ARTICLE
5 August 2025

The Liability Of Crypto-Asset Service Providers For Failure To Register With The AMF: Civil Consequences Of Regulatory Noncompliance

GP
Goodwin Procter LLP

Contributor

Goodwin Procter LLP logo
At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
Explore Firm Details
The judgment delivered by the Court of Appeal of Grenoble on 26 June 2025 marks a significant development in the jurisprudence concerning the liability of digital asset service providers (DASPs).
France Technology
Céline Moille

The judgment delivered by the Court of Appeal of Grenoble on 26 June 2025 marks a significant development in the jurisprudence concerning the liability of digital asset service providers (DASPs). In this case, the court found Bitstamp Europe, a major cryptocurrency exchange operating in the EU, liable, not on grounds of technical failure, negligence, or breach of contract, but solely because it had continued to operate a regulated business without being registered with the French Financial Markets Authority (AMF), which was in breach of the legal framework established by the PACTE Act (Plan d'Action pour la Croissance et la Transformation des Entreprises), enacted on 22 May 2019.

The ruling establishes a stand-alone fault of regulatory nature, sufficient to engage civil liability, independently of any operational or contractual failure. It arises within a transitional context between the former French regime under the PACTE Act and the newly implemented EU Markets in Crypto-Assets Regulation (MiCA), which fully took effect in 2024.

The decision is significant as it establishes that a DASP's failure to register, even absent operational fault, is sufficient to trigger civil liability and confirms that noncompliance during the PACTE Act's transitional period can result in unlawful conduct and compensable harm.

I. The Applicable Legal Framework at the Time: The French PACTE Act

Prior to the adoption of MiCA, France had anticipated the need to regulate digital asset services through the PACTE Act. This legislation introduced, for the first time in French law, a dedicated status for DASPs (or prestataire de services sur actifs numériques [PSANs]) under Title IV bis of Book V of the Monetary and Financial Code.

Pursuant to Articles L. 54-10-2 and L. 54-10-3 Code monétaire et financier, any provider offering

  • custody services for digital assets on behalf of third parties, or
  • services for the purchase or sale of digital assets in exchange for legal tender,

was subject to mandatory registration with the AMF. This was part of a broader effort to ensure regulatory oversight of the sector, particularly in the context of anti-money laundering and countering the financing of terrorism.

The transitional provision under Article 86 X of the PACTE Act granted service providers that were already active prior to the law a 12-month grace period from the entry into force of the implementing decrees, ending on 19 December 2020, to comply with the new registration requirement.

II. The Facts: A Theft Facilitated by an Illegally Operated Platform

According to the judgment, a long-standing user of the Bitstamp platform (since 2017), suffered, in November 2021, the unauthorized withdrawal of digital assets valued at €27,950, following a fraudulent connection to his account from an unfamiliar IP address located in Luxembourg.

Although Bitstamp had alerted the user via email on the morning of the breach (11:18 am), warning of unusual activity, the user failed to respond to the warning or freeze their account. Shortly thereafter, the same third party was able to log on again, disable withdrawal confirmations, and transfer crypto assets to an external wallet. The fraudster appears to have had access to the user's email inbox, enabling them to circumvent the platform's two-factor authentication (2FA) system.

The court of first instance (the Judicial Court of Grenoble) dismissed the claim, holding that Bitstamp's liability was excluded by its contractual terms and that the lawfulness of its operations under financial law was irrelevant to the outcome of the dispute.

The Court of Appeal of Grenoble took the opposite view.

III. The Fault Identified: Operating as a DASP/PSAN Without Registration

The appellate court found no technical or operational fault on Bitstamp's part. It noted that:

  • The platform had implemented an alert system for suspicious log-ons.
  • 2FA was properly triggered.
  • The user failed to act upon the warning email.

However, the court focused on the legal irregularity of Bitstamp's operations in France at the relevant time. It found that Bitstamp:

  • Was offering purchase/sale services of digital assets against legal tender.
  • Had not registered with the AMF until 7 February 2023.
  • Had continued to offer services in France after 19 December 2020, in violation of the transitional compliance deadline set by the PACTE Act.

The court concluded that Bitstamp was thus operating illegally when the fraudulent transfers occurred. It stated:

Bitstamp Europe operated this activity illegally. Its failure to suspend such irregular activity enabled [the user] to continue using the platform, thereby allowing the fraudulent withdrawal of his crypto assets. Accordingly, the court held that regulatory noncompliance constitutes a civil fault directly causative of the damage suffered by the client. This ruling affirms that violation of financial regulation alone can ground civil liability, even in the absence of technical negligence.

IV. Remedies Awarded: Compensation in Legal Tender Only

Based on this regulatory fault, the court:

  • Ordered Bitstamp Europe to pay €27,950 to the user, corresponding to the value of the stolen crypto assets at the time of the theft.
  • Rejected the user's request for restitution in Ethereum, on the grounds that cryptocurrencies do not have legal tender status in France.
  • Dismissed the claim for loss of opportunity to benefit from future appreciation of the assets' value, holding that such potential gains are too speculative and uncertain.
  • Awarded €3,000 under Article 700 of the Code of Civil Procedure (covering legal costs) and held Bitstamp liable for all legal expenses at trial and on appeal.

V. Legal Significance: From PACTE to MiCA, the Civil Consequences of Regulatory Breach

This decision is noteworthy in several respects.

First, it recognises a stand-alone regulatory breach — namely, the failure to comply with the mandatory registration requirement — as sufficient to engage civil liability of the DASP/PSAN. This approach decouples civil liability from operational or contractual faults and affirms that the public law obligations imposed on regulated entities have direct private law effects.

Second, the judgment highlights the consequences of noncompliance during the transitional period provided by the PACTE Act. The court's strict reading of the law implies that continued operation past the deadline without registration is not merely irregular — it is unlawful and gives rise to compensable harm.

Third, the ruling comes at a pivotal moment in the evolution of crypto-asset regulation, with the EU's MiCA now fully in force (as of 30 June 2024). MiCA replaces national regimes, such as the PACTE Act, and imposes:

  • A mandatory EU-wide licensing regime for crypto-asset service providers.
  • Harmonised rules on governance, transparency, cybersecurity, and consumer protection.
  • Supervisory responsibility assigned to national competent authorities, such as the AMF in France.

The case of Bitstamp illustrates the challenges posed by the transition from national frameworks to EU regulation, particularly when courts are called to rule on pre-MiCA events under national law.

Conclusion

By establishing that operating a regulated crypto-asset service without prior registration constitutes a civilly actionable fault, the Court of Appeal of Grenoble delivers a strong message: regulatory compliance is not optional, and failure to comply with financial law obligations can result in liability for losses, even in the absence of traditional negligence.

This judgment sets a notable precedent, likely to influence both future case law and the operational practices of DASPs/PSANs. It reaffirms that investor protection is rooted not only in technical safeguards but also strict regulatory adherence, especially in a sector marked by high volatility and low legal predictability.

As MiCA ushers in a new era of harmonised EU regulation, this decision serves as a reminder that violations under prior national frameworks continue to have real legal consequences and regulatory oversight is a cornerstone of legal security in the digital asset economy.

The role of legal counsel is thus essential — both upstream, to ensure full compliance with evolving regulatory regimes, and downstream, to secure the rights of clients affected by unlawful or irregular operations. In a fast-changing legal landscape, the need for specialised legal guidance has never been more pressing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Céline Moille
Céline Moille
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More