FNC-RF: what does the decree of April 24, 2026 establish?

As the rollout of the National File of Accounts Reported for Fraud Risk (FNC-RF) approaches, the decree of April 24, 2026 clarifies the technical framework of the system for Payment Service Providers (PSPs).

This text, which follows the Labaronne law, sets out the obligations and rules PSPs must follow in managing the system on a day-to-day basis. Below is a summary of the key topics covered.

Which financial institutions are concerned by the system?

All PSPs operating in France are concerned, including credit institutions, payment institutions (excluding AISP/PISP), and electronic money institutions. This obligation also extends to French branches and subsidiaries of foreign PSPs.

The decree also specifies that the system applies in overseas territories, including New Caledonia and French Polynesia.

What is the role of the Banque de France in this system?

The FNC-RF file is administered by the Banque de France, which is responsible for its management and centralization. In practice, it acts as a trusted third party by aggregating reports submitted by PSPs and making them accessible to other connected participants.

What is the role of PSPs?

Each participating PSP must both contribute to the file by reporting suspicious accounts and responding to alerts related to its own accounts, while also leveraging the data within its own fraud detection systems. The system therefore relies on a logic of information sharing, where its value depends directly on the quality and responsiveness of contributions.

How can PSPs connect to the system?

Connection to the FNC-RF can be established either directly, through technical integration with the Banque de France, or indirectly, by relying on a mandated technical service provider.

The decree explicitly frames this second option, specifying that the provider acts on behalf of and under the responsibility of the PSP.

What information must be reported?

The content of alerts is defined. Each report must include an account identifier (IBAN), as well as the BIC code of the account-holding institution. This is complemented by the date of fraud detection, the identified fraud category (e.g. fake advisor scam), and the type of operation concerned (e.g. instant transfer).

The decree also introduces optional additional fields, such as the transaction channel or the source of the fraud. While not mandatory, this information significantly enhances the quality and usefulness of the reports.

When should an alert be created?

The triggering of a report is based on the identification of a suspicious event, as assessed within internal fraud detection systems. This means that each PSP remains responsible for defining its own detection criteria.

While the decree does not set precise conditions, it introduces a key rule: each fraud event must result in a single report.

In practice, if an IBAN has already been reported by another participant, the existing alert should be enriched rather than creating a new one, in order to avoid duplication.

How often must the file be consulted?

Participants are required to consult the central file at least once per day.

How should alerts be handled?

When a PSP is identified as the account-holding institution of a reported IBAN, it must carry out the necessary checks without delay. It must first indicate that an investigation is ongoing by adding a note to the alert, thereby informing the reporting PSP that the case is being handled.

The decree also specifies that, once the analysis is complete, the result must be shared as soon as possible. The account-holding PSP may confirm the fraudulent nature of the account, identify a case of identity theft, or reject the report, for example in cases of misattribution or legitimate accounts.

What should be done if an account has been reported by mistake?

If the reasons for suspecting fraud no longer apply, a deletion request must be submitted. The Banque de France will then remove the report in order to limit false positives and ensure the long-term reliability of shared data.

The decree formalizes an important requirement here: corrective declarations must be made without delay. Each PSP must also update or delete the information within its own local copy of the file.

How long is the data retained?

Data recorded in the FNC-RF is retained for a period of thirteen months from the initial report or its most recent update. The decree also specifies that each provider remains responsible for managing its local copy, particularly with regard to deleting data once this period has elapsed.

Additional archiving obligations may still apply, particularly in relation to anti-money laundering requirements.

What are the obligations towards customers?

The decree reiterates GDPR requirements. Participants must inform account holders of the possibility that their data may be recorded in this file in the event of suspected fraud, for example by updating their terms and conditions.

Finally, PSPs must also inform their customers of how to exercise their rights of access and rectification.