Etihad Law

Digital Bank - AML, Sanctions & Compliance

Overview

Anti-money laundering, counter-terrorist financing, and sanctions compliance are among the most consequential legal obligations imposed on any licensed bank. For digital banks in Iraq, these obligations are defined in detail by the regulatory framework, which requires the establishment of a comprehensive AML/CFT and sanctions programme, structured governance oversight, rigorous customer due diligence procedures, systematic transaction monitoring, and specific reporting obligations to Iraqi regulatory authorities.

This article examines the principal AML, sanctions, and compliance legal obligations, the governance and programme structure required, the customer due diligence framework, transaction monitoring requirements, sanctions screening obligations, the specific legal role and obligations of the Money Laundering Reporting Officer, and the legal consequences of programme failures.


1. AML/CFT Programme: A Mandatory Legal Obligation

Every digital bank in Iraq is legally required to establish, maintain, and operate a comprehensive AML/CFT and sanctions programme. This programme must cover three interconnected dimensions:

1.1 Governance and Organisation

The programme must be supported by a formal governance structure including a dedicated AML/CFT oversight committee, chaired or supervised by senior management, with clearly defined escalation, reporting, and decision-making arrangements. The committee must meet at defined intervals, with agendas, minutes, and charters maintained and subject to review.

A Compliance Officer and a Money Laundering Reporting Officer (MLRO) must be appointed, each operating with sufficient independence and authority. Both must report directly to a board-level committee or the committee chair, with a secondary (dotted-line) reporting relationship to the CEO or CFO. The independence of these functions must be genuine: the framework requires structural independence, not merely nominal separation.

The programme must be governed by formal, board-approved policies covering AML/CFT, sanctions, customer due diligence, transaction monitoring, investigation procedures, and training. These policies must be consistent with the requirements issued by Iraqi regulatory authorities and with applicable international standards. They must be updated regularly and embedded in operational manuals and business unit procedures.

1.2 Procedures and Controls

The programme must include risk-based procedures covering customer risk classification, KYC/CDD processes, enhanced due diligence for high-risk customers, transaction monitoring and investigation, sanctions screening, and escalation and reporting protocols. These procedures must be proportionate to the bank’s risk profile, customer base, product offering, and delivery channels.

1.3 Enabling Systems and Data

The programme must be supported by integrated technology systems capable of performing KYC, transaction monitoring, sanctions screening, and regulatory reporting functions. These systems must be integrated with the core banking system and must maintain comprehensive, auditable data records for a minimum of seven years, consistent with the data retention requirements established by Iraqi regulatory authorities.


2. Customer Due Diligence and KYC

The framework requires a risk-based approach to customer due diligence. All customers must be risk-classified at onboarding and throughout the relationship, with the level of due diligence applied calibrated to the assessed risk level.

2.1 Standard Customer Due Diligence

Standard CDD must be applied to all customers and must include identity verification, beneficial ownership determination for legal entities, and the collection of information sufficient to understand the customer’s expected transaction profile and source of funds.

Digital onboarding is permitted and specifically contemplated by the framework. The bank must implement advanced verification technologies including optical character recognition for document data extraction, biometric verification against identity documents, liveness detection to confirm the customer’s physical presence during registration, and anti-fraud safeguards against deepfake technology and synthetic identities.

2.2 Enhanced Due Diligence

Enhanced due diligence must be applied to all customers assessed as presenting elevated risk. The framework specifically identifies the following categories as requiring EDD:

  • Politically Exposed Persons (PEPs) and their family members and close associates
  • High-net-worth customers
  • Customers involved in cross-border transactions
  • Customers with complex ownership structures

EDD measures must include verification of the source of funds, enhanced transaction scrutiny, and periodic reassessment of the customer’s risk profile.

2.3 Customer Risk Classification

The risk classification methodology must incorporate factors including geographic risk, product and service type, transaction behaviour patterns, and shareholder or ownership structure. The methodology must be documented, consistently applied, and subject to regular review and calibration.


3. Transaction Monitoring

Digital banks must deploy specialised electronic transaction monitoring systems designed to detect patterns of suspicious activity. These systems must support dynamic rule configuration, automated alert generation, and investigation workflow management, with regular calibration and quality assurance controls.

All transaction monitoring alerts must be investigated by qualified staff. Investigation records must be maintained with clear audit trails, reflecting the escalation path, the decision reached, and where applicable, the determination of whether the matter is reportable. Investigations must be initiated and concluded within timeframes proportionate to the level of risk identified.


4. Sanctions Screening

Digital banks must implement real-time sanctions screening tools covering customers, counterparties, and transactions. The screening must be conducted against the sanctions lists and requirements established by Iraqi regulatory authorities, and must comply with the timelines prescribed for resolution of potential matches.

Where a potential match is identified, the bank must follow documented escalation procedures consistent with its internal protocol. All screening results, escalation decisions, and resolution outcomes must be recorded and available for regulatory review.


5. The Money Laundering Reporting Officer: Legal Role and Obligations

The MLRO is a position of specific legal significance. The MLRO is the individual within the bank who bears primary legal responsibility for the bank’s AML/CFT reporting obligations to the relevant Iraqi authorities.

5.1 Qualification Requirements

The MLRO must satisfy the following requirements:

  • Must be an Iraqi national; this is an absolute requirement with no exceptions
  • Must be at least 30 years of age
  • Must hold a university degree in law, public administration, financial management, accounting, financial and banking sciences, statistics, bank management, quality management, investment and resources management, or financial and accounting supervision, or a related specialisation
  • Must have at least five years of experience in banking, financial, or regulatory fields
  • Must have completed a minimum of 75 hours of formal training in AML/CFT practices
  • Must be proficient in English
  • Must hold one of the following certifications: the Certified Anti-Money Laundering and Counter-Terrorism Financing Specialist certification, or the Certified International Sanctions and Prohibition Specialist certification

5.2 Reporting Obligations

The MLRO is legally obligated to file Suspicious Transaction Reports (STRs) or Suspicious Activity Reports (SARs) with the relevant Iraqi authority whenever the bank identifies a transaction or activity that may be connected to money laundering, terrorist financing, or sanctions violations. These reports must be filed promptly and must be supported by complete investigation records.

The MLRO must also provide regular reports to senior management and the board covering AML/CFT risk indicators, trends in STR/SAR filings, findings from regulatory examinations, and the status of remediation actions. These reports must be substantive documents containing key risk indicators and analysis, not merely statistical summaries.


6. Internal Audit and Independent Assessment

The bank’s AML/CFT programme must be subject to regular independent assessment by an approved external firm. The assessment must evaluate the presence and effectiveness of all core programme elements: governance and organisation, customer due diligence procedures, transaction monitoring systems, sanctions screening, and data management. Findings must be documented in a detailed report specifying areas of full compliance, partial compliance, and non-compliance, with clear timelines and remediation action plans.

The bank must implement remedial measures identified in assessment reports within the timelines prescribed by the Central Bank of Iraq (CBI). Remediation plans must be shared with the board and the CBI within defined periods following the assessment.


7. Compliance with Related Party and Conflict of Interest Obligations

As a complement to the AML programme, the bank must maintain comprehensive internal policies covering conflicts of interest. These must include market abuse and inside information controls (including information barriers), professional conduct rules, and arrangements for approving and notifying personal account dealings.

The bank must also comply with the related party credit limits and reporting obligations described in Article 2 and Article 3 of this series. All related party credit decisions require supermajority board approval, and all related party exposures must be reported to the CBI on a quarterly basis.