AMF Gives Banque Chaabi du Maroc a €250k Penalty for Critical AML Deficiencies

chaabi maroc aml deficiencies transaction monitoring suspicious activity reporting

This image is AI-generated.

A long pattern of weaknesses in anti-money laundering controls led the ACPR to issue a €250k fine and a public reprimand against Banque Chaabi du Maroc, also known as Banque Populaire du Maroc, after inspectors uncovered persistent shortcomings in risk management, client monitoring, suspicious activity handling and internal oversight. The case shows how structural AML deficiencies can build up over time and ultimately expose a bank to sanctions when issues remain unresolved despite repeated warnings and remediation projects. It also illustrates how weaknesses in surveillance tools, customer classification and reporting obligations can combine to increase exposure to money laundering risks, particularly for institutions managing large volumes of remittance flows.

The findings surrounding the institution show how unaddressed AML deficiencies become a systemic risk in their own right. Large backlogs of alerts, misclassification of frequent users as occasional customers, inconsistent handling of suspicious operations, and limited oversight of foreign branches created an environment where suspicious transactions were not escalated on time. In parallel, flaws in the configuration and oversight of monitoring tools reduced the bank’s ability to detect and analyze high-risk behavior. These weaknesses materialized despite earlier sanctions, repeated inspections and significant investments in rebuilding the compliance framework.

The case illustrates challenges faced by institutions handling cross-border retail transfers and serving niche expatriate communities where volumes, repetitive flows and operational pressures can overwhelm under-resourced compliance functions. Regulatory expectations in this space emphasize prompt alert handling, fully updated customer profiles and rapid escalation when operations deviate from expected behavior. Here, those expectations were not met, and the cumulative impact triggered formal enforcement action.

AML Deficiencies in the Management of Transaction Alerts

The most critical issue highlighted during the supervisory review concerned the bank’s inability to process alerts generated by its monitoring systems within reasonable timeframes. Over sixty percent of alerts raised during the review period remained unresolved, representing tens of thousands of unexamined signals linked to transfers and account activity. A backlog of this scale directly compromises the bank’s ability to identify potential money laundering schemes or unusual fund movements. Regulators expect timely analysis of all alerts, regardless of the underlying risk rating, because delays effectively create blind spots that criminals can exploit.

The backlog covered a period of more than a year in which many alerts were left untouched or insufficiently documented. Although the bank argued that the surge was caused by temporary changes in scenario configuration and that a significant proportion related to a small cluster of clients, the regulator determined that these explanations did not diminish the severity of the risk. Alert systems must be calibrated to produce manageable, risk-proportionate signals, and staff must be equipped to handle the volume. The existence of a parallel screening tool designed to block suspicious transfers before execution did not relieve the bank of the obligation to analyze post-event alerts. If transactions were genuinely high risk, they should not have passed through the pre-execution filter in the first place.

By the time inspectors arrived, the backlog remained largely untouched. Although the bank later deployed additional staff and resolved the stock of alerts months after the inspection period, the regulator concluded that the institution had allowed a material AML deficiency to persist for an extended period. Such delays undermine the purpose of regulatory frameworks designed to prevent financial crime by ensuring that suspicious patterns are identified early, escalated appropriately and, when relevant, reported without delay.

Weak monitoring systems also create regulatory exposure because they conflict with statutory duties requiring continuous vigilance throughout the client relationship. In this case, the backlog also meant that underlying scenarios had been generating unreviewed alerts for more than a year, raising concerns about whether the bank’s modelling, risk scoring and thresholds were adequate to begin with. When core surveillance processes fail, the entire AML framework becomes compromised, as timely detection and reporting are fundamental pillars of compliance.

The regulator emphasized that the institution had already been warned years earlier that its monitoring tool was poorly calibrated. The persistence of the issue suggested that the bank had not fully embedded the necessary fixes within its risk management approach. Even when staffing constraints, operational pressures or scenario migrations create temporary challenges, institutions must ensure continuity of oversight. Failure to do so results in the type of systemic AML deficiencies observed here.

Client Due Diligence Failures Affecting Customer Classification and Monitoring

The regulator also identified significant issues in how Banque Chaabi du Maroc classified and monitored customers involved in frequent transfers. Internal policy required requalifying any individual performing a certain number of transfers within a rolling twelve-month period as a customer under an ongoing business relationship. Once that threshold was reached, additional due diligence, updated financial information and more detailed transaction monitoring became mandatory. However, multiple individuals exceeding these thresholds were still labelled as occasional users, meaning the bank should have applied far more comprehensive checks than those documented.

This misclassification affected clients who conducted several transfers with cumulative values reaching substantial amounts. None should have remained categorized as occasional customers. The error prevented the bank from obtaining essential financial information, including income and wealth data, which is indispensable for understanding whether users have legitimate sources of funds. Even when identity documents or partial information had been collected, reliance on these elements alone did not meet legal expectations for ongoing monitoring.

The regulator found that the internal control division had previously detected the misclassification issue in a significant proportion of files reviewed months before the inspection. Yet the matter had not been fully remediated, and the errors persisted during the supervisory mission. This indicated a structural problem rather than isolated mistakes. The bank attributed the issue to a technical error in its system parameters, but failed to demonstrate that corrections had been implemented within the necessary timeframe.

This deficiency created a heightened vulnerability because frequent remittance users often present distinct ML-risk profiles. When patterns of recurring transfers emerge without full client knowledge, the risk of misuse for informal value transfer, third-party funding arrangements or cross-border laundering schemes increases significantly. Proper classification ensures that monitoring intensity adapts to client behavior, and failing to adjust classification prevents risk detection at the earliest stages.

Moreover, the regulatory decision underscored that this was not the first time the bank was sanctioned for incorrectly applying the distinction between occasional users and ongoing business relationships. Repetition of the same deficiency over years reinforced the perception that corrective measures were not sufficiently embedded institution-wide. For supervisors, repeated control failures concerning basic client knowledge often signal deeper cultural or operational weaknesses in the compliance function.

These issues also interacted with other deficiencies. When clients are misclassified, the bank’s monitoring engine may apply different parameters, scenarios or thresholds than those used for business relationships. Combined with the significant alert backlog, this created a situation where frequent transfers involving these individuals could have gone unexamined for extended periods. From an AML standpoint, such gaps expose banks to complex cross-border laundering schemes, particularly when combined with community-based remittance flows and high-volume transaction patterns.

Suspicious Activity Handling Failures and Delayed Reporting Obligations

One of the most serious AML deficiencies identified was the institution’s handling of suspicious activity. Legal requirements mandate immediate reporting of suspicious operations once they cannot be prevented. Regulators consider timeliness an essential component of effective reporting frameworks, as delayed submissions undermine the utility of the information for intelligence and enforcement.

During the inspection, Banque Chaabi du Maroc submitted numerous delayed reports concerning operations that should have triggered suspicion years earlier. The average delay exceeded two years, with some cases remaining undeclared for nearly five years. These delays occurred even though the operations in question contained risk indicators that would be recognizable to any experienced compliance team. The institution did not document any valid reason for the delays, nor did it demonstrate that the investigations required unusual time or resources. Instead, the backlog of unprocessed alerts and insufficient staffing were cited as contributing factors. The regulator concluded that such factors were not acceptable justifications, because institutions are expected to maintain sufficient capacity to meet their statutory obligations at all times.

The review also identified instances where suspicious operations were not reported at all, despite evidence showing that internal teams had considered the transfers problematic and had even opted to close accounts. In one case, a client’s personal account received significant transfers originating from an embassy account over which he had exclusive control, raising concerns about potential misappropriation. Although the bank blocked the account, it failed to file a suspicious activity report until long after the inspection period.

Another case involved an individual engaged in multiple revenue-generating activities, including sensitive roles that could give rise to financial crime indicators. The bank carried out enhanced reviews, closed the account and refused certain fund restitutions due to concerns about potential misuse. Despite these actions, no immediate reporting occurred, contravening the legal requirement to escalate without delay when suspicion cannot be resolved.

Failures of this type undermine the core purpose of financial crime reporting frameworks, which rely on timely intelligence to detect criminal networks, identify cross-border movements and prevent the layering or integration stages of laundering. Delayed reporting significantly reduces law enforcement’s ability to intervene during critical windows. In some cases, prolonged inactivity can even facilitate further transactions or additional misuse of accounts while suspicion remains unresolved.

The regulator highlighted that institutions must ensure their internal processes prioritize escalation once suspicion arises. While detailed internal investigations are encouraged, they cannot delay the statutory obligation to report. The bank’s difficulties in handling alerts, combined with misclassified clients and insufficient oversight of foreign branches, created an environment where reporting obligations were not fulfilled in a legally compliant or operationally effective manner.

These deficiencies materially contributed to the enforcement action because suspicious activity reporting is one of the most scrutinized areas of AML programs. When institutions fail to meet these duties, regulators often view the issue as symptomatic of broader structural weaknesses rather than isolated lapses.

Towards Stronger Oversight of AML Frameworks

The case also exposed substantial weaknesses in the bank’s ability to oversee the AML work performed across its foreign branches. Compliance teams at headquarters could not access the monitoring and filtering tools used by certain branches, which meant they relied solely on reports and extracted data. Without direct access, second-level controls could not verify scenario settings, alert handling or the overall reliability of monitoring frameworks deployed in each jurisdiction.

This lack of direct visibility created a fragmented control environment. Branches using separate systems require robust harmonization mechanisms to ensure consistent detection thresholds and similar interpretations of risk indicators. Here, compliance officers at the central level lacked practical tools to confirm that branches applied consistent standards. Such decentralized arrangements can introduce vulnerabilities, especially when branches operate in distinct regulatory environments or service customers with varying profiles. Supervisors expect parent entities to maintain full oversight across all parts of the institution, regardless of technological or organizational structures.

Moreover, the central control plan for the relevant years did not include specific checks on the configuration of the tools used in branches. The absence of coverage over enhanced reviews conducted locally further weakened the global AML assurance framework. These gaps reduce the institution’s ability to guarantee that all branches identify and escalate suspicious activity in a consistent manner.

Structural deficiencies in control design often surface when entities operate across multiple jurisdictions with significant digital fragmentation. When central compliance teams cannot verify the reliability of branch-level monitoring tools, they cannot ensure timely alert review, adequate scenario configuration or consistent risk classification. Fragmentation also complicates remediation efforts, because fixes implemented at headquarters may not be replicated across all systems or may not be fully compatible with local branch infrastructure.

The case demonstrates why integrated control frameworks with unified access to monitoring systems are essential for financial institutions with multi-country operations. Without such integration, systemic AML weaknesses can persist despite significant investments and organizational restructuring. Supervisors consistently emphasize that parent companies remain fully responsible for the AML standards applied across their networks, whether branches or subsidiaries.

Source: ACPR

Some of FinCrime Central’s articles may have been enriched or edited with the help of AI tools. It may contain unintentional errors.

Want to promote your brand, or need some help selecting the right solution or the right advisory firm? Email us at info@fincrimecentral.com; we probably have the right contact for you.