Algeria’s First Binding PSP Security Rulebook
For years, Algeria’s fintech sector operated in a regulatory grey zone — innovative enough to produce companies like Yassir and UbexPay, but constrained by the absence of a formal licensing framework for non-bank payment operators. Bank of Algeria’s Instruction 06-2025 changes that permanently.
The regulation, published in 2025, establishes a comprehensive operational framework covering capital adequacy, KYC standards, customer fund protection, agent network governance, and consumer safeguards. For cybersecurity teams at Algerian fintech startups and licensed PSPs, Instruction 06-2025 is not primarily a business opportunity document — it is a compliance checklist with legal consequences.
The cybersecurity obligations embedded in the instruction operate alongside Algeria’s AML framework, which was substantially strengthened by a July 2025 amendment to the primary AML law (No. 05-01, 2005) that expanded oversight to digital assets and raised enforcement penalties to DZD 10 million for non-compliant entities. Bank of Algeria Regulation No. 24-03 (August 2024) further defines AML/CFT requirements for virtual asset providers.
This article unpacks the cybersecurity obligations, identifies the gaps most likely to cause compliance failures, and provides a structured hardening checklist.
What Instruction 06-2025 Actually Requires
The regulation establishes three tiers of KYC verification for payment accounts, each with progressively stricter identity assurance:
- Level 1 accounts — maximum transaction threshold of DZD 100,000 (~USD 740) — require basic digital ID verification only
- Level 2 accounts — maximum DZD 500,000 (~USD 3,700) — require scanned identity document plus income proof
- Level 3 accounts — maximum DZD 1,000,000 (~USD 7,400) — require video-conference verification plus Level 2 documentation
Each tier represents a distinct technical requirement: Level 1 demands a functional digital identity API integration; Level 2 requires document verification and storage; Level 3 requires a real-time video KYC capability with biometric liveness detection.
Beyond KYC, the regulation mandates:
- Segregated escrow accounts: all customer funds held by a PSP must be deposited in a dedicated account at a commercial bank, entirely separate from the PSP’s operational capital
- Bank guarantee or professional liability insurance: as a baseline capital protection mechanism for consumers
- Strong customer authentication (SCA): multi-factor verification for all transaction initiation, explicitly modelled on emerging global standards
- Transaction restriction to Algerian Dinars: all services must operate within national territory and in DZD only — a significant constraint on cross-border payment features
LaunchBase Africa’s analysis of Instruction 06-2025 notes that the agent network provisions impose full liability on PSPs for all actions undertaken by their cash-in/cash-out agents, including AML compliance and anti-fraud monitoring — a requirement that pushes cybersecurity responsibilities downstream to the agent interface layer.
What PSPs Must Implement to Stay Compliant
1. Build a Three-Tier KYC Authentication Stack Before License Renewal
The tiered KYC system is not merely an onboarding feature — it is a live control that must be verifiable at every transaction point. A PSP that onboards a Level 1 user and then allows that account to make Level 2-scale transfers without triggering a KYC escalation is in violation. Implement KYC tier enforcement at the API layer: every payment initiation request must check the account’s current KYC tier against the requested transaction amount and return an error if the tier is insufficient. Log every tier escalation and rejection for Bank of Algeria audit access. Video KYC for Level 3 requires a real-time liveness-check component — budget for a certified biometric provider, as in-house solutions are unlikely to pass regulatory scrutiny.
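The tier check described above can sit in front of every payment initiation handler. The following is an added example, not code from the instruction or from any PSP; the function names, result codes and logger name are assumptions, while the DZD ceilings are the ones listed in this article.

```python
import json
import logging
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Per-transaction ceilings in DZD for each KYC level, as listed in the article.
TIER_LIMITS_DZD = {1: Decimal("100000"), 2: Decimal("500000"), 3: Decimal("1000000")}
audit_log = logging.getLogger("kyc.audit")  # hypothetical audit logger name


@dataclass(frozen=True)
class Decision:
    allowed: bool
    code: str                      # machine-readable result for the API response
    required_tier: Optional[int]   # lowest tier that would permit the amount


def lowest_sufficient_tier(amount: Decimal) -> Optional[int]:
    """Lowest KYC tier whose ceiling covers the amount, or None if no tier does."""
    for tier in sorted(TIER_LIMITS_DZD):
        if amount <= TIER_LIMITS_DZD[tier]:
            return tier
    return None


def authorize_payment(account_id: str, kyc_tier: int, amount: Decimal, currency: str) -> Decision:
    """Gate one payment initiation request on currency, amount and KYC tier."""
    if currency != "DZD":
        decision = Decision(False, "CURRENCY_NOT_PERMITTED", None)
    elif not amount.is_finite() or amount <= 0:
        decision = Decision(False, "INVALID_AMOUNT", None)
    elif kyc_tier not in TIER_LIMITS_DZD:
        decision = Decision(False, "UNKNOWN_KYC_TIER", None)  # fail closed
    else:
        needed = lowest_sufficient_tier(amount)
        if needed is None:
            decision = Decision(False, "AMOUNT_EXCEEDS_ALL_TIERS", None)
        elif needed > kyc_tier:
            decision = Decision(False, "KYC_ESCALATION_REQUIRED", needed)
        else:
            decision = Decision(True, "OK", needed)
    # Every decision, allowed or rejected, is written as one JSON line for audit.
    audit_log.info(json.dumps({"account": account_id, "tier": kyc_tier,
                               "amount": str(amount), "code": decision.code,
                               "required_tier": decision.required_tier}))
    return decision
```

The tier passed in should be read from the account record on the server at request time, never taken from a client-supplied field.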
2. Establish Cryptographic Segregation Between Customer Funds and Operating Capital
The escrow account requirement in Instruction 06-2025 is fundamentally a reconciliation and integrity control: at any point in time, the balance of the PSP’s customer escrow account must exactly match the aggregate of all customer wallet balances. Implement automated daily reconciliation with cryptographic audit trails — every debit and credit to the escrow account should be linked to a specific customer transaction hash. If the escrow balance ever diverges from the aggregate customer balance by more than a defined tolerance (e.g., DZD 1,000), trigger an immediate alert to the compliance team. Do not rely on manual accounting cycles for this — a manual process that runs weekly will fail to detect intra-week fraud.
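One way to build the reconciliation described above is a hash-chained ledger checked against the bank-reported escrow balance. This is an added example, not part of the instruction or of any PSP's system; the entry layout, field names and sample ledger are assumptions, and the DZD 1,000 tolerance is the article's own example value.

```python
import hashlib
import json
from decimal import Decimal

GENESIS = "0" * 64                 # starting value for the hash chain
TOLERANCE_DZD = Decimal("1000")    # the article's example tolerance


def entry_hash(prev_hash: str, tx_id: str, customer: str, delta: Decimal) -> str:
    """SHA-256 over the previous hash plus a canonical encoding of the entry."""
    body = json.dumps({"tx": tx_id, "customer": customer, "delta": str(delta)},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(ledger: list, tx_id: str, customer: str, delta: Decimal) -> None:
    """Add a credit (positive) or debit (negative), chained to the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"tx": tx_id, "customer": customer, "delta": delta,
                   "hash": entry_hash(prev, tx_id, customer, delta)})


def reconcile(ledger: list, escrow_balance: Decimal) -> dict:
    """Verify the chain, then compare aggregate wallet balances with escrow."""
    prev, wallets = GENESIS, {}
    for i, e in enumerate(ledger):
        if entry_hash(prev, e["tx"], e["customer"], e["delta"]) != e["hash"]:
            return {"status": "TAMPERED", "index": i}  # first entry that fails
        wallets[e["customer"]] = wallets.get(e["customer"], Decimal(0)) + e["delta"]
        prev = e["hash"]
    diff = escrow_balance - sum(wallets.values(), Decimal(0))
    status = "OK" if abs(diff) <= TOLERANCE_DZD else "ALERT"
    return {"status": status, "difference": diff, "head": prev}


# Constructed sample ledger: two deposits and one withdrawal (aggregate 150,000 DZD).
sample = []
append(sample, "tx-001", "cust-A", Decimal("50000"))
append(sample, "tx-002", "cust-B", Decimal("120000"))
append(sample, "tx-003", "cust-A", Decimal("-20000"))
```

An unkeyed chain only detects edits to individual entries; record the returned head hash somewhere the ledger's own administrators cannot write, so that a rebuild of the whole chain is also detectable.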
3. Deploy AML Transaction Monitoring Aligned to CTRF Reporting Standards
Algeria’s CTRF (Cellule de Traitement du Renseignement Financier) requires PSPs to file suspicious activity reports for transactions that meet defined risk criteria. In practice this requires a real-time transaction monitoring engine that applies rule-based and behavioural screening to every payment, checking for structuring patterns (multiple transactions just below the DZD 100,000 threshold), high-velocity wallet activity, transactions to or from flagged account identifiers, and geographic anomalies. Customer records must be retained for a minimum of five years under Algeria’s AML/CFT framework (Law 05-01, as amended in July 2025). Penalties for non-compliance reach DZD 10 million, an existential risk for an early-stage PSP with limited capital.
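Two of the screening rules named above, structuring and high velocity, can be expressed as sliding-window checks over the payment stream. This is an added example, not CTRF's criteria or any vendor's engine; the band, window and count values are assumptions chosen for illustration, and the transactions are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_DZD = 100_000           # threshold named in the article
NEAR_FLOOR_DZD = 90_000           # assumption: "just below" means 90,000 to 99,999
WINDOW = timedelta(hours=24)      # assumption: rolling look-back for structuring
MIN_NEAR_COUNT = 3                # assumption: near-threshold payments before alerting
VELOCITY_LIMIT = 10               # assumption: max payments per account per hour


def screen(transactions):
    """Return (tx_id, account, rule) alerts for a time-ordered payment stream."""
    near = defaultdict(deque)     # account -> times of near-threshold payments
    recent = defaultdict(deque)   # account -> times of all payments in the last hour
    alerts = []
    for tx_id, account, ts, amount in transactions:
        hour = recent[account]
        hour.append(ts)
        while hour[0] <= ts - timedelta(hours=1):   # drop payments older than 1h
            hour.popleft()
        if len(hour) > VELOCITY_LIMIT:
            alerts.append((tx_id, account, "HIGH_VELOCITY"))
        if NEAR_FLOOR_DZD <= amount < THRESHOLD_DZD:
            band = near[account]
            band.append(ts)
            while band[0] <= ts - WINDOW:           # drop payments outside the window
                band.popleft()
            if len(band) >= MIN_NEAR_COUNT:
                alerts.append((tx_id, account, "STRUCTURING"))
    return alerts


# Constructed sample: acct-1 sends three near-threshold payments within five hours.
T0 = datetime(2025, 9, 1, 9, 0)
SAMPLE = [
    ("t1", "acct-1", T0, 99_500),
    ("t2", "acct-2", T0 + timedelta(minutes=5), 40_000),
    ("t3", "acct-1", T0 + timedelta(hours=2), 98_000),
    ("t4", "acct-1", T0 + timedelta(hours=5), 99_900),
    ("t5", "acct-2", T0 + timedelta(hours=6), 95_000),
    ("t6", "acct-1", T0 + timedelta(hours=30), 99_000),
]
```

Alerts from rules like these feed a case queue for analyst review; the thresholds need tuning against real traffic before they drive reporting decisions.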
4. Implement Strong Customer Authentication That Meets Bank of Algeria’s SCA Standard
The SCA requirement in Instruction 06-2025 mandates multi-factor verification for payment initiation. In practice, this means combining at least two independent authentication factors — typically a device-bound cryptographic key (something you have) and a biometric or PIN (something you are or know). SMS OTP alone does not meet the SCA standard because SIM-swap fraud can compromise it without the account holder’s involvement. Implement FIDO2/WebAuthn for mobile authentication where technically feasible, or at minimum use time-based OTP via an authenticator app (TOTP) rather than SMS. Document your SCA implementation in a technical compliance note and have it reviewed by a certified information security professional — Bank of Algeria inspections will ask for this evidence.
5. Extend Cybersecurity Requirements to Your Agent Network
The Instruction 06-2025 provision making PSPs fully liable for their agents’ actions has a direct cybersecurity implication: every cash-in/cash-out agent terminal is an extension of the PSP’s attack surface. An agent whose device is compromised can become a vector for account takeover, fraudulent cash-out, or AML evasion. Require all agents to complete annual security awareness training, use PSP-provided hardware or a locked-down app with device integrity checking (jailbreak/root detection, certificate pinning), and connect to the PSP backend exclusively over an encrypted, mutually authenticated channel. Audit agent transaction logs weekly for anomalous patterns: an agent who processes 50 cash-out transactions in one hour is a red flag, not a sales achievement.
A PSP Compliance Readiness Checklist
Before Bank of Algeria conducts its first compliance inspection of licensed PSPs, assess your readiness against these controls:
- KYC tier enforcement at the API layer for all transaction initiation
- Real-time escrow reconciliation with cryptographic audit trail
- AML transaction monitoring engine with CTRF-aligned suspicious activity reporting
- SCA implementation using device-bound authentication (not SMS OTP alone)
- Five-year customer record retention with encrypted, access-controlled storage
- Agent security policy including device integrity checking and encrypted channels
- Incident notification procedure for Bank of Algeria — the regulation implies a notification obligation; document your procedure before an incident occurs
- Professional liability insurance or bank guarantee as specified in the regulation
Fintech Times’ 2026 overview of Algeria’s ecosystem notes that approximately 30-35 fintech startups currently operate in Algeria, with digital payment adoption still constrained by cash dominance. PSPs that build compliant, secure infrastructure now will be positioned to benefit from the next phase of adoption — but only if they survive the initial compliance inspection cycle.
Frequently Asked Questions
What is Bank of Algeria’s Instruction 06-2025?
Instruction 06-2025 is Bank of Algeria’s first comprehensive licensing and operational framework for payment service providers and digital-wallet operators. It establishes three tiers of KYC verification linked to transaction limits (DZD 100,000 / 500,000 / 1,000,000), requires segregated customer fund escrow accounts, mandates strong multi-factor customer authentication, restricts services to Algerian Dinars within national territory, and makes PSPs fully liable for their agent networks’ compliance. It operates alongside Bank of Algeria Regulation No. 24-03 (August 2024) and the July 2025 amendment to Algeria’s AML/CFT framework (Law 05-01).
What are the penalties for PSPs that fail to comply with Algeria’s AML rules?
Under the July 2025 amendment to Algeria’s AML/CFT framework (Law 05-01), fines for AML non-compliance reach DZD 10 million. The CTRF — Algeria’s financial intelligence unit under the Ministry of Finance — investigates suspicious transactions, and Bank of Algeria oversees AML/CFT compliance for payment service providers. Non-compliant PSPs also risk licence suspension or revocation, which is an existential risk for startups that have built their business model on the payment licence.
Does Instruction 06-2025 require PSPs to report data breaches?
Instruction 06-2025 does not explicitly define a breach notification timeline comparable to GDPR Article 33. However, PSPs are subject to Algeria’s general cybersecurity framework coordinated by ASSI (Agence de la Sécurité des Systèmes d’Information), which requires operators of critical information systems to report significant incidents. PSPs handling DZD-denominated payments at scale should treat themselves as operators of critical payment infrastructure and establish an incident notification procedure aligned to ASSI requirements, even in the absence of an explicit regulatory deadline in the instruction itself.
Sources & Further Reading
- Algeria Issues New Rules for Fintech and Digital Wallet Providers — Startup Researcher
- Algeria Opens for Fintech: PSP Rules Create a Playbook — LaunchBase Africa
- AML Compliance in Algeria: A 2025 Guide for Fintechs — VoveID
- Algeria’s Fintech Ecosystem in 2026 — The Fintech Times
- Cybersécurité PME et Protection des Données en Algérie — Symloop














