Digital Bank- Payment Systems Integration
Digital Bank- Reporting Transparency, External Audit & Internal Controls Overview Two of the most consequential governance obligations imposed on digital banks in Iraq and among the least understood by founding groups are the related party transaction regime and the supermajority board approval requirement. These obligations are grounded in Iraqi banking legislation, reinforced by the CBI’s digital bank regulatory framework, and designed to prevent a class of institutional failure that is well documented internationally: the subordination of a bank’s interests to those of its controlling shareholders. This article examines both obligations in precise legal terms, sets out the CBI’s specific requirements as issued in its regulatory instruments, and explains how these requirements interact with international standards for related party governance in supervised financial institutions. 1. Legal Basis The digital bank framework expressly grounds its related party and governance requirements in Iraqi banking legislation. Standard D1 of the CBI’s Standards Booklet which governs related parties and conflicts of interest applies to all digital banks and must be in full compliance from Assessment Cycle 1. This standard operates in addition to, not instead of, the requirements under Articles 22 and 17 of Iraqi banking legislation, which set out foundational rules on bank ownership and board conduct. The framework’s instruction is explicit: its requirements supplement existing Iraqi law and do not displace it. A digital bank must therefore comply with both layers, the baseline requirements of Iraqi banking legislation and the additional, more demanding requirements of the CBI’s digital bank framework. 2. Definition of Related Party: CBI’s Comprehensive Scope The CBI has adopted a deliberately broad definition of related party, one that goes beyond conventional legal ownership concepts. Under the framework, a related party includes any individual or legal entity connected through family, business, or political relationships defined as follows: Family relationships: individuals connected by blood, marriage, or kinship to the fourth degree. The framework enumerates all four degrees explicitly: first degree (parents, children), second degree (siblings, grandparents, grandchildren), third degree (aunts, uncles), and fourth degree (first cousins). This means that shareholding and board membership analysis must extend across the full family network of each founder, director, and senior executive. Business relationships: individuals or entities currently in a commercial partnership, holding shares in the same institution, serving together on the same board, or where one party works for a company owned or controlled by the other party. Business connections are assessed on a substantive basis, formal corporate separation does not sever a related party relationship where common control or shared economic interest exists. Political relationships: individuals or entities connected by family or business ties to any person carrying political risk, or subject to the influence or control of any party exercising power or influence. This category is particularly significant given the specific political risk considerations applicable in Iraq. The legal consequence of this definition is material: all shareholding limits, board independence requirements, and transaction approval thresholds must be assessed on a consolidated basis that aggregates the holdings and positions of all related parties, not merely those of the individual or entity acting alone. 3. Related Party Transaction Obligations The framework requires that all digital banks maintain comprehensive internal policies governing transactions with related parties. These policies must address conflict of interest controls, market abuse and inside information procedures, professional conduct standards, and arrangements for approving and notifying transactions involving the personal accounts of directors and senior management. 3.1 Credit Facilities to Related Parties Credit extended to related parties is subject to the limits established under Iraqi banking legislation and the CBI’s regulatory framework. The key legal requirements are: All credit facilities to related parties must be approved by a supermajority of the board defined as approval by a proportion of votes equal to or exceeding two-thirds of board members. Credit extended to related parties must be reported to the CBI on a quarterly basis. The report must include a full list of all related party exposures, the terms of each facility, and the basis on which the board approved the transaction. Related party credit must be extended on market terms, no preferential pricing, security, or covenant arrangements are permitted. Any deviation from arm’s length terms requires enhanced board scrutiny and specific CBI notification. The aggregate exposure to all related parties must be maintained within the limits established by Iraqi banking legislation and any supplementary instructions issued by the CBI. Digital banks must monitor these limits continuously and have board-approved procedures for managing proximity to and breaches of such limits. 4. Supermajority Board Approval Requirement The CBI’s framework introduces a supermajority board approval requirement for a defined category of significant decisions. This requirement means that certain decisions cannot be taken by a simple majority of the board, they require the approval of at least two-thirds of all board members. The CBI defines supermajority approval as a proportion of votes equal to or exceeding two-thirds. The decisions that require supermajority board approval are: Removal of a board member Appointment or removal of the CEO, CTO, CFO, Chief Risk Officer, Compliance Officer, MLRO, or Head of Internal Audit subject to CBI approval for all relevant appointments Approval of mergers, acquisitions, or significant asset sales exceeding a threshold set by the CBI Changes to the bank’s internal regulations or articles of association, and the issuance of new shares Capital restructuring, or any action that would dilute existing shareholders Approval of any transaction with a related party, in accordance with Standard D1 of the framework 4.1 International Standard Background The supermajority requirement reflects a well-established international governance principle. The Basel Committee on Banking Supervision’s guidance on corporate governance for banks, and the Financial Stability Board’s principles on risk governance, both emphasize the importance of board-level controls that cannot be circumvented by a controlling shareholder acting through a simple majority of appointed directors. By requiring supermajority approval for related party transactions and key personnel decisions, the CBI has implemented a structural protection aligned with these international standards. For founders and investors, the practical implication
Digital Bank – License Suspension and Revocation
Digital Bank – License Suspension and Revocation Overview The checklist is not a substitute for specific legal advice, the requirements are complex, the details matter, and the consequences of non-compliance are severe. It is, however, a framework for ensuring that the principal legal obligations have been identified, assigned, and tracked throughout the establishment process. Phase 1: Pre-Application (Before 30 June 2026) Corporate Structure Decision on corporate structure confirmed Iraqi joint stock company to be established or used as the licensing vehicle Articles of association and internal regulations drafted to include all mandatory framework provisions (nomination restrictions, pledge prohibitions, tag-along rights, rights of first refusal) Shareholder agreement prepared with all mandatory provisions Related party mapping exercise completed all related party relationships identified and holdings confirmed within applicable limits QII confirmed in ownership structure with qualifying shareholding of minimum 9.999%; QII eligibility documentation compiled Capital IQD 30 billion initial capital tranche paid and evidence of payment available for submission Funding commitments in place for second tranche (IQD 35 billion, due H2 2027) and third tranche (IQD 35 billion, due H2 2028) Capital structure confirmed to include at least 50% Tier 1 capital 15% non-releasable reserve mechanism understood and reflected in investor documentation Governance Nine proposed board members identified; composition confirms at least six independent directors with at least three nominated by QII(s) At least three board members confirmed to have qualifying technical expertise in digital banking Board member qualifications and credentials compiled for fit and proper assessment Fit and proper assessment commissioned with CBI-approved independent firm All five mandatory board committees identified with proposed chairs confirmed as independent directors Senior management team identified; all positions filled or in active recruitment MLRO candidate identified confirmed as Iraqi national with required qualifications and certifications Senior management qualifications and credentials compiled for fit and proper assessment Business Plan and Documentation Comprehensive business plan completed in Arabic and English covering strategy, products and pricing, target customers, operational model, five-year financial projections, technology plan, risk framework, and compliance programme Technology Plan and Architecture document completed with Tier 1 vendor names, software details, and preliminary contracts Policy framework completed: information security policy, risk management policy, compliance policy, AML/CFT policy, anti-fraud and anti-corruption policy AML/CFT and sanctions programme structure documented Physical headquarters within Iraq identified and confirmed to be for administrative use only Application Preparation Application form completed and signed by all founders Commitment and declaration document signed by all founders Full application package assembled, all required documents compiled and reviewed Pre-submission review conducted by legal advisers against all documented requirements Application submitted to CBI banking supervision department by 30 June 2026 Phase 2: Preliminary Approval Stage (June–September 2026) No use of bank name, brand, or banking activity prior to receipt of preliminary approval Response to any CBI requests for additional information prepared and submitted within specified timelines Board and management team engaged and briefed on implications of preliminary approval Compliance programme for pilot phase designed and implementation commenced Vendor selection for core banking system and online banking platform finalized or in advanced negotiation Phase 3: Pilot Operation Assessment Cycle 1 (H2 2026 to H2 2027) Capital Second capital tranche (IQD 35 billion) paid by H2 2027 deadline Capital adequacy ratio maintained at minimum 12.5% monthly monitoring and quarterly reporting to CBI LCR maintained at minimum 100% monthly calculation and quarterly reporting NSFR maintained at minimum 100% quarterly calculation and reporting CAR independently verified by CBI-approved firm Technology Core banking system deployed and operational Online banking platform (web and mobile) deployed and operational for retail customers; web platform operational for corporate customers Core banking system independently assessed by CBI-approved technology auditor Integration with all mandatory national payment and regulatory platforms completed and tested Data classification framework implemented; encryption controls in place for Level 0/1 data Data centres confirmed within Iraq meeting Level 3 Uptime Institute specifications Cybersecurity framework operational including multilayered defences and Zero Trust model Payment systems independently assessed by CBI-approved technology auditor ISO 27001 and ISO 22301 implementation programmes underway BCP and DRP completed, board-approved, and tested Governance Board fully constituted with all nine members in place; fit and proper assessments completed All five mandatory board committees constituted and operational All senior management positions filled; fit and proper assessments completed MLRO appointed and operational Board meeting schedule maintained, minimum six meetings per calendar year with CBI observer invited Board meeting audio-visual recordings and minutes provided to CBI Operations and Compliance Pilot phase deposit caps (IQD 30M retail / IQD 50M corporate) actively monitored and enforced Credit product approvals obtained from CBI for any credit products being offered Card issuance limited to debit and prepaid cards only Investment activity restricted to permitted instruments within pilot phase limitations Founder and institutional investor share transfer prohibition maintained Any public offering limited to final capital tranche only with prior CBI approval AML/CFT programme fully operational, customer risk classification, KYC/EDD, transaction monitoring, sanctions screening all active MLRO filing STRs/SARs as required Deposit protection system registration completed; monthly guarantee premiums being paid Credit registry reporting operational ATM access arrangements operational minimum five ATMs accessible to customers Customer service centre operational 24/7 contact centre available Related party credit exposures within limits; quarterly reporting to CBI Phase 4: Pilot Operation – Assessment Cycle 2 (H2 2027 to H2 2028) Third capital tranche (IQD 35 billion) paid by H2 2028 deadline cumulative capital reaches IQD 100 billion ISO 27001 certification obtained ISO 22301 certification obtained Core banking system full compliance certified by CBI-approved technology auditor (including ISO certifications) Online banking platform full compliance certified Data infrastructure full compliance certified Business continuity plan annually tested and results reported to board and CBI Second year external audit completed by CBI-approved independent auditor under IFRS standards All governance standards in full compliance All AML/CFT standards in full compliance independent assessment completed All internal controls assessment completed by CBI-approved firm All outstanding compliance requirements addressed and evidence of full compliance prepared for submission to CBI Phase 5: Full License and Post-License Operations Licensing fee of USD 200,000 paid at
Digital Bank – Assessment Cycles
Digital Bank – Assessment Cycles Overview The path from preliminary approval to a full digital bank license in Iraq is structured around a series of formal assessment cycles conducted by the CBI. Each cycle evaluates the bank’s compliance with a defined subset of the licensing standards, in a progression designed to test compliance incrementally before committing to a full, unrestricted license. This article examines the legal structure of the assessment cycle framework, the specific standards assessed at each cycle, the evidence and verification requirements, the CBI’s assessment powers, and the legal consequences of failing an assessment cycle or failing to meet the prescribed compliance timelines. 1. Three Assessment Cycles The framework establishes three formal assessment cycles: Cycle Timing Purpose Initial Requirements Assessment Application deadline: 30 June 2026 Assessment of foundational conditions, first capital tranche, basic governance declarations, technology planning, initial policy framework, QII confirmation Assessment Cycle 1 H2 2027 Assessment of partial compliance with all standards, operational technology systems deployed and tested, full governance constituted, AML programme operational, second capital tranche paid Assessment Cycle 2 H2 2028 Assessment of full compliance with all standards, ISO certifications obtained, all capital paid, full operational compliance across all categories, gateway to full license grant The framework specifies, for each standard, which assessment cycle requires partial compliance and which requires full compliance. Legal advisers and compliance teams should construct a compliance matrix mapping each standard against the applicable assessment cycle requirement. 2. Standards and Compliance Requirements by Category 2.1 Ownership and Governance Standards The ownership and governance standards are assessed across all three cycles, with increasing levels of completeness required: Ownership structure (A1): Full compliance including confirmation of the Qualified Institutional Investor is required from the Initial Assessment Owner due diligence (A2): Partial compliance (all requirements except external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new owners join, reassessment is required at Cycle 2 Board governance (A3): Partial compliance (all governance requirements except committee formation) at Initial Assessment; full compliance at Cycle 1 Board fit and proper (A4): Partial compliance (board member declarations including names and qualifications, excluding external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new board members are elected, reassessment is required at Cycle 2 Governance structure (A5): Full compliance required from Cycle 1 Senior management fit and proper (A6): Partial compliance (management declarations including names and qualifications, excluding external auditor assessment) at Initial Assessment; full compliance at Cycle 1. Where new senior management is appointed, reassessment required at Cycle 2 2.2 Business Sustainability Standards The business sustainability standards (covering technology, infrastructure, and operational requirements) follow a phased compliance schedule: Business plan (B1): Full compliance required from the Initial Assessment, including submission of the Technology Plan and Architecture Core banking system (B2): Partial compliance at Initial Assessment (detailed technology plan submitted including vendor names, software, preliminary contracts); partial compliance at Cycle 1 (full technical compliance excluding ISO certifications, tested by CBI-approved technology auditor); full compliance at Cycle 2 (including ISO certifications) Online banking platform (B3): Same phased schedule as the core banking system standard Physical headquarters (B4): Full compliance required from Cycle 1 ATM coverage (B5): Full compliance required from Cycle 1 (partnership agreements with traditional banks may be used if the bank does not wish to own ATMs directly) Customer service (B6): Full compliance required from Cycle 1 Data infrastructure (B7): Same phased schedule as the core banking system standard Payment systems (B8): Full compliance required from Cycle 1 Business continuity (B9): Same phased schedule as the core banking system standard Deposit protection system (B10): Full compliance required at Cycle 1, including completion of registration with the Iraqi deposit guarantee company Credit registry (B11): Full compliance required from Cycle 1 2.3 Financial Standards The financial standards are assessed at each cycle with increasing capital requirements: Capital and composition (C1): Partial compliance, IQD 30 billion at Initial Assessment; partial compliance, IQD 65 billion at Cycle 1; full compliance, IQD 100 billion at Cycle 2 Capital adequacy ratio (C2): Full compliance (12.5% minimum) required from Cycle 1 Liquidity ratio (C3): Full compliance (LCR and NSFR minimum 100%) required from Cycle 1 2.4 Risk and Regulatory Compliance Standards The risk and compliance standards require full compliance from Cycle 1: Related party and conflicts of interest (D1): Full compliance required from Cycle 1 AML/CFT and sanctions (D2): Full compliance required from Cycle 1 Reporting transparency and audit (D3): Full compliance required from Cycle 1 Internal controls (D4): Full compliance required from Cycle 1 3. Assessment Process: What the CBI Does Before each assessment cycle, the CBI issues a formal letter specifying the timelines for submission of materials and the organizational details of the cycle. Compliance with these notifications is a legal obligation. During each assessment cycle, the CBI conducts a structured evaluation that may include: Documentary review of all submitted materials against the applicable standards Verification by independent, CBI-approved firms for standards that require external verification On-site inspections and interviews with board members, senior management, and technical staff Testing of technology systems and controls Review of financial statements, capital calculations, and liquidity positions Assessment of AML/CFT programme effectiveness The CBI has the power to require additional information or documentation at any point during an assessment cycle, and to commission additional independent assessments where it considers these necessary. 4. Path to Full License The grant of a full digital bank license follows the successful completion of Assessment Cycle 2. The CBI evaluates the bank’s technical, operational, and financial readiness against the full set of required standards before making its licensing decision. A full license is granted only to banks that have demonstrated complete compliance with all required standards, including the mandatory ISO certifications, full capital payment, and operational compliance across all categories. Banks that have not achieved full compliance by Assessment Cycle 2 will not receive a full license and will remain subject to the pilot phase restrictions. Upon the grant of a full license, the operational restrictions that applied during
Digital Bank – AML, Sanctions & Compliance
Digital Bank – AML, Sanctions & Compliance Overview Anti-money laundering, counter-terrorist financing, and sanctions compliance are among the most consequential legal obligations imposed on any licensed bank. For digital banks in Iraq, these obligations are defined in detail by the regulatory framework, which requires the establishment of a comprehensive AML/CFT and sanctions programme, structured governance oversight, rigorous customer due diligence procedures, systematic transaction monitoring, and specific reporting obligations to Iraqi regulatory authorities. This article examines the principal AML, sanctions, and compliance legal obligations, the governance and programme structure required, the customer due diligence framework, transaction monitoring requirements, sanctions screening obligations, the specific legal role and obligations of the Money Laundering Reporting Officer, and the legal consequences of programme failures. 1. AML/CFT Programme: A Mandatory Legal Obligation Every digital bank in Iraq is legally required to establish, maintain, and operate a comprehensive AML/CFT and sanctions programme. This programme must cover three interconnected dimensions: 1.1 Governance and Organisation The programme must be supported by a formal governance structure including a dedicated AML/CFT oversight committee, chaired or supervised by senior management, with clearly defined escalation, reporting, and decision-making arrangements. The committee must meet at defined intervals, with agendas, minutes, and charters maintained and subject to review. A Compliance Officer and a Money Laundering Reporting Officer (MLRO) must be appointed, each operating with sufficient independence and authority. Both must report directly to a board-level committee or the committee chair, with a secondary (dotted-line) reporting relationship to the CEO or CFO. The independence of these functions must be genuine, the framework requires structural independence, not merely nominal separation. The programme must be governed by formal, board-approved policies covering AML/CFT, sanctions, customer due diligence, transaction monitoring, investigation procedures, and training. These policies must be consistent with the requirements issued by Iraqi regulatory authorities and with applicable international standards. They must be updated regularly and embedded in operational manuals and business unit procedures. 1.2 Procedures and Controls The programme must include risk-based procedures covering customer risk classification, KYC/CDD processes, enhanced due diligence for high-risk customers, transaction monitoring and investigation, sanctions screening, and escalation and reporting protocols. These procedures must be proportionate to the bank’s risk profile, customer base, product offering, and delivery channels. 1.3 Enabling Systems and Data The programme must be supported by integrated technology systems capable of performing KYC, transaction monitoring, sanctions screening, and regulatory reporting functions. These systems must be integrated with the core banking system and must maintain comprehensive, auditable data records for a minimum of seven years, consistent with the data retention requirements established by Iraqi regulatory authorities. 2. Customer Due Diligence and KYC The framework requires a risk-based approach to customer due diligence. All customers must be risk-classified at onboarding and throughout the relationship, with the level of due diligence applied calibrated to the assessed risk level. 2.1 Standard Customer Due Diligence Standard CDD must be applied to all customers and must include identity verification, beneficial ownership determination for legal entities, and the collection of information sufficient to understand the customer’s expected transaction profile and source of funds. Digital onboarding is permitted and specifically contemplated by the framework. The bank must implement advanced verification technologies including optical character recognition for document data extraction, biometric verification against identity documents, liveness detection to confirm the customer’s physical presence during registration, and anti-fraud safeguards against deepfake technology and synthetic identities. 2.2 Enhanced Due Diligence Enhanced due diligence must be applied to all customers assessed as presenting elevated risk. The framework specifically identifies the following categories as requiring EDD: Politically Exposed Persons (PEPs) and their family members and close associates High-net-worth customers Customers involved in cross-border transactions Customers with complex ownership structures EDD measures must include verification of the source of funds, enhanced transaction scrutiny, and periodic reassessment of the customer’s risk profile. 2.3 Customer Risk Classification The risk classification methodology must incorporate factors including geographic risk, product and service type, transaction behaviour patterns, and shareholder or ownership structure. The methodology must be documented, consistently applied, and subject to regular review and calibration. 3. Transaction Monitoring Digital banks must deploy specialized electronic transaction monitoring systems designed to detect patterns of suspicious activity. These systems must support dynamic rule configuration, automated alert generation, and investigation workflow management, with regular calibration and quality assurance controls. All transaction monitoring alerts must be investigated by qualified staff. Investigation records must be maintained with clear audit trails, reflecting the escalation path, the decision reached, and where applicable, the determination of whether the matter is reportable. Investigations must be initiated and concluded within timeframes proportionate to the level of risk identified. 4. Sanctions Screening Digital banks must implement real-time sanctions screening tools covering customers, counterparties, and transactions. The screening must be conducted against the sanctions lists and requirements established by Iraqi regulatory authorities, and must comply with the timelines prescribed for resolution of potential matches. Where a potential match is identified, the bank must follow documented escalation procedures consistent with its internal protocol. All screening results, escalation decisions, and resolution outcomes must be recorded and available for regulatory review. 5. The Money Laundering Reporting Officer: Legal Role and Obligations The MLRO is a position of specific legal significance. The MLRO is the individual within the bank who bears primary legal responsibility for the bank’s AML/CFT reporting obligations to the relevant Iraqi authorities. 5.1 Qualification Requirements The MLRO must satisfy the following requirements: Must be an Iraqi national, this is an absolute requirement with no exceptions Must be at least 30 years of age Must hold a university degree in law, public administration, financial management, accounting, financial and banking sciences, statistics, bank management, quality management, investment and resources management, or financial and accounting supervision or a related specialization Must have at least five years of experience in banking, financial, or regulatory fields Must have completed a minimum of 75 hours of formal training in AML/CFT practices Must be proficient in English Must hold one of the following certifications: the Certified Anti-Money Laundering and Counter-Terrorism Financing Specialist
Digital Bank – Governance & Board Obligations
Digital Bank – Governance & Board Obligations Overview Governance is one of the most legally demanding areas of the digital bank licensing framework. The requirements go significantly beyond what is prescribed by general Iraqi banking legislation, imposing specific rules on board composition, director independence, the qualifications required for technical roles, the structure and functioning of board committees, the conduct of board meetings, and the personal liability of directors and senior management for the bank’s compliance failures. This article examines these governance obligations in legal terms, with particular focus on the elements that are most significant for founders, investors, and their advisers, the board composition requirements, the fit and proper assessment process, the committee structure, and the consequences of governance failures. 1. Board Composition: The Legal Requirements The board of directors of a digital bank in Iraq must satisfy the following composition requirements: The board must consist of exactly nine members All board members must be non-executive directors meaning they must not hold any full-time or part-time employment with the bank with the sole exception of the CEO (Managing Director) At least six of the nine board members must be independent directors Of the six independent directors, at least three must be nominated by the Qualified Institutional Investor(s) in the ownership structure Where there is more than one QII in the ownership structure, the board must include at least one representative of each QII At least three board members must have sufficient technical expertise in the field of digital banking If the chairman of the board is not an independent director, the chairman may not hold membership of any board committee 1.1 Independence Requirement An independent director is one who has no current or recent affiliation, financial relationship, or material connection with the bank or its subsidiaries, other than affiliations or connections expressly permitted by the CBI. The independence criteria are defined in detail in the CBI’s ESG and institutional governance guidelines for banks. Legal advisers preparing governance documentation should ensure that the independence analysis is conducted on a substantive basis, not merely a formal one. 1.2 Technical Expertise in Digital Banking The requirement for at least three board members with technical expertise in digital banking is defined in detail in the assessment guidelines. To satisfy this requirement, a board member must have a demonstrable practical or academic background in one or more of the following areas: Banking information technology systems Digital payment systems Banking cybersecurity Development and operation of platforms and applications related to digital banking Management and operation of electronic banking services This expertise must be evidenced by a minimum of seven years of relevant experience, during which the individual held a senior leadership or supervisory position (such as department head, unit chief, or equivalent) at a licensed financial institution or licensed fintech company. 2. Board Tenure and Term Limits Board members are appointed by the bank’s general assembly for a term not exceeding four years. Board members may be reappointed for one additional term of equal duration, meaning the maximum total tenure of a board member is eight years (two four-year terms). Reappointment for a third or subsequent term is not permitted. The board must hold a minimum of six meetings per calendar year. A meeting counts toward the minimum only if two conditions are satisfied: the legally required quorum is present (at minimum 50% of members, including at least three independent directors), and an audio-visual recording of the meeting is provided to the CBI by the board secretary, together with copies of the meeting minutes and an invitation to the CBI’s designated observer to attend. 3. Fit and Proper Requirements All board members are subject to a fit and proper assessment. This assessment must be conducted by an independent, CBI-approved firm. The assessment covers: Criminal record and history of disciplinary proceedings Character, integrity, and professional conduct including personal and professional behaviour, reputation, and transparency in previous appointments Confirmation that the board member is at least 30 years of age Confirmation that the board member has not previously been convicted of a criminal offence or an offence involving dishonesty or breach of trust, and is not subject to local or international sanctions Absence of conflicts of interest that could compromise the integrity of management or create risks to the separation of shareholder and management functions Academic qualifications, all board members must hold at minimum a university degree (bachelor’s level) consistent with the standards prescribed by the CBI Professional experience, board members must have at least 10 years of leadership or management experience in relevant fields (finance, law, accounting, technology), preferably at institutions of comparable size and complexity Financial soundness, including personal financial position, history of insolvency or bankruptcy, and compliance with tax and debt obligations Regulatory and legal compliance history Future board members must obtain approval through the fit and proper assessment before they are formally appointed. Board members must also undergo the fit and proper assessment upon re-election at the end of each term. 4. Board Committee Requirements In addition to the audit committee mandated by Iraqi banking legislation, digital banks must establish the following board-level committees: Committee Legal Basis / Purpose Audit Committee Required by Iraqi banking legislation; oversees financial reporting integrity, compliance with applicable laws, and the internal audit function Risk Management Committee Responsible for identifying, assessing, and mitigating risks across the institution; oversees risk management policies and the maintenance of financial stability ICT Governance Committee Oversees the bank’s technology direction; ensures effective use of technology with appropriate risk management and regulatory compliance ESG & Sustainability Committee Oversees the bank’s compliance with sustainable practices, environmental and social regulatory requirements, and integration of sustainability into strategic decision-making Nominations & Remuneration Committee Responsible for nominating and approving new members of the management team (excluding internal and Sharia auditors); reviewing all board candidates; overseeing new independent directors and the approval process All committees must be constituted and organized in accordance with the CBI’s ESG and institutional governance guidelines. The chair of each
Digital Bank – Pilot Operation Phase
Digital Bank – Pilot Operation Phase Overview The pilot operation phase is the period between the grant of a preliminary approval and the award of a full digital bank license. It is a legally distinct operational phase, the digital bank is authorized to operate, but its activities are subject to specific restrictions that would not apply to a fully licensed bank. The pilot phase serves a defined regulatory purpose: it allows the CBI to monitor the bank’s real-world performance across governance, technology, financial management, and compliance before committing to a full, unrestricted license. For the digital bank, it is the period during which remaining licensing standards must be progressively satisfied. This article sets out the legal framework for the pilot operation phase, the restrictions on deposits, credit, cards, and investments that apply during this period, the restrictions on share transfers and capital raising, the assessment cycles that govern the path to full licensing, and the legal consequences of non-compliance during the pilot phase. 1. Duration of the Pilot Phase The pilot operation phase is planned to run for approximately two years from the date of preliminary approval. Based on the framework’s timeline, preliminary approvals are expected to be issued by September 2026, with the pilot phase running until approximately late 2028. The framework contemplates two assessment cycles during the pilot phase, the first in the second half of 2027 and the second in the second half of 2028. Successful completion of the second assessment cycle is the gateway to the grant of a full license. 2. Restrictions on Deposit-Taking During the pilot phase, a digital bank’s deposit-taking activities are subject to specific caps: Individual (retail) deposits: the maximum deposit that may be held by a single individual customer is IQD 30 million (thirty million Iraqi dinars) Corporate deposits: the maximum deposit that may be held by a single corporate customer is IQD 50 million (fifty million Iraqi dinars) These caps are per-customer limits, not aggregate limits. The bank may accept deposits from an unlimited number of customers, but no individual customer’s total deposits may exceed the applicable cap. These restrictions are lifted upon the successful completion of the pilot phase and the grant of a full license. 3. Restrictions on Credit and Lending Credit activities during the pilot phase are significantly restricted. The framework imposes both product restrictions and a case-by-case approval requirement: 3.1 Permitted Credit Products During the pilot phase, only small-value, short-term credit products are permitted. These products must be: Loans of small value and short maturity Limited to maturities of between three and six months Subject to CBI approval on a case-by-case basis before any credit product is offered The case-by-case approval requirement means that the bank cannot simply design a credit product and offer it to customers, each product or product category requires specific CBI authorization before it can be launched. The approval is valid for six months and must be renewed by the CBI for the bank to continue offering the approved product. 3.2 Prohibited Credit Products The following credit products are prohibited during the pilot phase: Complex credit services, including documentary letters of credit (LCs) and letters of guarantee (LGs) Credit cards, the issuance of credit cards is expressly prohibited during the pilot phase 3.3 Credit Limits All credit extended during the pilot phase must be funded from the bank’s paid-up capital. The framework limits credit products to those consistent with the bank’s capital base, preventing over-extension during the establishment period. 4. Card Issuance: Permitted and Prohibited During the pilot phase, card issuance is restricted to: Debit cards Prepaid cards Credit card issuance is expressly prohibited during the pilot phase. International usage of permitted cards is subject to the controls established by the CBI. An important legal condition applies to cards issued during the pilot phase: all cards issued during this period expire at the end of the pilot phase, unless renewed following the bank’s successful completion of the pilot phase. This means that if the bank fails to progress to a full license, all cards issued to customers become invalid at the end of the pilot period. 5. Investment Restrictions During the pilot phase, the bank’s investment activities are significantly restricted. Permitted investments are limited to: Instruments issued or approved by the CBI, including CBI bills and government treasury instruments Instruments whose maturity does not exceed the duration of the pilot phase Deposit-type investments only, no equity or ownership investments are permitted With the exception of these permitted instruments, the only investments permitted during the pilot phase are investments in technology development and the building of institutional capabilities and capacity. Capital and equity investments of any other kind are not permitted. 6. Restrictions on Share Transfers and Capital Raising As examined in Article 2 of this series, the pilot phase imposes significant restrictions on the mobility of equity: 6.1 Prohibition on Founder Exits Founders and institutional investors are prohibited from selling shares, reducing their shareholdings, or exiting their investment fully or partially during the pilot phase. Only the entry of new investors is permitted. This restriction applies regardless of the CBI’s discretion. 6.2 Public Share Offerings Public share offerings during the pilot phase are restricted to the purpose of completing the final capital tranche only. Offerings to complete the first or second tranches are not permitted. All public offerings require prior CBI approval before the offering is opened. 7. The Assessment Cycles: Progressive Compliance The path from preliminary approval to full license is structured around three assessment cycles, each of which evaluates compliance with a defined subset of the framework’s standards: Assessment Cycle Timing Focus Initial Requirements Assessment June 2026 (application deadline) Basic conditions, capital first tranche, foundational governance, technology planning, initial policy framework Assessment Cycle 1 H2 2027 Partial compliance with all standards, technology systems operational but not yet ISO certified, governance fully constituted, AML programme in place Assessment Cycle 2 H2 2028 Full compliance with all standards, ISO certifications obtained, all capital
Digital Bank Application Process
Digital Bank Application Process Overview The application for a digital bank license in Iraq is a formal legal process conducted by the CBI’s banking supervision department. It involves the submission of a comprehensive application package, a structured assessment by the CBI against defined criteria, and the issuance or refusal of a preliminary approval decision. This article describes the application process from submission through to the preliminary approval decision, including the formal requirements for submission, the CBI’s assessment methodology, the powers the CBI exercises during the process, the grounds on which an application may be refused, and the legal status and conditions attached to a preliminary approval. 1. Who May Submit an Application An application for a digital bank license may be submitted by any individual or legal entity that wishes to establish a digital bank in Iraq. The applicant must be the proposed legal owner or founder of the bank, or a person legally authorized to act on their behalf. Corporate applicants must submit the application through their duly authorized representative. The application form prescribed by the CBI must be completed and signed by the founders. Where there are multiple founders, all must sign the application and the accompanying commitment and declaration document. Applicants who do not yet meet all pre-license conditions may not submit a complete application. The CBI will not assess incomplete applications, and the mere act of submission does not preserve any right to participate in the first assessment cycle if the application is materially deficient. 2. Application Package: Required Documentation The application must be submitted together with a comprehensive package of supporting documentation. The required documents include: 2.1 Corporate and Identity Documents Names, nationalities, and signatures of all proposed founders and shareholders or their authorized legal representatives Contact details including telephone numbers and electronic mail addresses The proposed administrative address of the bank A copy of the company’s articles of association and internal regulations (for entities already incorporated, or a draft for those in the process of incorporation) A document establishing the commercial name of the bank in both Arabic and English, confirmed by the relevant competent authority 2.2 Financial Documentation Evidence of the initial capital payment of IQD 30 billion A detailed economic feasibility study incorporating the business plan, strategic plans, budgets, financial projections, and financial indicators for the four-year period following the intended launch of services Proposed organizational chart for the bank and the expected number of employees 2.3 Technology Documentation A detailed technology plan including the proposed core banking system, online banking platform, and data infrastructure — including vendor names, software details, preliminary contracts, and all other relevant planning elements A technology plan and architecture document (Technology Plan and Architecture) in sufficient detail to demonstrate technical feasibility 2.4 Governance and Compliance Documentation Proposed organizational chart showing management hierarchy and principal management committees The governance handbook covering required internal policies Declaration of proposed board members including names and qualifications for the position Declaration of proposed senior management including names and qualifications for the position Evidence of QII status for the qualifying institutional investor in the ownership structure The shareholder agreement including all mandatory provisions required by the framework 2.5 The Commitment and Declaration All founders must sign a commitment and declaration document in which they confirm that they have read and understood the digital bank licensing regulations and all applicable laws and instructions in Iraq, that they commit to full compliance with all licensing conditions, that all information and documents submitted are accurate and complete, and that they accept personal legal liability for any inaccurate or untruthful information provided. 3. CBI’s Assessment Process Upon receipt of a complete application, the CBI’s banking supervision department commences a formal assessment. The assessment is conducted against the standards and criteria established in the licensing framework, including the Standards Booklet and the Detailed Assessment Guidelines described in Article 1 of this series. 3.1 Application Review Powers The CBI has broad powers during the application assessment process. These include: The right to request additional information or amendments to the application at any point during the assessment The right to conduct interviews with proposed board members, senior management, and significant shareholders The right to commission independent assessments of any aspect of the application The right to reject an application at any stage if it determines that the applicant does not meet the required conditions An absolute discretion to refuse any application, regardless of whether the formal criteria appear to be met 3.2 Assessment Timeline The deadline for submission of applications for the first assessment cycle is 30 June 2026. The CBI has indicated that preliminary approval decisions will be issued by 30 September 2026. These timelines are indicative for the assessment process — the application deadline is a binding cut-off. 3.3 Grounds for Refusal The CBI may refuse an application on any of the following grounds: The application is based on false, misleading, or incomplete information or documents The applicant does not satisfy the licensing conditions prescribed by the framework The proposed ownership structure does not comply with the ownership and eligibility requirements The proposed board or management does not satisfy the fit and proper requirements The CBI determines, in its absolute discretion, that granting the license would not be appropriate for any other reason Where an application is refused, the CBI issues a decision specifying the grounds for refusal. Applicants are notified in writing of the refusal and the reasons. There is no automatic right of appeal, though applicants may seek legal advice regarding their options. 4. Preliminary Approval: Legal Status and Conditions A preliminary approval is a conditional authorization, it is not a full license and does not grant the same rights as a full digital bank license. It authorizes the applicant to commence pilot operations subject to the specific conditions and restrictions that apply during the pilot phase. 4.1 What a Preliminary Approval Authorizes A preliminary approval authorizes the digital bank to: Commence operations as a digital bank on a pilot basis
Digital Bank – Pre-License Stage
Digital Bank – Pre-License Stage Overview Before any application for a digital bank license can be submitted to the CBI, a substantial body of legal, financial, governance, and technical work must be completed. The framework establishes a defined set of conditions precedent requirements that must be met, or meaningfully commenced, before the application will be assessed. This article sets out those pre-license conditions in legal terms, organized by category. It is intended to serve as a practical guide for founders, legal advisers, and compliance teams preparing for the application process. It is important to note that the pre-license conditions are assessed against a defined timeline. The deadline for submitting an application for preliminary approval together with the required documentation demonstrating compliance with initial conditions is 30 June 2026. Applications submitted after this date, or applications that are materially deficient in their supporting documentation, will not be processed in the first assessment cycle. 1. Capital The first and most fundamental pre-license condition is financial: the founding shareholders must have paid up the initial tranche of IQD 30 billion before the application is submitted. This is not a commitment or an undertaking to pay it is a requirement for actual payment. The application must be accompanied by evidence that this initial capital has been received and is available to the bank. The CBI will not process an application that does not demonstrate satisfaction of this condition. The full capital requirements including the phased payment schedule, capital composition, and adequacy ratios are examined in Article 3 of this series. 2. Legal Incorporatio A digital bank in Iraq must be established as a joint stock company under Iraqi company law. Before an application can be submitted, the founding entity must be legally constituted or be in an advanced stage of constitution in the required corporate form. The application must include a copy of the company’s articles of association and internal regulations. These documents must reflect the mandatory provisions required by the digital bank framework, including the shareholder agreement conditions relating to nominee arrangements, pledge prohibitions, tag-along rights, and rights of first refusal. The CBI will assess whether the corporate structure of the applicant is consistent with the licensing requirements. Any corporate structure that would result in non-compliance with ownership, governance, or related party rules will need to be restructured before the application can proceed. 3. Business Plan The application must include a comprehensive business plan. This is not an optional supporting document, it is a mandatory legal requirement. The business plan must cover the following elements: A detailed strategic analysis incorporating both short-term and long-term requirements, principal products and services with associated pricing, target customer demographics, and planned investment commitments A description of the operational model, including workforce planning, detailed organizational structure, remuneration and incentives policy, and job descriptions for critical roles A financial plan demonstrating a clear path to profitability, supported by five-year financial projections with full income statements, balance sheets, and cash flow statements A technology plan and architecture document identifying proposed core banking system providers and vendors, software to be used, preliminary contracts or agreements, and all other relevant planning elements A detailed risk management framework covering governance, risk appetite, identification and assessment methodologies, monitoring systems, and mitigation controls A compliance monitoring framework addressing the structure of the compliance function, risk identification and assessment, escalation procedures, reporting mechanisms, and training arrangements A comprehensive AML/CFT and sanctions programme aligned with requirements issued by Iraqi regulatory authorities 4. Governance: Pre-License Board and Management Requirements The application must demonstrate that the governance structure required by the framework has been established, or is in an advanced state of establishment. The key pre-license governance requirements are: 4.1 Board of Directors The proposed board of directors must be identified and its composition must comply with the framework’s requirements nine members, all non-executive except the CEO, at least six independent directors, with at least three board members having sufficient technical expertise in digital banking. At the pre-license stage, the application must declare the proposed board members including their names and qualifications for the position. An external assessment of board members’ fitness and propriety is required, but the full independent audit is completed at a later assessment cycle. 4.2 Senior Management Similarly, the proposed senior management team must be identified, with names and qualifications declared. Fit and proper assessments for senior management are required at the pre-license stage, with the same phased verification approach applying. 4.3 Required Committees The framework requires that the bank establish, in addition to the audit committee mandated by Iraqi banking legislation, the following board-level committees: a risk management committee, an ICT governance committee, an ESG and sustainability committee, and a nominations and remuneration committee. The existence and proper constitution of these committees must be demonstrated in the application. 5. Pre-License Planning Technology Requirements While full technology deployment and certification is assessed at later stages, the pre-license application must include detailed technology planning documentation. This must cover: A detailed technical plan for the proposed core banking system, including the names of proposed vendors and software, preliminary contracts or agreements, and all other relevant planning elements The proposed online banking and mobile banking platforms, with similar vendor and planning information The proposed data infrastructure and cybersecurity framework at a planning level The proposed payment systems integration approach The proposed business continuity and disaster recovery arrangements at a planning level The technology plan must demonstrate that the applicant has engaged with reputable, internationally recognized vendors and has a credible implementation roadmap. Vague or undeveloped technology plans will not satisfy the CBI’s requirements. 6.: Pre-License Policy Framework Documentation The application must include a governance handbook covering the bank’s internal policies and procedures as required by the framework. At the pre-license stage, the following policies must be in place: Information security policy Risk management policy Compliance policy Anti-money laundering and counter-terrorist financing policy Anti-fraud, corruption, and bribery policy Any other policies covering the activities and services to be launched These policies must
Digital Bank – Eligibility & Ownership
Digital Bank – Eligibility & Ownership Overview The ownership and eligibility rules governing Iraq’s digital banks are among the most legally significant aspects of the licensing framework. They determine who may establish a digital bank, what proportion of the institution each investor may own, what categories of investor are subject to enhanced requirements, and what legal consequences flow from non-compliance with ownership obligations. These rules are not merely administrative, they carry direct legal consequences, including the possibility of forced divestiture, restrictions on voting rights, and cancellation of the license itself. Any investor or founding group considering the establishment of a digital bank in Iraq must ensure that its proposed ownership structure is legally compliant before proceeding with any application. This article sets out the principal ownership and eligibility requirements under Iraq’s digital bank regulatory framework, with particular attention to the Qualified Institutional Investor (QII) requirement, the definition and treatment of related parties, the conditions under which ownership thresholds may be exceeded, and the legal obligations that attach to founders and institutional investors during the pilot operation phase. 1. General Ownership Cap: 9.99% Rule The foundational ownership rule under Iraq’s digital bank framework is that no individual or company including through interests held by related parties may hold a shareholding in a digital bank that exceeds 9.99% of the bank’s total shares. This cap applies to both direct and indirect holdings. Where a prospective investor holds shares through related parties, those related party holdings are aggregated with the investor’s direct holding for the purpose of calculating compliance with the 9.99% limit. The 9.99% threshold is therefore not assessed on an individual basis, it is assessed on a consolidated basis that encompasses the full network of related party interests. This aggregation rule has significant practical implications for corporate groups, family investors, and any structure involving multiple related entities or individuals. What Constitutes a Related Party Category Who Is Included Family Relationships Individuals connected by blood, marriage, or kinship up to the fourth degree including parents, children, siblings, grandparents, grandchildren, aunts, uncles, cousins, and their spouses Business Relationships Individuals or entities currently in a commercial partnership, holding shares in the same institution, serving together on the same board of directors, or where one party works for a company owned or controlled by the other Political Relationships Individuals or entities with family or business relationships with a person carrying political risk, or who are subject to the influence or control of any other party exercising power or influence The breadth of this definition means that investors with complex corporate structures, family groups with multiple members involved in the venture, or any party with political exposure must conduct a thorough related party analysis before determining their permissible ownership level. Legal advisers should note that the related party analysis is not limited to formal legal relationships, it extends to de facto control, influence, and shared economic interests. The substance of the relationship, not merely its legal form, governs the analysis. 2. Exceeding the 9.99% Threshold The framework provides a mechanism by which the 9.99% cap may be exceeded, subject to specific conditions and prior written approval from the CBI. This is not an automatic right, it is a discretionary approval that the CBI may grant or refuse. Two levels of permitted excess are established: Up to 20% General Investor Any investor other than a Qualified Institutional Investor may apply to the CBI for approval to hold up to 20% of a digital bank’s shares. The investor must submit a written application to the CBI and must satisfy the CBI that the proposed holding is appropriate in the context of the bank’s ownership structure and governance. A critical condition applies: the total aggregate shareholding of any single investor and their related parties must not exceed 20% at the time of submitting the application for increased ownership. This means that an investor who has already accumulated more than 20% through related party holdings cannot rely on this pathway. Up to 40% Qualified Institutional Investor A Qualified Institutional Investor (QII) may hold up to 40% of a digital bank’s shares. Where multiple QIIs are present in the ownership structure, and one seeks to exceed 20%, that QII’s shareholding must be larger than the shareholding of any other shareholder seeking the same exception. The 40% ceiling for QIIs is also subject to CBI approval on a case-by-case basis, and the CBI retains an absolute discretion to refuse any application regardless of whether the formal criteria are met. 3. Qualified Institutional Investor Requirement One of the most distinctive features of Iraq’s digital bank framework is the mandatory requirement for at least one Qualified Institutional Investor in the ownership structure of every digital bank. This is not optional, it is a condition of licensing. 3.1 The Mandatory QII Requirement Every digital bank in Iraq must have at least one shareholder that qualifies as a QII. That QII must hold no less than 9.999% of the bank’s shares. Failure to maintain a QII with the required minimum shareholding is a breach of the licensing conditions. 3.2 Who Qualifies as a Qualified Institutional Investor The framework sets out two categories of entity that may qualify as a QII, each subject to specific criteria: Category A: Financial Institution A financial institution qualifies as a QII if it satisfies all of the following conditions: It is licensed and not subject to any penalties, restrictions, or prohibitions, and is supervised by a financial regulatory authority in a jurisdiction that is not on the FATF grey list or black list It has operated as a financial technology company dealing directly with customers for a minimum of three years It has achieved annual revenues of not less than IQD 30 billion (or equivalent) in each of the three preceding financial years It has a minimum of 100,000 active users or customers Category B: Investment Fund An investment fund qualifies as a QII if it satisfies all of the following conditions: It manages an investment portfolio of not less
What Is a Digital Bank in Iraq?
What Is a Digital Bank in Iraq? Overview Iraqi regulatory authorities have introduced a new licensing category specifically for digital banks, a development that represents the most significant structural change to Iraq’s banking framework in recent years. For investors, founders, and their legal advisers, understanding precisely what this new category means in legal terms is the essential starting point. This article sets out the legal definition of a digital bank under Iraq’s regulatory framework, the scope of activities that a digital bank is and is not authorized to perform, the regulatory basis on which this new category was created, and the key legal implications that flow from these definitions. This is the first article in Etihad Law Firm’s 12-part legal guide to establishing a digital bank in Iraq. Subsequent articles address eligibility, capital obligations, the licensing process, permitted activities during the pilot phase, governance requirements, and the legal conditions that must be satisfied at each stage of the licensing journey. 1. Legal Definition of a Digital Bank Under Iraq’s banking regulatory framework, a digital bank is legally defined as a bank that provides its services exclusively through modern digital channels primarily internet-based platforms and mobile applications and that operates under the full supervisory authority of the Central Bank of Iraq (CBI). Full Banking Authorization A digital bank is not a payment institution, an electronic money issuer, or a fintech company. It is a bank in the full legal sense authorized to accept deposits, extend credit, and provide payment services subject to the same regulatory obligations as any other licensed bank in Iraq. This means that a digital bank must meet the same foundational legal requirements that apply to all banks operating under Iraqi banking legislation: minimum capital, governance standards, fit and proper requirements, anti-money laundering obligations, and ongoing supervisory obligations to the CBI. The digital nature of the institution does not reduce or modify these core banking obligations. It adds to them, digital banks carry additional specific obligations relating to technology infrastructure, cybersecurity, digital onboarding, and data protection that go beyond what is required of traditional banks. No-Branch Requirement The legal requirement that a digital bank provide its services exclusively through digital channels is absolute. A digital bank in Iraq is prohibited from opening branches whether inside Iraq or abroad that are accessible to the public for the provision of banking services. The only physical presence permitted is a single administrative headquarters located within Iraqi territory. This headquarters is restricted to internal administrative functions and may not be used to provide banking services to members of the public. This prohibition is a defining legal characteristic of the digital bank license. Any institution wishing to operate a branch network must seek a different category of license, the digital bank framework is not available to hybrid models. Regulatory Oversight A digital bank operates under the complete supervisory jurisdiction of the Central Bank of Iraq. This is not qualified or partial oversight, the CBI has full authority to set requirements, conduct examinations, issue instructions, impose conditions, and revoke licenses. The supervisory relationship with the CBI is continuous and begins from the point of preliminary approval, not from the point at which a full license is granted. Founders and investors should be aware that the CBI’s oversight applies throughout the pilot phase, and that non-compliance at any stage of the licensing journey carries legal consequences up to and including cancellation of the authorization. 2. Legal Basis for Licensing Framework The digital bank licensing framework has been issued by the Central Bank of Iraq in exercise of its statutory authority under Iraqi banking legislation. This legislation grants the CBI the authority to license and supervise banking activity in Iraq, to prescribe the conditions for the grant of licenses, and to issue binding regulatory instruments governing the conduct of licensed institutions. The framework does not create a new legal entity type, a digital bank is constituted as a joint stock company under Iraqi company law, in the same manner as a conventional bank. What the framework creates is a new licensing category, with its own specific conditions, authorized scope of activity, and regulatory obligations. This legal architecture has important practical implications: The digital bank must be incorporated as a joint stock company under Iraqi law before a full license can be granted All provisions of Iraqi banking legislation that apply to banks generally also apply to digital banks, unless expressly modified by the digital bank framework Where the digital bank framework imposes requirements that differ from or are additional to the general banking legislation, the more specific digital bank requirements take precedence The framework does not override or modify existing Iraqi law, it operates as a layer of specific requirements that sit on top of the existing legal architecture Regulatory Instruments That Govern a Digital Bank A digital bank in Iraq is governed by a suite of regulatory instruments issued by the CBI. Understanding the relationship between these instruments is important for legal advisers working on licensing applications and compliance programmes. The primary regulatory instrument sets out the conditions for the grant of a digital bank license, the requirements that must be met before and during the pilot phase, the authorized scope of activities, the governance requirements, and the grounds on which a license may be suspended or revoked. This is the foundational legal document for any digital bank licensing exercise. The Standards Booklet sets out all quantitative and qualitative standards that a digital bank must meet covering ownership structure, governance, technology and infrastructure, financial metrics, and compliance obligations. Each standard is numbered and forms part of the formal assessment framework that the CBI applies when evaluating compliance. The Assessment Guidelines explain, standard by standard, precisely how the CBI will assess compliance. They set out what evidence is required, what tests will be applied, and what the CBI expects to see in terms of documentation, policies, systems, and practices. For legal advisers preparing a licensing application, these guidelines are the primary technical reference. The Timeline