In this legal column, Valentine Baudouin, Partner Compliance & Regulatory at Regvantage, analyses the proposed "law to ensure the legal security of economic structures against the risks of money laundering".

Tabled in the Senate on 19 August 2025, the proposed "law to ensure the legal security of economic structures against the risks of money laundering" aims to develop a "new doctrine" against money laundering. It follows on from the extensive work carried out by the Senate committee of enquiry, published in June 2025, which indicated that " the emergence of FinTech companies, particularly neo-banks, also presents a major AML/CFT risk ".

Other summer publications, such as the EBA's opinion on the money laundering and terrorist financing risks affecting the EU financial sector, and the ACPR's report on the prevention of rebound accounts for the laundering of scams and other fraud, also point to the specific risks of the digital financial sector. Nevertheless, the proposed law raises some legitimate questions.

A major risk

The Senate investigation report establishes that the criminal flows recycled in the French economy amount to between 38 and 58 billion euros per year, for a public recovery rate limited to 2 %. Adopted unanimously by the committee, it emphasises the role played by new forms of financial intermediation. According to the report, the rise of so-called "FinTech" companies, particularly neo-banks, represents a major risk for the fight against money laundering. According to the senators, these banks are characterised by an activity centred on mobile applications, the absence of physical branches and a multi-State presence - all factors that weaken traditional controls.

In its report of 17 July 2025, the Autorité de contrôle prudentiel et de résolution (French supervisory authority) corroborates this diagnosis by analysing the phenomenon of "rebound accounts". These accounts are used as transitional vehicles for receiving funds and then transferring them quickly, with no apparent economic justification. Not all of these accounts are opened online, but their vulnerability is heightened when the relationship is dematerialised and very rapid, with no physical contact - which facilitates identity theft and the use of financial "mules", according to the ACPR. In 2023, this authority has identified €661 million in suspicious transfers (+45 % compared with 2022), with 70 % of these accounts being less than one year old, and 60 % of outgoing flows being directed abroad.

In its Opinion of 28 July 2025, the European Banking Authority confirms the increased vulnerability of the digital financial sector. It notes that 69 % of national authorities rate FinTech risks as "high or very high", that 277 failures were recorded in 2023-2024 due to misuse of RegTech solutions, and that the number of digital asset servicers has increased 2.5-fold in two years. The EBA also warns of the explosion in fraud facilitated by artificial intelligence, whether in the form of false documents or deepfakes used to circumvent KYC procedures.

One conclusion can be drawn from these national and European findings: the digital financial sector faces major challenges in the fight against money laundering and terrorist financing.

Composed of five titles and nine articles, several of them attract attention, as much for their practical application as for their theoretical contribution, or even for their inconsistency or redundancy with existing systems.

A paradigm shift to regulate FinTechs?

The term is used several times, both in the explanatory memorandum (which refers to both "unauthorised neobanks" and "neobanks") and in two articles of the text (Article 1 and Article 7). The main innovation is that a definition is proposed in the following terms: "any authorised credit institution or payment service provider whose activity is carried out exclusively online, without any physical point of contact, and whose procedures for entering into a relationship are entirely automated".

While it is difficult to identify precisely which players are covered by these cumulative criteria, this attempt at categorisation clashes with the position expressed by the ACPR in its April 2021 publication on the use of the term "neobank" as well as Article L. 511-8 of the Monetary and Financial Code, which states that ". any undertaking other than a credit institution or finance company is prohibited from using a name, company name, advertising or, in general, expressions that give the impression that it is authorised as a credit institution or finance company respectively, or from creating confusion in this respect ".

It is all the more difficult to understand how "the use [.....] of a neobank, as defined in article L. 561-32-1 [i.e. the proposed new article], which does not have European authorisation" could be used as a criterion for identifying a short-lived business. If "neobanks" are indeed credit institutions or payment service providers, the latter (including digital ones) are necessarily authorised, with the possibility of operating under the European passport. In addition, Article 1 refers to the suspicious transaction reports that should be made by registrars, particularly when registering a company suspected of being short-lived. It should be remembered that the capital deposited when a company is registered can only be deposited with a credit institution, a notary or the Caisse des Dépôts - and not with a payment institution. Is this an opening or an inconsistency?

More broadly, the proposed definition departs from the French way of regulating digital companies in the financial world, which is based on the principle of the "level playing field", which implies that the same rules apply to all players, whatever their profile. In the financial sphere, this principle refers to an environment in which all companies in the same market are treated identically, whether they are digital or not. This equitable treatment is based in particular on the uniformity of legal constraints: subjecting players to the same rules means enabling them to retain an equivalent ability to compete. To this end, however, "neobanks" should be subject to "an annual external audit, carried out by an independent third party, of the compliance of their operational, technical and organisational systems with the requirements of this Title". Isn't this simply a matter of periodic control?

Framework for bounce-back accounts

Articles 5 and 6 deal with rebound accounts. Article 5 introduces a definition of this type of account and imposes greater vigilance. Article 6 creates a national register of rebound accounts, managed by the Directorate General of Public Finances, and requires that "any new bank or payment account opened by a natural or legal person must be activated within 72 hours before any outgoing transfer is authorised" and that "institutions must implement enhanced monitoring for the first 30 days following activation of the account".

These prescriptive and systematic delays seem unnecessary and may prove counter-productive. They will uniformly delay the activation of all legitimate accounts by 72 hours, creating a distortion of competition at European level, whereas the data provided by the ACPR shows that the real challenge lies in speeding up the processing of suspicious cases, which currently take between 29 and 65 days on average. Wouldn't the implementation of a risk-based approach, with the integration into operational compliance systems of the points of vigilance or good practice identified by the ACPR, already make it possible to address rebound accounts? The ACPR report also details effective detection scenarios: "Many-to-One" typology (multiple transfers to a single account), rapid post-opening cash withdrawals, discrepancies between volumes transited and income declared, or even detection of "mule accounts" by analysing behavioural changes and recent changes to connection devices. The ACPR also recommends enhanced identity verification measures, as well as detailed knowledge of socio-economic profiles, to detect atypical transactions.

These technical recommendations, in the presence of sophisticated schemes, contrast with the apparent simplicity of the uniform 72-hour deadline, revealing the inadequacy of the legislative approach in the face of the criminal typologies identified, such as ephemeral companies using generative AI and deep-fakes to bypass identity checks, or networks of young 'mules' (under 25) managing up to 68 multiple accounts. In a digital environment, however, it is the granularity of behavioural alerts (and not the uniform temporality) that makes it possible to discriminate between fraudulent activities and legitimate uses. 

At the same time, Article 6 discreetly introduces a (very) significant change by reversing the civil liability regime established by PSD2: the cost of fraud is shifted from the issuing institution to the receiving account holder. This inversion of the liability regime could expose French institutions to a major legal and competitive risk in the SEPA area. At the very least, such a change would merit an impact assessment (particularly in terms of the capital that might be required) coordinated with the European supervisory authorities.

A laudable intention, a text to be reread

Other provisions could also be improved. One thinks of the ex post file of fictitious identities and nominees, or the obligation imposed on deed drafters to receive proof of the origin of funds when they intervene in any deed recording an amicable transfer of a business or recording the transfer of company shares or shares leading to the acquisition of control of a company within the meaning of article L. 233-3. However, these "drafters of deeds" should be included in the list of persons authorised to draft private deeds in accordance with article 54 of law no. 71-1130 of 31 December 1971, and are therefore all already subject to the provisions relating to the AML/CFT. Does this mean that the risk-based approach is being called into question, with systematic prior justification, turning every transfer into an anti-money laundering due diligence exercise? Criminal networks will also have fairly obvious ways of circumventing the regulations, such as splitting up acquisitions below the regulatory thresholds, or setting up indirect arrangements to avoid being classified as a takeover within the meaning of Article L. 233-3, etc.

The report of the commission of enquiry did, however, pave the way for a text commensurate with the complex risks identified. The present draft law, although motivated by a laudable intention and shared by the entire sector, contains numerous inconsistencies, regulatory redundancies and a worrying misalignment with the tools already available. Do we now have to wait for a third legislative attempt to reconcile political ambition, effectiveness and legal coherence? This is not to dispute the political will to secure flows, but to point out that the effectiveness of a compliance mechanism depends above all on its ability to articulate regulations and operational reality.