French Regulators Sanction Banque Chaabi du Maroc After Years of Unresolved AML Weaknesses

A prolonged pattern of failures in anti-money-laundering controls has led the ACPR to impose a €250,000 penalty and issue a public reprimand against Banque Chaabi du Maroc, also operating under the name Banque Populaire du Maroc. Inspectors found entrenched deficiencies throughout the bank’s risk-management setup, customer oversight, alert treatment, and internal supervision. The case illustrates how long-standing AML shortcomings, left uncorrected despite warnings and multiple remediation efforts, can accumulate into systemic failures. It also shows how flaws in surveillance tools, client classification, and reporting processes magnify exposure to laundering risks, particularly within institutions managing heavy remittance activity.

Regulators concluded that years of unresolved issues had effectively created their own systemic threat. Massive backlogs of alerts, recurring misclassification of frequent users as occasional clients, irregular treatment of suspicious transactions, and inadequate control of foreign branches formed an environment where questionable activity was not escalated promptly. At the same time, problems in the setup and governance of monitoring platforms reduced the bank’s ability to detect and interpret high-risk behaviors. These vulnerabilities persisted even after a prior sanction, successive inspections and considerable investments aimed at rebuilding the compliance structure.

The case underscores the pressures faced by banks handling cross-border retail transfers and servicing expatriate communities, where repetitive flows and operational constraints can overwhelm compliance teams. Regulators in this space expect rapid alert treatment, continuously refreshed customer profiles and immediate escalation when activity deviates from established patterns. In this instance, those obligations were not met, and the cumulative effect led to formal enforcement action.

A central failure identified during supervision involved the bank’s inability to process monitoring-system alerts within acceptable delays. More than sixty percent of alerts generated during the review period had not been addressed, leaving tens of thousands of signals tied to account activity and transfers unexamined. Backlogs on this scale fundamentally impair a bank’s capacity to detect laundering schemes or catch abnormal fund movements. Authorities insist that all alerts must be analyzed promptly, regardless of perceived risk, because processing delays create blind spots that criminals may leverage.

The accumulation spanned more than a year, with many alerts not reviewed or improperly documented. While the institution argued that changes in detection scenarios temporarily inflated volumes and that many alerts centered on a limited set of clients, supervisors concluded that these explanations did not lessen the severity. Monitoring frameworks must be calibrated to produce workable volumes, and staff must be able to manage the load. The fact that the bank operated an additional pre-execution screening tool did not exempt it from post-event alert analysis; if transactions were genuinely risky, they should not have passed the preliminary filter to begin with.

When inspectors arrived, the majority of alerts remained unresolved. Although the bank later expanded staffing and eventually cleared the backlog months after the inspection window, regulators found that a material AML weakness had been allowed to persist far too long. Such delays contradict the purpose of regulatory safeguards meant to ensure early identification of suspicious patterns, proper escalation and timely reporting where necessary.

Weak monitoring routines also expose institutions to breach statutory duties requiring constant vigilance across the customer life cycle. In this case, scenarios had been producing unreviewed alerts for over a year, raising questions about the adequacy of modelling, scoring and threshold settings. When essential surveillance functions collapse, the entire AML architecture becomes unstable, as timely alert processing and reporting are foundational obligations.

Authorities stressed that the bank had been advised years earlier that its monitoring system was improperly calibrated. The continued presence of the defect showed that remediation had not been fully incorporated into risk-management practices. Even if operational hurdles or system migrations create temporary strain, institutions must maintain continuous oversight. A failure to do so results in the kind of systemic breakdown seen here.

Regulators also uncovered major shortcomings in customer classification and monitoring processes. The bank’s rules required upgrading any individual conducting a specific number of transfers within a twelve-month period to the status of a customer in an ongoing business relationship. That change triggered enhanced due diligence, updated financial information and more detailed monitoring. Yet numerous individuals exceeding these thresholds remained listed as occasional users, even though they engaged in multiple transfers with substantial cumulative amounts. None should have retained occasional-client status.

This misclassification meant the institution did not gather essential financial data—such as income and wealth indicators—necessary to assess legitimate sources of funds. Even when identity documents or partial details were collected, these did not meet legal standards for ongoing-relationship monitoring. Inspectors found that the internal-control team had previously detected this issue across a significant portion of reviewed files, yet the problem had not been resolved, indicating a deeper structural flaw. The bank attributed the errors to a configuration problem but could not demonstrate timely correction.

Such weaknesses heightened risk exposure, as frequent remittance users often present distinct laundering-risk characteristics. Persistent transfer patterns without full customer understanding increase the likelihood of informal value movements, third-party arrangements or complex cross-border schemes. Accurate classification ensures that monitoring intensity aligns with behavior, and failing to adjust classifications delays risk detection.

Regulators also recalled that this was not the bank’s first sanction linked to misapplication of the divide between occasional users and ongoing business relationships. Recurrence suggested that corrective steps were not firmly embedded. When foundational client-knowledge controls repeatedly fail, supervisors often interpret the situation as a sign of broader cultural and operational weaknesses.

These problems compounded the effect of other deficiencies. Misclassified customers may be subject to different monitoring rules than full-fledged clients, and when combined with sizeable alert backlogs, the bank faced prolonged periods where frequent-transfer activity might not be reviewed. For institutions processing community-driven transfers with high transaction volumes, such gaps significantly increase laundering vulnerabilities.

The review further identified serious shortcomings in suspicious-activity handling. Laws require immediate reporting of suspicious transactions once preventing them is no longer possible. Regulators treat promptness as essential because delays diminish the usefulness of intelligence for enforcement purposes.

During the examination, the bank submitted multiple belated reports concerning transactions that should have raised red flags years earlier. Average delays exceeded two years, with some cases remaining unreported for nearly five. These operations featured indicators that an experienced compliance unit would readily identify as suspicious. The institution provided no valid justification and did not show that analytical work demanded extraordinary time or resources. Instead, staffing shortages and stacked alerts were cited—explanations regulators deemed unacceptable, as banks must always maintain capacity to comply with statutory obligations.

Inspectors also found examples where no reports were filed at all, despite internal discussions acknowledging suspicious elements and decisions to close accounts. One case involved a personal account receiving significant transfers from an embassy account controlled exclusively by the client, suggesting possible misappropriation. Although the bank froze the account, it did not submit a suspicious-activity report until well after the inspection period.

In another instance, a client with multiple income sources and sensitive professional roles underwent enhanced scrutiny; the bank closed the account and denied certain reimbursements due to misuse concerns. Yet no immediate reporting occurred, despite the mandatory requirement to escalate when suspicion cannot be resolved.

Such failures undermine the central purpose of suspicious-activity reporting, which is to provide timely intelligence that can help detect criminal networks, trace cross-border flows and prevent further laundering stages. Reporting delays severely limit the window for intervention and can inadvertently allow additional misuse during periods of inaction.

Regulators emphasized that institutions must prioritize escalation once suspicion arises. Although detailed internal inquiries are welcome, they cannot postpone the legal obligation to report. In this case, misclassified clients, alert-processing failures and weak oversight of foreign branches collectively produced an environment where reporting duties were neither timely nor effective.

These shortcomings were decisive in the enforcement outcome because suspicious-activity reporting is among the most scrutinized components of an AML program. When institutions fall short here, supervisors typically view the lapses as demonstrating pervasive structural issues.

The investigation also revealed significant oversight gaps concerning AML operations across foreign branches. Headquarters teams lacked access to branch-level filtering and monitoring tools, relying instead on summaries and extracted data. Without direct visibility, central controls could not verify scenario settings, alert resolution or system reliability.

This lack of access created a fragmented control environment requiring robust harmonization to ensure consistent detection thresholds and uniform interpretation of risk indicators. Instead, central teams lacked the means to confirm whether branches applied comparable standards. Such arrangements generate vulnerabilities, especially when branches operate under differing regulatory regimes or serve diverse customer groups. Supervisors expect parent entities to maintain full AML oversight regardless of organizational or technological complexities.

Control plans during the relevant years also omitted checks on branch-tool configuration, and key enhanced-review processes were not covered by central testing. These omissions weakened the bank’s ability to guarantee consistent detection and escalation institution-wide.

The case highlights how fragmented systems across jurisdictions can mask weaknesses in AML design. When central compliance functions cannot verify branch-level surveillance, they cannot assure timely alert management or consistent risk scoring. Fragmentation also complicates remediation because fixes applied at headquarters may not translate across disparate systems.

Ultimately, the situation demonstrates why integrated oversight and unified access to monitoring tools are essential for banks operating in multiple countries. Lacking such integration allows systemic AML flaws to persist despite resource investments and organizational restructuring. Regulators consistently reaffirm that parent institutions bear full responsibility for AML standards across all branches and subsidiaries, regardless of structure or geography.

By fLEXI tEAM