KYC Compliance in France (2026): Identity Verification Requirements for Fintechs and Regulated Businesses

France operates one of the more structured KYC environments in the EU — shaped by active AMF and ACPR supervision, a detailed risk-based framework under the Code Monétaire et Financier, and increasing enforcement pressure ahead of EU AML reform. For fintechs and regulated platforms, the challenge is not understanding that KYC is required — it's building verification workflows that actually meet French regulatory expectations in practice.

This guide covers the France-specific layer: accepted documents, risk classification, digital verification rules, and where onboarding breaks. For the underlying KYC system architecture and verification framework, see our KYC Requirements guide.

The Legal Foundation

French KYC obligations are anchored in the Code Monétaire et Financier (CMF), updated regularly to align with EU AML directives. The current framework reflects AMLD5 requirements, with France actively preparing for the EU AML Regulation (AMLR) and the new EU AML Authority (AMLA), expected to directly supervise high-risk entities from 2026.

Two regulators set KYC expectations in practice:

ACPR (Autorité de Contrôle Prudentiel et de Résolution) supervises banks, payment institutions, e-money institutions, and most fintechs. It conducts on-site and off-site inspections and has been increasingly active in KYC-related enforcement findings.

AMF (Autorité des Marchés Financiers) covers investment firms, fund managers, and VASPs/DASPs. AMF guidance DOC-2019-15 sets out the risk-based approach to customer due diligence that regulated entities are expected to follow.

Both regulators treat KYC as a lifecycle obligation — not a one-time onboarding check.

Who Must Comply

KYC obligations under the CMF apply to:

• Banks and credit institutions
• Payment service providers and e-money institutions
• Investment firms and financial advisors
• Insurance companies
• VASPs/DASPs — registered under AMF
• Real estate agents and notaries — scope significantly expanded in 2025
• DNFBPs: lawyers, accountants, auditors

For most fintechs and payment platforms, ACPR is the primary regulator.

Accepted Identity Documents

French nationals: The Carte Nationale d'Identité (CNI) is the standard document. It must be current and machine-readable. French passports are equally accepted.

Foreign nationals resident in France: Passport is the primary document. A valid titre de séjour (residence permit) may be required for longer-term or higher-value relationships, depending on the service and risk profile.

Remote verification: For digital onboarding, AMF and ACPR accept remote identity verification provided it meets the same evidentiary standard as in-person processes. Document capture, liveness detection, and face matching against the ID photo must be logged for audit purposes.

FranceConnect: France's national digital identity infrastructure. FranceConnect allows individuals to authenticate using government-verified credentials across connected services. Where available and applicable, it provides a high-assurance verification layer for digital onboarding — though its use in regulated financial services KYC is still evolving.

Risk Classification Under the CMF

French KYC operates on a risk-based approach — explicitly required under the CMF, not optional tiering. This means:

Standard due diligence (SDD) applies to typical low-to-medium risk relationships. Identity verification, document check, and basic screening are the baseline.

Simplified due diligence (SDD lite) is permitted for clearly low-risk entities — listed companies, public bodies, certain institutional relationships — but must be documented and defensible under ACPR review.

Enhanced due diligence (EDD) is mandatory for:

• Politically exposed persons (PEPs) and their close associates
• Clients from high-risk jurisdictions identified by the EU or FATF
• Relationships where the source of funds or business purpose is unclear
• Non-face-to-face onboarding with additional risk factors

Risk classification must be documented at onboarding and updated when the client's risk profile changes.

PEP Screening in France

France has a notably high concentration of PEPs relative to other EU jurisdictions — given the size of its public sector, state-owned enterprises, and political structures. PEP screening cannot be treated as a low-frequency edge case.

Beyond direct PEP status, proximity screening matters: close family members and known associates of PEPs trigger EDD requirements. AMF has been explicit that name-matching alone is insufficient — firms must document how they assessed PEP proximity, not just whether a name appeared on a list.

TRACFIN Reporting

Suspicious activity must be reported to TRACFIN (France's financial intelligence unit) via the ERMES platform. TRACFIN received over 165,000 suspicious transaction reports in 2022, with payment institutions and fintechs among the fastest-growing contributors.

KYC-related TRACFIN triggers include:

• Identity documents that cannot be verified or appear inconsistent
• Client behaviour inconsistent with declared purpose of the relationship
• Refusal to provide required documentation without reasonable explanation
• Patterns suggesting identity layering across multiple accounts

Records must be retained for 5 years after the relationship ends, available to TRACFIN within 30 days upon request.

Digital KYC Under French Regulatory Expectations

ACPR and AMF accept fully remote digital onboarding — but the evidentiary standard is the same as in-person. In practice, a compliant digital KYC flow in France requires:

• Document capture and authenticity verification (OCR + document integrity checks)
• Biometric liveness detection to confirm the person is present and not using a static image or deepfake
• Face matching against the ID photo, logged for audit
• Full audit trail of the verification process, accessible for ACPR and AMF review

This is where platforms like VOVE ID close the gap — OCR, liveness detection, and face matching in one API, with audit logging structured to meet French regulatory standards. France does not have a centralised identity database equivalent to some other EU jurisdictions, which means the quality of document and biometric verification matters more, not less.

Where KYC Breaks in Practice

Foreign nationals with non-EU documents. CNI works cleanly for French citizens. For non-EU clients — significant in Paris and other major financial centres — document diversity increases verification complexity. VOVE ID supports verification across 190+ countries, which matters for platforms with cross-border user flows.

PEP proximity. The scale of France's public sector means PEP-adjacent relationships are more common than firms expect. Proximity screening needs to be systematic, not manual.

Real estate and legal sectors. Since 2025, enhanced supervision applies to real estate agents and legal professionals. Platforms onboarding these as clients now face higher KYC expectations for the counterparty relationship itself.

VASPs and crypto. France's crypto compliance environment is increasingly active — AMF has denied or revoked registrations for platforms with inadequate KYC infrastructure. For crypto-specific KYC and KYB requirements, see our KYB for VASPs in France guide.

Ongoing re-verification. Many platforms build strong onboarding KYC but fail to connect it to lifecycle monitoring. French regulatory expectations explicitly cover the full relationship — not just account opening. This is a recurring ACPR finding.

Getting KYC Right in France

France's regulatory environment rewards platforms that treat KYC as a continuous, documented process — not a one-time check. Active ACPR and AMF supervision, combined with TRACFIN's expanding reach, means that audit-readiness is an operational requirement, not a compliance aspiration.

VOVE ID is used by fintechs operating under French supervision to build KYC workflows that meet this standard — identity verification, biometric checks, PEP and sanctions screening, and audit-ready logging aligned with ACPR and AMF expectations. If you're building or reviewing KYC operations in France, talk to our team.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.