AML & KYC Obligations for Electronic Payment Providers

AML & KYC Obligations for Electronic Payment Providers Electronic Payment Service Providers (EPSPs) handle transactions that can be exposed to money laundering, terrorist financing, fraud, and sanctions risks. For this reason, CBI imposes mandatory Anti-Money Laundering (AML) and Know-Your-Customer (KYC) obligations on EPSPs similar to those applied to banks, with additional expectations for digital onboarding and transaction monitoring. Compliance is essential for maintaining regulatory approval and protecting the digital payment ecosystem. AML/KYC Requirements Customer identification and verification procedures Enhanced Due Diligence (EDD) for high-risk users Continuous monitoring of transactions and behavior Sanctions and PEP list screening Suspicious transaction reporting Record-keeping and audit trails Operational Requirements for Digital KYC Secure digital onboarding channels Document verification tools or manual controls Data retention and privacy protections CBI compliance Maintain written AML/KYC policies and manuals Establish an AML Compliance Officer and team Integrate technology for real-time monitoring Report suspicious activities in prescribed formats Submit periodic AML compliance reports Cooperate with supervisory inspections How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Establish a Bank in Iraq

Establish a Bank in Iraq Establishing a bank in Iraq involves a structured licensing process supervised by the Central Bank of Iraq. Investors must demonstrate financial capacity, provide a viable business model, and establish governance, risk, and compliance frameworks before receiving authorization. Banking establishment may be pursued through incorporation of a new entity or via entry as a foreign branch or subsidiary. The process is multi-stage and requires alignment with regulatory, capital, ownership, and AML standards before commencing operations. Steps in the establishment process: Submission of initial application and feasibility/business plan Review of ownership structure and capital sources Fit & proper assessment of controllers and management Approval of governance and risk management frameworks Issuance of preliminary and final CBI authorizations Registration with relevant Iraqi authorities Documentation required from investors: Corporate registration and identification documents Business plan and financial projections Capital and source-of-funds evidence Shareholder disclosures Proposed Board & senior management profiles Risk, audit, and compliance documentation AML/KYC policies CBI compliance expectations Satisfy minimum capital requirements Meet ownership suitability standards Establish risk, audit, and compliance functions Implement AML/CFT systems Maintain reporting and prudential ratios Appoint approved Board and senior management Obtain full authorization before commercial activity How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Digital Banking Transformation and Regulatory Readiness in Iraq – Copy

Credit Facilities and Collateralization Practices in Iraq Credit facilities are a core component of corporate banking in Iraq, with lending typically supported by collateral to mitigate credit risk. Collateral may include real estate, equipment, receivables, inventory, shares, and personal or corporate guarantees. Key Concepts in Credit Transactions Structuring bilateral and syndicated loans Collateral valuation and security perfection Registration of security interests Enforcement of guarantees and mortgages Priority of security rights Insolvency implications Common Security Instruments Registered mortgages Pledges over movable assets and shares Assignment of receivables Letters of guarantee Personal guarantees How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Cybersecurity & Incident Reporting Requirements

Cybersecurity & Incident Reporting Requirements Cybersecurity is a core regulatory concern for electronic payment operations due to the sensitivity of financial data and the systemic impact of cyber incidents. EPSPs must protect platforms, user data, and transaction networks against breaches, fraud, hacks, and unauthorized access. Regulators also require timely incident reporting to limit supervisory and market risks. Cybersecurity Controls Firewalls and intrusion prevention systems Encryption of sensitive data Access controls and multi-factor authentication Incident Reporting Requirements Timely notification to the CBI for material incidents Documentation of breach details and impact Implementation of corrective actions and mitigation steps CBI compliance Maintain cybersecurity policies and frameworks Conduct periodic risk assessments Monitor systems for anomalies and threats Implement incident reporting and escalation procedures How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Senior Leadership Appointments in Banks

Senior Leadership Appointments in Banks Appointments to senior leadership positions in Iraqi banks require regulatory clearance due to the impact these roles have on governance, risk oversight, and compliance. Positions such as Board Members, CEO, CFO, Chief Risk Officer, and Compliance/AML Officers are subject to CBI review to ensure competence, integrity, and suitability (“fit and proper”) of appointees. The process aims to strengthen governance and reduce financial stability risks. In practice, banks cannot finalize key appointments without CBI approval, making planning and documentation essential for regulatory compliance. Positions typically requiring CBI approval Board of Directors (Executive & Non-Executive) Chief Executive Officer (CEO / GM) Chief Financial Officer (CFO) Head of Internal Audit Head of Risk Management Compliance & AML Officers Senior Management with control functions Documentation typically required: Curriculum Vitae and qualifications Professional certificates (if applicable) No-criminal-record certificates Experience statements Declaration of financial soundness Conflict of interest declarations Identification and corporate approvals CBI compliance expectations Conduct internal fit & proper checks Ensure adequate experience in banking/finance Verify integrity and financial standing Submit documents for regulatory review Notify CBI of changes in leadership roles Maintain governance structures aligned with supervisory expectations How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Outsourcing & Third-Party Service Provider Requirements

Outsource & Third-Party Service Provider Requirements EPSPs frequently rely on third-party providers for technology infrastructure, cloud hosting, cybersecurity tools, POS hardware, payment gateways, and customer support. Outsourcing arrangements introduce risk if not properly managed, which is why the Central Bank of Iraq requires providers to maintain control over outsourced functions and ensure supervisory access. Outsourcing risk management is a core regulatory expectation for electronic payment providers in Iraq. Outsource Categories Technology infrastructure and cloud services Software development and maintenance Card processing and switching systems Call center and customer support functions Operational Requirements Written outsourcing agreements Data confidentiality and privacy protections Termination and exit planning Performance and uptime SLAs Audit and access rights for regulators CBI compliance Notify or seek approval for material outsourcing arrangements Ensure outsourced functions meet CBI technical standards Maintain accountability for compliance and risk Ensure no outsourcing impairs supervision or operations How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Capital and Ownership Requirements for EPSPs in Iraq

Capital and Ownership Requirements for EPSPs in Iraq Electronic Payment Service Providers (EPSPs) must meet capital and ownership requirements imposed by the Central Bank of Iraq to ensure financial strength, transparency, and sustainable operations. These requirements protect the integrity of the payment ecosystem and ensure that only qualified and suitable investors can control regulated entities. Both domestic and foreign applicants must demonstrate financial capacity, proper governance, and lawful sources of funds before obtaining a license. Capital Requirements Minimum paid-up capital thresholds set by the CBI. Capital must be contributed in cash and from legitimate sources. Adequate capital must be maintained throughout operations not only at licensing. Additional capital buffers may be required for expansion of activities. Ownership & Shareholder Requirements Shareholders and ultimate beneficial owners must be disclosed. Controlling shareholders undergo suitability (fit & proper) assessment. Foreign ownership may be permitted subject to regulatory review. Transfers of ownership or changes in control require prior approval. Source of Funds CBI will verify the legitimacy of investor funds. Documentation may include bank statements, financial records, and net worth statements. Corporate shareholders must provide audited financials and legal documentation. CBI compliance Maintain required capital levels on a continuous basis. Notify CBI of changes in ownership or capital structure. Seek approval for restructuring or capital increases. Ensure shareholder financial soundness and transparency. Comply with reporting and inspection requirements. How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Foreign Investor Entry into the Iraqi EPSP Market

Foreign Investor Entry into the Iraqi EPSP Market Iraq’s electronic payment sector has attracted interest from foreign payment companies, fintechs, and technology firms. Foreign investors must navigate licensing, localization, data residency, ownership rules, and compliance requirements to operate legally. The market offers significant growth opportunities but requires structured market entry planning to align with CBI regulations and Iraqi operating conditions. Foreign Investor Considerations Licensing requirements and permitted activities Local incorporation vs. branch vs. joint venture structures Ownership approvals and capital requirements Local data hosting and IT infrastructure expectations Merchant network development Regulatory Compliance Requirements Engage with the CBI for licensing procedures Demonstrate technical adequacy and cybersecurity capacity Establish AML/KYC capabilities suitable for Iraq Maintain local governance and oversight mechanisms CBI compliance Transparency of ownership and control Financial soundness of parent company Source of funds verification Knowledge transfer and local capacity building How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

AML Reporting Requirements for Banks

AML Reporting Requirements for Banks Anti-Money Laundering (AML) reporting is a mandatory compliance function for banks operating in Iraq. The regulatory framework—shaped by the Central Bank of Iraq (CBI) and aligned with FATF international standards—requires banks to monitor, detect, and report suspicious financial activities. The system aims to mitigate risks associated with financial crime, terrorist financing, sanctions breaches, and illicit cross-border movements of funds. In practical terms, AML compliance is not only a regulatory obligation but a condition for maintaining correspondent banking relationships, international credibility, and access to foreign payment channels. Core AML reporting obligations: Suspicious Transaction Reports (STR) High-value cash or threshold transaction reporting Cross-border transfers (when applicable) Customer due diligence (initial & ongoing) Internal controls required within banks: Designated AML Compliance Officer Written AML/CFT policies and procedures Enhanced due diligence for high-risk cases Sanctions, PEP and watchlist screening Automated monitoring systems (if available) Mandatory staff training Audit and record retention requirements CBI compliance expectations Establish risk-based AML frameworks File reports in accordance with deadlines Provide records during regulatory audits Cooperate with supervisory inspections Maintain transaction data for prescribed retention periods Implement minimum technology and screening capabilities How Etihad Can Assist Etihad provides legal and regulatory advisory services to banks, financial institutions, and businesses, supporting compliance with applicable laws, regulations, and regulatory guidance issued by any competent authorities.  

Foreign Banks in Iraq: Branch vs Subsidiary vs Representative Office

Foreign Banks in Iraq: Branch vs Subsidiary vs Representative Office Foreign financial institutions entering Iraq may structure their presence as a branch, subsidiary, or representative office, each with distinct regulatory and commercial implications. Market Entry Models Branch: operational presence allowing regulated banking activities; requires CBI licensing and minimum capital allocation. Subsidiary: locally incorporated company fully subject to Iraqi banking regulations, tax, and corporate governance laws. Representative Office: non-operational structure limited to market research, promotional and liaison functions; does not conduct financial transactions. Strategic Considerations Regulatory supervision & reporting Capital adequacy & prudential requirements Taxation and profit repatriation Local management & staffing obligations Long-term market strategy