PSAN: Becoming a Digital Asset Service Provider in France
Introduction
Obtaining your PSAN registration is the regulatory gateway to the French crypto market.
The Digital Asset Service Provider (PSAN - Prestataire de Services sur Actifs Numeriques) status is the regulatory key to legally operating crypto activities in France. With MiCA coming into force, the landscape is shifting toward a European license, but PSAN remains the entry point for French operators. This guide details the procedures, requirements, and best practices for obtaining and maintaining this status.
What you will learn:
- The different categories of PSAN services
- Registration and approval requirements
- The complete AMF procedure
- The transition to MiCA (CASP)
- Ongoing compliance obligations
Table of Contents
- Understanding PSAN Status
- Regulated Services
- Registration vs Approval
- Registration Procedure
- Organizational Requirements
- AML/CFT Compliance
- Cybersecurity and Asset Protection
- Ongoing Obligations
- Transition to MiCA (CASP)
- Costs and Timelines
- FAQ
1. Understanding PSAN Status
Since 2019, France has regulated crypto operators with a pioneering regime in Europe.
Legal Definition
The PSAN is defined by Article L. 54-10-2 of the French Monetary and Financial Code (Code monetaire et financier), introduced by the PACTE law of 2019:
"Digital asset service providers are legal entities that provide, on a regular professional basis, one or more of the following digital asset services..." -- Article L. 54-10-2 CMF
Regulatory History
| Date | Event |
|---|---|
| May 2019 | PACTE Law: creation of the PSAN status |
| December 2019 | First PSAN registrations |
| 2020-2022 | Ramp-up period, ~100 PSANs registered |
| June 2023 | Strengthened requirements (fit and proper tests) |
| December 2024 | MiCA enters into force |
| July 2026 | End of the PSAN transitional period |
PSAN in the European Landscape
Positioning of the French regime:
- France: pioneer with a dedicated regime since 2019
- Before MiCA: heterogeneous national regimes
- After MiCA: convergence toward the European CASP
- French advantage: advanced regulatory experience
2. Regulated Services
Custody and fiat buy/sell services require immediate PSAN registration.
List of Digital Asset Services
Article L. 54-10-2 defines the services requiring registration or approval:
| Service | Description | Registration | Approval |
|---|---|---|---|
| Custody | Safekeeping of cryptographic keys on behalf of third parties | Mandatory | Optional |
| Fiat buy/sell | Crypto-to-euro exchange | Mandatory | Optional |
| Crypto-to-crypto exchange | Trading between digital assets | No | Yes |
| Platform operation | Matching buyers and sellers | No | Yes |
| Order reception-transmission | Brokerage without execution | No | Yes |
| Portfolio management | Discretionary management | No | Yes |
| Advisory | Personalized recommendations | No | Yes |
| Guaranteed/non-guaranteed placement | Token underwriting | No | Yes |
Focus on Custody
Definition of custody:
"The custody on behalf of third parties of digital assets or access to digital assets, where applicable in the form of private cryptographic keys, for the purpose of holding, storing and transferring digital assets."
What is covered:
- Holding private keys for clients
- Custodial wallets
- Cold storage services
- Custody for exchanges
Focus on Fiat Buy/Sell
Definition:
"The purchase or sale of digital assets in legal tender currency."
Examples:
- Crypto exchange bureaus
- Bitcoin ATMs
- Direct purchase platforms
- On/off ramp services
3. Registration vs Approval
Registration is sufficient to get started; optional approval strengthens your credibility.
Comparison Table
| Aspect | Registration | Approval |
|---|---|---|
| Services covered | Custody, fiat buy/sell | All services |
| Nature | Mandatory | Optional |
| Authority | AMF (after ACPR opinion) | AMF |
| Average timeline | 6-12 months | 12-18 months |
| Requirements | AML/CFT, fit and proper, organization | Enhanced (capital, insurance...) |
| Public list | Yes (AMF website) | Yes (AMF website) |
Why Choose Approval?
Advantages of optional approval:
- Trust signal: higher level of compliance
- Broader scope: all services available
- MiCA preparation: requirements close to CASP
- Banking access: facilitated by the level of regulation
- European passport: prepared for MiCA
4. Registration Procedure
Nine to eighteen months of procedure -- prepare a complete application from the outset.
Step 1: File Preparation
Required documents:
| Document | Description |
|---|---|
| Application form | Cerfa form available on the AMF website |
| Company articles of association | Latest updated version |
| Kbis extract | Less than 3 months old |
| Organization chart | Legal and operational structure |
| Directors' CVs | Background and qualifications |
| Criminal records | Bulletin no. 3 for directors and shareholders |
| AML/CFT procedures | Complete documentation |
| Security policy | IT and asset protection |
| Business plan | Description of the projected activity |
Step 2: Filing and Review
AMF process:
File submission (AMF)
|
v
Acknowledgment of receipt (within 48h)
|
v
Completeness check (2 months max)
|
|---> Request for additional information (if needed)
|
v
Substantive review
|
v
ACPR opinion (AML/CFT)
|
v
AMF decision
|
|---> Registration approved
|
|---> Refusal (with reasoning)
Step 3: Key Considerations
Common reasons for rejection or requests for additional information:
- Fit and proper: background of directors/shareholders
- AML/CFT procedures: insufficiently detailed
- Human resources: undersized compliance team
- IT security: gaps in the cybersecurity policy
- Governance: insufficient separation of functions
Fit and Proper Criteria (since 2023)
Strengthened requirements:
"Must not have been the subject of a final conviction... for a crime, for certain offenses (money laundering, tax fraud, corruption...)"
Persons concerned:
- Effective directors
- Board members
- Shareholders holding 25%+ of the capital
- Compliance officers
5. Organizational Requirements
Two directors, a dedicated AML officer, and documented procedures are indispensable.
Minimum Structure
Mandatory functions:
| Function | Role | Requirement |
|---|---|---|
| Effective director | Operational management | 2 persons minimum |
| AML/CFT officer | Anti-money laundering compliance | Dedicated or shared |
| CISO/DPO | Security and data protection | Depending on size |
| TRACFIN correspondent | Suspicious activity reports | Mandatory |
Documented Policies and Procedures
Required documentation:
PSAN Compliance File
|
+-- Governance
| +-- Organization chart
| +-- Job descriptions
| +-- Delegations of authority
|
+-- AML/CFT
| +-- Risk classification
| +-- KYC/KYB procedure
| +-- Transaction monitoring
| +-- Asset freezing
| +-- TRACFIN reports
|
+-- Security
| +-- ISSP (Information Systems Security Policy)
| +-- Incident management
| +-- Business continuity
| +-- Key protection
|
+-- Client Relations
+-- Terms of service / Terms and conditions
+-- Complaints handling
+-- Consumer protection
Technical Resources
Required infrastructure:
- Transaction monitoring systems
- KYC scoring tools
- Sanctions screening solution
- Secure data storage
- Logging and audit trails
6. AML/CFT Compliance
Rigorous KYC, continuous monitoring, and TRACFIN reports form your anti-money laundering shield.
Regulatory Framework
Applicable texts:
- Monetary and Financial Code (L. 561-1 et seq.)
- 6th Anti-Money Laundering Directive (AMLD6)
- AMLR Regulation (forthcoming)
- AMF/ACPR guidelines
Main Obligations
1. Client Identification and Verification (KYC):
| Client type | Required documents |
|---|---|
| Natural person | Identity document, proof of address |
| Legal entity | Kbis, articles of association, UBO, legal representative |
| PEP | Enhanced due diligence mandatory |
2. Risk Classification:
Risk = f(Client, Product, Channel, Geography)
Levels:
+-- Low -> Simplified measures possible
+-- Standard -> Normal measures
+-- High -> Enhanced due diligence
+-- Very high -> Refusal or management authorization
3. Transaction Monitoring:
- Detection of atypical transactions
- Automated alerts
- Manual review of alerts
- Documentation of decisions
4. Suspicious Activity Reports (TRACFIN):
- Mandatory reporting in case of suspected money laundering or terrorist financing
- Deadline: without undue delay
- Absolute confidentiality
Asset Freezing
Freezing obligation:
- Consultation of sanctions lists (EU, UN, OFAC...)
- Immediate freezing of assets of listed persons
- Declaration to the DG Tresor (French Treasury)
- Prohibition from providing services
7. Cybersecurity and Asset Protection
Multi-signature, HSM, and hot-cold wallet separation protect your clients' assets.
Security Requirements
Security framework:
| Domain | Requirements |
|---|---|
| Governance | ISSP, security committee, CISO |
| Access | Strong authentication, access rights management |
| Networks | Segmentation, firewalls, intrusion detection |
| Data | Encryption, backup, pseudonymization |
| Private keys | HSM, multi-signature, separation of roles |
| Incidents | Response plan, ANSSI/AMF notification |
Cryptographic Key Protection
Recommended standards:
Custody Architecture
|
+-- Hot wallet (operational)
| +-- Multi-sig (2/3 minimum)
| +-- Amount limit
| +-- Real-time monitoring
|
+-- Warm wallet (intermediate)
| +-- Multi-sig (3/5)
| +-- Formalized access procedure
| +-- Regular audit
|
+-- Cold wallet (long-term storage)
+-- Multi-sig (4/7)
+-- HSM or paper wallet
+-- Geo-distribution
+-- Formalized signing ceremony
Business Continuity
Business Continuity Plan (BCP/DRP):
- Identified disaster scenarios
- Failover procedures
- Regular testing
- Recovery timelines (RTO/RPO)
8. Ongoing Obligations
Semi-annual reporting, incident management, and continuous training maintain your compliance.
Regular Reporting
Mandatory declarations:
| Declaration | Frequency | Recipient |
|---|---|---|
| Activity (volumes, clients) | Semi-annual | AMF |
| Major incidents | Immediate | AMF/ANSSI |
| Substantial modifications | Within 1 month | AMF |
| AML/CFT report | Annual | Management, AMF if requested |
Internal Controls
Control framework:
- Permanent controls (1st level operational)
- Periodic controls (2nd level compliance)
- Internal or external audit (depending on size)
Continuous Training
Training obligations:
- Initial training for all employees
- Annual AML/CFT refresher
- Function-specific training
- Training documentation
9. Transition to MiCA (CASP)
July 2026 marks the end of the PSAN regime -- begin your transition to the European CASP.
Transition Timeline
MiCA deadlines:
| Date | Event |
|---|---|
| December 30, 2024 | MiCA enters into application |
| Until July 1, 2026 | Transitional period for existing PSANs |
| July 1, 2026 | End of validity of PSAN registrations |
Transitional Regime
Options for existing PSANs:
- Continue under the PSAN regime until July 1, 2026
- Apply for CASP authorization as soon as possible
- Benefit from the simplified procedure (PSAN to CASP)
PSAN vs CASP Differences
| Aspect | PSAN | CASP (MiCA) |
|---|---|---|
| Scope | France | Entire EU (passport) |
| Minimum capital | Not specified | EUR 50,000 to EUR 150,000 depending on services |
| Professional liability insurance | Not mandatory | Mandatory or equivalent capital |
| Governance | General requirements | Detailed requirements |
| Conflicts of interest | Principles | Precise rules |
| Fee transparency | Limited | Enhanced |
| Complaints | Internal procedure | Harmonized procedure |
Recommended Preparation
PSAN to CASP transition checklist:
- Assess the gap between PSAN and CASP requirements
- Strengthen capital if necessary
- Subscribe to professional liability insurance
- Adapt governance policies
- Update client procedures
- Prepare the CASP authorization file
- Anticipate timelines (12+ months)
10. Costs and Timelines
Budget between EUR 150,000 and EUR 400,000 in the first year for your PSAN compliance.
Cost Estimates
Typical budget for a PSAN registration:
| Item | Estimate |
|---|---|
| Legal counsel | EUR 30,000 - 80,000 |
| Compliance advisory | EUR 20,000 - 50,000 |
| Cybersecurity audit | EUR 10,000 - 30,000 |
| KYC/AML tools | EUR 5,000 - 20,000/year |
| IT infrastructure | EUR 20,000 - 100,000 |
| Compliance recruitment | EUR 60,000 - 100,000/year |
| Total first year | EUR 150,000 - 400,000 |
Average Timelines
Observed statistics (2023-2024):
| Phase | Timeline |
|---|---|
| File preparation | 3-6 months |
| AMF review | 6-12 months |
| Total registration | 9-18 months |
| Optional approval | 12-24 months |
Acceleration Factors
Best practices:
- Complete file at the time of submission
- Responsiveness to requests for additional information
- Use of experienced advisors
- Anticipation of cybersecurity requirements
- Comprehensive documentation from the outset
11. FAQ
General Questions
Q: Can I operate without PSAN registration while awaiting approval?
A: No, operating without registration is prohibited and subject to criminal penalties (2 years imprisonment, EUR 30,000 fine). Certain services not on the list (blockchain development, non-personalized advice) do not require PSAN registration.
Q: Does PSAN registration allow operations across the entire EU?
A: No, PSAN registration is valid only in France. To operate in other EU countries, you either need a local license or must wait for the CASP authorization under MiCA, which provides a European passport.
Q: How many PSANs are registered in France?
A: Approximately 100 PSANs were registered by end of 2024. The list is public on the AMF website (Register of Financial Agents - REGAFI).
Practical Questions
Q: What legal structure should a PSAN have?
A: The legal form is unrestricted (SAS, SARL, SA...). The SAS (simplified joint-stock company) is the most common due to its flexibility. Sole proprietorship is theoretically possible but rare in practice.
Q: Is there a minimum capital requirement?
A: The PSAN regime does not set a minimum capital requirement. In practice, the AMF reviews the financial resources against the projected activity. MiCA will impose minimum thresholds (EUR 50,000-150,000).
Q: Can PSAN be combined with other licenses?
A: Yes, some entities combine PSAN with ISP (investment service provider), EMI (electronic money institution), or PI (payment institution) licenses.
Compliance Questions
Q: What happens in case of non-compliance?
A: The AMF can impose sanctions: warning, reprimand, temporary ban, fine (up to EUR 100 million or 15% of turnover), withdrawal of registration.
Q: Is the PSAN liable for client losses?
A: The PSAN must implement adequate protection measures. Its liability may be engaged in case of fault (security failure, negligence). Optional approval requires professional liability insurance.
Conclusion
PSAN registration remains the mandatory pathway for legally providing custody and fiat buy/sell crypto services in France. With the arrival of MiCA, the landscape is evolving toward a harmonized European license, but the compliance fundamentals remain the same.
Key takeaways:
- Mandatory registration for custody and fiat buy/sell services
- Substantial requirements: AML/CFT, cybersecurity, governance
- Long timelines: 9-18 months on average
- Significant costs: EUR 150,000-400,000 in the first year
- MiCA transition: start preparing now for the shift to CASP
- Competitive advantage: compliance as a differentiator
Recommendations for project founders:
- Anticipate timelines (start 18+ months before launch)
- Surround yourself with specialized advisors (lawyers, compliance experts)
- Budget compliance as a strategic investment
- Aim for excellence from the start (not the bare minimum)
- Prepare for the MiCA transition in parallel
- Comprehensively document all procedures
The PSAN status, despite its constraints, is a mark of seriousness and sustainability in an industry where trust is essential.
Related Articles - Professional Compliance
Complete your reading with our compliance series:
- Travel Rule: PSAN Compliance -- Traceability obligations
- AML/CFT Crypto: Professional Guide -- Anti-money laundering
- MiCA Compliance: CASP Preparation -- European transition
- Institutional Custody Comparison -- Custody solutions
Additional Resources
Topic Article Regulation Travel Rule: Transfer Tracing DAC8 DAC8: Automatic Exchange of Information AMLR AMLR: End of Anonymous Payments France 2026 Financial Sovereignty
Article updated in December 2025. The information presented is for educational purposes and does not constitute legal advice. Consult a qualified professional for your specific situation.