FRENCH GOVERNMENT WANTED TO COLLECT ALL BANK PAYMENT TRANSACTIONS
The Directorate General of Public Finances (DGFiP) is a directorate of the French public administration which depends on the Ministry of Economy and Finance at Bercy. This important direction of the government in France is in charge of tax payments, for example, as well as all public accounting.
Bercy has apparently requested direct and real-time access to all French bank account statements! This is what we learned this week thanks to Next Impact and was picked up on your favorite media Le Point, BFM TV and the entire crypto-sphere media.
But what is this matter really? Is the topic from last year closed today? Was there a real threat to privacy in France from the Minister Bruno Le Maire? And what fears does this project add to the Central Bank's digital currency called Digital Euro (D€)?
This is what we will see together in this new Valuechain article.
Let's start by how this story ended. Few days ago the french government responded and reassured us at the beginning that the Ministry of Economy and Finance had not requested access to the list of all real-time transactions, but only to the real-time balance status of 80 million people registered in France in their FICOBA database. Regarding single operations, they would only have requested real-time access to the numbers of these transactions on each account. We are therefore very reassured!
For those who do not know, the FICOBA file is the “National file of bank accounts and similar”. It is a database of the Ministry of the Economy to which all banks and financial institutions report information on accounts of all kinds (bank, postal, savings, etc.).
The CNIL (the liberty and privacy agency in France) has validated this file and reminds us that today it “provides no information on the transactions carried out on the account or on its balance”. It would therefore be in compliance with banking secrecy.
This database is used by the government to provide authorized persons with information on the accounts held by a person or a company. And who are these authorized persons? Apart from the DGFIP at the ministry, there are Customs, Justice, Judicial police officers, Notaries, Banks, the Bank of France, Bailiffs and even certain “Individuals” through the CNIL.
You may think that this database should therefore be used to secure French citizens and protect their accounts against fraud or other payment errors. For example, in the case of the numerous credit transfer errors to an wrong IBAN, a victim can ask his bank or a payment mediator to identify the real recipient behind this wrong destination in order to claim a return of the funds. However, banks and the central bank do not use this service to secure payments and help recover lost funds. Does this remind you of something? The criticisms made against blockchains and cryptopayments on the immediate irrevocability of cryptocurrency transactions even in the event of recipient errors, yes this same criticism is valid for the traditional banking system.
In reality, this FICOBA database in its current version contains very sensitive payment data. We find the surname, first name of the account holder and of any person with access to the account, their banks and agencies, their full IBAN and account numbers, their rented safes, their individual or company addresses, the Siren registration number if any, date and place of birth, even the gender is there. The depth of this database is 10 years officially but the FICOBA file has existed since 1971, and the current version of the FICOBA 2 database was put into use in 1982.
In view of the current state of batch feeding on monthly basis of this database by the banks, it is therefore not yet in real time, and given the sometimes insufficient quality of the data provided, the State has undertaken a modernization project called FICOBA 3. This project was even the winner in June 2020 of the public transformation fund and was even designated a “government priority”
Currently, information on this project is no longer made public, but we were able to obtain the latest version of the specifications from July 2022 at Valuechain. We will come back to this later. But let's talk first about the only official and public source that alerted us to this subject. This is the response to this request from Bercy by the DINUM digital department.
The interministerial digital department is in charge of the digital transformation of the State for the benefit of both citizens and agents. It manages and initiates projects to modernize the State information system, the quality of digital public services, the creation of innovative services for citizens and digital collaborative work tools for agents. This same department has been the last bastion for the protection of privacy regarding sensitive payment data.
On 10/15/2021 (so one year ago) this management sent an official letter to the Secretary General of the Ministry of the Economy in Bercy (email still online for info) in which she issued “an unfavorable assent for this part of the FICOBA 3 project". We can thank Nadi BOU HANNA, Interministerial Director of Digital for this decision. Since then, he left the DINUM at the beginning of 2022.
This same letter contradicts what Bercy said recently! DINUM revealed in its response that “the FICOBA 3 project aims to integrate the balances of bank accounts and ultimately the operations carried out on these bank accounts”.
The letter notes that it “is a very significant functional development, moving (…) to management of very sensitive dynamic data”. If it was only information on the existence of accounts going from a monthly rhythm to real time, would not have provoked such a response from the directions of the Prime Minister who judged that "the cases of use of these balances and these operations are not detailed and their compliance with the current legal framework does not seem to me to be sufficiently solid”
The DINUM even retorted that it had “not found any trace, either, of parliamentary debates allowing these substantial changes to be authorized”. It even specifies “that in order to secure the project, you should ensure their compliance with the competent authorities, in the first place the CNIL, before starting the construction work”.
The DINUM recommended to the DGFIP “to keep the initial modernization course of the project, even if it means adopting a gradual approach to deployment according to the capacities of the banks and the DGFiP” which implies that the DGFIP is invited to wait to make these changes in an incremental way after the opinion of the CNIL and the parliament. So the topic doesn't seem 100% closed yet!
We were able to obtain a version of the FICOBA 3 specifications. For information, this file was accessible on the internet but was removed from the public service site. However, the Internet does not forget quickly, a version in Google's cache remained accessible until October 5, 2022. This specification is the constrained version and complies with the Prime Minister's decision in which we no longer find the access to all balances and transactions. On the other hand, as it is a modification of the initial specifications, there are still remnants of this trend.
In a March 2022 presentation by the DGFIP to AMAFI, the French Financial Markets Association, we find that FICOBA 3 is waiting for “legal developments & opportunities” to improve the “Monitoring of data quality and flows by bank : Means of mass or unitary consultation of bank data for realignment”
“The legal framework may be adapted in particular: according to the needs of other projects in the context of the transposition of European directives”
These directives are not explicated, but if it concerns, for example, the PSD2 payment services directive, it is technically possible for the DGFiP to take advantage of the “open banking” services for aggregating payment initiation from all the accounts of a holder thanks to the APIs provided for this. Of course with the consent of the user. This is only a speculation on my part and I could be wrong on this assumption, but what gave me this impression is also the response of DINUM to Bercy who criticized the FICOBA 3 project which “did not sufficiently take into account the needs of users with the possibility for them to consult and share (tell us once) their Bank Identity Statements (RIB) via, for example, FranceConnect and FranceConnected APIs”.
In defense of the DGFiP in this case it would be a request that seems legitimate. Let me explain: in a case of legitimate use, taxes or inspectors can ask account holders to have access to all these bank accounts; to facilitate this technical access, the DGFiP must acquire the PSD2 technology used by fintechs and the banks themselves, such as Linxo or Bankin, for example. To ensure compliance and privacy, the holder must therefore give their consent to Bercy to do so. Bercy's request according to this hypothetical scenario could have been legitimate. But the poignant criticism of the DINUM against Bercy proves to us that this was not the case...
The European directives most likely concern the 5th Directive, known as AML, aims to transpose the fifth anti-money laundering directive and the financing of terrorism adopted thanks to an initiative led by France, following the attacks of November 13, 2015. This directive concerns reporting obligations for banking establishments, rental of safes, agents and beneficial owners, etc.
In conclusion, Bercy admitted that it has considered having direct and real-time access to the balances of more than 80 million individuals. In addition, it is almost certain that Bercy requested access without consent to all banking operations. The excuse to say that the request was only for the number of these transactions to confirm whether the account is still active or not is ridiculous because they already have this data in FICOBA 2! In any case, it seems that the subject is no longer relevant, as we have been able to attest this from our reading of the FICOBA 3 specifications of July 2022.
To go further, the crypto ecosystem has of course taken up this information and put it in the spotlight, recalling that cryptocurrencies can provide this privacy in the face of state and European projects. Moreover, FICOBA's sister files in Europe are already synchronized to cover all account information everywhere in Europe, so much more than the 80 million in France! The question about the guarantee of privacy protection becomes legitimate also with the centralization of the future Central Bank Digital Currency for individuals. The digital Euro is not yet here, and the European Central Bank has clearly understood the message that the citizen is primarily concerned with “privacy” and current work is moving in this direction. We are then invited to trust the central bankers ... who wish to delegate this access to the banks ... which in turn will report this sensitive information to the best trusted third party there is: the government! For those looking for an alternative, cryptocurrencies do not automatically provide this solution. The MiCA regulation has already ensured this result to protect the banking sector with the motto “same risk same rules”.
But for those who still value privacy, blockchain and crypto may be the best solutions for both citizens and even states. For this you have to train and you will find this information in the online Valuechain training which gives all the keys to adopting the current blockchain revolution in the most profitable way possible. The entire FICOBA ledger can be integrated with distributed ledger technologies, and its anti-money laundering and anti-terrorism functions can be automated to a distributed trusted third party through smart contracts but with all the privacy guarantees of tens of millions of people. If the real reason is the fight against terrorism and money laundering, the blockchain is a powerful weapon to be completely adopted by States but without the price to pay being our privacy!