYC compliance in banking
AML/CFT (anti-money-laundering and counter-terrorism financing) structures most of the obligations in France. Whether you operate a bank, an insurance company, a regulated fintech, an accounting or law firm, a real-estate agency, a crypto-asset service provider (CASP) or a licensed online-gambling operator under the ANJ (French online gambling authority), you apply a graduated setup based on the risk level, imposed by the Monetary and Financial Code.
Three levels of due diligence apply depending on the customer's risk profile:
1. Simplified due diligence — low-risk clients (listed entities, EU public authorities): lightened identification measures.
2. Standard due diligence — the default regime: identification, identity verification, knowledge of the purpose and nature of the business relationship.
3. Enhanced due diligence — high-risk clients: politically exposed persons (PEPs), high-risk third countries, complex or unusual operations. Additional measures: senior-management approval, documented source of funds, enhanced ongoing monitoring.
The annual Tracfin report publishes indicators every year: in 2023, more than 175,000 suspicious-activity declarations were received, in steady growth over five years. This rise illustrates the growing pressure on AML/CFT setups and the need to industrialize the detection of weak signals. We help you reinforce that detection by mobilizing transactional, government, telecom and media sources, audited one by one.
Concrete case. An online bank welcomes 60,000 new clients every year. Without an electronic identity verification (eIDV) flow embedded in the path, onboarding abandonment reaches 25%, meaning 15,000 lost clients. With a setup built on transactional data, abandonment drops to 5%, meaning 3,000 abandonments. The differential represents €39.4 million of net CLTV on the basis of a €300 acquisition cost and a €3,600 customer lifetime value.
AMLD6: criminal penalties for money laundering
The AMLD6 directive (the 6th EU Anti-Money Laundering Directive), transposed into French law in 2020, broadened the scope of predicate offences for money laundering. Twenty-two categories of offences are now recognized: drug trafficking, human trafficking, corruption, tax fraud, cybercrime, environmental offences. The directive also harmonizes the level of penalties: up to four years' imprisonment for individuals and dissuasive financial sanctions for legal entities.
AMLD6 also introduces the liability of legal entities: a bank, a fintech or a crypto-asset service provider can be prosecuted for failure in its anti-money-laundering setup. This extended liability makes the traceability of identity checks critical. Whether you operate in France or across the eurozone, we select for you sources whose processing chain is documented and auditable, compliant with GDPR and applicable local laws.
eIDAS 2.0: the silent revolution of EU digital identity
Adopted in 2024, the eIDAS 2.0 regulation (the EU electronic ID regulation) introduces the European Digital Identity Wallet (EUDI Wallet) by 2026. Three assurance levels structure the eID (electronic identity):
- Low level: simple authentication, low probability of identity misuse.
- Substantial level: factor combination, reduced probability of misuse.
- High level: strong authentication with verified documentary proof and biometric link, very low probability of misuse.
For customer knowledge, eIDAS 2.0 requires member states to mutually recognize notified identification schemes. You will be able to onboard a German resident through a French bank via their EUDI Wallet without asking for additional supporting documents, provided the assurance level is sufficient.
The PSD2 directive has imposed strong customer authentication (SCA) for most online payments since 2019. This duty fits together with KYC: payer identification must rest on at least two factors among knowledge, possession and inherence. PSD2 also opens access to payment data (open banking under PSD2), creating new opportunities to reinforce identity through transactional data. We mobilize this verified purchase data as a complement to the other KYC blocks.
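The "two factors among knowledge, possession and inherence" rule is easy to get wrong in practice by counting factors instead of factor categories. The following check, an added example that is not part of the original page and not any vendor's code, encodes the rule as stated above: the category names and the (label, category) input shape are assumptions chosen for the illustration.

```python
"""PSD2 strong customer authentication (SCA) factor check.

Added example, not the page's own code. Implements the rule that at least
two factors from distinct categories (knowledge, possession, inherence)
must be present. Category names and input shape are assumptions.
"""

CATEGORIES = {"knowledge", "possession", "inherence"}


def sca_satisfied(factors):
    """factors: iterable of (label, category) pairs, e.g. ("password", "knowledge").

    Returns True only when the presented factors span at least two distinct
    categories. Two factors of the same category (password + PIN) do NOT
    satisfy SCA, which is the usual mistake when factors are simply counted.
    Unknown categories are rejected rather than silently ignored.
    """
    seen = set()
    for label, category in factors:
        if category not in CATEGORIES:
            raise ValueError(f"unknown factor category {category!r} for {label!r}")
        seen.add(category)
    return len(seen) >= 2


def missing_categories(factors):
    """Categories not yet covered, useful for prompting a second factor."""
    seen = {category for _, category in factors}
    return sorted(CATEGORIES - seen)


if __name__ == "__main__":
    # Constructed sample: password plus a one-time code on a registered device.
    presented = [("password", "knowledge"), ("otp on registered phone", "possession")]
    print(sca_satisfied(presented), missing_categories(presented))
```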
DORA and NIS2: compliance extends to cybersecurity
Since January 2025, the DORA regulation (the EU digital operational resilience act) requires financial entities to operate a framework for managing IT-related risks. Four pillars structure the duty: ICT risk management, major-incident reporting, digital operational resilience testing and management of risks from critical third-party providers. For a setup relying on external providers (eIDV, biometrics, sanctions screening), DORA imposes enhanced due diligence on those partners.
The NIS2 directive (the EU cyber-resilience directive), transposed into French law, broadens the scope of entities subject to cybersecurity duties. Fintechs, payment service providers and crowdfunding platforms are now covered. You cannot think of customer knowledge independently of the cybersecurity of the information system that supports it. We audit every source we propose under the angle of operational resilience, in line with your chain of critical providers.
KYC compliance checklist: the six operational steps
The French KYC setup comprises six operational steps, governed by the Monetary and Financial Code (CMF). Each step matches a specific legal duty and an applicable article reference.
Identification
Duty: gather the customer's identity elements. Legal reference: Art. L561-5 CMF (French Monetary and Financial Code).
For natural persons: last name, first name, date and place of birth, address, and the nature of professional activity. For legal entities: company name, legal form, registered-office address, identity of ultimate beneficial owners (the French RBE register).
Verification
Duty: verify identity by any probative means. Legal reference: Art. R561-5 CMF.
You can rely on the ID document, on an eIDAS-notified electronic identification scheme, or on transactional, government and telecom data whose aggregation proves the real existence of the individual. This last approach, built on the philosophy "everything can be forged, except real life", smooths onboarding while securing the setup. We select for you, among 4,000 worldwide sources, the ones that cover your use case while remaining compliant with GDPR and applicable local laws.
Risk assessment
Duty: establish a risk profile (PEP, sanctions, third countries). Legal reference: Art. L561-4-1 CMF.
Cross-check against international sanctions lists (EU, UN, OFAC), PEP databases and high-risk third countries published by the FATF (Financial Action Task Force). A client classified high-risk triggers enhanced due-diligence measures.
Ongoing monitoring
Duty: monitor operations and update data. Legal reference: Art. L561-6 CMF.
Retention
Duty: keep records for five years. Legal reference: Art. L561-12 CMF.
Reporting
Duty: report suspicions to Tracfin. Legal reference: Art. L561-15 CMF.
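The risk-assessment, retention and traceability steps above can be tied together in code. The block below is an added example, not the page's own code and not any vendor's product: it maps a customer to the simplified, standard or enhanced tier using the triggers named in the checklist (sanctions match, PEP status, FATF high-risk country, unusual operations), attaches the additional enhanced-due-diligence measures, computes the five-year retention date of article L561-12 CMF, and emits an auditable decision record. The sanctions, PEP and FATF sets are constructed placeholders, not real lists, and the matching is exact after normalization (real screening adds fuzzy matching).

```python
"""Risk-based due-diligence tiering with an auditable decision record.

Added example, not the page's own code. Reference data below is
constructed for illustration and is NOT real sanctions, PEP or FATF data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class DueDiligence(Enum):
    SIMPLIFIED = "simplified"
    STANDARD = "standard"
    ENHANCED = "enhanced"


# Constructed reference sets (placeholders, not real lists).
SANCTIONS_LIST = {"ACME HOLDINGS LTD", "JOHN DOE"}
PEP_REGISTER = {"JANE ROE"}
FATF_HIGH_RISK = {"XX", "YY"}          # placeholder ISO-3166 alpha-2 codes
LOW_RISK_TYPES = {"listed_company", "eu_public_authority"}

ENHANCED_MEASURES = [
    "senior-management approval",
    "documented source of funds",
    "enhanced ongoing monitoring",
]


def normalize(name: str) -> str:
    """Upper-case and collapse whitespace so list lookups are not defeated by
    trivial formatting differences. Real screening adds fuzzy matching."""
    return re.sub(r"\s+", " ", name).strip().upper()


@dataclass
class Customer:
    name: str
    country: str          # ISO-3166 alpha-2 code of residence / incorporation
    customer_type: str    # e.g. "natural_person", "listed_company", "eu_public_authority"
    is_pep: bool = False  # declared or already-known PEP status
    unusual_activity: bool = False


@dataclass
class RiskDecision:
    level: DueDiligence
    reasons: list[str] = field(default_factory=list)
    measures: list[str] = field(default_factory=list)
    manual_review: bool = False   # set on a sanctions hit: a human must confirm


def assess_risk(c: Customer) -> RiskDecision:
    """Map a customer to simplified / standard / enhanced due diligence.
    Any high-risk trigger wins over an otherwise low-risk customer type."""
    reasons: list[str] = []
    key = normalize(c.name)
    if key in SANCTIONS_LIST:
        reasons.append("match on sanctions list")
    if c.is_pep or key in PEP_REGISTER:
        reasons.append("politically exposed person")
    if c.country.upper() in FATF_HIGH_RISK:
        reasons.append("FATF high-risk third country")
    if c.unusual_activity:
        reasons.append("complex or unusual operations")

    if reasons:
        return RiskDecision(DueDiligence.ENHANCED, reasons, list(ENHANCED_MEASURES),
                            manual_review="match on sanctions list" in reasons)
    if c.customer_type in LOW_RISK_TYPES:
        return RiskDecision(DueDiligence.SIMPLIFIED, ["low-risk customer type"])
    return RiskDecision(DueDiligence.STANDARD, ["default regime"])


def retention_end(end_of_relationship: date) -> date:
    """Five years after the end of the business relationship (art. L561-12 CMF).
    A 29 February anniversary is moved to 28 February (a convention chosen here)."""
    try:
        return end_of_relationship.replace(year=end_of_relationship.year + 5)
    except ValueError:
        return end_of_relationship.replace(year=end_of_relationship.year + 5, day=28)


def retention_end_iso(end_iso: str) -> str:
    """ISO-8601 string convenience wrapper around retention_end."""
    return retention_end(date.fromisoformat(end_iso)).isoformat()


def decision_record(c: Customer, decided_on: str, relationship_end: str | None = None) -> dict:
    """Traceable record of the due-diligence decision: what a compliance officer
    (or an ACPR inspector) needs to reconstruct why a tier was assigned."""
    d = assess_risk(c)
    return {
        "customer": c.name,
        "decided_on": decided_on,
        "level": d.level.value,
        "reasons": d.reasons,
        "measures": d.measures,
        "manual_review": d.manual_review,
        "retain_until": retention_end_iso(relationship_end) if relationship_end else None,
    }


if __name__ == "__main__":
    # Constructed sample customer; the extra whitespace is normalized away.
    print(decision_record(Customer("Jane  Roe", "FR", "natural_person"), "2026-01-15"))
```

Two design points matter for an audit: the decision stores its reasons rather than only the resulting tier, so a reviewer can see which trigger fired, and a sanctions match is flagged for manual review rather than being treated as just another risk factor, since a confirmed match has consequences beyond enhanced due diligence.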
Compliance obligations by regulated sector
Banking
Banking — AML/CFT, PSD2, AMLD6, DORA
Specifics: periodic KYC refresh, continuous sanctions screening.
Banking compliance combines due diligence at entry into relationship, monitoring of operations and periodic data update. The dedicated page Banking KYC details the method applied to bank onboarding.
Fintech
Fintech — PSD2, AMLD6, eIDAS 2.0, MiCA
Specifics: API-first onboarding, pan-European compliance.
PSD2 and MiCA (the EU crypto-assets regulation) players have enhanced obligations on electronic identification and continuous screening. See the page Fintech KYC for use-case detail.
Crypto / CASP
Crypto / CASP — MiCA, TFR, AMLD6
Specifics: Travel Rule, AMF authorization.
Since the gradual entry into application of MiCA and the TFR (Transfer of Funds Regulation), crypto-asset service providers (CASPs) are subject to a KYC regime aligned with that of banking institutions. Our article on crypto KYC regulation 2026 details the operational implications.
Insurance
Insurance — AML/CFT, distribution directive
Specifics: due diligence at subscription and at surrender.
iGaming
iGaming — AML/CFT, ANJ authorization
Specifics: age and identity check before the first bet.
Under the supervision of the ANJ (French online gambling authority), online-gambling operators must verify the player's identity and age before the first bet and trace flows to prevent money laundering.
Real Estate
Real Estate — AML/CFT, suspicious-activity reporting
Specifics: identification of ultimate beneficial owners.
Sanctions in case of non-compliance
Administrative sanctions
Issued by the ACPR, the AMF or the ANJ: warning, reprimand, financial sanction up to €100 million or 10% of annual turnover.
Criminal sanctions
Issued by criminal courts: up to ten years' imprisonment and €750,000 fine for aggravated money laundering.
GDPR sanctions
Issued by the CNIL (French data protection authority): up to €20 million or 4% of global turnover.
Reputational sanctions
ACPR decisions are published, loss of confidence among clients and partners.
Worth keeping — European precedents
Several European banks and fintechs have been sanctioned over the past three years for KYC setup failures, with fines totaling several hundred million euros. The traceability of checks and the quality of identity data are the first lines of defense, and that is precisely why we do not sell the data we recommend. That independence is the point: we do not sell you a database we publish, we select the one that holds up to an ACPR or CNIL audit.
Frequently asked questions on KYC compliance
Which entities are subject to the KYC duty?
Subject to the KYC duty are the regulated entities listed in article L561-2 of the French Monetary and Financial Code: banks, financing companies, payment institutions, portfolio-management companies, insurance companies, insurance intermediaries, crypto-asset service providers (CASPs), iGaming operators licensed by the ANJ, real-estate agents, notaries, lawyers, accountants, statutory auditors, and certain professions of audit and gaming.
What is the difference between standard and enhanced due diligence?
Standard due diligence is the default regime: identification, identity verification, knowledge of the purpose of the business relationship. Enhanced due diligence applies to high-risk clients (PEPs, high-risk third countries, complex operations) and imposes additional measures: senior-management approval, documented source of funds, enhanced ongoing monitoring.
How was AMLD6 transposed into French law?
AMLD6 was transposed into French law through the 2020 ordinance amending the Monetary and Financial Code. Operational implementation runs through the update of the risk mapping, the strengthening of predicate-offence detection (notably cybercrime and tax fraud) and the traceability of due-diligence decisions.
What is a politically exposed person (PEP)?
A politically exposed person (PEP) is someone exercising or having exercised an important public function: head of state, minister, member of parliament, judge, public-company executive, political-party leader. Close family members and known associates are also covered. You can detect these profiles through commercial PEP databases or through cross-checks with government and media sources that we audit for you.
Which sanctions are incurred for KYC non-compliance?
Sanctions cumulate administrative, criminal and GDPR layers. The ACPR can issue up to €100 million in fines, the criminal court up to ten years' imprisonment for aggravated money laundering, the CNIL up to 4% of global turnover for GDPR breaches.
How does AML/CFT fit together with GDPR?
The two regimes are reconciled by the principle that AML/CFT compliance is a legal obligation within the meaning of article 6.1.c of the GDPR. You can keep data collected under AML/CFT for five years after the end of the business relationship; this data is excluded from the right to erasure and benefits from a specific regime of transmission to Tracfin.
From regulation to operations
Customer knowledge is not an end in itself: it conditions your ability to enter into business relationships without friction and to protect the institution against fraud and sanctions. We mobilize transactional, government and telecom data to reinforce identification, cutting onboarding friction while meeting AML/CFT and eIDAS 2.0 expectations. Whether you operate as a bank, a fintech or a crypto-asset service provider, you access sources compliant with GDPR and applicable local laws, in line with MiCA, DORA and NIS2 when your sector requires it.
"Our job isn't to sell data at any cost. It's to find, for you, the data that resolves your specific case."
To go further: KYC pillar, eIDV pillar, Banking KYC, Fintech KYC.