
Circulation of information covered by banking secrecy

Banking secrecy, the cornerstone of the relationship of trust between a bank and its customer, is governed by article L. 511-33 of the French Monetary and Financial Code. This principle protects confidential information entrusted to the bank. However, the increasing complexity of financial transactions and the need to combat certain abuses have led the legislator to make exceptions and define the conditions for the circulation of this sensitive information. Understanding these mechanisms is essential for both customers and professionals in the sector.

Banking secrecy within financial groups

The organisation of banks into groups of companies raises specific questions about the circulation of information internally. French and European law has had to adapt to reconcile the need for consolidated risk management with respect for customer confidentiality.

Exchanges between establishments in the same group

Within a banking group, the need for global management, in particular for accounting consolidation (required by EU Regulation 575/2013) and risk assessment (Directive 2013/36/EU - CRD IV), implies exchanges of information between the various entities (parent company, subsidiaries). The Conseil d'Etat has validated this internal sharing when it meets legitimate management purposes, considering that the group's interest may justify a controlled circulation of data (CE, 20 June 2018, no. 408185). However, these exchanges must remain limited to the information strictly necessary for these management and prudential control purposes.

Notion of "shared secret"

The concept of "shared secrecy" allows, under strict conditions, the communication of confidential information between professionals subject to the same obligation of secrecy, without requiring the customer's prior consent. This concept, clarified by case law (Cass. com., 28 April 2004, no. 02-15.054) and regulated by the regulatory authorities (ACPR, CNIL), assumes that the professionals involved are working towards the same legitimate and defined goal. Article L. 511-33 of the French Monetary and Financial Code sets out the cases in which such sharing is authorised. Apart from these specific cases, customer consent remains the rule. The concept of banking secrecy in France is based on this delicate balance.

Legal cases of communication without customer consent

Article L. 511-33 of the French Monetary and Financial Code lists seven specific situations in which information covered by confidentiality may be circulated without the customer's explicit consent. These exceptions are to be interpreted strictly.

Credit transactions

The very nature of credit transactions justifies certain sharing of information:

  • Risk assessment: Banks may exchange information on a borrower's creditworthiness to assess the risk associated with a new loan (Cass. com., 11 April 2018, no. 16-13.107).
  • Loan syndication (banking pools): In the context of syndicated loans, the information necessary for the smooth running of the pool may circulate between the participating banks, in compliance with prudential rules (Decree of 3 November 2014 on internal control).
  • Securitisation of receivables: EU Regulation 2017/2402 allows the transmission of data relating to securitised receivables, but strictly regulates this information to protect the privacy of debtors.

Acquisitions of participating or controlling interests

When an entity plans to acquire a stake in or control of a credit institution, investment firm or finance company, the information needed to assess the target may be disclosed. This arises from the acquirer's duty of due diligence (Article L. 511-12-1 CMF) and the requirements of the regulatory authorities (ECB, ACPR) for approval of the transaction.

Disposal of assets or business goodwill

The sale of a financial institution's assets or business may require the disclosure of information covered by confidentiality to enable the purchaser to assess what he is buying.

Assignment or transfer of receivables or contracts

Similar to securitisation, the simple assignment of receivables or the transfer of contracts (such as a loan portfolio) authorises the disclosure of the information necessary for the acquirer to assess the value and risks of the assets transferred.

Major service contracts (outsourcing)

When a bank outsources an important operational function (IT management, debt collection, etc.), it can pass on the necessary information to the service provider. Three strict conditions apply: a robust contractual confidentiality clause, limitation to strictly essential data, and a clearly defined and legitimate purpose (Decree of 3 November 2014, art. 104; GDPR, art. 5.1.b). The banker may be held liable if these conditions are not met. Consulting a lawyer for the protection of banking data can be judicious in case of doubt.

When studying or drawing up contracts or intra-group transactions

Within the same group, entities can exchange information when preparing contracts or joint operations. The aim of this facility is to enable effective collaboration while maintaining confidentiality outside the group.

Communication to rating agencies

Banks may disclose information to CRAs for the specific purpose of rating financial products (Article L. 511-33, I, para. 3 CMF). This disclosure is subject to certain restrictions: it must be used exclusively for rating purposes (EU Regulation 462/2013), with a preference for aggregated data where possible (ESMA Recommendation), and the CRA is prohibited from retransmitting this information.

Conditions for customer consent

Apart from the seven legal cases provided for in article L. 511-33, the communication of information covered by banking secrecy requires the prior, express and specific consent of the customer.

Free, specific, informed and unambiguous consent

The General Data Protection Regulation (GDPR), applicable to personal data held by banks, has strengthened the requirements for consent (Article 4(11)) and information (Article 13). To be valid, consent must be:

  • Free: The customer must not be subjected to any constraints.
  • Specific: Given for a specific purpose. A general consent for any future communication is not valid.
  • Informed: The customer must receive complete and comprehensible information on:
    • The precise nature of the data to be communicated.
    • The exact identity of the recipients or categories of recipients.
    • The exact purpose of the communication.
    • The possibility of withdrawing consent at any time.
  • Unambiguous: Manifested by a clear declaration or positive act (tick box not pre-ticked, dedicated signature). The absence of opposition does not constitute consent.

Recent case law (Cass. com., 12 June 2012, no. 11-18.852; CA Paris, 21 March 2019, no. 17/01328) and CNIL recommendations (Délib. no. 2018-303) confirm this strict interpretation. Failure to comply with these conditions renders the communication unlawful and may engage the banker's liability.

Problems of general clauses in adhesion contracts

Banks' general terms and conditions often contain clauses that allow information to be passed on widely. These clauses pose a problem in terms of the requirements of consent:

  • Risk of unfair terms: A clause that is too general, authorising the indiscriminate sharing of information for no specific purpose, may be deemed unfair within the meaning of Article L. 212-1 of the Consumer Code (CCA Recommendation no. 2019-01).
  • Lack of sufficient information: Information buried in voluminous general terms and conditions may not satisfy the requirement for informed consent (TGI Paris, 28 May 2019, no. 18/03996).
  • Lack of specific, unambiguous character: A general clause accepted globally when the account is opened does not amount to the specific consent "on a case-by-case basis" required by Article L. 511-33 for communications outside the legal exceptions. The Court of Cassation invalidates consents not specifically obtained (Cass. civ. 1ère, 3 July 2018, no. 17-15.884).

It is therefore essential for customers to be vigilant about the scope of the authorisations they sign and for banks to review their practices in order to obtain consents that comply with current legal and regulatory requirements, in particular by detailing the legal division information.

For a specific analysis of your situation or if you suspect that your banking information has been disclosed inappropriately, our firm can assist you.

Sources

  • Monetary and Financial Code, in particular article L. 511-33
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)
  • Law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms
  • Order of 3 November 2014 relating to the internal control of companies in the banking sector
  • Case law cited by the Cour de cassation and Courts of Appeal
  • Deliberations and recommendations of the CNIL and the ACPR
