Ondorse Breakfast Series: Overview of 12 months of ACPR enforcement

On November 30, 2023, Ondorse and Marble held a breakfast at the Galion House to debunk 12 months of ACPR enforcement actions.
Aymeric Boëlle


The decisions of the sanctions committee are a goldmine of information for anyone reflecting on whether they are compliant with AML-CFT requirements. Moreover, recent actions have shown evolving expectations from the ACPR. For these reasons, Ondorse and Marble organized a breakfast to debunk the latest trends in ACPR enforcement.

Specifically, we extracted relevant information for the last six enforcement actions: La Mutuelle de Poitiers, Abeille Vie, BMW Finance, Nickel, Axa Banque, CA Mutuel du Languedoc.

The panel was comprised of :

  • Nicolas Spitz, Member of the Paris Bar, Partner at Spitz, Poulle & Kannan
  • Arnaud Schwartz, Founder of Marble and Former COO of Shine
  • Aymeric Boëlle, Co-Founder of Ondorse and Former regulatory lawyer

Key takeaways

Managing an ACPR investigation

  • There’s no rule of thumb for an audit. It’s usually every three years, but some institutions can be audited even a few months after getting their license.
  • Properly organize your databases to generate exports based on filters quickly.
  • AML-CFT is key!
  • What’s not written does not exist.
  • Respond promptly to regulator requests.
  • Be fully transparent and collaborate with the regulators.
  • Remember that your counterparts at the regulators will change over time and might have varying objectives.
  • Being part of a large group was an aggravating circumstance in failing to remediate AML-CFT breaches promptly.

Know Your Customers

  • Make sure your KYC policy is explainable and understandable. The rules of your risk scoring matrix must be particularly clear and self-explanatory.
  • Obliged entities must check the UBO register when onboarding a new business. It is a compulsory requirement.
  • Make sure you can prove whatever diligence measures were conducted in an audit log. Example: For high-risk customers, you must be able to justify that the decision to establish or maintain the business relationship had been made by the executive body.
  • All KYCs need to be refreshed, even inactive accounts.
  • The ACPR confirms a strict liability regime (as opposed to the duty to take reasonable care) for identifying PEPs. Showing goodwill is not enough.
  • One single breach (eg: absence of PEP detection during the course of the relationship) can have a domino effect and trigger new related breaches (eg: absence of updated risk score, absence of enhanced due diligence and absence of appropriate decision level).

Transaction Monitoring

  • ACPR’s new data mining tool (LUCIA) makes them very efficient at detecting past loopholes in the monitoring scenarios.
  • Transaction monitoring scenarios should consider the KYC/KYB risk score and the customer’s financial profile (turnover, revenues…). And vice-versa.
  • Fixed detection thresholds should be avoided, or determined based on a homogeneous customer’s cluster.
  • The type of goods/services purchased is a key detection element to take into account
  • The gap in practices between banking and insurance is closing, and the expectations for sanction checks and AML detection are aligned.
  • 360° is the way to go: all transactions, no matter the type/scheme used must be encompassed into the detection mechanisms. As such, an automated detection system is mandatory if not for the smallest ventures.

Thank you 

Special thanks to Nicolas Spitz, who shared his rich experience in successfully conducting and resolving an ACPR audit, steps after steps!