Digital Transformation in Moroccan Banking

Digital transformation in Moroccan banking is the redesign of a financial institution's core systems, payments, customer relationship and decision-making around data and AI, executed inside a regulatory framework run by Bank Al-Maghrib, the AMMC and the CNDP. It is not an IT project. It is a strategy of compliance, data sovereignty and competitiveness.

For a CEO, CIO or CISO at a Moroccan bank, payment institution or financing company, the difficulty is rarely a shortage of technology. It is sequencing the right investments in a sector where every building block (cybersecurity, payments, scoring, data opening) is governed by a specific regulator. This guide translates that Morocco-specific regulatory stack into concrete decisions: what to build, what to buy, what to defer.

Quick answer: succeeding at a bank's digital transformation in Morocco means mapping every initiative against the BAM framework (cyber directive 3/W/16, the CROE reference), Law 09-08 (CNDP), the PCI DSS standard, and the emerging Open Banking and crypto-asset frameworks (draft law 42-25) before you build. Compliance is not a late constraint. It is the first deliverable of the architecture.

What does banking digital transformation in Morocco actually mean?

It is the alignment of four inseparable workstreams. First, modernizing the core banking system and payment rails toward an API-oriented architecture that is ISO 20022-ready. Second, putting data and AI to work for fraud detection, scoring and customer service. Third, compliance, which runs through everything: data protection, cybersecurity, card security. Fourth, change management, without which no tool takes root in daily practice.

What makes Morocco distinctive is the density of its institutional environment. Bank Al-Maghrib (BAM) is the central bank and prudential supervisor of credit institutions, on the foundation of Law 103-12 on credit institutions and similar bodies, which also placed participative (Islamic) banks under its supervision. The AMMC regulates capital markets; the CNDP governs personal data. A transformation that ignores this map fails, not for lack of engineering, but for lack of compliance. For the broader strategic framing, our digital transformation roadmap for Moroccan businesses lays the methodological foundations.

Which regulatory framework must you master before building?

Moroccan banking compliance turns on four pillars that every CIO or CISO should map at the design stage, not after delivery.

Cybersecurity. BAM acts as the sectoral cyber-coordinator for banking under Morocco's cybersecurity Law 05-20 and its implementing decree. The central bank identified the sector's vital infrastructures and reported their list to the DGSSI, and issued directive n 3/W/16 setting minimum cyber rules for financial institutions. To assess the cyber maturity of market infrastructures, BAM adopted the European Central Bank's CROE (Cyber Resilience Oversight Expectations) framework.

Personal data. Customer data is governed by Law 09-08 of 2009, supervised by the CNDP. Any data controller must declare or obtain CNDP authorization, inform data subjects, secure the data, and obtain special authorization for any cross-border transfer. That last point directly shapes cloud and AI-hosting choices. Our Law 09-08 compliance guide details the procedure.

Cards. The PCI DSS standard, maintained by the PCI Security Standards Council and required by Visa and Mastercard, applies to any entity that stores, processes or transmits cardholder data. Moroccan banks, merchants and payment service providers must demonstrate compliance through annual assessment (ROC/AOC).

Should you re-platform your core banking or wrap it?

This is the heaviest decision in the program, and the riskiest. Two paths coexist.

The first is re-platforming: replacing the legacy core with a modern, API-oriented, ISO 20022-ready platform. Credit du Maroc, part of Credit Agricole, took this path in 2021 by selecting Temenos to modernize its core banking and payments, deploying Temenos Transact and an API-first, ISO 20022-ready payments stack supporting instant and real-time payments. This approach maximizes future agility but concentrates migration risk.

The second path wraps the existing core behind an integration and middleware layer, exposing APIs without touching the kernel. Migration risk is lower and the timeline shorter, but the technical debt remains.

| Criterion | Re-platforming (Temenos-style) | Wrapping (middleware/API) | |---|---|---| | Migration risk | High | Low | | Time to value | Long | Short | | Future product agility | Maximal | Bounded by legacy | | Upfront cost | High | Moderate | | Best fit | Universal bank in structural overhaul | Institution prioritizing time-to-market |

The right choice depends on your horizon. A structural overhaul justifies re-platforming; a need to launch a service quickly justifies wrapping, with the option to re-platform later.

Which AI use cases offer the most defensible ROI?

Not all AI promises are equal in a regulated banking context. The most defensible use cases are those where value is measurable and where the regulator expects rigor, not opacity.

Fraud detection and AML transaction monitoring lead: the cost of fraud is tangible, and automation reinforces compliance obligations that already exist. KYC and identity automation cuts onboarding times while securing the entry into relationship. Credit scoring for underbanked populations opens a real market, in the logic of the National Financial Inclusion Strategy. Finally, customer-service automation (bilingual French/Arabic) absorbs volume without degrading the relationship.

The discipline is to stay at the level regulators will accept: a scoring or fraud model must be explainable and auditable. Deployments must be designed for CNDP requirements from the outset. To frame these choices, our AI transformation offering always starts from the regulator-compatible use case, never from the tool.

How do you build on customer data without breaching the CNDP?

This is where most AI programs derail. Training a model on customer data requires a legal basis, and Law 09-08 imposes precise obligations: prior CNDP declaration or authorization, informing data subjects, securing the data, and special authorization for any cross-border transfer.

That last rule has a direct architectural consequence. If your AI vendor or your cloud hosts the data outside Morocco, you enter the cross-border transfer regime, which requires specific authorization. The Maroc Digital 2030 agenda, presented in September 2024 by the Ministry of Digital Transition and Administrative Reform, also points toward a sovereign-cloud direction. For the most sensitive data, local hosting becomes a design criterion, not a mere preference.

The practical rule: govern the data before you exploit it. Map which data may leave the territory, which must stay local, and document the legal basis for every processing operation. Our enterprise data security and compliance guide details this governance.

What does the opening of CMI acquiring change for your payments strategy?

The Moroccan payments market is in the middle of a major reshuffle. The Centre Monetique Interbancaire (CMI), created in 2001 by Moroccan banks to operate card-payment processing and the national card switch, was long quasi-monopolistic in merchant acquiring. It is now being opened to competition: its merchant portfolio is being transferred to several payment institutions.

In December 2025, Morocco's Conseil de la concurrence was notified of the transfer of CMI's merchant portfolio to six payment institutions: Maroc Traitement de Transactions (M2T, BCP), Al Filahi Cash (Credit Agricole du Maroc), CDM Pay (Credit du Maroc), Lana Cash (CIH Bank), Attijari Payment and Naps, with transfer deadlines extended into early-to-mid 2026.

In parallel, mobile payment was officially launched on 13 November 2018 by BAM and the telecom regulator ANRT, with interoperable wallets (M-Wallet). Telecom operators followed: inwi launched "inwi money" on 3 September 2019, and Orange Maroc launched Orange Money after BAM approval. Card and mobile interoperability runs on HPS Switch, operated by Hightech Payment Systems (HPS), the vendor behind the PowerCARD platform; the mobile-payment switch has been operational since December 2018. For a bank or a merchant, this means rethinking acquiring, switching and wallet strategy in a market that is now competitive.

How do you prepare for Open Banking and the crypto framework?

Two frameworks under construction are redrawing the medium-term horizon. Anticipating them now means not having to rebuild in eighteen months.

Open Banking is advancing. BAM announced the designation, by end-2025, of a specialized firm to oversee its implementation via a dedicated legal framework, and in December 2025 published an official guide on the approval pathway for fintech project holders (payments, credit, fund transfers, fundraising). Open Banking is not yet live or mandatory in Morocco; it is in regulatory design. The right posture is to treat your compliance APIs, starting now, as future product channels rather than cost centers.

On crypto-assets, Morocco is preparing draft law 42-25, elaborated by the Ministry of Economy and Finance with BAM and the AMMC. Modelled on the EU's MiCA regulation, it would put stablecoin issuance under BAM and crypto markets and service providers under the AMMC, while excluding NFTs, DeFi, mining and central bank digital currency (CBDC) from scope. A caution: this is a bill under legislative process, not enacted law. BAM also launched exploratory CBDC studies in 2021, but no "digital dirham" exists to date.

Financial inclusion: regulatory burden or revenue line?

Financial inclusion is too often seen as an obligation. It is in fact a market. The National Financial Inclusion Strategy (Strategie Nationale d'Inclusion Financiere, SNIF), adopted in 2019 as a joint initiative of the Ministry of Economy and Finance and Bank Al-Maghrib, is organized around seven strategic pillars and targets youth, women, rural populations and very small enterprises.

The levers already exist: interoperable mobile payment, M-Wallet, and the HPS Switch for interoperability. A bank that designs low-cost, smartphone-distributed products can profitably reach the rural, female, youth and very-small-enterprise segments that the traditional branch network serves poorly. The three large groups, Attijariwafa Bank (ranked first in Morocco and North Africa by market value), Banque Centrale Populaire (BCP) and Bank of Africa, have the networks and the payment subsidiaries to do this at scale.

The strategic calculation is simple: turn an inclusion obligation into low-marginal-cost customer acquisition, through digital. Our digital consulting engagement helps model these revenue lines.

Build, buy or partner to ship faster?

The final decision is organizational. Three paths: build in-house, buy a vendor solution, or partner with a local specialist. Success rests on change management as much as on technology; resistance to change remains the leading cause of failure, as covered in our guide on overcoming resistance to change.

| Institution profile | Recommended approach | Why | |---|---|---| | Large group with mature IT | Re-platforming + AI partner | Risk-absorption capacity, need for durable agility | | Mid-cap bank, time-to-market critical | Buy + wrap the legacy | Fast value, controlled migration risk | | Payment institution / fintech | Local AI-first partner | Regulator-aligned delivery faster than internal IT | | Cautious explorer | Targeted pilot (fraud or KYC) | Low-risk learning before scale |

A local AI-first partner often delivers regulator-aligned solutions faster than internal IT, with bilingual (FR/AR) deployment and genuine change management. The rule is not to build everything or buy everything, but to sequence.

FAQ

Which regulators supervise a bank's digital transformation in Morocco? Bank Al-Maghrib supervises banks, credit institutions, participative banks and payment institutions, and coordinates sector cybersecurity. The AMMC regulates capital markets. The CNDP enforces Law 09-08 on personal data. The DGSSI is the national cybersecurity authority, the ANRT the telecom regulator, and the Conseil de la concurrence reviews market operations in payments, such as the CMI acquiring redistribution.

Is Open Banking mandatory in Morocco today? No. Open Banking is in regulatory design, not live or mandatory. BAM announced the designation of a specialized firm to oversee its implementation via a dedicated legal framework, and in December 2025 published an approval guide for fintech project holders. The recommended posture is to anticipate by treating compliance APIs as future product channels rather than cost centers.

Is the crypto-asset law 42-25 in force? No. Law 42-25 is a draft bill under legislative process, elaborated by the Ministry of Economy and Finance with BAM and the AMMC, modelled on the EU's MiCA regulation. It would put stablecoins under BAM and crypto markets under the AMMC. No digital dirham (CBDC) exists; BAM only conducted exploratory studies in 2021, and CBDC is explicitly excluded from the bill.

Should you replace your core banking or wrap it? It depends on your horizon. Re-platforming (for example via Temenos, the path Credit du Maroc took in 2021, with an API-first, ISO 20022-ready architecture) maximizes agility but concentrates migration risk. Wrapping the core behind an API layer reduces risk and time at the cost of lingering technical debt. A structural overhaul justifies re-platforming; a time-to-market imperative justifies wrapping.

Which customer data may leave Morocco to train an AI model? Law 09-08 subjects any cross-border transfer of personal data to special CNDP authorization. If your AI vendor or cloud hosts the data outside Morocco, you enter that regime. For sensitive data, and given the sovereign-cloud direction of Maroc Digital 2030, local hosting becomes a design criterion, to be documented alongside the legal basis for each processing operation.

Sources

Last verified: 17 June 2026.

• Bank Al-Maghrib (bkam.ma): Law n 103-12 on credit institutions, National Financial Inclusion Strategy (SNIF, 2019 report), Open Banking and the fintech approval guide.
• Ministry of Economy and Finance (finances.gov.ma).
• AMMC (ammc.ma): capital-markets regulation.
• CNDP (cndp.ma/loi-09-08): personal-data protection.
• FNH.ma (Finances News Hebdo): banking cybersecurity, BAM directive 3/W/16, adoption of the CROE framework.
• Medias24 and Le360.ma: redistribution of CMI's merchant portfolio (December 2025); draft law 42-25; "inwi money" launch (3 September 2019).
• CIO Mag and Jeune Afrique: M-Wallet mobile-payment launch (13 November 2018).
• Orange Group Newsroom: Orange Money Morocco.
• Wikipedia FR and Le360.ma / FNH.ma: Centre Monetique Interbancaire; Hightech Payment Systems and HPS Switch.
• Temenos (temenos.com): Credit du Maroc core-banking modernization.
• PCI Security Standards Council (pcisecuritystandards.org): PCI DSS standard.
• CGEM.ma and Le Desk: Maroc Digital 2030 launch (September 2024).
• Barlamane.com and Zonebourse: crypto draft law 42-25 and BAM CBDC studies.

The takeaway: in Moroccan banking, compliance is not the brake on transformation, it is the architecture; start sequencing your regulator-compatible investments today by talking to our consultants.