Etihad Law

KYC and Customer Due Diligence in Iraqi Banking

Know Your Customer (KYC) and Customer Due Diligence (CDD) are the foundational elements of any effective AML compliance programme. For Iraqi banks, implementing robust KYC and CDD processes is both a legal requirement under AML Law No. 39 of 2015 and CBI instructions, and a commercial necessity for maintaining the correspondent banking relationships that underpin international operations. This article provides a comprehensive guide to KYC and CDD requirements for Iraqi banks, examining the regulatory framework, key compliance elements, and best practices for building an effective programme.

The Regulatory Framework for KYC in Iraq

KYC requirements in Iraq are primarily governed by: AML Law No. 39 of 2015, which establishes the mandatory CDD obligations for financial institutions, including banks, exchange houses, and insurance companies; CBI AML instructions, which provide detailed operational guidance on how banks must implement their CDD obligations; and FATF Recommendation 10, which sets the international standard for CDD that Iraqi banks are expected to meet as part of Iraq’s FATF commitments. The AMLCFT Office supervises compliance with AML Law No. 39 obligations, while the CBI supervises the implementation of its instructions by licensed banks through on-site and off-site examination.

Customer Identification — The First Step

Customer identification is the process of collecting information about a customer before establishing a business relationship or conducting a transaction. For individual customers, Iraqi banks must collect and verify: full name; date and place of birth; nationality; national identification number or passport number; residential address; and profession or business activity. For corporate customers, banks must collect: legal name and trading name; registered address and principal place of business; date and jurisdiction of incorporation; company registration number; nature of business; names of directors and authorised signatories; and beneficial ownership information. All identification information must be verified against reliable, independent source documents.

Risk-Based Approach to CDD

FATF recommendations and CBI instructions require Iraqi banks to apply a risk-based approach to CDD, calibrating the intensity of due diligence to the money laundering risk posed by the specific customer, product, and transaction. The risk-based approach involves: risk assessment, categorising customers into risk tiers (low, medium, high) based on factors including country of origin, business type, product used, and transaction patterns; simplified due diligence, under which reduced documentation and monitoring requirements may apply for low-risk customers and products; standard due diligence, the baseline level of CDD applied to typical customers; and enhanced due diligence, more intensive due diligence applied to high-risk customers, including PEPs, non-resident customers, high-risk jurisdictions, and complex corporate structures.

Enhanced Due Diligence — High Risk Customers

Enhanced due diligence (EDD) is required for certain categories of higher-risk customers. Under CBI AML instructions and FATF recommendations, EDD must be applied to: politically exposed persons (PEPs), including their family members and close associates; customers from countries with high money laundering risk, as assessed by FATF, the Basel AML Index, or the bank’s own risk assessment; customers with complex beneficial ownership structures, including multiple layers of holding companies or trust arrangements; high-risk business activities, including businesses dealing in cash, precious metals, real estate, or other sectors with elevated money laundering risk; and non-face-to-face customers, including online and remote customers, where identity verification is more challenging.

Ongoing Monitoring — KYC is Not a One-Time Exercise

CDD is not a one-time exercise conducted when the customer relationship is established; it is an ongoing obligation. CBI AML instructions require Iraqi banks to: conduct periodic reviews of existing customer relationships, the frequency depending on the customer’s risk profile; update customer information when material changes occur, such as changes in beneficial ownership, business activities, or risk profile; monitor transactions on an ongoing basis to identify patterns inconsistent with the customer’s known risk profile and business activities; and re-verify customer identification where doubts arise about the accuracy or currency of previously obtained information. Failure to conduct ongoing monitoring means that changes in customer risk profile, including designations under sanctions regimes, may not be detected.

Building a Compliant KYC Programme

An effective KYC programme for an Iraqi bank should include: a comprehensive written KYC policy approved by the board of directors; a risk assessment methodology for customer risk rating; documented procedures for customer identification, verification, and ongoing monitoring; technology systems capable of supporting KYC processes at scale, including automated screening and case management; a team of trained compliance officers responsible for KYC reviews; quality assurance processes to ensure KYC standards are consistently applied; and independent internal and external audit of the KYC programme. The programme must be capable of demonstrating compliance to both the CBI and international correspondent banks.

How Etihad Law Firm Assists

Etihad advises Iraqi banks on KYC programme development and implementation, drafts KYC policies and procedures compliant with AML Law No. 39 and CBI instructions, advises on EDD for specific high-risk customer categories, and represents banks in CBI examinations and AMLCFT Office inquiries related to KYC compliance.