What Is a Digital Bank in Iraq? – Copy

Digital Bank – Capital Requirements

Digital Bank – Eligibility & Ownership

Overview

The ownership and eligibility rules governing Iraq’s digital banks are among the most legally significant aspects of the licensing framework. They determine who may establish a digital bank, what proportion of the institution each investor may own, what categories of investor are subject to enhanced requirements, and what legal consequences flow from non-compliance with ownership obligations. These rules are not merely administrative: they carry direct legal consequences, including the possibility of forced divestiture, restrictions on voting rights, and cancellation of the license itself. Any investor or founding group considering the establishment of a digital bank in Iraq must ensure that its proposed ownership structure is legally compliant before proceeding with any application.

This article sets out the principal ownership and eligibility requirements under Iraq’s digital bank regulatory framework, with particular attention to the Qualified Institutional Investor (QII) requirement, the definition and treatment of related parties, the conditions under which ownership thresholds may be exceeded, and the legal obligations that attach to founders and institutional investors during the pilot operation phase.

1. General Ownership Cap: 9.99% Rule

The foundational ownership rule under Iraq’s digital bank framework is that no individual or company, including through interests held by related parties, may hold a shareholding in a digital bank that exceeds 9.99% of the bank’s total shares.

This cap applies to both direct and indirect holdings. Where a prospective investor holds shares through related parties, those related party holdings are aggregated with the investor’s direct holding for the purpose of calculating compliance with the 9.99% limit. The 9.99% threshold is therefore not assessed on an individual basis; it is assessed on a consolidated basis that encompasses the full network of related party interests. This aggregation rule has significant practical implications for corporate groups, family investors, and any structure involving multiple related entities or individuals.

What Constitutes a Related Party

| Category | Who Is Included |
|---|---|
| Family Relationships | Individuals connected by blood, marriage, or kinship up to the fourth degree, including parents, children, siblings, grandparents, grandchildren, aunts, uncles, cousins, and their spouses |
| Business Relationships | Individuals or entities currently in a commercial partnership, holding shares in the same institution, serving together on the same board of directors, or where one party works for a company owned or controlled by the other |
| Political Relationships | Individuals or entities with family or business relationships with a person carrying political risk, or who are subject to the influence or control of any other party exercising power or influence |

The breadth of this definition means that investors with complex corporate structures, family groups with multiple members involved in the venture, or any party with political exposure must conduct a thorough related party analysis before determining their permissible ownership level.

Legal advisers should note that the related party analysis is not limited to formal legal relationships; it extends to de facto control, influence, and shared economic interests. The substance of the relationship, not merely its legal form, governs the analysis.

2. Exceeding the 9.99% Threshold

The framework provides a mechanism by which the 9.99% cap may be exceeded, subject to specific conditions and prior written approval from the CBI. This is not an automatic right; it is a discretionary approval that the CBI may grant or refuse. Two levels of permitted excess are established:

Up to 20%: General Investor

Any investor other than a Qualified Institutional Investor may apply to the CBI for approval to hold up to 20% of a digital bank’s shares. The investor must submit a written application to the CBI and must satisfy the CBI that the proposed holding is appropriate in the context of the bank’s ownership structure and governance.

A critical condition applies: the total aggregate shareholding of any single investor and their related parties must not exceed 20% at the time of submitting the application for increased ownership. This means that an investor who has already accumulated more than 20% through related party holdings cannot rely on this pathway.

Up to 40%: Qualified Institutional Investor

A Qualified Institutional Investor (QII) may hold up to 40% of a digital bank’s shares. Where multiple QIIs are present in the ownership structure, and one seeks to exceed 20%, that QII’s shareholding must be larger than the shareholding of any other shareholder seeking the same exception.

The 40% ceiling for QIIs is also subject to CBI approval on a case-by-case basis, and the CBI retains an absolute discretion to refuse any application regardless of whether the formal criteria are met.

3. Qualified Institutional Investor Requirement

One of the most distinctive features of Iraq’s digital bank framework is the mandatory requirement for at least one Qualified Institutional Investor in the ownership structure of every digital bank. This is not optional; it is a condition of licensing.

3.1 The Mandatory QII Requirement

Every digital bank in Iraq must have at least one shareholder that qualifies as a QII. That QII must hold no less than 9.999% of the bank’s shares. Failure to maintain a QII with the required minimum shareholding is a breach of the licensing conditions.

3.2 Who Qualifies as a Qualified Institutional Investor

The framework sets out two categories of entity that may qualify as a QII, each subject to specific criteria:

Category A: Financial Institution

A financial institution qualifies as a QII if it satisfies all of the following conditions:

- It is licensed and not subject to any penalties, restrictions, or prohibitions, and is supervised by a financial regulatory authority in a jurisdiction that is not on the FATF grey list or black list
- It has operated as a financial technology company dealing directly with customers for a minimum of three years
- It has achieved annual revenues of not less than IQD 30 billion (or equivalent) in each of the three preceding financial years
- It has a minimum of 100,000 active users or customers

Category B: Investment Fund

An investment fund qualifies as a QII if it satisfies all of the following conditions:

- It manages an investment portfolio of not less
Electronic Fraud and Unauthorized Transactions in Iraqi Digital Banks

Tax Obligations of Digital Banks in Iraq

Tax Planning for an Iraqi Digital Bank: Why It Must Begin Before Incorporation

The tax obligations of a digital bank in Iraq are governed by the general corporate tax regime applicable to Iraqi joint stock companies, with specific considerations that arise from the nature of a digital bank’s revenue streams, its structural dependence on foreign technology vendors, and the typical profile of its investors. These considerations make early tax planning, ideally as part of the pre-incorporation feasibility study, significantly more valuable than tax advice sought after the structure is already locked in.

The effective tax rate for an Iraqi digital bank may differ substantially from the statutory headline rate, depending on which expense categories qualify for deduction, how credit loss provisions are treated for tax purposes, how early-year losses are carried forward, and whether applicable double tax treaties reduce withholding on cross-border payments. None of these determinations can be made without a qualified tax adviser with specific experience in the Iraqi banking sector.

1. Corporate Income Tax: The Primary Tax Obligation

The digital bank’s net profits are subject to corporate income tax at the rates prescribed under Iraqi income tax law for entities operating in the banking sector. The key elements of the corporate income tax position are:

1.1 Taxable Revenue

- Net interest margin: the difference between interest and similar income received on credit facilities extended during the pilot and full license phases, and interest and similar costs paid on deposits and any wholesale funding
- Fee and commission income: service charges, transaction fees, card fees, and other fee-based revenues from banking services
- Investment returns: income from CBI-approved investment instruments permitted during the pilot phase and from broader investment activities after full licensing

1.2 Deductible Expenses

- Employee salaries, benefits, and associated employment costs
- Depreciation and amortization of technology systems, software licenses, and other capital assets; the depreciation schedule applicable to banking technology assets should be confirmed with a tax adviser
- Licensing fees, regulatory fees, and deposit guarantee premiums paid to the Iraqi Deposit Guarantee Company
- AML/CFT compliance costs, including the cost of external assessments, screening systems, and training
- Credit loss provisions recognized under IFRS 9, subject to any tax-specific rules governing the deductibility of provisioning in the Iraqi banking sector
- Professional fees: external audit, legal advisory, and compliance advisory costs

1.3 Loss Carry-Forward: Critical for Early-Stage Planning

In the early phases of the bank’s operations, particularly during the pilot phase, when revenues are limited by deposit caps and credit restrictions while establishment costs are at their peak, the bank is likely to generate tax losses. Under Iraqi tax law, these losses can generally be carried forward to offset taxable income in subsequent profitable years. This loss carry-forward benefit significantly affects the financial modeling of the bank’s early phases and should be explicitly incorporated into the five-year financial projections required as part of the licensing application.

2. Withholding Tax on Payments to Foreign Vendors

A digital bank’s dependence on foreign technology vendors creates a specific and often underestimated tax exposure. Payments made to foreign companies for services rendered in connection with Iraq-sourced income, including software licensing fees, technology royalties, professional service fees, and interest on foreign debt, may be subject to Iraqi withholding tax on remittance outside Iraq. The categories most commonly affected are:

- Core banking system licensing fees paid to international software providers
- Royalties for proprietary technology incorporated in the bank’s platform
- Management fees or technical assistance fees paid to a parent company or affiliated entity
- Professional fees paid to foreign legal advisers, auditors, and consultants for services delivered remotely
- Interest payments on any foreign debt facility used to finance the bank’s capital or operations

The applicable withholding tax rate on each payment category depends on: the nature of the payment (royalty, interest, and service fee may each be treated differently), the country of residence of the recipient, and whether Iraq has a double tax treaty with that country that provides for a reduced rate or exemption. Failure to apply withholding tax where it is required creates a tax liability for the bank, not the foreign vendor, and may also trigger interest and penalties for late payment.

3. Foreign Investor Tax Considerations

A foreign investor in an Iraqi digital bank faces a potential two-layer tax structure: corporate income tax in Iraq on the bank’s profits at the entity level, and tax in the investor’s home jurisdiction on distributions received and capital gains realized on eventual disposal of the shares. Effective tax planning for foreign investors involves analyzing four elements:

- Double tax treaty availability: whether Iraq has entered into a tax treaty with the investor’s home country, and what relief the treaty provides for dividends paid by Iraqi companies and capital gains realized on disposals of Iraqi company shares
- Foreign tax credit mechanism: whether the investor’s home jurisdiction allows Iraqi corporate taxes and withholding taxes to be credited against the home jurisdiction tax liability, reducing the double-taxation effect
- Dividend distribution timing: the optimal timing of dividend distributions from a tax efficiency perspective; for investors in countries with dividend participation exemptions, the holding period requirements and ownership thresholds required to access the exemption may influence the timing of distributions
- Investment structure: whether to invest directly as an individual or entity, or through an intermediate holding company jurisdiction that has favorable treaty arrangements with Iraq; the choice of structure can have a material impact on the effective tax rate on returns

4. Ongoing Tax Compliance Obligations

In addition to the structural and planning considerations above, the digital bank has the following ongoing compliance obligations:

- Tax registration with the Iraqi tax authorities before commencing any revenue-generating operations
- Annual corporate income tax return filed within the deadlines prescribed under Iraqi tax law, supported by the bank’s audited financial statements
- Quarterly advance tax payments based on estimated annual liability; failure to make timely advance payments may attract interest charges
- Withholding tax filing and payment on a monthly or quarterly basis for all payments to foreign vendors
Electronic Contracting and Digital Evidence for Digital Banks in Iraq

Electronic Contracting: The Legal Foundation That Every Digital Bank Builds On

Every single customer relationship in a digital bank is created through electronic contracting. Account opening happens via a mobile application or website. Credit agreements are concluded by tapping an accept button. Card terms are accepted through a digital confirmation. Payment mandates are authorized by biometric authentication. There is no paper, no wet ink signature, no branch counter. This operating reality raises a set of legal questions that traditional banks simply do not face: when are these electronic contracts legally binding? How can they be proved in a dispute? How long must the records be kept?

The answers matter enormously. A digital bank that cannot prove the existence and terms of its customer contracts in regulatory examinations, customer disputes, AML investigations, or litigation is in a fundamentally weak legal position, regardless of how commercially successful its operations may be.

1. When Is an Electronic Contract Legally Binding?

Under the general principles of Iraqi contract law, a contract is formed by the meeting of offer and acceptance with the requisite legal capacity, lawful subject matter, and consideration. The medium through which offer and acceptance are communicated does not affect the validity of the contract unless the law specifically requires a particular form (such as a notarized document for certain property transactions). Electronic contracts are therefore legally binding under Iraqi law when four conditions are satisfied:

- Express manifestation of consent: the customer must have actively and demonstrably agreed to the material terms; a passive scroll-through of terms and conditions, or a pre-ticked checkbox that the customer must un-tick to opt out, does not constitute legally robust consent. Best practice, and the approach most defensible in litigation, is to present material terms prominently, require the customer to scroll through them before a confirmation button becomes active, and capture the confirmation as a timestamped event in the system’s audit log
- Verified identity: the customer’s identity must have been authenticated by a reliable method before the contract is concluded. The CBI’s mandatory biometric verification and liveness detection requirements for digital onboarding create a strong evidentiary foundation for identity at the point of account opening. For subsequent transactions, the strength of the authentication method used determines the evidentiary weight of the bank’s records
- Legal capacity: the bank must have verified that the customer is of legal age and has full legal capacity to enter into the contract. Age verification is an integral element of the digital KYC process
- Accurate timestamp: the date and time of contract conclusion must be recorded accurately through a trusted timestamp mechanism. This matters because the terms applicable to any given customer are those in force at the time of contract conclusion, and the bank must be able to prove which version of its terms was in force at any given date

2. Electronic Signatures: Three Levels of Legal Strength

Not all electronic signatures carry the same evidentiary weight. The following hierarchy applies in practice:

- Basic electronic signature: any electronic indication of a person’s intent to be bound, including a typed name, a clicked checkbox, or a digital confirmation button. Legally effective but carries limited evidentiary weight in a contested dispute, as it is difficult to prove that the specific individual signed rather than another person with access to their device
- Advanced electronic signature: based on asymmetric cryptography with a digital certificate issued by a recognized certification authority; creates a strong technical link between the signature and the signatory’s identity. Carries substantially stronger evidentiary weight and is appropriate for high-value or legally sensitive transactions
- Biometric authentication: fingerprint, facial recognition, or voice biometrics linked to a verified identity document; provides the strongest practical combination of identification and consent evidence for mass-market digital banking at scale. The combination of biometric authentication at onboarding and at transaction authorization creates a robust evidentiary chain for the full lifecycle of the customer relationship

3. Audit Trails as Legal Evidence

Every transaction executed through a digital bank’s systems generates an audit trail: the identity of the person who initiated the transaction, the device and IP address used, the precise timestamp, the transaction parameters, any modifications made and by whom, and the system state at the time of execution. These audit trails are among the most valuable pieces of legal evidence available to a digital bank in any dispute, investigation, or proceeding.

Their legal value is, however, entirely dependent on the technical integrity of the recording system. An audit trail that is technically capable of being modified after the fact has significantly diminished evidentiary value. A well-designed audit logging system must be:

- Tamper-evident: any modification to a log entry must be detectable and must itself be logged
- Immutable for the retention period: log entries must not be deletable or overwritable during the mandatory retention period
- Retrievable on demand: logs must be rapidly retrievable in a readable format for regulatory examinations, legal proceedings, or customer dispute resolution
- Comprehensive: the audit trail must capture all system events relevant to customer accounts and transactions, not only successful transactions but also failed authentication attempts, blocked transactions, and system errors

4. Mandatory Record Retention Periods

| Record Category | Minimum Retention Period | Legal Basis |
|---|---|---|
| Financial transaction records | 7 years | AML/CFT regulatory requirement |
| Customer identification and account opening records | 5 years after end of customer relationship | Banking supervision requirement |
| Credit decision records with supporting rationale | 5 years after facility repayment | Credit risk and consumer protection |
| Complaint records and customer correspondence | 5 years | Consumer protection and dispute resolution |
| Audit trails for all system events | 5 years, retrievable in real time | Regulatory and forensic requirements |
| Version-controlled terms and conditions | Indefinitely, each version with effective date | Contract formation evidence |
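
The tamper-evidence requirement in "Audit Trails as Legal Evidence" and the timestamped, version-specific consent record described under contract formation can be sketched as an HMAC-chained append-only log, in which every entry commits to the one before it. This is an added example, not code from the article or from any CBI standard; the event names, field names, demo key, and sample entries are constructed, and timestamps are assumed to come from a trusted time source.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
DEMO_KEY = b"constructed-demo-key"  # assumption: real keys live in an HSM/KMS, not in code


def terms_digest(terms_text):
    """SHA-256 of the exact terms text shown, tying a consent event to one version."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()


def _entry_mac(key, body):
    # Canonical JSON (sorted keys, fixed separators) keeps the MAC reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log: each entry's MAC covers its content and the previous MAC."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, ts, event, actor, details):
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "event": event,
            "actor": actor,
            "details": details,
            "prev": self.head(),
        }
        entry = dict(body, mac=_entry_mac(self._key, body))
        self.entries.append(entry)
        return entry

    def head(self):
        """Latest MAC; anchoring it outside the log store exposes truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify(entries, key, expected_head=None):
    """Return (ok, index_of_first_bad_entry_or_None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i:
            return False, i, "sequence gap"      # entry removed or reordered
        if body.get("prev") != prev:
            return False, i, "broken link"       # chain no longer connects
        if not hmac.compare_digest(entry.get("mac", ""), _entry_mac(key, body)):
            return False, i, "content modified"  # field edited after the fact
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries), "head mismatch"  # newest entries dropped
    return True, None, "ok"


def build_sample_log(key=DEMO_KEY):
    """Constructed sample events: failed login, consent, blocked and executed payments."""
    terms_v3 = "Constructed sample text: Account Terms v3, effective 2026-01-01."
    log = AuditLog(key)
    log.append("2026-04-17T09:00:01Z", "auth.failed", "cust-1001",
               {"method": "biometric", "device": "dev-A", "ip": "192.0.2.10"})
    log.append("2026-04-17T09:00:40Z", "consent.accepted", "cust-1001",
               {"terms_version": "v3", "terms_sha256": terms_digest(terms_v3),
                "scrolled_to_end": True})
    log.append("2026-04-17T09:05:12Z", "txn.blocked", "cust-1001",
               {"amount_iqd": 9000000, "reason": "limit exceeded"})
    log.append("2026-04-17T09:06:03Z", "txn.executed", "cust-1001",
               {"amount_iqd": 250000, "payee": "constructed-payee"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchored_head = log.head()  # stored separately from the log itself
    print(verify(log.entries, DEMO_KEY, anchored_head))

    log.entries[3]["details"]["amount_iqd"] = 25000  # after-the-fact edit
    print(verify(log.entries, DEMO_KEY, anchored_head))
```

Without an externally anchored head value, dropping the newest entries still verifies, so the head should be kept outside the log store. The chain makes modification detectable; immutability for the retention period still has to come from the storage layer.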
Outsourcing and Technology Providers for Digital Banks in Iraq

Outsourcing in a Digital Bank: The Liability That Stays With the Bank

A digital bank is structurally dependent on external vendors in a way that no traditional bank is. Its core banking system is operated by a software vendor. Its online platform may be built by a third-party development firm. Its cybersecurity defences are managed by a specialized security provider. Its KYC and identity verification capabilities are supplied by a fintech data company. This dependency is inherent to the digital bank model, and it creates a legal liability structure that founders and boards consistently underestimate.

The governing principle is straightforward and non-negotiable: the bank remains fully responsible to the CBI and to its customers for the performance of every function it has outsourced, regardless of what any commercial vendor contract says. A service level agreement, however comprehensive, does not transfer regulatory liability from the bank to the vendor. If a vendor failure causes the bank to breach a licensing condition, the bank, not the vendor, faces the regulatory consequences.

1. CBI’s Regulatory Framework for Outsourcing

The CBI’s framework imposes the following specific requirements on outsourcing by digital banks:

- The bank must retain full control over decision-making in all core functions, even where operational execution has been delegated to an external provider
- Functions that directly affect the CBI’s ability to supervise the bank may not be outsourced in a manner that impedes the CBI’s access to information or its ability to conduct examinations
- The CBI has the right to conduct on-site inspections of vendor facilities and to request access to vendor records where this is necessary for its supervisory functions; vendor contracts must include provisions explicitly recognizing this right
- All vendor service level agreements must satisfy the technical and operational standards prescribed by the CBI; a vendor arrangement that produces availability or security levels below the CBI’s minimum standards places the bank in breach of its licensing conditions

2. Vendor Risk Classification

| Vendor Category | Examples | Required Oversight Level |
|---|---|---|
| Critical vendors | Core banking system provider, online banking platform provider | Detailed SLA with financial penalties, CBI audit right, BCP integration, executable transition plan, 24-hour breach notification |
| Security vendors | Cybersecurity providers, SIEM operators, AML monitoring systems | Strict data processing agreement, immediate breach notification, security certifications required |
| Supporting vendors | Digital KYC providers, identity verification services | Periodic compliance review, AML compliance confirmation, data security standards verification |
| General vendors | Telecommunications providers, office software | Standard commercial terms, data processing agreement if customer data is accessed |

3. Mandatory Contractual Provisions for Critical Vendors

3.1 Service Level Agreements

Every SLA with a critical vendor must specify:

- system availability guarantees consistent with CBI minimum requirements (99.5% for core banking systems, 98% for online platforms),
- incident severity classifications with defined maximum response and resolution times for each severity level,
- scheduled maintenance windows agreed in advance and notified to the bank with sufficient lead time,
- financial penalties that are meaningful and proportionate for availability or performance breaches, and
- mechanisms for the bank to escalate unresolved incidents to senior management at the vendor.

3.2 Audit and Inspection Rights

Every critical vendor contract must include explicit provisions recognizing: the bank’s right to conduct or commission audits of the vendor’s facilities, systems, and records relevant to the services provided; the CBI’s right, by extension of its supervisory authority over the bank, to conduct inspections of vendor facilities; and the vendor’s obligation to cooperate fully with any such audit or inspection. A vendor that refuses to grant audit rights to the bank is not an appropriate vendor for a critical function in a regulated environment.

3.3 Data Protection and Security

For any vendor that processes customer personal data, a Data Processing Agreement (DPA) is mandatory. The DPA must specify:

- the precise categories of data processed,
- the permitted purposes of processing,
- the technical and organizational security measures in place,
- the vendor’s obligation to notify the bank within 24 hours of discovering any security incident affecting bank data,
- the prohibition on sharing bank data with any other party without the bank’s prior written consent, and
- the obligations for data return or deletion upon termination of the arrangement.

3.4 Business Continuity and Transition

Critical vendor contracts must include: a business continuity and disaster recovery plan specific to the services provided, which is consistent with and integrated into the bank’s own BCP/DRP; a transition plan specifying how services will be migrated to an alternative provider or brought in-house upon termination; and a minimum transition period of not less than six months on termination for non-cause, giving the bank adequate time to migrate without service disruption.

4. Concentration Risk: The Single-Vendor Problem

Complete reliance on a single vendor for any critical function creates concentration risk. Where the bank has only one vendor capable of providing a critical system or service, a failure by that vendor, whether technical, commercial, or financial, can cause a service disruption with no available alternative. The bank must:

- Maintain a documented assessment of concentration risk across its vendor portfolio
- Develop and maintain a practical exit strategy for every critical vendor: a plan that can realistically be executed within the transition period specified in the contract without material service disruption
- Report material concentration risks to the board of directors as part of the bank’s regular risk reporting cycle
- Consider diversification strategies for the highest-criticality functions where a single-vendor failure would cause the bank to breach its licensing conditions
Data Privacy and Banking Secrecy for Digital Banks in Iraq

Data Privacy and Banking Secrecy for Digital Banks in Iraq Data Privacy and Banking Secrecy: The Two Overlapping Legal Frameworks Every Digital Bank Must Navigate A digital bank generates more personal data per customer per day than almost any other type of financial institution. Every login, every transaction, every failed authentication attempt, every navigation path through the mobile application creates a data record. Managing this data legally and using it responsibly requires simultaneous compliance with two distinct but overlapping legal frameworks: the established principle of banking secrecy grounded in Iraqi banking legislation, and the data protection principles that govern how personal information may be collected, stored, processed, used, and protected. These two frameworks are complementary but not identical. Banking secrecy governs what information may be disclosed to third parties. Data protection principles govern how information may be used internally and externally across its full lifecycle. A bank that satisfies one without the other remains legally exposed. 1. Banking Secrecy: The Foundational Legal Obligation Banking secrecy is one of the most established principles in Iraqi banking law. It prohibits the digital bank from disclosing any information relating to its customers, their identity, their account details, their transaction history, their financial position, or any other information obtained in the course of the banking relationship to any third party, without the customer’s express written consent. 
Four specific exceptions to this prohibition are recognized under Iraqi law: A court order issued by a competent Iraqi court in the context of criminal or civil judicial proceedings that specifically identifies the information required A supervisory request from the Central Bank of Iraq in the exercise of its statutory oversight powers including requests made in the course of a regulatory examination or investigation A request from the competent anti-money laundering authority in the context of a formal AML/CFT investigation including requests related to suspicious transaction reports already filed by the bank Disclosure for the purpose of authorized external audit by the bank’s CBI-approved external auditor, limited to the information necessary for the audit Any disclosure outside these four exceptions regardless of the requestor’s identity or the apparent legitimacy of the purpose constitutes a serious violation of banking secrecy. This violation creates both civil liability to the affected customer for any harm caused by the disclosure, and regulatory liability to the CBI. 2. Six Principles of Lawful Data Processing Alongside banking secrecy, the digital bank must comply with the following data protection principles in all its processing of personal data. 
These principles govern how data is used, not just whether it can be disclosed:

- Lawfulness and transparency: personal data may be processed only when there is a legitimate legal basis for doing so, the principal bases being the customer’s explicit consent, performance of the contract between the bank and the customer, compliance with a legal obligation, or a legitimate interest of the bank that is proportionate to the privacy intrusion and does not override the customer’s fundamental interests
- Purpose limitation: data collected for specified, explicit, and declared purposes may not subsequently be used for undisclosed secondary purposes; using account transaction data to train a credit scoring model that was not disclosed to the customer at the time of data collection, for example, requires a fresh legal basis
- Data minimisation: the bank may collect only the minimum personal data necessary for the stated purpose; collecting extensive lifestyle, behavioral, or social data beyond what is required for banking operations requires specific justification
- Accuracy: personal data must be kept accurate and up to date, and inaccuracies must be corrected without undue delay; a bank that maintains demonstrably incorrect customer data and allows decisions to be made on that basis incurs liability for any resulting harm
- Storage limitation: personal data must not be retained for longer than is necessary for the purpose for which it was collected, or for longer than required by applicable law; indefinite retention of inactive customer data without a legal basis is a data protection violation
- Integrity and confidentiality: appropriate technical and organizational measures must be implemented to protect personal data against unauthorized access, accidental loss, destruction, or damage; the standard of protection required is proportionate to the sensitivity of the data and the potential harm from its compromise

3. Customer Rights Over Their Personal Data

Every customer has the following rights with respect to their personal data held by the bank, and the bank must have operational mechanisms to respond to the exercise of these rights within a reasonable timeframe:

- The right of access: to obtain confirmation that the bank processes their personal data and to receive a copy of that data in a comprehensible format
- The right of rectification: to request correction of inaccurate personal data without undue delay
- The right to object: to object to the processing of their personal data in certain circumstances, including processing for direct marketing purposes, where the objection is absolute
- The right to restriction: to request that the bank restricts its processing of their data in defined circumstances, for example, while the accuracy of the data is being contested
- The right to data portability: to receive their personal data in a structured, machine-readable format for the purpose of transferring it to another institution; this right is particularly significant in the banking context and directly supports competition

4. Data Classification and Iraq-Based Data Sovereignty

The CBI’s Standards Booklet (Standard B7) imposes a mandatory tiered data classification system that overlays the general data protection principles with sector-specific technical requirements. Customer identity data, authentication credentials, account identifiers, and transaction data are classified at the highest sensitivity level and require mandatory encryption both at rest and in transit, with multi-layer access controls restricting access to authorized personnel only.

The data sovereignty requirement is absolute: all data centres and servers used by the digital bank must be located within Iraq. Cloud hosting of core banking data outside Iraq is not permitted. This requirement directly limits the bank’s vendor choices and must be a primary criterion in any technology procurement decision.
Digital Banking Consumer Protection in Iraq

Consumer Protection for Iraqi Digital Banks: A Legal Obligation, Not a Marketing Choice

When a digital bank has no branches, no tellers, and no physical touchpoints, the legal framework for consumer protection becomes the primary mechanism through which customers are safeguarded. Every interaction is digital, every contract is electronic, and every service failure happens remotely. This reality makes consumer protection obligations more, not less, consequential for a digital bank than for its traditional counterpart.

The Central Bank of Iraq’s digital bank framework grounds consumer protection in three legal sources: Iraqi banking legislation requiring honest, transparent, and fair dealings with customers; the CBI’s Standards Booklet, specifically Standard B6 on customer service, which establishes minimum mandatory service levels; and internationally recognized principles for financial consumer protection developed by bodies including the G20 and the World Bank.

1. Mandatory Pre-Contract Disclosure: What Must Be Disclosed and When

Every digital bank in Iraq is legally required to make complete and clear disclosures to customers before any contract is entered into or any service is activated. This disclosure obligation is not satisfied by burying information in lengthy terms and conditions; it requires active, prominent, and intelligible communication of material information.
The following must be disclosed before any contract:

- All fees and commissions applicable to the product or service, including interest rates on deposits and credit facilities, card issuance and renewal fees, transaction charges, currency conversion fees, and any administrative or maintenance charges
- Full terms and conditions in Arabic, drafted in clear and accessible language for non-specialists, with material terms and risks, including cancellation conditions and default consequences, prominently highlighted rather than embedded in standard text
- The customer’s rights and obligations, including cancellation rights within any applicable cooling-off period, complaint rights and the mechanism for exercising them, and the right to access their personal data and account statements
- The dispute resolution mechanisms available to the customer, including the bank’s internal complaints procedure and the customer’s right to escalate to the CBI Banking Supervision Department
- The scope of deposit guarantee coverage applicable to the customer’s accounts: specifically, which accounts are covered, up to what limit, and what is excluded

2. Prohibited Commercial Practices

The combination of Iraqi banking legislation and the CBI’s consumer protection standards prohibits a digital bank from engaging in the following practices in its dealings with customers:

- Misleading marketing and advertising: any promotional content, whether on the bank’s digital platform, mobile application, social media, or any other channel, that contains false or misleading information, conceals material fees or charges, makes promises that cannot be delivered, or creates a false impression of the bank’s products or services constitutes a legal violation
- Tied selling: requiring a customer to subscribe to an additional product or service as a condition for accessing the core service they have requested, for example, requiring the purchase of insurance as a condition for a credit facility
- Unjustified discrimination: refusing service, imposing harsher terms, or providing inferior service to customer categories without a legitimate and objectively justifiable basis
- Exploiting customer financial vulnerability: targeting financially stressed customers with unsuitable high-cost credit products, or marketing products that are clearly inappropriate for the customer’s financial situation and capacity

3. CBI Standard B6: The 24/7 Contact Centre Requirement

Standard B6 of the CBI’s Standards Booklet requires every digital bank to provide the minimum customer support coverage specified by the CBI. Full compliance with this standard is required from Assessment Cycle 1, meaning the support infrastructure must be fully operational before the bank’s first assessment in H2 2027.
The minimum requirement under Standard B6 includes:

- A telephone contact centre available 24 hours a day, 7 days a week; digital-only support channels, including in-app chat, email, and automated responses, do not satisfy this requirement
- Immediate emergency response capability for critical situations, including suspected fraud on a customer’s account, card blocking, account freezing, and system outages affecting customer access
- A complaint tracking system that notifies customers of the status of their complaint at each processing stage
- Support available in Arabic

A digital bank that launches pilot operations without a fully functional 24/7 telephone contact centre is in breach of Standard B6 from its first day of customer-facing operations. This is not a transitional requirement; it is a day-one obligation.

4. Responsible Lending: The Legal Obligation Before Every Credit Decision

The principle of responsible lending, embedded in Iraqi banking legislation and reinforced by the CBI’s framework, requires the digital bank to assess a customer’s ability to repay before extending any credit facility. This assessment must be based on objective data: income information provided by the customer and verified where practicable, existing financial obligations and debt service commitments, and the customer’s credit history as retrieved from the Iraqi credit registry.

A credit facility extended without this assessment creates two categories of legal exposure for the bank: regulatory liability to the CBI for breach of the responsible lending standard, and civil liability to the customer if the facility causes financial harm that the assessment would have identified and prevented. In the digital banking context, where credit decisions may be made algorithmically at scale, the responsible lending obligation applies to every individual credit decision, not just to decisions above a certain threshold.

5. Consumer Protection in the Digital Environment: Specific Risks

The digital-only operating model creates specific consumer protection risks that traditional banks do not face to the same degree. The CBI’s framework addresses these risks directly:

- Digital identity verification: account opening procedures must be sufficiently robust to prevent the opening of fraudulent accounts in a customer’s name; synthetic identity fraud and account takeover at onboarding are particular risks in digital banking environments
- Transaction security and real-time notification: customers must receive immediate notification of every transaction executed on their account, enabling rapid identification of unauthorized activity
- Digital account closure and data portability: customers have the right to close their account through digital means and to request their data in a portable format for transfer to another institution; the bank may not
Digital Bank Agent

Overview

The CBI’s digital bank licensing regulations introduce a specific legal category for the digital bank agent, a third party authorized by the digital bank to provide defined financial services on the bank’s behalf. This is a legally distinct arrangement from a mere vendor or technology provider relationship: the agent acts as a regulated extension of the bank’s service delivery capability, primarily for cash-in and cash-out transactions.

This article examines the legal status of the digital bank agent under Iraqi law and the CBI’s framework, the scope of activities that agents are authorized to perform, the liability framework that governs the relationship between the bank and its agents, and the ongoing compliance obligations that apply to agent management.

1. Legal Basis and Definition

The concept of the digital bank agent is established in the digital bank licensing regulations issued by the CBI. The regulations define the digital bank agent (وكيل المصرف الرقمي) as a person authorized by and acting on behalf of the digital bank, designated and approved by the CBI, with their appointment confirmed by the relevant regulatory authority. The CBI’s regulations are explicit that the agent must not be from among the non-banking financial institutions licensed under this framework.

The agent relationship is therefore a licensed, regulated arrangement, not a commercial relationship that can be entered into freely. The digital bank cannot appoint an agent without CBI involvement in the designation and approval process, and the agent must satisfy the CBI’s applicable qualification and compliance requirements.

2. Permitted Scope of Agent Activities

The CBI’s regulations define the scope of agent activities by reference to the primary function that agents serve: enabling customers to conduct cash transactions through the agent’s physical presence.
The permitted activities of the digital bank agent are focused principally on:

- Cash-in operations: accepting cash deposits from the digital bank’s customers and crediting those amounts to the customer’s account with the digital bank in real time. The agent does not hold deposits; it acts as a conduit for the customer’s cash to reach the digital bank.
- Cash-out operations: enabling the digital bank’s customers to withdraw cash from their accounts through the agent, in accordance with the controls and limits established by the CBI. The agent disburses cash from its own float, which is reimbursed by the digital bank through the settlement process.

The agent’s permitted activities are limited to what the CBI specifies. The agent is not authorized to make credit decisions, open accounts, conduct AML/CFT assessments on behalf of the bank, or provide financial advice. Any activity outside the defined scope is unauthorized and may expose both the agent and the bank to regulatory sanction.

3. Bank’s Full Legal Responsibility for Agent Conduct

The most significant legal feature of the agent framework from the perspective of the digital bank and its founders is the allocation of regulatory liability. The CBI’s regulations state in express terms that the digital bank bears full and unrestricted responsibility and accountability for compliance with the AML/CFT obligations, and further that the digital bank bears full legal responsibility for all actions of its agents in the performance of their authorized activities.

This means that:

- If an agent breaches AML/CFT procedures, for example by accepting a cash deposit without completing the required customer identification, the bank, not the agent, bears the regulatory consequences of that breach. The agent’s conduct is imputed to the bank for regulatory purposes.
- If an agent misappropriates customer funds, the bank is responsible for making the customer whole. The bank’s legal relationship with the agent, including its right of recourse against the agent, is a matter for the commercial agreement between them, but this does not affect the bank’s primary liability to the customer and to the regulator.
- All agents must operate exclusively through the digital systems and applications that are under the bank’s control and that implement the bank’s transaction limits and monitoring rules. Agents may not use independent or unauthorized systems.
- All first-level complaints from customers arising from agent transactions must be handled directly by the digital bank. The bank may not require customers to resolve complaints through the agent; the bank is responsible for the entire customer service chain.

4. Agent Selection and Ongoing Oversight Obligations

The digital bank’s responsibility for agent conduct creates a corresponding obligation to exercise rigorous oversight over agent selection and ongoing performance. The CBI’s regulations require that the bank be responsible for and supervise agents in a manner that ensures they operate in accordance with the bank’s approved procedures and with the CBI’s regulatory requirements.

Specifically, the bank must:

- Apply appropriate AML/CFT controls to the agent network, including conducting risk assessments of each agent location, implementing transaction monitoring rules specific to agent channels, and providing AML/CFT training to agent personnel.
- Ensure that agents operate only within the digital systems provided by the bank, which must enforce all applicable transaction limits, customer verification requirements, and reporting obligations.
- Conduct regular performance reviews and compliance assessments of each agent, with documented findings and remediation actions for any identified deficiencies.
- Immediately terminate the appointment of any agent that fails to comply with the bank’s operational standards or that presents unacceptable compliance risk.
- Notify the CBI of any material compliance failure by an agent within the timeframes prescribed by the CBI’s instructions.

5. The Commercial Agreement Framework

While the regulatory framework establishes the legal basis for the agent relationship, the commercial terms of the arrangement between the bank and its agents are governed by a formal agency agreement. This agreement must be consistent with the CBI’s requirements and must, at a minimum, address:

- The specific scope of authorized activities and any applicable transaction limits
- The bank’s right to audit the agent’s compliance with the agreement and with regulatory requirements
- The agent’s obligations in relation to AML/CFT, customer data protection, and record-keeping
- The indemnification arrangements between the bank and the agent in respect of losses arising from agent conduct
- Termination provisions — including the bank’s right to
Digital Bank – Credit Registry Obligations

Overview

Standard B11 of the CBI’s Standards Booklet imposes a mandatory obligation on every digital bank to participate in Iraq’s credit registry system. This obligation has two dimensions: the bank must report its credit exposures to the registry, and it must query the registry before extending credit to customers. Both obligations arise from Assessment Cycle 1 and reflect the CBI’s commitment, grounded in both Iraqi banking legislation and international supervisory principles, to the responsible use of credit information in the lending process.

This article examines the legal scope of the credit registry obligation, the specific requirements imposed by Standard B11 and Iraqi banking legislation, the bank’s data quality obligations, and the interaction of credit registry participation with the bank’s credit risk management framework.

1. Legal Basis

The credit registry obligation arises from two legal sources. First, Iraqi banking legislation imposes obligations on all licensed banks to participate in credit information systems operated or designated by the CBI. Second, the digital bank framework’s Standard B11 reinforces and supplements these obligations with specific requirements calibrated to the digital bank model.

The CBI operates or designates credit information services, including the I-Score credit bureau, through which lenders can access a borrower’s credit history across all regulated institutions. Participation in this system is not optional for licensed banks. The bank’s legal obligation extends both to querying the system before lending and to reporting its own exposures to the system so that other lenders can access accurate information.

2. Pre-Lending Inquiry Obligations

Before extending any credit facility to a customer, the digital bank is legally required to query the credit registry and to obtain a credit report on the prospective borrower. This obligation applies regardless of the size or maturity of the credit product being offered.

The legal significance of the pre-lending inquiry obligation is threefold:

- Risk management: the credit report informs the bank’s credit decision and pricing. A borrower with a poor credit history, including defaults, restructured facilities, or multiple simultaneous credit exposures, presents a materially higher credit risk. The bank’s credit policy must specify how credit history information is used in lending decisions.
- Responsible lending: the pre-lending inquiry obligation gives effect to the responsible lending principle embedded in Iraqi banking legislation, which requires banks to assess a borrower’s ability to repay before extending credit. A bank that extends credit without querying the registry cannot demonstrate compliance with this principle.
- Regulatory defence: in the event of a credit loss, a bank that failed to query the registry before extending the relevant facility may face supervisory action for breach of the lending standard. Evidence of registry queries maintained as part of the credit file is a key element of demonstrating compliance.

All pre-lending queries must be documented in the customer’s credit file. The query result (the credit report) must be retained for the duration of the credit facility and for a defined period thereafter in accordance with data retention requirements.

3. Credit Data Reporting Obligations

In addition to querying the registry, every digital bank must report its credit exposures to the registry on the schedule and in the format prescribed by the CBI. The reporting obligation covers:

- New credit facilities: every new credit facility extended by the bank must be reported to the registry within the timeframe prescribed by the CBI’s instructions. Late reporting is a breach of the credit registry obligations.
- Repayment performance: the bank must report on the repayment performance of each borrower, including on-time payments, late payments, defaults, and partial payments. This reporting creates the credit history record that other lenders can access when the borrower seeks credit elsewhere.
- Facility changes: any material change to a credit facility, including restructuring, extension of maturity, change of security, or write-off, must be reported to the registry promptly.
- Closure of facilities: when a credit facility is repaid and closed, the bank must report the closure and the final repayment status to the registry. The registry record must accurately reflect the facility’s full lifecycle.

Data accuracy is a legal obligation, not merely a best practice. The bank is responsible for the accuracy of the data it reports to the registry. Inaccurate reporting, whether through system failures, manual error, or intentional misreporting, is a breach of both the credit registry obligations and the bank’s general obligation to maintain accurate records.

4. Interaction with the Credit Risk Framework

The credit registry obligations are directly embedded in the digital bank’s credit risk management framework. The bank’s credit policy must specify how registry information is used in credit decisions, how registry query results are documented, and how the bank manages any discrepancy between the registry data and information provided by the borrower.

During the pilot phase, where credit products are limited to small-value, short-term facilities subject to CBI case-by-case approval, the credit registry obligation applies in full from the first day the bank offers any credit product. The small value of permitted pilot phase credit facilities does not exempt them from the pre-lending query and reporting requirements.

5. International Standard Alignment

The credit registry obligations reflect the internationally recognized importance of credit information systems in the sound management of bank credit risk. The World Bank’s General Principles for Credit Reporting Systems, which represent the international benchmark for credit bureau governance, require that credit reporting systems operate with comprehensive coverage, accurate data, fair access, and robust data protection. The CBI’s requirements are consistent with these principles.

From a Basel perspective, the effective use of credit information, including external credit assessments from recognized registries, is a recognized component of the Internal Ratings-Based approach to credit risk measurement under the Basel Capital Framework. While Iraq’s digital banks will not initially apply advanced Basel approaches, the use of credit registry data as part of the credit assessment process aligns the bank with international credit risk management principles from day one.
Digital Bank – Deposit Protection

Overview

Deposit protection is both a licensing condition and a structural feature of the digital bank framework in Iraq. Standard B10 of the CBI’s Standards Booklet makes participation in the national deposit protection system a mandatory requirement for every digital bank. This obligation is not aspirational and not phased: full compliance must be demonstrated from Assessment Cycle 1, with the registration process completed before the bank commences pilot operations.

This article examines the legal framework for deposit protection as it applies to digital banks in Iraq, the specific obligations imposed by Standard B10, the structure of the deposit guarantee system, and the critical distinction between the protections available to depositors and the absence of equivalent protection for investors and shareholders.

1. Legal Basis: CBI Standard B10

Under Standard B10, every digital bank is legally required to register with the Iraqi Deposit Guarantee Company and to comply with all applicable requirements of the deposit protection system. This requirement operates alongside and supplements the provisions of Iraqi banking legislation relating to depositor protection.

The standard requires full compliance from Assessment Cycle 1 (H2 2027). In practice, because registration with the deposit guarantee company is itself a process that takes time, and because the bank must be registered before it can lawfully hold deposits from the public, registration must be initiated and completed well before the first assessment cycle, at the point of preliminary approval at the latest.

2. Mandatory Participation Obligations

Participation in the Iraqi deposit guarantee system imposes the following specific legal obligations on every digital bank:

- Registration: the digital bank must complete a formal registration with the Iraqi Deposit Guarantee Company. Registration requires the submission of specified organizational and financial information, including the bank’s ownership structure, paid-up capital, and corporate documents.
- Premium payments: the bank must pay monthly guarantee premiums to the Deposit Guarantee Company. The premium rate is calculated on the basis of the bank’s covered deposit base. These payments are a continuing legal obligation; failure to pay premiums is a breach of the licensing conditions and may result in termination of coverage, which would itself be a ground for license cancellation.
- Depositor records: the digital bank must maintain depositor records in the format specified by the Deposit Guarantee Company, and must submit updated depositor data to the Company at the frequency and in the format prescribed. The accuracy of these records is a legal obligation; inaccurate or incomplete depositor data is a compliance breach.
- Data sharing: the bank must share depositor data with the Deposit Guarantee Company on a regular basis in accordance with the Company’s instructions. This data-sharing obligation interacts with data protection requirements; the bank’s data sharing arrangements must be documented in its privacy policies and customer terms.
- Notification obligations: the bank must notify the Deposit Guarantee Company of any event that may affect the coverage of deposits, including changes in the bank’s financial position, changes in the category of accounts held, or any regulatory action taken against the bank.

3. Scope of Deposit Protection

The deposit guarantee scheme protects retail depositors up to the limits established by the Iraqi Deposit Guarantee Company’s governing rules. The key legal features of the coverage are:

- Coverage limits: deposits are protected up to the guarantee limit per depositor per institution. Depositors with amounts above the limit are unprotected in respect of the excess above the limit. The guarantee limit is set by the Deposit Guarantee Company and may be adjusted by regulatory decision.
- Covered products: the scheme covers standard deposit accounts, current accounts, savings accounts, and term deposits. The coverage of other products, including accounts held in connection with payment services, depends on the specific rules of the scheme and how those products are classified under Iraqi law.
- Exclusions: certain categories of depositors and deposits are excluded from the scheme’s coverage. These typically include deposits held by financial institutions, deposits held by large corporate entities above a certain size threshold, and deposits that are themselves instruments of fraud. The specific exclusion categories are determined by the Deposit Guarantee Company’s rules.
- Timing of payout: in the event of a bank failure, the deposit guarantee fund pays out covered depositors within the timeframe specified in the Company’s rules. The fund’s ability to pay depends on the adequacy of the premiums collected from member banks.

4. Critical Legal Distinction: Depositors vs. Shareholders

The most significant legal feature of the deposit protection system from the perspective of investors and founders is the distinction between depositor protection and shareholder protection. The deposit guarantee system protects depositors. It provides no equivalent protection to shareholders or equity investors.
In the event of a digital bank’s license being cancelled and the bank being placed into liquidation, the legal priority of claims is as follows:

| Priority | Claimant Category | Protection |
|---|---|---|
| First | Secured creditors | Secured claims paid from the assets over which security has been taken |
| Second | Covered depositors (up to guarantee limit) | Paid from the Deposit Guarantee Fund, protected up to the guarantee limit |
| Third | Unsecured depositors above guarantee limit | Claim as unsecured creditors in the liquidation, recovery depends on residual asset value |
| Fourth | Other unsecured creditors | Paid from residual assets after depositors, no guarantee |
| Fifth (last) | Shareholders and equity investors | Paid only from any remaining residual after all creditors, no guarantee, no protection mechanism |

This priority structure means that in a distressed wind-up scenario, which is precisely the scenario in which a digital bank is most likely to be in liquidation, equity investors may recover little or nothing from their investment. The risks of this outcome are magnified where the bank’s failure occurs during the pilot phase, before substantial business has been built and before the bank’s asset base has grown to a level that could support meaningful recovery by shareholders.

5. International Standard Alignment

The CBI’s mandatory deposit protection requirement aligns with the International Association of Deposit Insurers (IADI) Core Principles for Effective Deposit Insurance Systems, which are the internationally recognized benchmark for deposit guarantee