Digital Bank - Assessment Cycles

Overview

The path from preliminary approval to a full digital bank license in Iraq is structured around a series of formal assessment cycles conducted by the CBI. Each cycle evaluates the bank’s compliance with a defined subset of the licensing standards, in a progression designed to test compliance incrementally before committing to a full, unrestricted license.

This article examines the legal structure of the assessment cycle framework, the specific standards assessed at each cycle, the evidence and verification requirements, the CBI’s assessment powers, and the legal consequences of failing an assessment cycle or failing to meet the prescribed compliance timelines.

1. Three Assessment Cycles

The framework establishes three formal assessment cycles:

The framework specifies, for each standard, which assessment cycle requires partial compliance and which requires full compliance. Legal advisers and compliance teams should construct a compliance matrix mapping each standard against the applicable assessment cycle requirement.

2. Standards and Compliance Requirements by Category

2.1 Ownership and Governance Standards

The ownership and governance standards are assessed across all three cycles, with increasing levels of completeness required:

• Ownership structure (A1): Full compliance including confirmation of the Qualified Institutional Investor is required from the Initial Assessment
• Owner due diligence (A2): Partial compliance (all requirements except external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new owners join, reassessment is required at Cycle 2
• Board governance (A3): Partial compliance (all governance requirements except committee formation) at Initial Assessment; full compliance at Cycle 1
• Board fit and proper (A4): Partial compliance (board member declarations including names and qualifications, excluding external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new board members are elected, reassessment is required at Cycle 2
• Governance structure (A5): Full compliance required from Cycle 1
• Senior management fit and proper (A6): Partial compliance (management declarations including names and qualifications, excluding external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new senior management is appointed, reassessment required at Cycle 2

2.2 Business Sustainability Standards

The business sustainability standards (covering technology, infrastructure, and operational requirements) follow a phased compliance schedule:

• Business plan (B1): Full compliance required from the Initial Assessment, including submission of the Technology Plan and Architecture
• Core banking system (B2): Partial compliance at Initial Assessment (detailed technology plan submitted including vendor names, software, preliminary contracts); partial compliance at Cycle 1 (full technical compliance excluding ISO certifications, tested by CBI-approved technology auditor); full compliance at Cycle 2 (including ISO certifications)
• Online banking platform (B3): Same phased schedule as the core banking system standard
• Physical headquarters (B4): Full compliance required from Cycle 1
• ATM coverage (B5): Full compliance required from Cycle 1 (partnership agreements with traditional banks may be used if the bank does not wish to own ATMs directly)
• Customer service (B6): Full compliance required from Cycle 1
• Data infrastructure (B7): Same phased schedule as the core banking system standard
• Payment systems (B8): Full compliance required from Cycle 1
• Business continuity (B9): Same phased schedule as the core banking system standard
• Deposit protection system (B10): Full compliance required at Cycle 1, including completion of registration with the Iraqi deposit guarantee company
• Credit registry (B11): Full compliance required from Cycle 1

2.3 Financial Standards

The financial standards are assessed at each cycle with increasing capital requirements:

• Capital and composition (C1): Partial compliance, IQD 30 billion at Initial Assessment; partial compliance, IQD 65 billion at Cycle 1; full compliance, IQD 100 billion at Cycle 2
• Capital adequacy ratio (C2): Full compliance (12.5% minimum) required from Cycle 1
• Liquidity ratio (C3): Full compliance (LCR and NSFR minimum 100%) required from Cycle 1

2.4 Risk and Regulatory Compliance Standards

The risk and compliance standards require full compliance from Cycle 1:

• Related party and conflicts of interest (D1): Full compliance required from Cycle 1
• AML/CFT and sanctions (D2): Full compliance required from Cycle 1
• Reporting transparency and audit (D3): Full compliance required from Cycle 1
• Internal controls (D4): Full compliance required from Cycle 1

3. Assessment Process: What the CBI Does

Before each assessment cycle, the CBI issues a formal letter specifying the timelines for submission of materials and the organizational details of the cycle. Compliance with these notifications is a legal obligation.

During each assessment cycle, the CBI conducts a structured evaluation that may include:

• Documentary review of all submitted materials against the applicable standards
• Verification by independent, CBI-approved firms for standards that require external verification
• On-site inspections and interviews with board members, senior management, and technical staff
• Testing of technology systems and controls
• Review of financial statements, capital calculations, and liquidity positions
• Assessment of AML/CFT programme effectiveness

The CBI has the power to require additional information or documentation at any point during an assessment cycle, and to commission additional independent assessments where it considers these necessary.

4. Path to Full License

The grant of a full digital bank license follows the successful completion of Assessment Cycle 2. The CBI evaluates the bank’s technical, operational, and financial readiness against the full set of required standards before making its licensing decision.

A full license is granted only to banks that have demonstrated complete compliance with all required standards, including the mandatory ISO certifications, full capital payment, and operational compliance across all categories. Banks that have not achieved full compliance by Assessment Cycle 2 will not receive a full license and will remain subject to the pilot phase restrictions.

Upon the grant of a full license, the operational restrictions that applied during the pilot phase deposit caps, credit product restrictions, card issuance limitations, investment constraints, and founder exit prohibitions are lifted. The bank becomes a fully licensed digital bank with the same operational rights as a conventional bank, subject to the ongoing regulatory obligations that apply to all licensed banks in Iraq.

5. Legal Consequence of Non-Compliance with the Assessment Timeline

The framework is unambiguous: failure to comply with the detailed timeline at any point results in cancellation of the license. This is stated as an explicit legal consequence not a discretionary sanction and not a trigger for a warning or remediation process.

The grounds for cancellation include:

• Failure to meet any capital payment tranche by its prescribed deadline
• Failure to satisfy the compliance requirements applicable to any assessment cycle by the prescribed date
• Failure to maintain compliance with any ongoing obligation at any point between assessment cycles
• Any other failure to comply with the prescribed timeline as detailed in the framework’s timeline document

Banks that have their authorization cancelled may not continue to conduct any banking activities from the date of the cancellation decision. The CBI’s powers upon cancellation are examined in Article 11 of this series.