Etihad Law

Electronic Contracting and Digital Evidence for Digital Banks in Iraq


Electronic Contracting: The Legal Foundation That Every Digital Bank Builds On

Every single customer relationship in a digital bank is created through electronic contracting. Account opening happens via a mobile application or website. Credit agreements are concluded by tapping an accept button. Card terms are accepted through a digital confirmation. Payment mandates are authorized by biometric authentication. There is no paper, no wet ink signature, no branch counter.

This operating reality raises a set of legal questions that traditional banks simply do not face: when are these electronic contracts legally binding? How can they be proved in a dispute? How long must the records be kept? The answers matter enormously. A digital bank that cannot prove the existence and terms of its customer contracts in regulatory examinations, customer disputes, AML investigations, or litigation is in a fundamentally weak legal position, regardless of how commercially successful its operations may be.

1. When Is an Electronic Contract Legally Binding?

Under the general principles of Iraqi contract law, a contract is formed by the meeting of offer and acceptance with the requisite legal capacity, lawful subject matter, and consideration. The medium through which offer and acceptance are communicated does not affect the validity of the contract unless the law specifically requires a particular form (such as a notarized document for certain property transactions). Electronic contracts are therefore legally binding under Iraqi law when four conditions are satisfied:

- Express manifestation of consent: the customer must have actively and demonstrably agreed to the material terms. A passive scroll-through of terms and conditions, or a pre-ticked checkbox that the customer must un-tick to opt out, does not constitute legally robust consent. Best practice, and the approach most defensible in litigation, is to present material terms prominently, require the customer to scroll through them before a confirmation button becomes active, and capture the confirmation as a timestamped event in the system’s audit log.
- Verified identity: the customer’s identity must have been authenticated by a reliable method before the contract is concluded. The CBI’s mandatory biometric verification and liveness detection requirements for digital onboarding create a strong evidentiary foundation for identity at the point of account opening. For subsequent transactions, the strength of the authentication method used determines the evidentiary weight of the bank’s records.
- Legal capacity: the bank must have verified that the customer is of legal age and has full legal capacity to enter into the contract. Age verification is an integral element of the digital KYC process.
- Accurate timestamp: the date and time of contract conclusion must be recorded accurately through a trusted timestamp mechanism. This matters because the terms applicable to any given customer are those in force at the time of contract conclusion — and the bank must be able to prove which version of its terms was in force at any given date.

2. Electronic Signatures: Three Levels of Legal Strength

Not all electronic signatures carry the same evidentiary weight. The following hierarchy applies in practice:

- Basic electronic signature: any electronic indication of a person’s intent to be bound, including a typed name, a clicked checkbox, or a digital confirmation button. Legally effective, but carries limited evidentiary weight in a contested dispute, as it is difficult to prove that the specific individual signed rather than another person with access to their device.
- Advanced electronic signature: based on asymmetric cryptography with a digital certificate issued by a recognized certification authority, it creates a strong technical link between the signature and the signatory’s identity. Carries substantially stronger evidentiary weight and is appropriate for high-value or legally sensitive transactions.
- Biometric authentication: fingerprint, facial recognition, or voice biometrics linked to a verified identity document provides the strongest practical combination of identification and consent evidence for mass-market digital banking at scale. The combination of biometric authentication at onboarding and at transaction authorization creates a robust evidentiary chain for the full lifecycle of the customer relationship.

3. Audit Trails as Legal Evidence

Every transaction executed through a digital bank’s systems generates an audit trail: the identity of the person who initiated the transaction, the device and IP address used, the precise timestamp, the transaction parameters, any modifications made and by whom, and the system state at the time of execution. These audit trails are among the most valuable pieces of legal evidence available to a digital bank in any dispute, investigation, or proceeding.

Their legal value is, however, entirely dependent on the technical integrity of the recording system. An audit trail that is technically capable of being modified after the fact has significantly diminished evidentiary value. A well-designed audit logging system must be:

- Tamper-evident: any modification to a log entry must be detectable and must itself be logged.
- Immutable for the retention period: log entries must not be deletable or overwritable during the mandatory retention period.
- Retrievable on demand: logs must be rapidly retrievable in a readable format for regulatory examinations, legal proceedings, or customer dispute resolution.
- Comprehensive: the audit trail must capture all system events relevant to customer accounts and transactions: not only successful transactions but also failed authentication attempts, blocked transactions, and system errors.

4. Mandatory Record Retention Periods

| Record Category | Minimum Retention Period | Legal Basis |
| --- | --- | --- |
| Financial transaction records | 7 years | AML/CFT regulatory requirement |
| Customer identification and account opening records | 5 years after end of customer relationship | Banking supervision requirement |
| Credit decision records with supporting rationale | 5 years after facility repayment | Credit risk and consumer protection |
| Complaint records and customer correspondence | 5 years | Consumer protection and dispute resolution |
| Audit trails for all system events | 5 years, retrievable in real time | Regulatory and forensic requirements |
| Version-controlled terms and conditions | Indefinitely, each version with effective date | Contract formation evidence |
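The timestamped consent event from section 1 and the tamper-evidence requirement from section 3 can both be met with a hash-chained log. The sketch below is an added example, not code from the original article or from any bank's system; the class and function names, event names, customer ID and terms text are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # fixed "previous hash" for the first entry
BODY_FIELDS = ("seq", "ts", "event", "customer_id", "details")


def _digest(prev_hash, body):
    """SHA-256 over the previous entry's hash plus this entry's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def terms_fingerprint(terms_text):
    """Hash of the exact terms text shown, proving which version was accepted."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log (hypothetical class); no update or delete method exists."""

    def __init__(self):
        self._entries = []

    def append(self, event, customer_id, details, when):
        prev = self.head()
        body = {
            "seq": len(self._entries),
            "ts": when.isoformat(),
            "event": event,
            "customer_id": customer_id,
            "details": details,
        }
        entry = dict(body, prev=prev, hash=_digest(prev, body))
        self._entries.append(entry)
        return entry

    def head(self):
        """Latest hash; store it outside the log system (e.g. on WORM media)."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export(self):
        """Deep copy of the entries in a readable format for an examiner."""
        return json.loads(json.dumps(self._entries))


def verify_chain(entries, expected_head=None):
    """Return (ok, index of the first bad entry or None).

    Without expected_head, edits, insertions and mid-log deletions are caught.
    With expected_head (kept separately), truncation of the tail is caught too.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: entry[k] for k in BODY_FIELDS}
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(prev, body):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log():
    """Constructed sample: a failed login, a successful one, then consent."""
    terms_v3 = "Constructed sample terms and conditions, version 3."
    t0 = datetime(2026, 1, 5, 9, 30, tzinfo=timezone.utc)
    log = AuditLog()
    # Failed attempts are logged as well, per the "comprehensive" requirement.
    log.append("auth_failed", "CUST-0001",
               {"method": "biometric", "reason": "liveness_check_failed"}, t0)
    log.append("auth_ok", "CUST-0001",
               {"method": "biometric"}, t0 + timedelta(seconds=40))
    log.append("terms_accepted", "CUST-0001",
               {"terms_version": "v3",
                "terms_sha256": terms_fingerprint(terms_v3),
                "scrolled_to_end": True}, t0 + timedelta(seconds=95))
    return log, terms_v3


if __name__ == "__main__":
    log, _ = build_sample_log()
    entries = log.export()
    print("intact:", verify_chain(entries, log.head()))
    entries[2]["details"]["terms_version"] = "v4"  # simulated after-the-fact edit
    print("edited:", verify_chain(entries, log.head()))
```

The chain only makes changes detectable; immutability for the retention period still depends on where the entries and the head hash are stored.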

Outsourcing and Technology Providers for Digital Banks in Iraq


Outsourcing in a Digital Bank: The Liability That Stays With the Bank

A digital bank is structurally dependent on external vendors in a way that no traditional bank is. Its core banking system is operated by a software vendor. Its online platform may be built by a third-party development firm. Its cybersecurity defences are managed by a specialized security provider. Its KYC and identity verification capabilities are supplied by a fintech data company. This dependency is inherent to the digital bank model, and it creates a legal liability structure that founders and boards consistently underestimate.

The governing principle is straightforward and non-negotiable: the bank remains fully responsible to the CBI and to its customers for the performance of every function it has outsourced, regardless of what any commercial vendor contract says. A service level agreement, however comprehensive, does not transfer regulatory liability from the bank to the vendor. If a vendor failure causes the bank to breach a licensing condition, the bank, not the vendor, faces the regulatory consequences.

1. CBI’s Regulatory Framework for Outsourcing

The CBI’s framework imposes the following specific requirements on outsourcing by digital banks:

- The bank must retain full control over decision-making in all core functions, even where operational execution has been delegated to an external provider.
- Functions that directly affect the CBI’s ability to supervise the bank may not be outsourced in a manner that impedes the CBI’s access to information or its ability to conduct examinations.
- The CBI has the right to conduct on-site inspections of vendor facilities and to request access to vendor records where this is necessary for its supervisory functions; vendor contracts must include provisions explicitly recognizing this right.
- All vendor service level agreements must satisfy the technical and operational standards prescribed by the CBI; a vendor arrangement that produces availability or security levels below the CBI’s minimum standards places the bank in breach of its licensing conditions.

2. Vendor Risk Classification

| Vendor Category | Examples | Required Oversight Level |
| --- | --- | --- |
| Critical vendors | Core banking system provider, online banking platform provider | Detailed SLA with financial penalties, CBI audit right, BCP integration, executable transition plan, 24-hour breach notification |
| Security vendors | Cybersecurity providers, SIEM operators, AML monitoring systems | Strict data processing agreement, immediate breach notification, security certifications required |
| Supporting vendors | Digital KYC providers, identity verification services | Periodic compliance review, AML compliance confirmation, data security standards verification |
| General vendors | Telecommunications providers, office software | Standard commercial terms, data processing agreement if customer data is accessed |

3. Mandatory Contractual Provisions for Critical Vendors

3.1 Service Level Agreements

Every SLA with a critical vendor must specify: system availability guarantees consistent with CBI minimum requirements (99.5% for core banking systems, 98% for online platforms), incident severity classifications with defined maximum response and resolution times for each severity level, scheduled maintenance windows agreed in advance and notified to the bank with sufficient lead time, financial penalties that are meaningful and proportionate for availability or performance breaches, and mechanisms for the bank to escalate unresolved incidents to senior management at the vendor.

3.2 Audit and Inspection Rights

Every critical vendor contract must include explicit provisions recognizing: the bank’s right to conduct or commission audits of the vendor’s facilities, systems, and records relevant to the services provided; the CBI’s right, by extension of its supervisory authority over the bank, to conduct inspections of vendor facilities; and the vendor’s obligation to cooperate fully with any such audit or inspection. A vendor that refuses to grant audit rights to the bank is not an appropriate vendor for a critical function in a regulated environment.

3.3 Data Protection and Security

For any vendor that processes customer personal data, a Data Processing Agreement (DPA) is mandatory. The DPA must specify: the precise categories of data processed, the permitted purposes of processing, the technical and organizational security measures in place, the vendor’s obligation to notify the bank within 24 hours of discovering any security incident affecting bank data, the prohibition on sharing bank data with any other party without the bank’s prior written consent, and the obligations for data return or deletion upon termination of the arrangement.

3.4 Business Continuity and Transition

Critical vendor contracts must include: a business continuity and disaster recovery plan specific to the services provided, which is consistent with and integrated into the bank’s own BCP/DRP; a transition plan specifying how services will be migrated to an alternative provider or brought in-house upon termination; a minimum transition period of not less than six months on termination for non-cause, giving the bank adequate time to migrate without service disruption.

4. Concentration Risk: The Single-Vendor Problem

Complete reliance on a single vendor for any critical function creates concentration risk. Where the bank has only one vendor capable of providing a critical system or service, a failure by that vendor, whether technical, commercial, or financial, can cause a service disruption with no available alternative. The bank must:

- Maintain a documented assessment of concentration risk across its vendor portfolio.
- Develop and maintain a practical exit strategy for every critical vendor, a plan that can realistically be executed within the transition period specified in the contract without material service disruption.
- Report material concentration risks to the board of directors as part of the bank’s regular risk reporting cycle.
- Consider diversification strategies for the highest-criticality functions where a single-vendor failure would cause the bank to breach its licensing conditions.

Data Privacy and Banking Secrecy for Digital Banks in Iraq


Data Privacy and Banking Secrecy: The Two Overlapping Legal Frameworks Every Digital Bank Must Navigate

A digital bank generates more personal data per customer per day than almost any other type of financial institution. Every login, every transaction, every failed authentication attempt, every navigation path through the mobile application creates a data record. Managing this data legally and using it responsibly requires simultaneous compliance with two distinct but overlapping legal frameworks: the established principle of banking secrecy grounded in Iraqi banking legislation, and the data protection principles that govern how personal information may be collected, stored, processed, used, and protected.

These two frameworks are complementary but not identical. Banking secrecy governs what information may be disclosed to third parties. Data protection principles govern how information may be used internally and externally across its full lifecycle. A bank that satisfies one without the other remains legally exposed.

1. Banking Secrecy: The Foundational Legal Obligation

Banking secrecy is one of the most established principles in Iraqi banking law. It prohibits the digital bank from disclosing any information relating to its customers, their identity, their account details, their transaction history, their financial position, or any other information obtained in the course of the banking relationship to any third party, without the customer’s express written consent. Four specific exceptions to this prohibition are recognized under Iraqi law:

- A court order issued by a competent Iraqi court in the context of criminal or civil judicial proceedings that specifically identifies the information required.
- A supervisory request from the Central Bank of Iraq in the exercise of its statutory oversight powers, including requests made in the course of a regulatory examination or investigation.
- A request from the competent anti-money laundering authority in the context of a formal AML/CFT investigation, including requests related to suspicious transaction reports already filed by the bank.
- Disclosure for the purpose of authorized external audit by the bank’s CBI-approved external auditor, limited to the information necessary for the audit.

Any disclosure outside these four exceptions, regardless of the requestor’s identity or the apparent legitimacy of the purpose, constitutes a serious violation of banking secrecy. This violation creates both civil liability to the affected customer for any harm caused by the disclosure, and regulatory liability to the CBI.

2. Six Principles of Lawful Data Processing

Alongside banking secrecy, the digital bank must comply with the following data protection principles in all its processing of personal data. These principles govern how data is used, not just whether it can be disclosed:

- Lawfulness and transparency: personal data may be processed only when there is a legitimate legal basis for doing so, the principal bases being the customer’s explicit consent, performance of the contract between the bank and the customer, compliance with a legal obligation, or a legitimate interest of the bank that is proportionate to the privacy intrusion and does not override the customer’s fundamental interests.
- Purpose limitation: data collected for specified, explicit, and declared purposes may not subsequently be used for undisclosed secondary purposes. Using account transaction data to train a credit scoring model that was not disclosed to the customer at the time of data collection, for example, requires a fresh legal basis.
- Data minimisation: the bank may collect only the minimum personal data necessary for the stated purpose. Collecting extensive lifestyle, behavioral, or social data beyond what is required for banking operations requires specific justification.
- Accuracy: personal data must be kept accurate and up to date; inaccuracies must be corrected without undue delay. A bank that maintains demonstrably incorrect customer data and allows decisions to be made on that basis incurs liability for any resulting harm.
- Storage limitation: personal data must not be retained for longer than is necessary for the purpose for which it was collected, or for longer than required by applicable law. Indefinite retention of inactive customer data without a legal basis is a data protection violation.
- Integrity and confidentiality: appropriate technical and organizational measures must be implemented to protect personal data against unauthorized access, accidental loss, destruction, or damage. The standard of protection required is proportionate to the sensitivity of the data and the potential harm from its compromise.

3. Customer Rights Over Their Personal Data

Every customer has the following rights with respect to their personal data held by the bank, and the bank must have operational mechanisms to respond to the exercise of these rights within a reasonable timeframe:

- The right of access: to obtain confirmation that the bank processes their personal data and to receive a copy of that data in a comprehensible format.
- The right of rectification: to request correction of inaccurate personal data without undue delay.
- The right to object: to object to the processing of their personal data in certain circumstances, including processing for direct marketing purposes, where the objection is absolute.
- The right to restriction: to request that the bank restricts its processing of their data in defined circumstances, for example, while the accuracy of the data is being contested.
- The right to data portability: to receive their personal data in a structured, machine-readable format for the purpose of transferring it to another institution; this right is particularly significant in the banking context and directly supports competition.

4. Data Classification and Iraq-Based Data Sovereignty

The CBI’s Standards Booklet (Standard B7) imposes a mandatory tiered data classification system that overlays the general data protection principles with sector-specific technical requirements. Customer identity data, authentication credentials, account identifiers, and transaction data are classified at the highest sensitivity level and require mandatory encryption both at rest and in transit, with multi-layer access controls restricting access to authorized personnel only.

The data sovereignty requirement is absolute: all data centres and servers used by the digital bank must be located within Iraq. Cloud hosting of core banking data outside Iraq is not permitted. This requirement directly limits the bank’s vendor choices and must be a primary criterion in any technology procurement decision.

Digital Banking Consumer Protection in Iraq


Consumer Protection for Iraqi Digital Banks: A Legal Obligation, Not a Marketing Choice

When a digital bank has no branches, no tellers, and no physical touchpoints, the legal framework for consumer protection becomes the primary mechanism through which customers are safeguarded. Every interaction is digital, every contract is electronic, and every service failure happens remotely. This reality makes consumer protection obligations more, not less, consequential for a digital bank than for its traditional counterpart.

The Central Bank of Iraq’s digital bank framework grounds consumer protection in three legal sources: Iraqi banking legislation requiring honest, transparent, and fair dealings with customers; the CBI’s Standards Booklet, specifically Standard B6 on customer service, which establishes minimum mandatory service levels; and internationally recognized principles for financial consumer protection developed by bodies including the G20 and the World Bank.

1. Mandatory Pre-Contract Disclosure: What Must Be Disclosed and When

Every digital bank in Iraq is legally required to make complete and clear disclosures to customers before any contract is entered into or any service is activated. This disclosure obligation is not satisfied by burying information in lengthy terms and conditions; it requires active, prominent, and intelligible communication of material information. The following must be disclosed before any contract:

- All fees and commissions applicable to the product or service, including interest rates on deposits and credit facilities, card issuance and renewal fees, transaction charges, currency conversion fees, and any administrative or maintenance charges.
- Full terms and conditions in Arabic, drafted in clear and accessible language for non-specialists, with material terms and risks, including cancellation conditions and default consequences, prominently highlighted rather than embedded in standard text.
- The customer’s rights and obligations, including cancellation rights within any applicable cooling-off period, complaint rights and the mechanism for exercising them, and the right to access their personal data and account statements.
- The dispute resolution mechanisms available to the customer, including the bank’s internal complaints procedure and the customer’s right to escalate to the CBI Banking Supervision Department.
- The scope of deposit guarantee coverage applicable to the customer’s accounts: specifically, which accounts are covered, up to what limit, and what is excluded.

2. Prohibited Commercial Practices

The combination of Iraqi banking legislation and the CBI’s consumer protection standards prohibits a digital bank from engaging in the following practices in its dealings with customers:

- Misleading marketing and advertising: any promotional content, whether on the bank’s digital platform, mobile application, social media, or any other channel, that contains false or misleading information, conceals material fees or charges, makes promises that cannot be delivered, or creates a false impression of the bank’s products or services constitutes a legal violation.
- Tied selling: requiring a customer to subscribe to an additional product or service as a condition for accessing the core service they have requested, for example, requiring the purchase of insurance as a condition for a credit facility.
- Unjustified discrimination: refusing service, imposing harsher terms, or providing inferior service to customer categories without a legitimate and objectively justifiable basis.
- Exploiting customer financial vulnerability: targeting financially stressed customers with unsuitable high-cost credit products, or marketing products that are clearly inappropriate for the customer’s financial situation and capacity.

3. CBI Standard B6: The 24/7 Contact Centre Requirement

Standard B6 of the CBI’s Standards Booklet requires every digital bank to provide the minimum customer support coverage specified by the CBI. Full compliance with this standard is required from Assessment Cycle 1, meaning the support infrastructure must be fully operational before the bank’s first assessment in H2 2027. The minimum requirement under Standard B6 includes:

- A telephone contact centre available 24 hours a day, 7 days a week; digital-only support channels, including in-app chat, email, and automated responses, do not satisfy this requirement.
- Immediate emergency response capability for critical situations, including suspected fraud on a customer’s account, card blocking, account freezing, and system outages affecting customer access.
- A complaint tracking system that notifies customers of the status of their complaint at each processing stage.
- Support available in Arabic.

A digital bank that launches pilot operations without a fully functional 24/7 telephone contact centre is in breach of Standard B6 from its first day of customer-facing operations. This is not a transitional requirement; it is a day-one obligation.

4. Responsible Lending: The Legal Obligation Before Every Credit Decision

The principle of responsible lending, embedded in Iraqi banking legislation and reinforced by the CBI’s framework, requires the digital bank to assess a customer’s ability to repay before extending any credit facility. This assessment must be based on objective data: income information provided by the customer and verified where practicable, existing financial obligations and debt service commitments, and the customer’s credit history as retrieved from the Iraqi credit registry.

A credit facility extended without this assessment creates two categories of legal exposure for the bank: regulatory liability to the CBI for breach of the responsible lending standard, and civil liability to the customer if the facility causes financial harm that the assessment would have identified and prevented. In the digital banking context, where credit decisions may be made algorithmically at scale, the responsible lending obligation applies to every individual credit decision, not just to decisions above a certain threshold.

5. Consumer Protection in the Digital Environment: Specific Risks

The digital-only operating model creates specific consumer protection risks that traditional banks do not face to the same degree. The CBI’s framework addresses these risks directly:

- Digital identity verification: account opening procedures must be sufficiently robust to prevent the opening of fraudulent accounts in a customer’s name; synthetic identity fraud and account takeover at onboarding are particular risks in digital banking environments.
- Transaction security and real-time notification: customers must receive immediate notification of every transaction executed on their account, enabling rapid identification of unauthorized activity.
- Digital account closure and data portability: customers have the right to close their account through digital means and to request their data in a portable format for transfer to another institution, the bank may not

Digital Bank Agent


Overview

The CBI’s digital bank licensing regulations introduce a specific legal category for the digital bank agent, a third party authorized by the digital bank to provide defined financial services on the bank’s behalf. This is a legally distinct arrangement from a mere vendor or technology provider relationship: the agent acts as a regulated extension of the bank’s service delivery capability, primarily for cash-in and cash-out transactions.

This article examines the legal status of the digital bank agent under Iraqi law and the CBI’s framework, the scope of activities that agents are authorized to perform, the liability framework that governs the relationship between the bank and its agents, and the ongoing compliance obligations that apply to agent management.

1. Legal Basis and Definition

The concept of the digital bank agent is established in the digital bank licensing regulations issued by the CBI. The regulations define the digital bank agent (وكيل المصرف الرقمي) as a person authorized by and acting on behalf of the digital bank, designated and approved by the CBI, with their appointment confirmed by the relevant regulatory authority. The CBI’s regulations are explicit that the agent must not be from among the non-banking financial institutions licensed under this framework.

The agent relationship is therefore a licensed, regulated arrangement, not a commercial relationship that can be entered into freely. The digital bank cannot appoint an agent without CBI involvement in the designation and approval process, and the agent must satisfy the CBI’s applicable qualification and compliance requirements.

2. Permitted Scope of Agent Activities

The CBI’s regulations define the scope of agent activities by reference to the primary function that agents serve: enabling customers to conduct cash transactions through the agent’s physical presence. The permitted activities of the digital bank agent are focused principally on:

- Cash-in operations: accepting cash deposits from the digital bank’s customers and crediting those amounts to the customer’s account with the digital bank in real time. The agent does not hold deposits; it acts as a conduit for the customer’s cash to reach the digital bank.
- Cash-out operations: enabling the digital bank’s customers to withdraw cash from their accounts through the agent, in accordance with the controls and limits established by the CBI. The agent disburses cash from its own float, which is reimbursed by the digital bank through the settlement process.

The agent’s permitted activities are limited to what the CBI specifies. The agent is not authorized to make credit decisions, open accounts, conduct AML/CFT assessments on behalf of the bank, or provide financial advice. Any activity outside the defined scope is unauthorized and may expose both the agent and the bank to regulatory sanction.

3. Bank’s Full Legal Responsibility for Agent Conduct

The most significant legal feature of the agent framework, from the perspective of the digital bank and its founders, is the allocation of regulatory liability. The CBI’s regulations state in express terms that the digital bank bears full and unrestricted responsibility and accountability for compliance with the AML/CFT obligations, and further that the digital bank bears full legal responsibility for all actions of its agents in the performance of their authorized activities. This means that:

- If an agent breaches AML/CFT procedures, for example, by accepting a cash deposit without completing the required customer identification, the bank, not the agent, bears the regulatory consequences of that breach. The agent’s conduct is imputed to the bank for regulatory purposes.
- If an agent misappropriates customer funds, the bank is responsible for making the customer whole. The bank’s legal relationship with the agent, including its right of recourse against the agent, is a matter for the commercial agreement between them, but this does not affect the bank’s primary liability to the customer and to the regulator.
- All agents must operate exclusively through the digital systems and applications that are under the bank’s control and that implement the bank’s transaction limits and monitoring rules. Agents may not use independent or unauthorized systems.
- All first-level complaints from customers arising from agent transactions must be handled directly by the digital bank. The bank may not require customers to resolve complaints through the agent; the bank is responsible for the entire customer service chain.

4. Agent Selection and Ongoing Oversight Obligations

The digital bank’s responsibility for agent conduct creates a corresponding obligation to exercise rigorous oversight over agent selection and ongoing performance. The CBI’s regulations require that the bank be responsible for and supervise agents in a manner that ensures they operate in accordance with the bank’s approved procedures and with the CBI’s regulatory requirements. Specifically, the bank must:

- Apply appropriate AML/CFT controls to the agent network, including conducting risk assessments of each agent location, implementing transaction monitoring rules specific to agent channels, and providing AML/CFT training to agent personnel.
- Ensure that agents operate only within the digital systems provided by the bank, which must enforce all applicable transaction limits, customer verification requirements, and reporting obligations.
- Conduct regular performance reviews and compliance assessments of each agent, with documented findings and remediation actions for any identified deficiencies.
- Immediately terminate the appointment of any agent that fails to comply with the bank’s operational standards or that presents unacceptable compliance risk.
- Notify the CBI of any material compliance failure by an agent within the timeframes prescribed by the CBI’s instructions.

5. The Commercial Agreement Framework

While the regulatory framework establishes the legal basis for the agent relationship, the commercial terms of the arrangement between the bank and its agents are governed by a formal agency agreement. This agreement must be consistent with the CBI’s requirements and must, at a minimum, address:

- The specific scope of authorized activities and any applicable transaction limits
- The bank’s right to audit the agent’s compliance with the agreement and with regulatory requirements
- The agent’s obligations in relation to AML/CFT, customer data protection, and record-keeping
- The indemnification arrangements between the bank and the agent in respect of losses arising from agent conduct
- Termination provisions — including the bank’s right to

Digital Bank – Credit Registry Obligations


Overview

Standard B11 of the CBI’s Standards Booklet imposes a mandatory obligation on every digital bank to participate in Iraq’s credit registry system. This obligation has two dimensions: the bank must report its credit exposures to the registry, and it must query the registry before extending credit to customers. Both obligations arise from Assessment Cycle 1 and reflect the CBI’s commitment, grounded in both Iraqi banking legislation and international supervisory principles, to the responsible use of credit information in the lending process.

This article examines the legal scope of the credit registry obligation, the specific requirements imposed by Standard B11 and Iraqi banking legislation, the bank’s data quality obligations, and the interaction of credit registry participation with the bank’s credit risk management framework.

1. Legal Basis

The credit registry obligation arises from two legal sources. First, Iraqi banking legislation imposes obligations on all licensed banks to participate in credit information systems operated or designated by the CBI. Second, the digital bank framework’s Standard B11 reinforces and supplements these obligations with specific requirements calibrated to the digital bank model.

The CBI operates or designates credit information services, including the I-Score credit bureau, through which lenders can access a borrower’s credit history across all regulated institutions. Participation in this system is not optional for licensed banks. The bank’s legal obligation extends both to querying the system before lending and to reporting its own exposures to the system so that other lenders can access accurate information.

2. Pre-Lending Inquiry Obligations

Before extending any credit facility to a customer, the digital bank is legally required to query the credit registry and to obtain a credit report on the prospective borrower. This obligation applies regardless of the size or maturity of the credit product being offered. The legal significance of the pre-lending inquiry obligation is threefold:

- Risk management: the credit report informs the bank’s credit decision and pricing. A borrower with a poor credit history, including defaults, restructured facilities, or multiple simultaneous credit exposures, presents a materially higher credit risk. The bank’s credit policy must specify how credit history information is used in lending decisions.
- Responsible lending: the pre-lending inquiry obligation gives effect to the responsible lending principle embedded in Iraqi banking legislation, which requires banks to assess a borrower’s ability to repay before extending credit. A bank that extends credit without querying the registry cannot demonstrate compliance with this principle.
- Regulatory defence: in the event of a credit loss, a bank that failed to query the registry before extending the relevant facility may face supervisory action for breach of the lending standard. Evidence of registry queries maintained as part of the credit file is a key element of demonstrating compliance.

All pre-lending queries must be documented in the customer’s credit file. The query result (the credit report) must be retained for the duration of the credit facility and for a defined period thereafter in accordance with data retention requirements.

3. Credit Data Reporting Obligations

In addition to querying the registry, every digital bank must report its credit exposures to the registry on the schedule and in the format prescribed by the CBI. The reporting obligation covers:

- New credit facilities: every new credit facility extended by the bank must be reported to the registry within the timeframe prescribed by the CBI’s instructions. Late reporting is a breach of the credit registry obligations.
- Repayment performance: the bank must report on the repayment performance of each borrower, including on-time payments, late payments, defaults, and partial payments. This reporting creates the credit history record that other lenders can access when the borrower seeks credit elsewhere.
- Facility changes: any material change to a credit facility, including restructuring, extension of maturity, change of security, or write-off, must be reported to the registry promptly.
- Closure of facilities: when a credit facility is repaid and closed, the bank must report the closure and the final repayment status to the registry. The registry record must accurately reflect the facility’s full lifecycle.

Data accuracy is a legal obligation, not merely a best practice. The bank is responsible for the accuracy of the data it reports to the registry. Inaccurate reporting, whether through system failures, manual error, or intentional misreporting, is a breach of both the credit registry obligations and the bank’s general obligation to maintain accurate records.

4. Interaction with the Credit Risk Framework

The credit registry obligations are directly embedded in the digital bank’s credit risk management framework. The bank’s credit policy must specify how registry information is used in credit decisions, how registry query results are documented, and how the bank manages any discrepancy between the registry data and information provided by the borrower.

During the pilot phase, where credit products are limited to small-value, short-term facilities subject to CBI case-by-case approval, the credit registry obligation applies in full from the first day the bank offers any credit product. The small value of permitted pilot phase credit facilities does not exempt them from the pre-lending query and reporting requirements.

5. International Standard Alignment

The credit registry obligations reflect the internationally recognized importance of credit information systems in the sound management of bank credit risk. The World Bank’s General Principles for Credit Reporting Systems, which represent the international benchmark for credit bureau governance, require that credit reporting systems operate with comprehensive coverage, accurate data, fair access, and robust data protection. The CBI’s requirements are consistent with these principles.

From a Basel perspective, the effective use of credit information, including external credit assessments from recognized registries, is a recognized component of the Internal Ratings-Based approach to credit risk measurement under the Basel Capital Framework. While Iraq’s digital banks will not initially apply advanced Basel approaches, the use of credit registry data as part of the credit assessment process aligns the bank with international credit risk management principles from day one.

Digital Bank – Deposit Protection


Overview

Deposit protection is both a licensing condition and a structural feature of the digital bank framework in Iraq. Standard B10 of the CBI’s Standards Booklet makes participation in the national deposit protection system a mandatory requirement for every digital bank. This obligation is not aspirational and not phased: full compliance must be demonstrated from Assessment Cycle 1, with the registration process completed before the bank commences pilot operations.

This article examines the legal framework for deposit protection as it applies to digital banks in Iraq, the specific obligations imposed by Standard B10, the structure of the deposit guarantee system, and the critical distinction between the protections available to depositors and the absence of equivalent protection for investors and shareholders.

1. Legal Basis: CBI Standard B10

Under Standard B10, every digital bank is legally required to register with the Iraqi Deposit Guarantee Company and to comply with all applicable requirements of the deposit protection system. This requirement operates alongside and supplements the provisions of Iraqi banking legislation relating to depositor protection.

The standard requires full compliance from Assessment Cycle 1 (H2 2027). In practice, because registration with the deposit guarantee company is itself a process that takes time, and because the bank must be registered before it can lawfully hold deposits from the public, registration must be initiated and completed well before the first assessment cycle, at the point of preliminary approval at the latest.

2. Mandatory Participation Obligations

Participation in the Iraqi deposit guarantee system imposes the following specific legal obligations on every digital bank:

- Registration: the digital bank must complete a formal registration with the Iraqi Deposit Guarantee Company. Registration requires the submission of specified organizational and financial information, including the bank’s ownership structure, paid-up capital, and corporate documents.
- Premium payments: the bank must pay monthly guarantee premiums to the Deposit Guarantee Company. The premium rate is calculated on the basis of the bank’s covered deposit base. These payments are a continuing legal obligation: failure to pay premiums is a breach of the licensing conditions and may result in termination of coverage, which would itself be a ground for license cancellation.
- Depositor records: the digital bank must maintain depositor records in the format specified by the Deposit Guarantee Company, and must submit updated depositor data to the Company at the frequency and in the format prescribed. The accuracy of these records is a legal obligation: inaccurate or incomplete depositor data is a compliance breach.
- Data sharing: the bank must share depositor data with the Deposit Guarantee Company on a regular basis in accordance with the Company’s instructions. This data-sharing obligation interacts with data protection requirements; the bank’s data sharing arrangements must be documented in its privacy policies and customer terms.
- Notification obligations: the bank must notify the Deposit Guarantee Company of any event that may affect the coverage of deposits, including changes in the bank’s financial position, changes in the category of accounts held, or any regulatory action taken against the bank.

3. Scope of Deposit Protection

The deposit guarantee scheme protects retail depositors up to the limits established by the Iraqi Deposit Guarantee Company’s governing rules. The key legal features of the coverage are:

- Coverage limits: deposits are protected up to the guarantee limit per depositor per institution. Depositors with amounts above the limit are unprotected in respect of the excess above the limit. The guarantee limit is set by the Deposit Guarantee Company and may be adjusted by regulatory decision.
- Covered products: the scheme covers standard deposit accounts, current accounts, savings accounts, and term deposits. The coverage of other products, including accounts held in connection with payment services, depends on the specific rules of the scheme and how those products are classified under Iraqi law.
- Exclusions: certain categories of depositors and deposits are excluded from the scheme’s coverage. These typically include deposits held by financial institutions, deposits held by large corporate entities above a certain size threshold, and deposits that are themselves instruments of fraud. The specific exclusion categories are determined by the Deposit Guarantee Company’s rules.
- Timing of payout: in the event of a bank failure, the deposit guarantee fund pays out covered depositors within the timeframe specified in the Company’s rules. The fund’s ability to pay depends on the adequacy of the premiums collected from member banks.

4. Critical Legal Distinction: Depositors vs. Shareholders

The most significant legal feature of the deposit protection system from the perspective of investors and founders is the distinction between depositor protection and shareholder protection. The deposit guarantee system protects depositors. It provides no equivalent protection to shareholders or equity investors. In the event of a digital bank’s license being cancelled and the bank being placed into liquidation, the legal priority of claims is as follows:

Priority | Claimant Category | Protection
First | Secured creditors | Secured claims paid from the assets over which security has been taken
Second | Covered depositors (up to guarantee limit) | Paid from the Deposit Guarantee Fund, protected up to the guarantee limit
Third | Unsecured depositors above guarantee limit | Claim as unsecured creditors in the liquidation, recovery depends on residual asset value
Fourth | Other unsecured creditors | Paid from residual assets after depositors, no guarantee
Fifth (last) | Shareholders and equity investors | Paid only from any remaining residual after all creditors, no guarantee, no protection mechanism

This priority structure means that in a distressed wind-up scenario, which is precisely the scenario in which a digital bank is most likely to be in liquidation, equity investors may recover little or nothing from their investment. The risks of this outcome are magnified where the bank’s failure occurs during the pilot phase, before substantial business has been built and before the bank’s asset base has grown to a level that could support meaningful recovery by shareholders.

5. International Standard Alignment

The CBI’s mandatory deposit protection requirement aligns with the International Association of Deposit Insurers (IADI) Core Principles for Effective Deposit Insurance Systems, which are the internationally recognized benchmark for deposit guarantee

Digital Bank – Payment Systems Integration


Digital Bank – Reporting Transparency, External Audit & Internal Controls

Overview

Two of the most consequential governance obligations imposed on digital banks in Iraq, and among the least understood by founding groups, are the related party transaction regime and the supermajority board approval requirement. These obligations are grounded in Iraqi banking legislation, reinforced by the CBI’s digital bank regulatory framework, and designed to prevent a class of institutional failure that is well documented internationally: the subordination of a bank’s interests to those of its controlling shareholders.

This article examines both obligations in precise legal terms, sets out the CBI’s specific requirements as issued in its regulatory instruments, and explains how these requirements interact with international standards for related party governance in supervised financial institutions.

1. Legal Basis

The digital bank framework expressly grounds its related party and governance requirements in Iraqi banking legislation. Standard D1 of the CBI’s Standards Booklet, which governs related parties and conflicts of interest, applies to all digital banks and must be in full compliance from Assessment Cycle 1. This standard operates in addition to, not instead of, the requirements under Articles 22 and 17 of Iraqi banking legislation, which set out foundational rules on bank ownership and board conduct.

The framework’s instruction is explicit: its requirements supplement existing Iraqi law and do not displace it. A digital bank must therefore comply with both layers: the baseline requirements of Iraqi banking legislation and the additional, more demanding requirements of the CBI’s digital bank framework.

2. Definition of Related Party: CBI’s Comprehensive Scope

The CBI has adopted a deliberately broad definition of related party, one that goes beyond conventional legal ownership concepts. Under the framework, a related party includes any individual or legal entity connected through family, business, or political relationships, defined as follows:

- Family relationships: individuals connected by blood, marriage, or kinship to the fourth degree. The framework enumerates all four degrees explicitly: first degree (parents, children), second degree (siblings, grandparents, grandchildren), third degree (aunts, uncles), and fourth degree (first cousins). This means that shareholding and board membership analysis must extend across the full family network of each founder, director, and senior executive.
- Business relationships: individuals or entities currently in a commercial partnership, holding shares in the same institution, serving together on the same board, or where one party works for a company owned or controlled by the other party. Business connections are assessed on a substantive basis; formal corporate separation does not sever a related party relationship where common control or shared economic interest exists.
- Political relationships: individuals or entities connected by family or business ties to any person carrying political risk, or subject to the influence or control of any party exercising power or influence. This category is particularly significant given the specific political risk considerations applicable in Iraq.

The legal consequence of this definition is material: all shareholding limits, board independence requirements, and transaction approval thresholds must be assessed on a consolidated basis that aggregates the holdings and positions of all related parties, not merely those of the individual or entity acting alone.

3. Related Party Transaction Obligations

The framework requires that all digital banks maintain comprehensive internal policies governing transactions with related parties. These policies must address conflict of interest controls, market abuse and inside information procedures, professional conduct standards, and arrangements for approving and notifying transactions involving the personal accounts of directors and senior management.

3.1 Credit Facilities to Related Parties

Credit extended to related parties is subject to the limits established under Iraqi banking legislation and the CBI’s regulatory framework. The key legal requirements are:

- All credit facilities to related parties must be approved by a supermajority of the board, defined as approval by a proportion of votes equal to or exceeding two-thirds of board members.
- Credit extended to related parties must be reported to the CBI on a quarterly basis. The report must include a full list of all related party exposures, the terms of each facility, and the basis on which the board approved the transaction.
- Related party credit must be extended on market terms; no preferential pricing, security, or covenant arrangements are permitted. Any deviation from arm’s length terms requires enhanced board scrutiny and specific CBI notification.
- The aggregate exposure to all related parties must be maintained within the limits established by Iraqi banking legislation and any supplementary instructions issued by the CBI. Digital banks must monitor these limits continuously and have board-approved procedures for managing proximity to and breaches of such limits.

4. Supermajority Board Approval Requirement

The CBI’s framework introduces a supermajority board approval requirement for a defined category of significant decisions. This requirement means that certain decisions cannot be taken by a simple majority of the board; they require the approval of at least two-thirds of all board members. The CBI defines supermajority approval as a proportion of votes equal to or exceeding two-thirds. The decisions that require supermajority board approval are:

- Removal of a board member
- Appointment or removal of the CEO, CTO, CFO, Chief Risk Officer, Compliance Officer, MLRO, or Head of Internal Audit, subject to CBI approval for all relevant appointments
- Approval of mergers, acquisitions, or significant asset sales exceeding a threshold set by the CBI
- Changes to the bank’s internal regulations or articles of association, and the issuance of new shares
- Capital restructuring, or any action that would dilute existing shareholders
- Approval of any transaction with a related party, in accordance with Standard D1 of the framework

4.1 International Standard Background

The supermajority requirement reflects a well-established international governance principle. The Basel Committee on Banking Supervision’s guidance on corporate governance for banks, and the Financial Stability Board’s principles on risk governance, both emphasize the importance of board-level controls that cannot be circumvented by a controlling shareholder acting through a simple majority of appointed directors. By requiring supermajority approval for related party transactions and key personnel decisions, the CBI has implemented a structural protection aligned with these international standards. For founders and investors, the practical implication

Digital Bank – License Suspension and Revocation


Overview

The checklist is not a substitute for specific legal advice: the requirements are complex, the details matter, and the consequences of non-compliance are severe. It is, however, a framework for ensuring that the principal legal obligations have been identified, assigned, and tracked throughout the establishment process.

Phase 1: Pre-Application (Before 30 June 2026)

Corporate Structure

- Decision on corporate structure confirmed: Iraqi joint stock company to be established or used as the licensing vehicle
- Articles of association and internal regulations drafted to include all mandatory framework provisions (nomination restrictions, pledge prohibitions, tag-along rights, rights of first refusal)
- Shareholder agreement prepared with all mandatory provisions
- Related party mapping exercise completed: all related party relationships identified and holdings confirmed within applicable limits
- QII confirmed in ownership structure with qualifying shareholding of minimum 9.999%; QII eligibility documentation compiled

Capital

- IQD 30 billion initial capital tranche paid and evidence of payment available for submission
- Funding commitments in place for second tranche (IQD 35 billion, due H2 2027) and third tranche (IQD 35 billion, due H2 2028)
- Capital structure confirmed to include at least 50% Tier 1 capital
- 15% non-releasable reserve mechanism understood and reflected in investor documentation

Governance

- Nine proposed board members identified; composition confirms at least six independent directors with at least three nominated by QII(s)
- At least three board members confirmed to have qualifying technical expertise in digital banking
- Board member qualifications and credentials compiled for fit and proper assessment
- Fit and proper assessment commissioned with CBI-approved independent firm
- All five mandatory board committees identified with proposed chairs confirmed as independent directors
- Senior management team identified; all positions filled or in active recruitment
- MLRO candidate identified: confirmed as Iraqi national with required qualifications and certifications
- Senior management qualifications and credentials compiled for fit and proper assessment

Business Plan and Documentation

- Comprehensive business plan completed in Arabic and English covering strategy, products and pricing, target customers, operational model, five-year financial projections, technology plan, risk framework, and compliance programme
- Technology Plan and Architecture document completed with Tier 1 vendor names, software details, and preliminary contracts
- Policy framework completed: information security policy, risk management policy, compliance policy, AML/CFT policy, anti-fraud and anti-corruption policy
- AML/CFT and sanctions programme structure documented
- Physical headquarters within Iraq identified and confirmed to be for administrative use only

Application Preparation

- Application form completed and signed by all founders
- Commitment and declaration document signed by all founders
- Full application package assembled, all required documents compiled and reviewed
- Pre-submission review conducted by legal advisers against all documented requirements
- Application submitted to CBI banking supervision department by 30 June 2026

Phase 2: Preliminary Approval Stage (June–September 2026)

- No use of bank name, brand, or banking activity prior to receipt of preliminary approval
- Response to any CBI requests for additional information prepared and submitted within specified timelines
- Board and management team engaged and briefed on implications of preliminary approval
- Compliance programme for pilot phase designed and implementation commenced
- Vendor selection for core banking system and online banking platform finalized or in advanced negotiation

Phase 3: Pilot Operation – Assessment Cycle 1 (H2 2026 to H2 2027)

Capital

- Second capital tranche (IQD 35 billion) paid by H2 2027 deadline
- Capital adequacy ratio maintained at minimum 12.5%: monthly monitoring and quarterly reporting to CBI
- LCR maintained at minimum 100%: monthly calculation and quarterly reporting
- NSFR maintained at minimum 100%: quarterly calculation and reporting
- CAR independently verified by CBI-approved firm

Technology

- Core banking system deployed and operational
- Online banking platform (web and mobile) deployed and operational for retail customers; web platform operational for corporate customers
- Core banking system independently assessed by CBI-approved technology auditor
- Integration with all mandatory national payment and regulatory platforms completed and tested
- Data classification framework implemented; encryption controls in place for Level 0/1 data
- Data centres confirmed within Iraq meeting Level 3 Uptime Institute specifications
- Cybersecurity framework operational including multilayered defences and Zero Trust model
- Payment systems independently assessed by CBI-approved technology auditor
- ISO 27001 and ISO 22301 implementation programmes underway
- BCP and DRP completed, board-approved, and tested

Governance

- Board fully constituted with all nine members in place; fit and proper assessments completed
- All five mandatory board committees constituted and operational
- All senior management positions filled; fit and proper assessments completed
- MLRO appointed and operational
- Board meeting schedule maintained, minimum six meetings per calendar year with CBI observer invited
- Board meeting audio-visual recordings and minutes provided to CBI

Operations and Compliance

- Pilot phase deposit caps (IQD 30M retail / IQD 50M corporate) actively monitored and enforced
- Credit product approvals obtained from CBI for any credit products being offered
- Card issuance limited to debit and prepaid cards only
- Investment activity restricted to permitted instruments within pilot phase limitations
- Founder and institutional investor share transfer prohibition maintained
- Any public offering limited to final capital tranche only with prior CBI approval
- AML/CFT programme fully operational: customer risk classification, KYC/EDD, transaction monitoring, sanctions screening all active
- MLRO filing STRs/SARs as required
- Deposit protection system registration completed; monthly guarantee premiums being paid
- Credit registry reporting operational
- ATM access arrangements operational: minimum five ATMs accessible to customers
- Customer service centre operational: 24/7 contact centre available
- Related party credit exposures within limits; quarterly reporting to CBI

Phase 4: Pilot Operation – Assessment Cycle 2 (H2 2027 to H2 2028)

- Third capital tranche (IQD 35 billion) paid by H2 2028 deadline; cumulative capital reaches IQD 100 billion
- ISO 27001 certification obtained
- ISO 22301 certification obtained
- Core banking system full compliance certified by CBI-approved technology auditor (including ISO certifications)
- Online banking platform full compliance certified
- Data infrastructure full compliance certified
- Business continuity plan annually tested and results reported to board and CBI
- Second year external audit completed by CBI-approved independent auditor under IFRS standards
- All governance standards in full compliance
- All AML/CFT standards in full compliance; independent assessment completed
- All internal controls assessment completed by CBI-approved firm
- All outstanding compliance requirements addressed and evidence of full compliance prepared for submission to CBI

Phase 5: Full License and Post-License Operations

- Licensing fee of USD 200,000 paid at

Digital Bank – Assessment Cycles


Overview

The path from preliminary approval to a full digital bank license in Iraq is structured around a series of formal assessment cycles conducted by the CBI. Each cycle evaluates the bank’s compliance with a defined subset of the licensing standards, in a progression designed to test compliance incrementally before committing to a full, unrestricted license.

This article examines the legal structure of the assessment cycle framework, the specific standards assessed at each cycle, the evidence and verification requirements, the CBI’s assessment powers, and the legal consequences of failing an assessment cycle or failing to meet the prescribed compliance timelines.

1. Three Assessment Cycles

The framework establishes three formal assessment cycles:

Cycle | Timing | Purpose
Initial Requirements Assessment | Application deadline: 30 June 2026 | Assessment of foundational conditions, first capital tranche, basic governance declarations, technology planning, initial policy framework, QII confirmation
Assessment Cycle 1 | H2 2027 | Assessment of partial compliance with all standards, operational technology systems deployed and tested, full governance constituted, AML programme operational, second capital tranche paid
Assessment Cycle 2 | H2 2028 | Assessment of full compliance with all standards, ISO certifications obtained, all capital paid, full operational compliance across all categories, gateway to full license grant

The framework specifies, for each standard, which assessment cycle requires partial compliance and which requires full compliance. Legal advisers and compliance teams should construct a compliance matrix mapping each standard against the applicable assessment cycle requirement.

2. Standards and Compliance Requirements by Category

2.1 Ownership and Governance Standards

The ownership and governance standards are assessed across all three cycles, with increasing levels of completeness required:

- Ownership structure (A1): Full compliance, including confirmation of the Qualified Institutional Investor, is required from the Initial Assessment
- Owner due diligence (A2): Partial compliance (all requirements except external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new owners join, reassessment is required at Cycle 2
- Board governance (A3): Partial compliance (all governance requirements except committee formation) at Initial Assessment; full compliance at Cycle 1
- Board fit and proper (A4): Partial compliance (board member declarations including names and qualifications, excluding external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new board members are elected, reassessment is required at Cycle 2
- Governance structure (A5): Full compliance required from Cycle 1
- Senior management fit and proper (A6): Partial compliance (management declarations including names and qualifications, excluding external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new senior management is appointed, reassessment is required at Cycle 2

2.2 Business Sustainability Standards

The business sustainability standards (covering technology, infrastructure, and operational requirements) follow a phased compliance schedule:

- Business plan (B1): Full compliance required from the Initial Assessment, including submission of the Technology Plan and Architecture
- Core banking system (B2): Partial compliance at Initial Assessment (detailed technology plan submitted including vendor names, software, preliminary contracts); partial compliance at Cycle 1 (full technical compliance excluding ISO certifications, tested by CBI-approved technology auditor); full compliance at Cycle 2 (including ISO certifications)
- Online banking platform (B3): Same phased schedule as the core banking system standard
- Physical headquarters (B4): Full compliance required from Cycle 1
- ATM coverage (B5): Full compliance required from Cycle 1 (partnership agreements with traditional banks may be used if the bank does not wish to own ATMs directly)
- Customer service (B6): Full compliance required from Cycle 1
- Data infrastructure (B7): Same phased schedule as the core banking system standard
- Payment systems (B8): Full compliance required from Cycle 1
- Business continuity (B9): Same phased schedule as the core banking system standard
- Deposit protection system (B10): Full compliance required at Cycle 1, including completion of registration with the Iraqi deposit guarantee company
- Credit registry (B11): Full compliance required from Cycle 1

2.3 Financial Standards

The financial standards are assessed at each cycle with increasing capital requirements:

- Capital and composition (C1): Partial compliance (IQD 30 billion) at Initial Assessment; partial compliance (IQD 65 billion) at Cycle 1; full compliance (IQD 100 billion) at Cycle 2
- Capital adequacy ratio (C2): Full compliance (12.5% minimum) required from Cycle 1
- Liquidity ratio (C3): Full compliance (LCR and NSFR minimum 100%) required from Cycle 1

2.4 Risk and Regulatory Compliance Standards

The risk and compliance standards require full compliance from Cycle 1:

- Related party and conflicts of interest (D1): Full compliance required from Cycle 1
- AML/CFT and sanctions (D2): Full compliance required from Cycle 1
- Reporting transparency and audit (D3): Full compliance required from Cycle 1
- Internal controls (D4): Full compliance required from Cycle 1

3. Assessment Process: What the CBI Does

Before each assessment cycle, the CBI issues a formal letter specifying the timelines for submission of materials and the organizational details of the cycle. Compliance with these notifications is a legal obligation. During each assessment cycle, the CBI conducts a structured evaluation that may include:

- Documentary review of all submitted materials against the applicable standards
- Verification by independent, CBI-approved firms for standards that require external verification
- On-site inspections and interviews with board members, senior management, and technical staff
- Testing of technology systems and controls
- Review of financial statements, capital calculations, and liquidity positions
- Assessment of AML/CFT programme effectiveness

The CBI has the power to require additional information or documentation at any point during an assessment cycle, and to commission additional independent assessments where it considers these necessary.

4. Path to Full License

The grant of a full digital bank license follows the successful completion of Assessment Cycle 2. The CBI evaluates the bank’s technical, operational, and financial readiness against the full set of required standards before making its licensing decision. A full license is granted only to banks that have demonstrated complete compliance with all required standards, including the mandatory ISO certifications, full capital payment, and operational compliance across all categories.
Banks that have not achieved full compliance by Assessment Cycle 2 will not receive a full license and will remain subject to the pilot phase restrictions. Upon the grant of a full license, the operational restrictions that applied during