AMF [FRA] ¦ AMF Enforcement in AML/CFT: What French Supervisory Findings Reveal Between 2022 and 2025

A sharp reminder that compliance must be real, not just written down

The French financial markets authority, the AMF, has published a synthesis of its inspections and follow-up actions in the area of anti-money laundering and counter-terrorist financing, covering cases closed between 1 January 2022 and 31 December 2025. Many firms still have AML/CFT frameworks that exist on paper but do not operate effectively in practice.

The review covers portfolio management companies and financial investment advisers, two of the largest groups supervised by the AMF. Across the period reviewed, 46 inspections addressed AML/CFT and tax transparency issues, leading to 16 sanctions decisions, 16 settlement agreements and 16 letters of follow-up. In other words, nearly two thirds of the cases resulted in a formal enforcement outcome.

The cumulative financial amount linked to sanctions and settlement commitments reached €8.79 million. That figure should not be read as tied only to AML/CFT breaches, since it covers all findings in the relevant cases, but it still shows how seriously the AMF is treating deficiencies in this area.

The AMF’s core message: a framework must work in real life

The AMF’s analysis is not limited to isolated mistakes. It points to recurring structural weaknesses in the way firms design, implement and monitor their AML/CTF controls. The recurring issue is not a missing sentence in a procedure, but a lack of operational substance.

The authority expects firms to identify and assess their money laundering and terrorist financing risks, document a suitable framework, apply risk-based customer due diligence (CDD), monitor transactions and relationships, file suspicious reports when needed, train staff, maintain tax residency and automatic exchange of information processes, and run a genuine internal control system. When these requirements are not demonstrated with evidence, the AMF tends to treat the issue as a real deficiency rather than an administrative omission.

Bastian Schwind-Wagner _Follow

"The AMF’s latest synthesis shows that AML/CFT failures are still often rooted in weak design and weak execution. Firms are expected to prove that their procedures, risk assessments and controls are not only documented, but actually used in daily operations.

The regulator’s message is consistent and direct: traceability, regular updates and effective oversight are essential. In practice, that means firms must be able to evidence every key step of their AML framework, from onboarding to monitoring, reporting and internal control."

Procedures that are generic, outdated or not operational

One of the most common weaknesses identified by the AMF concerns the procedural framework itself. Many firms have no dedicated AML/CFT procedure, or they rely on a document that is too generic to guide staff in practice. Templates taken from professional associations, undated documents, or procedures copied from standard models without tailoring to the firm’s activity are repeatedly cited as insufficient.

The AMF also stresses that procedures must be complete and precise. They should describe how risks are defined, how onboarding is carried out, what ongoing monitoring looks like, what enhanced due diligence (EDD) means in practice, how asset freezing is checked, and when a business relationship should be refused or a suspicious activity report (SAR) considered. A document that lacks these elements cannot be treated as operational.

Timing matters too. Procedures written after the start of an inspection do not prove that the framework existed and worked during the period under review. The same applies to outdated documents that do not reflect current risks, current products or the real business model of the firm.

Risk mapping is not a formality

The AMF’s findings show the same pattern for risk mapping. A cartography of money laundering and terrorist financing risks is meant to be a practical tool, not a theoretical appendix.

Generic risk maps that do not reflect the client base, transaction channels, relevant jurisdictions, asset classes or the use of remote onboarding are repeatedly criticised. In several cases, the AMF also found risk maps that systematically lowered the assessed risk without a convincing explanation, or that failed to create a clear link between the level of risk and the due diligence measures to be applied.

The authority also pays attention to the scoring logic used for individual clients. If a firm uses a risk questionnaire, it must be able to explain how answers translate into the client’s risk profile and what follow-up measures each risk level triggers. Without that link, the risk-based approach remains theoretical.

A further weakness appears when the risk map is incomplete or not updated over time. The AMF expects firms to cover the full scope of their business, including relevant asset transactions, counterparties and other factual risk factors. A stale or partial risk map undermines the whole control structure.

Third parties do not transfer responsibility

Another recurring issue concerns outsourcing, delegation and distribution networks. The AMF is explicit on this point: using a delegate, distributor or other third party never transfers responsibility away from the supervised entity.

A firm must define in its procedures which checks are performed by the third party, how those checks are supervised, what controls the firm retains, and how any weaknesses are detected and corrected. It is not enough to say that a third party has a KYC process of its own. The supervised firm must still verify the quality and completeness of the work performed on its behalf.

The same applies where a group entity or another external party assists with customer due diligence. The AMF expects documented oversight, evidence of follow-up, and a real ability to identify gaps in the outsourced process.

Customer due diligence failures remain widespread

On the customer side, the findings are persistent and familiar. Many files were incomplete, missing identity documents, proof of address, subscription forms, beneficial ownership information, source-of-funds evidence or recent company extracts. The AMF also highlighted files where the relevant documents were not collected at the right time, or where information was added later in an attempt to regularise an already deficient onboarding process.

That is a key point in the AMF’s reasoning. Due diligence must be carried out before entering into the relationship, or exceptionally at the time of onboarding when the rules allow it, and the process must be documented. Evidence created after the fact generally does not cure the initial failure.

Ongoing review is just as important. The AMF found repeated cases where customer files remained unchanged for years, contained obsolete documents or were never formally updated. Informal conversations with clients are not a substitute for a documented update of customer information.

Enhanced diligence must be tied to the risk profile

The AMF also flagged cases where firms did not adapt their measures to risk. This included missing questionnaires, misclassified clients, weak handling of clients from higher-risk jurisdictions, and a failure to apply enhanced checks when the profile of the client or the transaction warranted it.

Source of funds checks, beneficial ownership verification, politically exposed person screening and sanctions list screening are all essential parts of that assessment. The findings show that firms still struggle to evidence these controls. In several cases, the AMF noted that it was impossible to tell whether the checks had been performed at all.

The lesson is simple. A risk-based approach only works if it leads to different levels of scrutiny depending on the client and the transaction. If the same process is applied mechanically in every case, the framework loses its purpose.

Asset-side controls are a specific weakness for portfolio managers

For portfolio management companies, the AMF also examined controls on the asset side of funds and managed portfolios. This is a specific feature of the French framework, and it requires firms to assess the money laundering and terrorist financing risks of investment and divestment transactions involving identifiable counterparties.

The findings show that many firms failed to identify sellers or buyers, failed to review beneficial ownership properly, failed to check the economic rationale of transactions, or failed to perform due diligence on disposals. In some cases, firms relied on the involvement of a notary, a custodian or another intermediary and assumed that this reduced their own obligations. The AMF rejects that approach.

The asset-side review must be documented, risk-based and traceable. If a firm cannot show what it checked, when it checked it and why the transaction was acceptable, the AMF may treat the file as if no effective diligence was done.

Suspicious activity reporting and declarations to the AMF

The report also confirms that declaration requirements remain a separate area of risk. Some firms had not formally designated the TRACFIN contact person or reporting officer, or had failed to notify the AMF and TRACFIN properly. That is not merely an administrative oversight. It reflects weak internal organisation.

The AMF also found inaccurate information in annual reporting to the authority, including errors about the existence of subsidiaries, the date of risk map updates or the frequency of training. Repeated inaccuracies matter because they undermine the reliability of the firm’s interactions with the supervisor.

The synthesis notes that, in the reviewed cases, the AMF did not identify a concrete example where a suspicious activity report should have been filed but was not. Even so, the absence of formal designation and the transmission of inaccurate information were enough to create enforcement exposure.

Training must be regular, specific and proven

The AMF continues to view staff training as a core control. The issue is not just whether training exists, but whether it is regular, relevant and documented.

Several cases showed long periods without any training, a single training session over several years, or a lack of evidence that all relevant staff had attended. The authority also criticised overly general training content that did not reflect the firm’s business model or the staff’s operational responsibilities.

This is an important practical point. Training is not effective if it is generic and detached from real-life scenarios. The content should help staff recognise risk, understand red flags and know how to escalate concerns.

Internal control must be structured and followed through

The AMF’s findings on internal control are equally direct. Control plans were sometimes incomplete, did not cover all relevant AML/CFT risks or failed to distinguish planned controls from those actually performed. In some cases, the sampling method was not clearly defined and did not show a risk-based approach.

Permanent controls were often too limited, poorly documented or unable to detect significant weaknesses in customer files and asset-side checks. Periodic controls could identify deficiencies, but their impact was reduced when recommendations were not followed up or when the firm could not prove that corrective actions had been completed.

The AMF’s point is straightforward: an internal control framework only exists if it is executed, tracked and used to fix problems.

Tax transparency and automatic exchange of information are part of the same picture

The synthesis also covers obligations linked to the fight against tax evasion and fraud, including automatic exchange of information (AEOI). For portfolio managers, this means collecting self-certifications on tax residence and tax identification numbers, ensuring that the required declarations are made, and refusing to establish a relationship where the relevant information cannot be obtained.

The AMF indicates that these obligations are closely related to customer due diligence and can be integrated into the broader AML/CFT framework. As with other parts of the system, the main weakness is often the absence of formal procedures and controls.

What remediation looks like from the AMF’s perspective

Where the AMF has accepted settlements or issued letters of follow-up, firms were typically required to rebuild their procedures, strengthen risk mapping, improve due diligence, reinforce training, formalise internal control and better supervise third parties. In some cases, firms were also asked to commission external audits, introduce new screening tools or redesign their governance model.

The common thread is that remediation is expected to be structural, not cosmetic. The AMF wants complete, dated, traceable and operational documentation, plus proof that the framework is actually used by staff and control functions.

A clear enforcement direction for 2026 and beyond

The overall lesson from the AMF’s 2022 to 2025 review is that AML/CFT compliance must be demonstrable at every stage, from risk assessment to onboarding, from monitoring to reporting, and from training to internal control. Missing documents, weak traceability, generic procedures and unmanaged third-party reliance remain the main sources of enforcement risk.

The AMF has signalled that this remains a supervisory priority. With the European anti-money laundering authority, AMLA, in place, expectations are likely to rise further. For firms in France, the message is already unmistakable: if the framework cannot be shown to work, the regulator may treat it as if it does not exist.

Dive deeper

• Autorité des marchés financiers (AMF), France ¦ Synthèse des constats des contrôles de l’AMF en matière de lutte contre le blanchiment de capitaux et le financement du terrorisme (AML/CFT) ayant donné lieu à des suites (2022-2025) ¦ Link