Second part of French Legal Analysis of Payment in Crypto-currencies – Regulation of Actors Providing Crypto-payment Services (exchange and wallet) 1/2.
II. OBLIGATIONS OF CRYPTO-PAYMENT OPERATORS
Cryptopay operators are the platforms offering exchange services and crypto-assets transfer services. They must logically be subject to the obligations relating to payment service providers (A.), but also to those relating to the protection of personal data (B.).
A. REGULATION OF PAYMENT SERVICE PROVIDERS
Payment service providers are subject to numerous rules due to the handling and issuing of payment instruments, a right previously limited to banks. In addition to the regulations on institutions offering services based on money, these providers offer payment services that are familiar to them under monetary and financial law, which delimits their operation and the rights and prerogatives of each of the parties very precisely.
The obligation to combat money laundering and terrorist financing - The Banque de France has decided to apply the AML/CFT Directive to institutions providing crypto-assets[1]. Article L561-2 of the Monetary and Financial Code has been amended[2] to make "any person who, as a regular occupation, either acts as a counterparty itself or as an intermediary, with a view to the acquisition or sale of any instrument containing units of non-monetary value in numerical form that may be kept or transferred for the purpose of acquiring a good or service, but which does not represent a claim on the issuer" subject to the obligations prescribed by the AML/CFT regulations. As a result of this extensive wording, the Monetary and Financial Code regulates virtual currency exchange platforms.
Execution of payment orders - As payment service providers, platforms offering crypto-asset accounts must comply with the rules on payment transactions. Thus, the execution of such a transaction requires the consent of the holder, "the originator". The date of a payment order is the date of its receipt by the payment service provider and the amount is credited to the payee's account by the end of the first working day following that date at the latest[3]. While the timing does not require any particular questioning, since it is well known to banking institutions, the value requires more. Under the terms of Article L133-14 of the Monetary and Financial Code, the value date of an amount credited to the beneficiary's account may not be later than the business day on which the amount is credited to the account of the beneficiary's payment service provider. Since the price of crypto-assets is relatively stable, this element is important since, in the event of a rapid fall or rise in the price, operators may be responsible for delays in processing payment orders because they did not make it possible to sell an asset whose value is falling in time. Moreover, this provision would seem to be of public order, since "any provision to the contrary shall be deemed unwritten"[4].
Non-execution of the payment order - Despite this principle, a payment order is not immutable: the order can, in certain cases, be revoked and, if it cannot be revoked, the user has a right to object to certain transactions. Indeed, if the order for immediate execution, once received by the payer, can no longer be revoked, this is not the case when the transaction is to be carried out on a given date[5]. Thus, in the case of a direct debit, the account holder must in principle be able to revoke this order at the latest at the end of the business day preceding the day agreed for debiting the funds, without prejudice to the right to reimbursement mentioned in Article L133-25[6]. Thus, if a crypto-asset transfer order is transmitted for future execution, the holder of the crypto-asset account must be able to cancel his order under these conditions. In the same vein, which is more difficult to transpose to crypto-assets, the service user has a right of opposition when he is aware of the loss, theft, misappropriation or unauthorised use of the payment instrument or the data linked to it. Once informed, the service provider shall be obliged to prevent any use of the payment instrument. If the payment instrument has been used before the issuer has been informed, the payer shall bear the resulting loss up to a maximum limit[7], except in cases of fraudulent conduct by the payer or where the payer has failed to fulfil his obligations (including the obligation to ensure the security of the payment instrument) either intentionally or through gross negligence[8]. However, the holder shall not be liable if the unauthorised payment transaction was carried out without using the holder's secret codes or if the payment transaction was carried out by misappropriating the payment instrument or the data linked to it without the payer's knowledge[9].
Incorrect execution of the order - In the event of incorrect execution of the payment order received, the service provider may be held liable. Conversely, an order executed in accordance with the identifier provided by the Service User is deemed to be duly executed by the Provider, who cannot be held liable if the information transmitted is inaccurate. It must only endeavour to recover the funds committed. Where the payment order is given by the payer, his payment service provider shall be liable to the payer for the proper execution of the transaction until the amount of the transaction is received by the payee's payment service provider. Thereafter, the payee's payment service provider shall be liable to the payee for the correct execution of the payment transaction vis-à-vis the payee[10].
The obligation to ensure the security of the instrument issued - The provider is obliged to ensure the security of the payment instrument issued[11] by means of security features, including identification, so that the instrument is not accessible to persons other than the authorised user. The service provider bears the risk of sending a payment instrument or any personalised security features of a payment instrument to the payer. The service user[12] must take "all reasonable steps to maintain the security of his personalised security features and use the payment instrument in accordance with the conditions governing its issue and use"[13]. In the case of remote payment or any other type of payment method that could be used for fraudulent purposes, the service provider is required to apply strong customer authentication based on the use of two or more elements belonging to different categories[14]. The main foreign exchange platforms already seem to use this method of identification.
The provider's prerogatives over the instrument - If the deposit account agreement or the framework payment services contract so provides, the provider may reserve the right to block the payment instrument for objectively justified reasons relating either to the security of the payment instrument or to the risk of the payer being unable to fulfil his payment obligation. While the first hypothesis is the corollary of the security obligation, the second will be rarer in practice due to the nature of crypto-assets. Indeed, there can be no risk that the payer will be unable to fulfil his payment obligation since this verification is integrated into the functioning of the crypto-assets[15]. However, nothing being impossible, encryto-asset current accounts seem to exist: in this case, the service provider should in principle inform the payer of the blocking and the reasons for it[16]. If, in the case of crypto-assets, it is impossible to block the instrument itself, the account made available by the service provider may be blocked, making the full application of these provisions possible and necessary. In this respect, the charging of costs to the user as a result of a payment incident is exceptionally permitted, but must be agreed between the service provider and the user of the service[17]. The amount must be in relation to the costs actually incurred and is capped (except for cheque rejections) by decree[18].
Information to the service user - The Payment Service Provider must provide any information relating to a payment transaction, whether in the case of correct execution, incorrect execution or refusal of execution. Indeed, he is obliged to provide the user with all information relating to such execution[19]. The user may then report an unauthorised or incorrectly executed payment transaction to his Payment Service Provider at the latest within thirteen months of the debit date, failing which he shall be liable to foreclosure. In the event of refusal, the payment service provider must notify his decision and the reasons for it within a period which may not exceed that required for crediting the payee's account, i.e. by the end of the first working day following receipt of the order[20]. Article L133-26 of the Monetary and Financial Code excludes any remuneration for the fulfilment by the service provider of its information obligations and for the execution of corrective or preventive measures.
B. PROTECTION OF PERSONAL DATA
Difficulties in applying to the "blockchain" - Some particularities of the "blockchain" may complicate the implementation of the mandatory rules of the DPMR. For example, notification of a personal data breach may be difficult when participants in a public "blockchain" are anonymous[21]. The right to data portability may face the difficulty of extracting data from the "blockchain"[22]. Such an operation seems technically less complicated than the erasure of data under the right to oblivion[23], one of the characteristics of the "blockchain" being "to prevent such erasure in order to preserve the durability of the system"[24]. It follows that the "blockchain", on this point, "constitutes ... an instrument incompatible with the Directive but pursuing the same purpose[25]. The problem is the same for tokens issued at ICOs, but since the identity of the originator of the ICO has been determined, the AMF suggests applying certain provisions, particularly those allowing the persons concerned "to require the originator to facilitate access to their personal data or to erase them under the right to oblivion"[26].
Difficulty in repairing the damage - Furthermore, the right to seek compensation for the damage suffered as a result of the violation of the rules of the GDR may be impacted by the difficulty in identifying those responsible for the damage, particularly in the case of anonymity of the participants in the "blockchain"[33]. The introduction of the concept of joint controller[34] and the reinforcement of the obligations of processors (data security[35], register of data processing[36] and prior consent of the controller in case of recourse to another processor[37]) are all difficulties that will have to be overcome to define the scope of responsibilities of each party involved. As the "blockchain" is a form of decentralised automated data processing system, operators in the crypto-asset market could be seen as processors of personal data, or joint controllers, which would expose them to the penalties applicable in the event of failure to comply with security and information obligations. The mechanism of joint and several liability of the controller and the processor will make it more complex to determine the liability of each of the participants in the block chain, which will require a precise case-by-case analysis of the role of each of them[38].
All my posts are linked each other, so if you don't understand everything or you want to learn more about crypto-currencies in France please check the links below :
French Legal Aspects of Cryptocurrencies - Introduction 1/2 ;
The BlockChain, A Method of Issuing Dematerialized Securities 1/2;
French Legal Regulation of Crypto-assets Financing Mechanisms (or DeFi) - Lending and Borrowing;
French Legal Analysis of Crypto-payment – An Usefull Alternative Method of Payment 1/2.
[1] Banque de France, « L’émergence du bitcoin et autres crypto-actifs : enjeux, risques et perspective », Focus n°16, 5 mars 2018, p. 5.
[2] Art. 10, Ord. n°2017-1107, 22 June 2017, relating to markets in financial instruments and the separation of the legal regime of portfolio management companies from that of investment firms, JORF n° 0149, 27 June 2017.
[3] Art. L133-13, C. mon. fin.
[4] J-F. Riffard, « Synthèse 40. Services bancaire », Jurisclasseur Banque Crédit Bourse (Maj, 9 sept. 2017), par. 63.
[5] Art. L133-6, C. mon. fin.
[6] J-F. Riffard, « Synthèse 40. Services bancaire », Jurisclasseur Banque Crédit Bourse (Maj, 9 sept. 2017), par. 60.
[7] Initially set at 150 euros, the amount was reduced to 50 by Order no. 2017-1252 of 9 August 2017.
[8] Art. L133-19, C. mon. fin.
[9] J-F. Riffard, « Synthèse 40. Services bancaire », Jurisclasseur Banque Crédit Bourse (Maj, 9 sept. 2017), par. 67-68.
[10] Art. L133-22, I, C. mon. fin.
[11] Art. L133-15 à L133-17, C. mon. fin.
[12] Art. L133-4, C. mon. fin. créé par ord. n°2017-1252, 9 août 2017.
[13] J-F. Riffard, « Synthèse 40. Services bancaire », Jurisclasseur Banque Crédit Bourse (Maj, 9 sept. 2017), par. 66.
[14] At least three that fall into the following categories: "knowledge", which is something that only the user knows, "possession", which is something that only the user has, and "inherence", which is something that the user is.
[15] Voir infra. 111. Mécanisme de validation de bloc.
[16] J-F. Riffard, « Synthèse 40. Services bancaire », Jurisclasseur Banque Crédit Bourse (Maj, 9 sept. 2017), par. 61.
[17] Art L133-26, C. mon. fin.
[18] Art. D133-5 et D133-6, C. mon. fin.
[19] J-F. Riffard, « Synthèse 40. Services bancaire », Jurisclasseur Banque Crédit Bourse (Maj, 9 sept. 2017), par. 65.
[20] Idem, par. 69.
[21] Art. 33, Reg. No. 2016-679, 27 Apr. 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[22] Art. 20, Règl. UE n° 2016-679, 27 avr. 2016.
[23] Art. 17, Règl. UE n° 2016-679, 27 avr. 2016.
[24] Etude par le Cabinet d'avocats Simmons & Simmons LLP, « Le droit et la technologie blockchain : une approche sectorielle », Contrats Concurrence Consommation n° 10, oct. 2017, étude 10, par. 9.
[25] J. Deroulez, « Blockchain et données personnelles - Quelle protection de la vie privée ? », La Semaine Juridique Edition Générale n° 38, 18 sept. 2017, 973, par. 18-20.
[26] AMF, « Synthèse des réponses à la consultation publique portant sur les Initial Coin Offering (ICO) et point d’étape sur le programme « UNICORN » », 22 févr. 2018, p. 12.
[27] Art. 24, Règl. UE n° 2016-679, 27 avr. 2016.
[28] Art. 26. Règl. UE n° 2016-679, 27 avr. 2016.
[29] Art. 32, Règl. UE n° 2016-679, 27 avr. 2016.
[30] Art. 30, Règl. UE n° 2016-679, 27 avr. 2016.
[31] Art. 27 à 28, Règl. UE n° 2016-679, 27 avr. 2016.
[32] Etude par le Cabinet d'avocats Simmons & Simmons LLP, « Le droit et la technologie blockchain : une approche sectorielle », Contrats Concurrence Consommation n° 10, oct. 2017, étude 10, par. 9.
[33] Art. 24, Règl. UE n° 2016-679, 27 avr. 2016.
[34] Art. 26. Règl. UE n° 2016-679, 27 avr. 2016.
[35] Art. 32, Règl. UE n° 2016-679, 27 avr. 2016.
[36] Art. 30, Règl. UE n° 2016-679, 27 avr. 2016.
[37] Art. 27 à 28, Règl. UE n° 2016-679, 27 avr. 2016.
[38] Etude par le Cabinet d'avocats Simmons & Simmons LLP, « Le droit et la technologie blockchain : une approche sectorielle », Contrats Concurrence Consommation n° 10, oct. 2017, étude 10, par. 9.
To be frank and sincere with u pls try to.shorten ur articles this one is extremely long nd tiring but good luck though nice job