KYC Compliance in Morocco (2026): Regulatory Requirements for Fintechs and Payment Platforms

Morocco removed itself from the FATF grey list in February 2023 — and with that came a shift in how seriously regulators treat compliance gaps. Enforcement has increased, reporting obligations are broader, and the bar for "acceptable" onboarding has risen across the board.

This guide covers what KYC looks like specifically in Morocco: which laws apply, who enforces them, what documents are accepted, and where digital onboarding runs into friction. For the underlying KYC framework and system architecture, see our KYC Requirements guide.

The Legal Foundation

KYC in Morocco is built on Law No. 43-05, enacted in 2007 and substantially updated by Law No. 12-18 in 2021. The 2021 amendments are the ones that matter operationally: they introduced mandatory risk-based due diligence, strengthened UBO disclosure requirements, and expanded the list of covered entities.

The key shift from the original law: customer due diligence is no longer a uniform checklist applied to everyone. Businesses must now assess risk at the individual customer level and calibrate verification depth accordingly.

Who Enforces It

Bank Al-Maghrib (BAM) is the primary regulator for banks, payment institutions, and fintechs. In March 2025, BAM and the ANRF jointly published an updated AML/CFT operational guide covering KYC procedures, red flag indicators, and transaction monitoring expectations — this is the most current reference document for supervised entities.

ANRF (Autorité Nationale du Renseignement Financier) is Morocco's Financial Intelligence Unit. It receives suspicious transaction reports, coordinates with law enforcement, and has significantly expanded its cross-border activity since 2023 — in 2024, ANRF handled over 340 international data-sharing requests through Egmont Group and Interpol.

ACAPS covers insurance, AMMC covers capital markets. Both apply KYC requirements aligned with Law 43-05 to their respective sectors.

Who Must Comply

The scope of covered entities under Law 43-05 is broad:

• Banks and credit institutions
• Payment service providers and licensed fintechs
• Insurance companies (ACAPS-supervised)
• Capital markets participants (AMMC-supervised)
• Real estate agents — fully subject to AML/CFT obligations since Decree 2.21.708 (late 2023)
• DNFBPs: accountants, lawyers, notaries, auditors

For most fintechs and payment platforms, BAM is the regulator to align with.

What KYC Actually Requires in Morocco

Identity Documents

For Moroccan nationals: the Carte d'Identité Nationale (CIN) is the standard document. It needs to be current and machine-readable.

For foreign nationals: passport is the primary document. For long-term or high-value relationships, residency documentation may be required depending on the service type.

Risk Classification

Law 12-18 requires explicit risk classification — not just at onboarding, but documented and defensible. Businesses must assess:

• Purpose and nature of the customer relationship
• Source of funds for higher-risk profiles
• PEP status and proximity to politically exposed persons

Simplified due diligence (SDD) is permitted for clearly low-risk relationships, but must be documented. Enhanced due diligence (EDD) is mandatory for high-risk clients, PEPs, and clients from high-risk jurisdictions.

UBO Requirements

Beneficial owners controlling 25% or more of a legal entity must be identified and verified — including indirect ownership chains. This threshold is consistent with FATF standards. UBO data must be kept current; initial onboarding is not sufficient. The full UBO mapping workflow for business clients is covered in our KYB in Morocco guide.

Reporting Thresholds

Cash transactions exceeding MAD 200,000 (~$20,000) trigger mandatory reporting to the ANRF regardless of whether suspicion exists. Suspicious activity must be reported independently of any threshold.

Record-Keeping

Identity and transaction records must be retained for a minimum of 10 years.

Digital KYC in Morocco: What Works and What Doesn't

Morocco does not have a national eID infrastructure, which shapes how digital onboarding works in practice. There's no central identity database to query — verification relies entirely on document capture and biometric confirmation.

What this means operationally:

• Document verification (OCR + authenticity checks) is the primary trust layer
• Biometric liveness detection is needed to confirm the person is the document's rightful holder
• Face matching against the ID photo must be logged for audit purposes

This is exactly where a platform like VOVE ID closes the gap — OCR, liveness detection, and face matching in one API, with full audit logging aligned with BAM evidentiary standards. BAM accepts remote digital verification as equivalent to in-person processes, provided the evidentiary standard is met.

The 2025 BAM/ANRF guide includes specific red flag indicators for remote onboarding — worth reviewing if you're building or auditing a digital KYC flow.

One practical gap: outside major cities, corporate records aren't always fully digitized. For platforms onboarding business clients, registry data may need to be supplemented through Regional Investment Centers (CRIs) or authorized intermediaries.

Language: official documents are issued in Arabic or French. Any verification system needs to handle both.

Where Things Break in Practice

Foreign nationals. CIN works cleanly for Moroccan citizens. For foreign clients — increasingly common in Casablanca's financial sector and cross-border payment corridors — document diversity increases complexity significantly. Passports vary by issuing country, and residency documentation is inconsistent. VOVE ID supports document verification across 190+ countries, which matters for platforms with cross-border flows through Morocco.

PEP exposure. Morocco has a high proportion of family-connected business structures. PEP screening needs to go beyond name-matching to include proximity screening — the ANRF has flagged PEP-adjacent structures as a priority enforcement area.

Crypto. Cryptocurrencies remain domestically banned. A regulatory framework was expected by Q4 2025 — check current BAM guidance for status. Until legislation passes, any crypto-adjacent onboarding requires legal counsel before proceeding.

Real estate sector. Since Decree 2.21.708, real estate agents are now fully within the AML/CFT scope. This is a sector new to structured compliance, which means higher friction and less predictable documentation quality when onboarding real estate clients or partners.

Getting KYC Right in Morocco

Morocco's regulatory environment rewards platforms that treat KYC as an operational system rather than a one-time check. The combination of risk-based requirements, expanding enforcement, and no national eID means that digital verification infrastructure matters more here than in markets with centralized identity databases.

VOVE ID is built for exactly this kind of environment — multi-jurisdiction document support, biometric verification, and audit-ready logging that holds up under BAM scrutiny. If you're building or scaling KYC operations in Morocco, talk to our team to see how it works in practice.

This article is intended for general informational purposes only and does not constitute legal, financial, or regulatory advice. KYC requirements may vary depending on jurisdiction, industry, and specific business circumstances. For up-to-date and binding compliance obligations, readers should refer to the relevant regulatory authorities or consult qualified professionals.