The fight against money laundering and terrorist financing has never been static. Its regulations are evolving and adapting to the pace of technological innovations and criminal tactics. 

In 2025, the ACPR and TRACFIN will update their joint guidelines on due diligence and reporting obligations .

An overhaul expected since 2018, which does not impose a change of direction on those subject to the law but rather a reminder: vigilance is not just a theoretical requirement, it must be exercised, continuously, with lucidity and method, in the face of new threats dictated by reality.

‍

Understanding the weight of guidelines

The ACPR-TRACFIN guidelines are interpretative standards intended to inform professionals subject to AML/CFT regulations and ACPR supervision. In principle, they are not binding. 

But in practice, their compliance largely determines your assessment of compliance. During ACPR inspections, our experience shows that they constitute both a basis for assessment and a positive lever. Their rigorous monitoring is often valued as a criterion for good control of the system. Conversely, ignoring their requirements exposes you to an increased risk of grievances.

In terms of AML/CFT, the ACPR has numerous guidelines (identification and verification of customers, freezing of assets, third-party introduction, group system, etc.)

In this respect, since 2010, the ACPR and TRACFIN have defined the practical outlines of two major obligations imposed by AML-CFT regulations: vigilance ^[1] , which covers all measures for the identification, verification and continuous monitoring of customers and their transactions, and the declaration of suspicion ^[2] , which requires professionals to report, without delay, any suspicious transaction likely to constitute an offence of money laundering or terrorist financing.

The latest version from 2018, aging, required an update in order to integrate legislative developments, such as the subjection of PSANs ^[3] , the new obligations arising from the 5th anti-money laundering directive and the AML package, or the decree of January 6, 2021.

They also had to integrate the numerous principles established by the ACPR's case law, nor pretend to ignore the massive emergence of crypto-assets and finally artificial intelligence techniques to combat money laundering and the financing of terrorism.

^[1] Articles L.561-5 of the CMF

^[2] Article L.561-15 of the CMF

^[3] Digital Asset Service Provider,

‍

Vigilance that must be constant

The ACPR and TRACFIN guidelines recall a fundamental principle: AML/CFT vigilance cannot be static or fixed.

No more risk grids filled out mechanically, no more empty risk classifications that make the term "simplified vigilance " or " low risk" a "lazy totem " in order to justify not having to implement anything. 

The vigilance required in 2025 is dynamic vigilance. Each business relationship must be subject to an evolving assessment, based on concrete criteria. Each transaction must be compared to the client's risk profile. It is not possible to set a default level of vigilance, upstream of any business relationship without taking into account the risk criteria specific to it.

‍

The atypical operation at the heart of the system

The simple fact that a transaction appears particularly complex, of an abnormally high amount, without apparent economic justification or without an identifiable lawful purpose requires the initiation of a reinforced examination ^[4] . Without procrastination. Without waiting for formal proof.

The enhanced review cannot be an empty formality. It requires a rigorous, substantiated, and documented analysis. Questioning the client is not an option: it is a legal obligation. 

And if cooperation is not forthcoming, if doubt persists, then reporting suspicion becomes a compliance reflex.

Here again, the guidelines dispel any confusion; the enhanced review targets the transaction, while the enhanced vigilance focuses on the entire business relationship.

In this regard, the following reflexes must be anchored:

• Analyze: Who is the customer? What is the economic coherence of the operation? 
• Question: Ask for specific supporting documents 
• Document: Add comments to the risk file, even if the operation ultimately seems justified  

Many taxpayers still maintain confusion between "enhanced scrutiny" and "enhanced vigilance" . However, these two concepts respond to distinct logics.

The enhanced review specifically targets the risk carried by a given transaction: it involves an in-depth analysis of this transaction and, where appropriate, of the business relationship as a whole.
Increased vigilance is triggered when the risk profile of the business relationship presents risk criteria relating to the client, product, country, operation or finally the distribution channel ^[5] which justifies increased and continuous monitoring. 

^[4] Article L.561-10-2 of the Monetary and Financial Code

^[5] In accordance with article L.561-4-1 of the CMF

‍

New risks, new threats

In this respect, the guidelines highlight one obvious fact: your entity's 2025 risk classification must necessarily have evolved compared to that of 2018. 

Cryptoassets, now fully integrated into the AML/CFT field, are attracting considerable attention. The anonymity offered by certain digital currencies and the concealment techniques used in certain complex or less-than-transparent financial products are all minefields that institutions must be able to detect and analyze.

But the threat isn't limited to the virtual. Transnational flows and opaque arrangements involving shell companies, transit accounts, and trusts spread across high-risk jurisdictions are on the rise. 

Criminal typologies are evolving as quickly as detection tools: abuse of subsidized loans, networks of financial mules, structuring of flows in small amounts... Those subject to the law must be able to integrate these changing patterns into their alert system in real time.

‍

Artificial intelligence: an ally under surveillance

The massive growth of financial data makes the use of automated tools essential. Machine learning, generative AI, big data: the guidelines explicitly recognize the value of these technologies in refining anomaly detection.
But they remind us of a fundamental truth: the tool does not exonerate. 

Each institution remains fully responsible for the parameters chosen, the interpretation of results, and the regular evaluation of models. The temptation to delegate human discernment to machines is not only illusory, it is dangerous.

Explainability is becoming imperative. It's not enough to have efficient algorithms; you also need to understand why they report a particular operation. 

The auditability of systems will be scrutinized by the authorities, in the wake of the European regulation on AI.

‍

The declaration of suspicion: a central act

The heart of the system remains the declaration of suspicion.
It is not just another formality to tick.

Sending a sloppy, vague report without supporting evidence just to reassure yourself and have something to pass on to the authorities is now counterproductive and risky. 

The guidelines insist: the statement must precisely describe the facts, identify the parties, explain the doubt and, if possible, support it with tangible documents.

The suspicion must be reported even if the operation has not been carried out. 

Even if the business relationship was terminated during the review. 

As soon as reasonable doubt arises, action must be taken.

‍

COSI, freezing of assets, TRACFIN opposition, the latest details:

Certain transactions are subject to systematic communication to TRACFIN (COSI), without suspicion being necessary. Massive cash deposits or withdrawals, cash transfers or electronic money: these flows must be reported automatically. Taxable persons must integrate this additional layer into their system without confusing it with the classic suspicious transaction report .

The guidelines finally recall the subtle link between the declaration of suspicion, the obligations to freeze assets and the right to object to TRACFIN.

A freeze on assets in the event of international sanctions does not exempt you from reporting to TRACFIN if other indications of money laundering exist. 

The use of the right of opposition requires careful management, with strict respect for professional secrecy.

‍

A new balance to be found...

With this overhaul, the ACPR and TRACFIN are requiring those subject to the law to truly increase their skills in order to strengthen and adapt their AML-CFT systems.

More than just a regulatory update, these guidelines reflect a desire to adapt the system to contemporary challenges.

Faced with constantly changing threats, only rigor in execution and agility in adapting their systems will allow professionals to stay on track.

Marc Lafin
Student Lawyer
Astrée Lawyers

Astrée is available to answer any questions you may have about these guidelines and their application in your business.

Contact Marc Lafin