French Banks Under Pressure as Transit Account Laundering Hits €661 Million: ACPR Calls for Urgent AML Overhaul

French banks are facing unprecedented challenges in the fight against financial crime, as the country’s top regulator, the ACPR (Autorité de Contrôle Prudentiel et de Résolution), reveals that €661 million in suspicious transactions passed through so-called “transit accounts” in 2023 alone.

These accounts—used primarily as temporary conduits for laundering the proceeds of fraud—have become key tools for illicit actors, exploiting weaknesses in remote onboarding and digital banking platforms.

The 2024 ACPR thematic review, which analyzed 13 major French financial institutions, exposed a growing and highly adaptive threat. The institutions selected for the review include a mix of traditional banks and digital-first challengers, chosen due to their disproportionate exposure to suspect funds. The report provides a rare and comprehensive window into systemic anti-money laundering (AML) vulnerabilities being exploited by criminal networks across France.

Transit accounts—also referred to as “taxi” or “transitional accounts”—are instrumental in the movement of scam-generated funds. These accounts receive money from victims and rapidly move it onwards, often across borders, effectively concealing the origin and frustrating law enforcement efforts. Although the tactic isn’t new, its scale and sophistication have grown rapidly, spurred on by France’s booming digital banking sector and a rise in payment fraud.

The data shows a staggering 45% increase in the total value of suspect transfers compared to 2022, when €457 million was recorded. The number of individual suspicious transfers also climbed nearly 50% year over year, with average transaction amounts holding steady between €870 and €900—indicative of a growing preference for low-value, high-frequency laundering.

A particularly striking finding is that 43% of these suspect accounts were opened in the last year alone, demonstrating the strong connection between remote customer acquisition and laundering risk. The institutions most aggressively expanding their customer base—especially those relying on remote onboarding—were shown to be the most vulnerable, bearing the brunt of criminal exploitation.

Among the key weaknesses the ACPR identified:

• Remote onboarding: A full 76% of flagged accounts were opened remotely, often with minimal checks. Many institutions were found to depend on limited identity verification processes, often failing to employ robust cross-referencing or biometric authentication.

• Mule recruitment tactics: Both natural persons and corporate entities were found to be exploited as account holders. Some were coerced or deceived into allowing their accounts to be used, while others were newly created shell companies, purpose-built for laundering.

• Weak risk profiling: A persistent failure to correlate transactional behavior with account risk profiles allowed many high-volume or abnormal transactions to proceed unchecked.

The ACPR’s forensic review of 650 high-risk cases revealed that the majority of illicit flows were quickly moved abroad, with over 60% of the money exiting France. Although some cash withdrawals were recorded, most laundering activity involved digital payments and cross-border SEPA transfers, often routed to Luxembourg, Lithuania, Germany, Belgium, and the UK.

The ACPR’s guidance lays out a detailed framework for responding to the risk posed by transit accounts, grounded in French and European regulatory law, including the French Monetary and Financial Code (CMF), EU payment rules, and EBA (European Banking Authority) guidelines on remote onboarding.

Among the key compliance and control measures expected:

1. Governance and Risk Oversight

• Executive boards must recognize and treat fraud-related laundering as a standalone, strategic risk category.

• Institutions are advised to pause or adapt vulnerable processes when evidence of systemic criminal exploitation arises.

  
  

2. Customer Onboarding and ID Verification

• Per Article R. 561-5-2 of the CMF, at least two independent ID checks must be used during remote onboarding.

• In high-risk cases, biometrics or third-party certification are strongly encouraged.

• Initial payment-based verification should be approached cautiously, particularly with cards and providers prone to identity fraud.

• For corporate clients, official registry documents should be certified by a third party, and the authenticity of company representatives must be verified rigorously.

  
  

3. KYC and Ongoing Client Monitoring

• Institutions must obtain and regularly update information on a client’s income, employment, and transaction behavior.

• For companies, detailed financial records and expected transaction patterns should be assessed, especially for newly incorporated entities.

  
  

4. Automated Transaction Surveillance

• Monitoring systems should dynamically adjust thresholds based on client profiles.

• Real-time or near-instant alerts and the ability to suspend suspicious transfers are critical for timely intervention.

• Automated systems should detect discrepancies between account holders and transaction beneficiaries, which may indicate account misuse.

  
  

5. Enhanced Due Diligence and Reporting

• If a transaction cannot be explained, banks must perform an in-depth review of related accounts and file a suspicious transaction report with Tracfin, France’s financial intelligence unit.

• Additional scrutiny is required for new accounts, those with repeated refund activity, or signs of mule usage.

  
  

6. Product and Service Design

• Transaction limits should reflect customer risk levels, with stricter controls for newer clients or those showing elevated risk.

• Contracts should allow banks to manually approve or halt suspect payments immediately.

  
  

7. Audit and Control Feedback

• Periodic audits of suspicious activity cases are essential for identifying weaknesses and updating controls in line with emerging laundering tactics.

The ACPR also flagged significant trends shaping the current profile of mule accounts:

• 70% of suspect accounts were less than a year old, with many closed soon after a suspicious transaction.

• In some digital banks, 80% of suspect accounts were terminated within three months.

• The average age of mule account holders was 39, but some institutions reported that one-third were under 25.

• 97% were French residents, though some institutions reported that up to 14% of flagged clients lived abroad. In many cases, residency checks were based on unverified self-declarations.

The ACPR further noted a disturbing uptick in identity fraud, with criminals using AI-generated deepfakes to bypass onboarding checks. The use of shell companies has also increased, correlating with higher-value transfers and pointing to a shift toward more organized, structured laundering operations.

In conclusion, France’s financial institutions are confronting a severe AML test. The ACPR’s findings confirm that transit accounts represent a major weakness, particularly for digital-native banks and firms using light-touch onboarding. The supervisory authority’s recommendations call for nothing less than a paradigm shift in AML strategy, where agility, automation, and robust identity verification become non-negotiable standards.

To rise to this challenge, financial institutions must:

• Integrate fraud typologies into enterprise risk frameworks.

• Rethink remote onboarding with layered, secure ID protocols.

• Build dynamic monitoring systems capable of instant escalation.

• Promote continuous review and audit to adapt quickly to new threats.

The financial and reputational stakes are massive. As France intensifies its AML push, the sector’s ability to keep up with the evolving sophistication of fraud will determine not just regulatory compliance, but the resilience of the entire financial ecosystem.

By fLEXI tEAM