Morocco has released a draft framework to bring crypto and broader digital asset activity into a supervised environment. For operators, banks, and partners looking at North Africa, this is the signal to prepare governance and controls so you can move quickly once rules are final.
Snapshot of the draft:
- Licensing and supervision for virtual asset service providers operating in or from Morocco.
- AML and CFT obligations with stronger record keeping and risk management.
- Consumer protection and disclosures to raise conduct standards.
- Custody and safeguarding expectations for client assets.
- Inspection and enforcement powers for regulators.
Who this affects:
- Exchanges, brokers, custodians, payment and transfer providers.
- Tokenization and platform teams serving Moroccan users or using Moroccan partners.
- Banks, fintech's, and corporate treasuries evaluating digital asset products.
Why it matters:
Clear rules reduce counterparty risk, unlock bank relationships, and make it easier to work with auditors and international partners. Teams that treat this as a readiness window now will be able to launch faster when the framework is in force.
Core obligations to plan for:
- Licensing: eligible entity type, fit and proper requirements, governance, local presence, and ongoing conditions.
- AML and CFT: KYC flows, sanctions screening, monitoring, investigations, and SAR processes.
- Client asset protection: segregation, reconciliation, insurance where applicable, and incident response.
- Disclosures and conduct: fair marketing, risk statements, conflicts management, and complaints handling.
- Record keeping and reporting: data retention, audit trails, and periodic returns to regulators.
Practical readiness checklist:
-
Confirm scope and entity form
Map your products against the draft definitions. Confirm the company form you will use and any need for a local presence. - Design your licensing pack Prepare governance charts, key policies, risk and compliance programs, and board approvals.
-
Tighten AML and CFT controls
Standardize KYC data, sanctions lists, monitoring rules, case management, and escalation paths.
-
Safeguard client assets
Set up segregation, entitlement models, reconciliation routines, and insurance. Document how keys, whitelists, and approvals are handled. -
Build inspection-ready records
Define how you store evidence of onboarding, transaction reviews, valuations, and customer communications. -
Align with banks and auditors
Share your control set, reporting packs, and incident playbooks so onboarding does not stall later. -
Run a limited pilot
Test end to end with small balances. Validate that reports reconcile and that approvals work as designed.
What banks and partners should consider:
- Counterparty due diligence should include licensing status, AML and CFT effectiveness, asset segregation, and recovery planning.
- Update product governance to reflect digital asset custody, valuation, and disclosures.
- Align incident response and customer communications across the value chain.
Risks and pitfalls to avoid:
- Treating compliance as a paperwork exercise rather than a daily control environment.
- Weak evidence for KYC decisions and transaction monitoring.
- Missing segregation or poor entitlement controls for client assets.
- Vague marketing and risk disclosures that create conduct exposure.
Key watch items:
- Final definitions of in-scope services and any exemptions.
- Timelines for license applications and transitional arrangements.
- Specific reporting formats and thresholds for AML and consumer protection.
- Coordination between financial and market conduct regulators.