What lessons to learn from the ACPR’s decision regarding AXA Banque on KYC/KYB?

On February 27, 2023, the French banking regulator ("ACPR") announced a fine against AXA Banque for issues in its KYC and KYB processes, publishing a 15-page decision. We highlight here 3 key learnings for any institution looking to improve its KYC/KYB processes.
Aymeric Boëlle

The ACPR audited KYC/KYB files on a randomized sample of customers

This randomized sample was based on risk criteria like the customer nationality, the country of residence, the presence of adverse media, or the use of crypto-assets.

Here are the findings for individuals (KYC):

  • Significant delays in some KYC refreshes
  • Missing proof of funds for some high-risk customers
  • Absence of enhanced due diligence for some customers residing in high-risk jurisdictions (listed by GAFI and the EU Commission)

Here are the findings for businesses (KYB):

  • Significant delays in some KYB refreshes
  • Missing proofs of incorporation and by-laws
  • Missing financial information

👉 Regulated institutions must keep relevant information on their customers and update it at a frequency that depends on the level of risk each customer presents throughout the business relationship, even if a customer's account is inactive.

The only way to stop KYC/KYB obligations is to take steps to close a customer account.

On customer due diligence

AXA Banque did not undertake additional due diligence measures for high-risk customers, such as those politically exposed or residing in high-risk jurisdictions.

Further, high-risk customers must be approved by a senior executive of the institution or an authorized agent.

Here are the findings:

  • Missed flagging politically exposed persons (PEPs)
  • Absence of enhanced due diligence for customers that were appropriately identified as PEPs
  • Lack of specific approval by senior executives for customers residing in high-risk jurisdictions

👉 Identifying the presence of PEPs at any time during a customer relationship is not a best-efforts obligation. Instead, it is a strict liability regime (obligation de résultat).

Put differently, the financial institution is liable even if its provider misses a PEP. It is also liable if its compliance officer misses a true hit. Finally, it is also liable if it misses a PEP hidden behind a shell company.

On enhanced customer due diligence

Here are the findings:

  • Some customers were erroneously labeled low or medium risk despite showing money laundering risks (adverse media mentioning indictment or criminal conviction).
  • Some customers subject to judicial warrants (réquisitions judiciaires), and some customers who were requested to return funds for fraud suspicions were also erroneously labeled low or medium risk.

👉 There is no strict liability regime for adverse media checks, only a best-effort obligation. However, if a provider misses an adverse media item, the institution will still be liable if the negative news was of such magnitude (important press coverage) that the institution should have known.

Conclusion

The downside risk of not managing compliance properly is severe. AXA Banque spent 13.2 million euros over 4 years on compliance providers and full-time employee salaries for AML-CFT. Of this, 9 million euros were invested in the remediation plan, which was only found partially satisfactory by the ACPR.

The ACPR also found the fact that AXA Banque belongs to a large group to be an aggravating circumstance in the failure to remediate AML-CFT breaches promptly.

🔎 ACPR’s decision 2022-01 regarding AXA Banque is available here.
