
Financial regulation: a barrier to entry or a lever for growth for start-ups?
Financial regulation as a barrier to entry
Financial regulation, and in particular the process of obtaining authorisations, presents a genuine challenge for most start-ups operating in the field of financial innovation (commonly known as fintechs). This constraint is nothing new.
The regulatory frameworks put in place following the 2008 financial crisis (the subprime crisis) considerably strengthened the requirements and standards applicable to financial intermediation (notably through the adoption of the MiFID II Directive and the prudential regulation resulting from the CRD IV Directive and the CRR Regulation).
The most recent trend, however, has not been the strengthening of existing legal frameworks but rather the relaxation or streamlining of certain rules. This trend has taken the form of legal frameworks designed to be proportionate to the size of start-ups, whose human and technical resources are particularly limited compared with those of established players. Examples include Regulation (EU) 2020/1503 (“Crowdfunding“), which established a harmonised legal framework for crowdfunding within the European Union, Regulation (EU) 2023/1114 (“MiCA“), governing crypto-asset service providers (“CASPs“), and Regulation (EU) 2020/858 (“Pilot Regime“), enabling the creation of trading and settlement platforms using distributed ledger technology.
The MiCA Regulation and the Crowdfunding Regulation remain deliberately less prescriptive and demanding than the MiFID II legal framework on certain points (notably as regards human resources, prudential rules and conduct-of-business rules). CASPs, for example, are subject to a lighter-touch framework in terms of own funds, risk management, market abuse and best execution. Similarly, product governance rules exist under neither MiCA nor Crowdfunding, unlike under MiFID II.
Nevertheless, while the new regulatory frameworks are better suited to the fintech model, they remain highly demanding on certain specific points.
Some regulatory frameworks impose compensatory measures in exchange for derogations from the legal framework governing traditional financial markets. This is notably the case under the Pilot Regime Regulation, which allows, among other things, the settlement-delivery of financial securities on a distributed ledger by way of derogation from ordinary law (Regulation (EU) 909/2014, the “CSDR” Regulation), but only in exchange for significant safeguards on the blockchain.
Furthermore, any company wishing to carry on a regulated activity must, from the very launch of its entrepreneurial project, invest in establishing a robust compliance framework, both in human and technical terms. This makes it possible to put in place key functions that quickly prove decisive to the company’s success.
In particular, all regulated financial services providers are subject to Regulation (EU) 2022/2554 (“DORA“). Regulators are particularly vigilant in enforcing cybersecurity obligations in innovative fields exposed to threats, such as crypto-assets. CASPs are accordingly subject to specific cybersecurity rules that are closely scrutinised during the processing of authorisation applications, with a view to limiting the risk borne by investors. Beyond the performance of audits, the high cybersecurity requirements call for trained staff capable of implementing and monitoring IT security arrangements.
In addition, it is necessary to put in place an organisation comprising a three-tier internal control structure, including a head of internal control and a head of anti-money laundering and counter-terrorist financing (AML-CTF). While certain compliance functions may be carried out by senior executives, they must be trained accordingly and devote sufficient time to both their managerial duties and their compliance responsibilities. It should also be recalled that AML-CTF requirements remain particularly stringent for CASPs, which are subject to specific rules, notably regarding the identification of the source of funds.
While it is possible to outsource certain of these functions, it should not be overlooked that responsibility for the organisation of compliance remains with the company notwithstanding such outsourcing.
Accordingly, given the very high compliance requirements involved, fintechs must prepare for a substantial compliance effort well before the operational launch of their activities.
The conclusion is clear: although the new legal frameworks are designed with the resources and specific characteristics of start-ups in mind, the underlying objective of financial regulation — and of the crypto-asset regulation inspired by it — remains unchanged. It is intended to ensure market integrity, financial stability, investor protection, and sound and prudent governance of companies providing such services, regardless of the category of authorisation the companies concerned seek to obtain.
Financial regulation as a lever for growth
The compliance effort involved can be viewed as a barrier to entry, but also as a competitive advantage, for several reasons:
- The market for companies operating in the sector is cleaned up
Obtaining an authorisation constitutes a selective filter that naturally weeds out players that are insufficiently prepared or lack seriousness. Companies that successfully complete the authorisation process thus operate within a healthier competitive environment, where their peers have demonstrated a minimum level of operational, financial and organisational robustness. This regulatory selection reduces the risk of unfair competition from non-compliant players and strengthens the overall credibility of the sector.
- The legal framework protects against threats (cybersecurity)
The requirements imposed by the DORA Regulation ultimately provide structural protection for companies that comply with them. By investing in robust cybersecurity arrangements, fintechs guard against operational risks liable to jeopardise their clients’ funds, their business and their reputation. This framework compels them to anticipate threats that they might otherwise have overlooked at the launch stage, in favour of product and commercial development.
- Regulation builds trust
Authorisation granted by a recognised regulator (such as the AMF in France) constitutes a strong signal of trust to clients, business partners and investors alike. It attests that the company meets high standards of governance and user protection. This represents a major differentiating advantage in sectors such as crypto-assets, whose image remains mixed among part of the general public and institutional investors.
Furthermore, from the standpoint of European-wide development, the MiFID II, MiCA and Crowdfunding regulations offer a European passport enabling firms to operate across all Member States of the Union on the basis of a single authorisation. This mechanism turns regulatory compliance into a lever for geographic expansion, avoiding the need for multiple applications before national competent authorities. In concrete terms, for a fintech operating under the Pilot Regime, this regulation opens up access to the entire European secondary market for tokenised securities, including SMEs across the Union seeking financing — a commercial potential that authorisation alone makes accessible.
Accordingly, while certain fintech-sector authorisations remain demanding in terms of human and financial investment, they open up, in return, access to high-potential markets that remain relatively uncompetitive. The small number of authorised players to date thus represents, for fintechs able to clear this hurdle, an opportunity to position themselves as pioneers in a market still under construction — with all the advantages that such status confers in terms of image, visibility, partnerships and capture of early flows.








