KYC, KYB & AML compliance checklist
Morocco KYC, KYB & AML
A practical implementation checklist for regulated businesses operating in Morocco, with a focused overlay for banks, payment institutions and other entities supervised by Bank Al-Maghrib. It converts customer due diligence, beneficial ownership, remote onboarding, suspicious reporting, sanctions, monitoring, records and data-protection duties into operational controls and audit evidence.
- Reviewed
- 15 July 2026
- Version
- 1.0
- control areas
- 7
- implementation checks
- 42
Direct answer
What does the Morocco compliance checklist cover?
The Morocco checklist translates primary KYC, KYB and AML rules into 7 control areas and 42 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Financial intelligence unit
- Autorite Nationale du Renseignement Financier (ANRF)
- Banking and payments supervisor
- Bank Al-Maghrib
- BAM beneficial-owner threshold
- More than 25%, plus effective control
- Suspicion reporting
- Immediately once suspicion exists
- Record retention
- 10 years under the AML framework
- FATF public list
- Not listed as of 19 June 2026
Implementation detail
Morocco compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Applicability and governanceMap every regulated activity, assign accountable governance and operate an appropriately resourced AML/CFT control framework.6 items+
Map the national and sector perimeter
- Implementation action
- Document every reporting entity and activity subject to Law No. 43-05. Map credit institutions, assimilated bodies and supervised financial conglomerates to Bank Al-Maghrib; currency-exchange companies to the Office des Changes; capital-market entities to AMMC; and insurance, reinsurance, insurance intermediaries, qualifying pension institutions and supervised financial conglomerates to ACAPS. Map lawyers, notaries and adouls to the governmental authority responsible for justice; offshore holding companies, chartered and accredited accountants to the governmental authority responsible for finance; casinos and gambling establishments jointly to the governmental authorities responsible for interior and finance; real-estate agents to the governmental authority responsible for housing; and dealers in precious metals, stones, antiquities and art to Customs and Indirect Tax Administration. ANRF supervises entities for which no other authority is designated. Apply Article 5's activity-specific DNFBP scope and its MAD 30,000 casino and MAD 150,000 cash-dealer thresholds.
- Evidence to retain
- Entity-perimeter memo, licence inventory, activity and threshold matrix, supervisor mapping and named obligations owner
- Primary citation
- Law 43-05, arts. 5 and 13.1, as amended by Law 12-18
Apply the correct Bank Al-Maghrib overlay
- Implementation action
- For a Bank Al-Maghrib-supervised institution, map Circular 5/W/2017, Directive 2/W/2019 on customer and beneficial-owner identification, Directive 3/W/2019 on the risk-based approach and applicable product, agent, outsourcing, control and reporting rules.
- Evidence to retain
- BAM obligations register, control mapping, legal-change process and implementation owners
- Primary citation
- BAM Circular 5/W/2017; Directives 2/W/2019 and 3/W/2019
Make governance responsible for effectiveness
- Implementation action
- Require the governing and executive bodies to approve the AML/CFT framework, risk appetite, customer-acceptance rules and material remediation; receive meaningful management information; and ensure the control function has sufficient authority, independence, people, systems and access.
- Evidence to retain
- Approved framework, committee terms, minutes, resource assessment, dashboards and remediation log
- Primary citation
- Law 43-05; BAM Circular 5/W/2017; BAM/ANRF AML/CFT Guide
Maintain an independent vigilance structure
- Implementation action
- For a Bank Al-Maghrib-supervised institution, maintain an independent structure with sufficient qualified resources to administer vigilance and internal monitoring. It must centralise agency reports, examine unusual or complex transactions within a reasonable period, maintain enhanced monitoring of suspicious and higher-risk relationships, keep executive management continuously informed, liaise with ANRF and have timely access to all required customer and transaction information. Communicate to ANRF the directors and employees authorised to liaise and submit reports, together with the required description of the internal vigilance framework.
- Evidence to retain
- Appointment, organisation chart, mandate, resources, access profile, ANRF liaison notifications, framework description and filing authority
- Primary citation
- Law 43-05, art. 9; BAM Circular 5/W/2017, arts. 7-8
Maintain current policies and procedures
- Implementation action
- Document customer acceptance, identification, beneficial ownership, customer risk, EDD, PEPs, sanctions, unusual activity, ANRF reporting, wires, agents, outsourcing, records, training, assurance and CNDP controls. Update them after legal, product, technology or risk change.
- Evidence to retain
- Policy suite, approvals, regulatory mapping, version history and staff attestations
- Primary citation
- Law 43-05; BAM Circular 5/W/2017
Train, test and remediate
- Implementation action
- Provide continuous, role-appropriate AML/CFT training and regularly assess its effectiveness. For a Bank Al-Maghrib-supervised institution, perform the permanent and periodic controls required over the vigilance framework, policies, procedures, systems and staff implementation, and submit results and remediation plans to the audit committee. Apply independent assurance where required by the institution's control framework or another binding sector rule; otherwise treat independent testing as a recommended control rather than a universal statutory duty.
- Evidence to retain
- Training plan and effectiveness results, permanent and periodic control reports, audit-committee reporting, issue register and closure proof
- Primary citation
- BAM Circular 5/W/2017, arts. 9-11
02KYC and remote onboardingIdentify customers and representatives from reliable sources, understand the relationship and make remote onboarding equivalent to physical presence.6 items+
Identify and verify every relationship
- Implementation action
- Before establishing a relationship, identify and verify the customer, representative and persons acting on the customer's behalf using current, reliable and independent documents, data or information. Prohibit anonymous or manifestly fictitious accounts.
- Evidence to retain
- Identity record, document and database checks, representative authority, verification result and quality review
- Primary citation
- Law 43-05; BAM Circular 5/W/2017, arts. 14-15 and 25
Apply the occasional-customer rule
- Implementation action
- For a Bank Al-Maghrib-supervised institution, identify and verify an occasional customer and the beneficial owner of the transaction regardless of transaction amount, as required by the amended circular. Do not substitute an unsupported general threshold.
- Evidence to retain
- Occasional-customer workflow, identity and beneficial-owner checks, transaction record and exception report
- Primary citation
- BAM Circular 5/W/2017, art. 14, as amended
Understand purpose and expected activity
- Implementation action
- Record the purpose and intended nature of the relationship, occupation or business, products, expected volumes, channels, counterparties, geographies and source of funds where risk requires. Use the profile as the baseline for monitoring.
- Evidence to retain
- Customer profile, expected-activity fields, source evidence, risk rationale and review triggers
- Primary citation
- Law 43-05; BAM Circular 5/W/2017; Directive 2/W/2019
Stop and report failed CDD
- Implementation action
- When identification data are incomplete or manifestly fictitious, do not establish the relationship or execute the operation and immediately submit a suspicion report. If appropriate vigilance cannot be completed for an existing relationship, stop operations, terminate the relationship and immediately report to ANRF.
- Evidence to retain
- Rejected or restricted case, reason code, closure decision, ANRF report and non-tipping-off controls
- Primary citation
- BAM Circular 5/W/2017, art. 26
Make remote identification equivalent to presence
- Implementation action
- Before a bank or payment institution opens accounts remotely, deploy reliable and secure technology that provides risk-based equivalence to physical presence, verifies the authenticity of identity documents, mitigates impersonation and fraud and protects personal data.
- Evidence to retain
- Remote-onboarding design, document-authenticity result, biometric or equivalent control, fraud signals, security testing and privacy assessment
- Primary citation
- BAM Letter Circular 1/DSB/2020, arts. 1-3
Document remote-onboarding compliance
- Implementation action
- Maintain a formal demonstration that the remote-account-opening system complies with Law No. 43-05, Letter Circular 1/DSB/2020 and the relevant FATF new-technology and CDD principles. Reassess after material technology, vendor or fraud-pattern change.
- Evidence to retain
- Compliance assessment, control mapping, approval, test results, change review and vendor oversight
- Primary citation
- BAM Letter Circular 1/DSB/2020, art. 3
03KYB and beneficial ownershipVerify legal existence, authority, ownership and effective control, and reconcile institution-held information with official records.6 items+
Verify the legal person and representatives
- Implementation action
- Verify legal name, form, registration, registered office, principal activity, tax identifiers, licences, constitutional documents, directors or managers, authorised representatives and each representative's authority using reliable independent sources, including OMPIC records where available.
- Evidence to retain
- Registry extract, constitutional records, tax and licence checks, representative authority and discrepancy log
- Primary citation
- Law 43-05; BAM Circular 5/W/2017, art. 15; OMPIC services
Identify natural-person beneficial owners
- Implementation action
- For a company under the Bank Al-Maghrib circular, identify and verify every natural person who directly or indirectly holds more than 25% of capital or voting rights, or exercises effective control by any other means over management, direction, administration or the general meeting. Identify the natural person for whose account an activity or transaction is conducted.
- Evidence to retain
- Ownership chart to natural persons, percentages, control analysis, identity verification and account-beneficiary assessment
- Primary citation
- BAM Circular 5/W/2017, art. 1, as amended
Apply ownership tests beyond companies
- Implementation action
- For another legal person or legal arrangement, identify the natural persons with rights over more than 25% of assets, those expected to acquire such rights under a legal instrument, and every person who ultimately controls the structure. Apply the trust or arrangement-party requirements relevant to the legal form.
- Evidence to retain
- Legal-form analysis, constitutional or trust instruments, asset-rights map, controllers and verification records
- Primary citation
- BAM Circular 5/W/2017, arts. 1 and 15
Use the beneficial-owner register as a source, not a substitute
- Implementation action
- Obtain available beneficial-owner information through the OMPIC-managed register and compare it with the customer's declaration and ownership evidence. Resolve missing, stale or inconsistent information before approval and do not treat registry access as replacing independent AML verification.
- Evidence to retain
- RBE request or result, customer declaration, reconciliation, supporting ownership documents and resolved discrepancy
- Primary citation
- Law 43-05 transparency framework; OMPIC Beneficial Owners Register
Verify the licensed business and operating reality
- Implementation action
- Confirm each required licence and compare the stated business to websites, premises, contracts, settlement accounts, customers, counterparties and transaction activity. Escalate shell characteristics, nominee control, unexplained ownership layers and inconsistent revenue or payment flows.
- Evidence to retain
- Regulator and licence check, operating-footprint evidence, website review, account match and escalation decision
- Primary citation
- Law 43-05; BAM Circular 5/W/2017; applicable sector licence
Keep corporate CDD current
- Implementation action
- Refresh registration, ownership, control, representative, licence and business-profile information periodically according to risk and immediately after a material trigger. Re-screen new owners and controllers and recalculate the risk rating.
- Evidence to retain
- Review calendar, registry-change alerts, updated chart, screening, risk decision and overdue restrictions
- Primary citation
- BAM Circular 5/W/2017; Directive 2/W/2019
04Risk, PEPs and targeted financial sanctionsOperate documented institutional and customer risk assessment, enhanced PEP controls and immediate CNASNU sanctions implementation.6 items+
Assess institutional ML/TF risk
- Implementation action
- For a Bank Al-Maghrib-supervised institution, analyse and evaluate ML/TF risk at least annually across customer categories, countries and geographic areas, products, services, operations and distribution channels. Document results, present them to the governing body and implement proportionate limits and controls by product, service, period, transaction, channel and geography. Update sooner after a material risk, product, technology or business change.
- Evidence to retain
- Approved methodology, annual assessment, governing-body record, limits, residual-risk decisions, update log and remediation plan
- Primary citation
- BAM Circular 5/W/2017, art. 5; Directive 3/W/2019
Assign and explain customer risk
- Implementation action
- Classify every relationship using documented factors and defensible data. Ensure higher-risk ratings drive senior approval, deeper source checks, stronger monitoring and more frequent review; control and document overrides.
- Evidence to retain
- Scoring methodology, input data, risk rating, override record, approver and next review date
- Primary citation
- BAM Circular 5/W/2017; Directive 3/W/2019
Identify politically exposed persons
- Implementation action
- Screen customers, beneficial owners, representatives, family members and close associates to determine whether PEP risk applies under the current national and sector definitions. Repeat screening throughout the relationship and after ownership change.
- Evidence to retain
- PEP screening, relationship map, source data, alert decision and periodic rescreening
- Primary citation
- Law 43-05; BAM Circular 5/W/2017
Apply mandatory PEP measures
- Implementation action
- Before establishing or continuing a PEP relationship, obtain the required senior-management approval, take reasonable measures to establish source of wealth and source of funds and apply enhanced ongoing monitoring proportionate to risk.
- Evidence to retain
- Senior approval, source-of-wealth and source-of-funds corroboration, EDD file and monitoring plan
- Primary citation
- Law 43-05; BAM Circular 5/W/2017
Screen current CNASNU and UN lists
- Implementation action
- Register the institution and its permanent correspondents for the applicable CNASNU platform, list-update and notification services. Permanently and systematically screen prospective, existing and occasional customers, beneficial owners, controllers, representatives and every transaction party before onboarding, before executing a transaction and immediately after each CNASNU or UN list update.
- Evidence to retain
- CNASNU registration, correspondent appointments, authoritative-list inventory, update log, screening results, alert decisions and quality assurance
- Primary citation
- Law 43-05, art. 32; Decree 2-21-484; CNASNU Practical Guide
Freeze, prohibit and report without delay
- Implementation action
- For a confirmed or unresolved suspected match, act immediately and without prior notice. Freeze all funds, assets and economic resources owned or controlled directly or indirectly, wholly or jointly, including generated income and assets held through an entity owned or controlled by the designated person or by a person acting on that person's behalf or direction. Prohibit transfer, conversion, disposition, movement, access, establishment of a relationship and direct or indirect provision or availability of funds, assets, economic resources, financial services or related services. Notify CNASNU concomitantly through its prescribed platform of the analysis and measures; maintain them until CNASNU issues the applicable confirmation, exemption, delisting or unfreezing decision. Record attempted transactions and make any separate ANRF suspicion report required by the facts.
- Evidence to retain
- Match validation, freeze and prohibition record, attempted activity, concomitant CNASNU notification, asset-scope analysis, ANRF decision and release authority
- Primary citation
- Law 43-05, art. 32; Decree 2-21-484; CNASNU Practical Guide
05Enhanced due diligenceApply proportionate additional measures to higher-risk customers, products, structures, geographies and counterparties.5 items+
Apply EDD to higher-risk relationships
- Implementation action
- Collect additional identity, ownership, business, purpose, source-of-funds and source-of-wealth information; obtain management approval; increase the frequency and depth of monitoring; and document why residual risk is acceptable.
- Evidence to retain
- EDD checklist, corroborating records, approval, monitoring plan and review date
- Primary citation
- Law 43-05; BAM Circular 5/W/2017, art. 40; Directive 3/W/2019
Control correspondent banking
- Implementation action
- Before opening a foreign correspondent relationship, understand the institution's activities, reputation, quality of supervision, ownership and AML controls; establish responsibilities; obtain required approval; and prohibit shell-bank relationships and uncontrolled payable-through access.
- Evidence to retain
- Correspondent questionnaire, public-source checks, control assessment, approval, agreement and periodic review
- Primary citation
- BAM Circular 5/W/2017, arts. 41-44
Control non-face-to-face and anonymity risk
- Implementation action
- Apply dedicated policies and additional safeguards to products, practices or technologies that do not involve physical presence or may facilitate anonymity. Tie control strength to documented impersonation, fraud, laundering and evasion risk.
- Evidence to retain
- Channel risk assessment, fraud and liveness controls, transaction limits, monitoring and exception review
- Primary citation
- BAM Circular 5/W/2017, art. 37; BAM Letter Circular 1/DSB/2020
Govern agents and outsourced providers
- Implementation action
- Perform pre-appointment due diligence; contract for AML, security, confidentiality, records, incident reporting and audit rights; include agents in the institution's AML/CFT system; monitor compliance; and retain accountability for outsourced controls.
- Evidence to retain
- Due diligence, contract, agent register, training, monitoring, audit results and termination process
- Primary citation
- BAM Circular 5/W/2017, as amended; applicable outsourcing and agent rules
Investigate unusual or complex activity
- Implementation action
- Promptly examine complex, unusually large, linked or otherwise unusual transactions and patterns with no apparent lawful or economic purpose. Document the background and purpose, escalate to the responsible structure and immediately report when suspicion exists.
- Evidence to retain
- Alert, investigation chronology, customer explanation, independent corroboration, decision and ANRF receipt where filed
- Primary citation
- Law 43-05; BAM Circular 5/W/2017, art. 39
06Ongoing monitoring, payments and fintech controlsKeep customer knowledge current, monitor behaviour and preserve complete payment information across the transaction chain.6 items+
Monitor throughout the relationship
- Implementation action
- Monitor transactions against the customer's purpose, expected activity, business, risk and source-of-funds profile. Use scenarios suited to products and channels, link related activity and provide investigators with complete data and case context.
- Evidence to retain
- Monitoring coverage, data lineage, scenario inventory, alerts, tuning, quality assurance and management metrics
- Primary citation
- Law 43-05; BAM Circular 5/W/2017; BAM/ANRF AML/CFT Guide
Refresh on schedule and trigger
- Implementation action
- Update identity, beneficial ownership, business, expected activity, PEP, sanctions and risk information regularly according to risk and after a material trigger, including unusual behaviour, ownership change, new product use, adverse information or document expiry.
- Evidence to retain
- Risk-based review schedule, trigger feed, updated CDD, rescreening, risk decision and overdue dashboard
- Primary citation
- BAM Circular 5/W/2017; Directive 2/W/2019
Carry complete cross-border and domestic transfer information
- Implementation action
- For every cross-border wire or funds transfer sent or received in a relationship or for an occasional customer, regardless of amount, include the required names or legal names of the originator and beneficiary and, where applicable, the beneficial owner; account numbers or traceable unique reference; originator address, customer identifier or date and place of birth; and transaction purpose. Intermediaries must preserve all accompanying information and detect missing fields. Domestic transfers must carry the same information unless it can be made available to the beneficiary institution or competent authority by another method within three business days after request; at minimum carry the originator account or unique reference permitting retrieval.
- Evidence to retain
- Payment-message fields, validation rules, sample domestic and cross-border transfers, three-business-day retrieval test, batch traceability and exception report
- Primary citation
- BAM Circular 5/W/2017, arts. 27-29, as amended
Control incomplete payment information
- Implementation action
- Beneficiary and intermediary institutions must apply risk-based procedures to transfers received without required information. Suspend and request repair within a reasonable period; reject where information is not received within the permitted period; and terminate a correspondent relationship where the originating institution cannot comply. Submit an immediate suspicion report when missing information or surrounding facts create suspicion.
- Evidence to retain
- Repair and reject rules, exception queue, counterparty escalation, termination decision, ANRF report and response-time logs
- Primary citation
- BAM Circular 5/W/2017, arts. 28-29, as amended
Assess new products and technology before use
- Implementation action
- Before launch or material change, assess customer-identification, fraud, cyber, anonymity, sanctions, monitoring, outsourcing, privacy and record risks. Approve proportionate controls and test that compliance evidence is complete and retrievable.
- Evidence to retain
- Pre-launch risk assessment, control design, approval, test results, monitoring plan and post-launch review
- Primary citation
- Law 43-05; BAM Circular 5/W/2017, art. 37; Directive 3/W/2019
Do not infer permission for virtual-asset activity
- Implementation action
- Do not treat draft Law No. 42.25 or announced reform as present authorisation. The 5 April 2022 joint warning by Bank Al-Maghrib, AMMC and the Office des Changes states that use of virtual currencies remains unauthorised in Morocco and may violate current foreign-exchange rules. Do not offer, facilitate or accept virtual-currency activity unless the competent authority confirms the proposed activity is lawful under an enacted and effective framework. Reassess immediately if Law No. 42.25 or another binding framework is enacted and published.
- Evidence to retain
- Current legal opinion, regulator confirmation, product restriction, regulatory-change trigger and monitoring rules
- Primary citation
- Joint Moroccan Financial Authorities Warning, 5 April 2022
07Reporting, records, privacy and assuranceReport suspicion immediately, preserve reconstructable records and obtain the required CNDP clearance before processing personal data.7 items+
Report suspicion immediately
- Implementation action
- Submit a suspicion report to ANRF immediately when the institution knows, suspects or has reasonable grounds under the applicable rule, including linked or attempted activity where reportable. Do not wait for a monetary threshold or proof of predicate crime.
- Evidence to retain
- Case chronology, responsible-person decision time, ANRF report, submission receipt and escalation record
- Primary citation
- Law 43-05, arts. 9-11; BAM Circular 5/W/2017
Prevent tipping off and protect confidentiality
- Implementation action
- Restrict access to reporting information and prevent disclosure to the customer or third parties that a suspicion report or related information has been submitted or is being considered. Use controlled customer communications during holds, exits and information requests.
- Evidence to retain
- Access controls, confidentiality procedure, communication templates, audit log and training
- Primary citation
- Law 43-05, art. 29
Retain AML records for ten years
- Implementation action
- Keep customer and beneficial-owner identity records, transaction data, correspondence, analyses, reports, governance, training and control evidence for the applicable ten-year AML period, measured from the relationship end or transaction as required, and longer under a lawful hold.
- Evidence to retain
- Retention schedule, repository controls, sample retrieval, legal-hold process and deletion evidence
- Primary citation
- Law 43-05 recordkeeping provisions; BAM Circular 5/W/2017
Obtain CNDP processing and transfer clearance
- Implementation action
- Before implementing processing, submit the applicable CNDP prior declaration unless excluded, exempt or subject to prior authorisation. Obtain prior authorisation for sensitive data, change of purpose, offence or conviction data, use of the CIN number and interconnection of files having different purposes. Obtain the CNDP receipt or authorisation for the underlying processing before a foreign-transfer request. Before transferring or hosting data abroad, submit the required transfer filing and document the applicable route: an adequate destination, a specific Article 44 exception, an international agreement, or express reasoned CNDP authorisation supported by appropriate contractual or intra-group safeguards. Do not treat consent alone as a blanket solution for routine or systematic international KYC hosting.
- Evidence to retain
- Processing inventory, CNDP declaration, receipt or authorisation, CIN and sensitive-data assessment, transfer filing, legal route and safeguards
- Primary citation
- Law 09-08, arts. 12 and 43-44; CNDP Conditions and Notification Procedures
Apply purpose, proportionality and transparency
- Implementation action
- Give the required collection notice, specify legitimate purposes, collect only necessary and proportionate data, keep it accurate and current, define retention, support access, rectification and opposition rights and document any AML-law restriction on ordinary rights handling.
- Evidence to retain
- Privacy notices, lawful-purpose register, field minimisation, rights log, retention mapping and AML exception decision
- Primary citation
- Law 09-08; CNDP Conditions
Secure data and govern processors
- Implementation action
- Apply appropriate physical and logical security, confidentiality, access, audit and incident controls. Use contracts and audits to ensure processors and recipients comply with Law 09-08 and the approved purpose, security and transfer conditions.
- Evidence to retain
- Security assessment, access review, processor contract, audit, incident register and remediation
- Primary citation
- Law 09-08; CNDP Conditions
Maintain evidence-led regulatory assurance
- Implementation action
- For Bank Al-Maghrib-supervised institutions, operate the required permanent and periodic controls across onboarding, ownership, customer risk, PEPs, sanctions, remote verification, monitoring, wires, reporting, records, agents and outsourcing. Test CNDP status and privacy controls under the applicable governance framework. Report exceptions and remediation to the audit committee and verify closure; use independent assurance where separately required or adopted by the institution.
- Evidence to retain
- Control inventory, permanent and periodic test scripts, sampled files, metrics, audit-committee reporting and closure proof
- Primary citation
- BAM Circular 5/W/2017, arts. 9-11; Law 09-08

7 control areas and 42 implementation checks, with direct regulatory sources.
Download the Morocco KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Morocco implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.0, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
16 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Consolidated legislative and regulatory texts governing credit institutions, including Law 43-05 and Circular 5/W/2017Bank Al-Maghrib · primary
- AML/CFT public guide, March 2025Bank Al-Maghrib · primary
- Letter Circular No. 1/DSB/2020 on remote account openingBank Al-Maghrib · primary
- National Financial Intelligence Authority official pageMinistry of Economy and Finance · primary
- Beneficial Owners RegisterOMPIC · primary
- Law No. 09-08 on personal-data processingCNDP · primary
- Conditions for processing personal dataCNDP · primary
- Personal-data notification proceduresCNDP · primary
- Law No. 12-18 amending Law No. 43-05CNASNU / Ministry of Justice · primary
- CNASNU reference textsCNASNU · primary
- CNASNU Practical Implementation GuideCNASNU · primary
- Joint warning against use of virtual currencies, 5 April 2022Office des Changes · primary
- National Personal Data Protection RegisterCNDP · primary
- Jurisdictions under Increased Monitoring, 19 June 2026FATF · primary
- KYC Compliance in Morocco 2026VOVE ID · contextual
- Navigating KYB in MoroccoVOVE ID · contextual
Direct answers
Morocco KYC, KYB and AML questions
Who receives suspicious transaction reports in Morocco?+
The Autorite Nationale du Renseignement Financier, or ANRF, is Morocco's financial intelligence unit. Reports must follow its current prescribed channel and format.
What beneficial-owner threshold applies under Bank Al-Maghrib's circular?+
For a company, identify a natural person who directly or indirectly holds more than 25% of capital or voting rights, and anyone exercising effective control by other means. The control test applies even when no one crosses the percentage threshold.
Can banks and payment institutions onboard customers remotely?+
Yes, subject to Bank Al-Maghrib Letter Circular 1/DSB/2020. The technology must provide risk-based equivalence to physical presence, authenticate identity documents, mitigate fraud and protect personal data.
Must a business notify the CNDP before KYC processing?+
A controller must complete the applicable prior declaration or obtain written authorisation before implementing processing. The underlying processing must be cleared before a foreign-transfer request, which must rely on an adequate destination, Article 44 exception, international agreement or express reasoned CNDP authorisation with appropriate safeguards.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.0
This checklist is general compliance information, not legal advice. Law No. 43-05 provides the national baseline, while the Bank Al-Maghrib material used here applies specifically to credit institutions and assimilated bodies, including payment institutions. Capital-markets, insurance, real-estate, legal, accounting and other covered sectors must add the current AMMC, ACAPS or other competent-supervisor rules. Confirm amendments, forms, thresholds, reporting channels and CNASNU decisions against current official Arabic or French texts before implementation.