DETAILS
- Date 27 Oct 2025
- Lawyer Hatem Al-Shammari
- Skills Banking, FinTech, Business, Corporate, Commercial
- Location Iraq
- Category Digital Transformation, Financial Institutions, Solutions, Technology
DESCRIPTION
Central Bank of Iraq (CBI) Digital Banking Compliance Handbook
Introduction: Mandate for Reform and Compliance
This handbook is an essential internal guide for the Board of Directors and Senior Management, established within the strategic context of the Central Bank of Iraq’s (CBI) 2025 Banking Reform Initiative. Its purpose is to ensure our bank achieves and maintains full and unwavering compliance with all CBI mandates for digital banks. Adherence to these standards is not optional; it is a fundamental condition of our license. As explicitly stipulated by the CBI, any failure to comply will result in immediate administrative actions, up to and including the revocation of our banking license.
——————————————————————————–
1.0 The CBI Reform Program: Framework and Timeline
Understanding the structure of the CBI’s reform program is of paramount strategic importance. This section serves as the operational roadmap for our journey toward a full digital banking license, outlining the key phases of assessment, critical milestones, and the initial constraints that will govern our operations. This framework defines our path and sets the clear expectation that full compliance must be achieved within the specified timeframes. We will begin by examining the program’s phased structure before detailing the specific operational restrictions that apply during the critical pilot phase.
1.1 The Phased Assessment Framework
The CBI has instituted a three-phase framework designed to progressively assess our bank’s adherence to the reform standards. Each cycle targets a specific subset of standards, sequenced by complexity, culminating in full compliance by 2028. Successfully passing each assessment is a non-negotiable prerequisite for advancing to the next stage and ultimately securing a full, unrestricted digital banking license.
| Assessment Cycle | Scheduled Period | Key Focus |
|---|---|---|
| Basic Requirements | H1 2026 | Initial compliance with foundational standards, including a CBI-led technical assessment, to authorize pilot operations. |
| Cycle 1 | H1 2027 | Intermediate compliance assessment against a broader set of standards, including the first formal assessment by an independent, CBI-approved firm for key technology and control frameworks. |
| Cycle 2 | H1 2028 | Final, comprehensive assessment for full compliance with all reform standards, prerequisite for obtaining an unrestricted digital banking license. |
1.2 Operational Restrictions During the Pilot Phase
During the initial pilot phase, the bank’s activities are subject to specific and stringent restrictions designed to ensure a controlled and secure entry into the market. It is imperative that our business strategy and product development roadmap fully account for these constraints.
- Credit Facilities:
  - Restriction: The bank is strictly prohibited from offering any credit facilities during the first year of the pilot program. In the second year, the bank is limited to offering a single credit product.
  - Implication: Our initial business model must focus exclusively on deposit-taking and payments. Revenue streams from lending will only become available in the second year and will be limited in scope until the full license is granted.
- Deposit Ceilings:
  - Restriction: The bank’s total deposits are capped at 10 billion IQD. Individual customer deposits are capped at 20 million IQD. All services are limited to individuals; services for companies are not permitted.
  - Implication: Our customer acquisition strategy must target individuals and manage deposit growth to remain under the aggregate ceiling. Product design for deposit accounts must enforce the individual cap.
- Prohibited Services:
  - Restriction: The bank is explicitly forbidden from offering services such as documentary credits and letters of guarantee.
  - Implication: Our service portfolio must be strictly limited to permitted digital banking activities. We cannot engage in any form of trade finance.
- Investment Constraints:
  - Restriction: The bank is prohibited from making any investments that are not directly related to building its technological capabilities and infrastructure.
  - Implication: All capital allocation must be directed toward technology platforms, security, and operational resilience. No investments in securities, real estate, or other asset classes are permitted.
- International Transfers:
  - Restriction: All international transfers are banned during the pilot phase.
  - Implication: Our payment services must be exclusively domestic. The product roadmap cannot include any cross-border remittance features until the full license is obtained.
- Lifting of Restrictions:
  - Clarification: These restrictions will only be lifted after the bank successfully passes the Cycle 2 assessment in 2028 and is granted the full, unconditional digital banking license by the CBI.
1.3 Licensing Fees
A mandatory, one-time Licensing Fee of 200,000 USD (or its equivalent in IQD) is required. Payment of this fee must be completed to coincide with the start of the first formal assessment cycle in the first half (H1) of 2027.
——————————————————————————–
2.0 Pillar A: Ownership and Governance Standards
Pillar A establishes the standards for ownership and governance that form the bedrock of our bank’s credibility, stability, and right to operate. These are not procedural guidelines; they are foundational requirements designed to enforce transparency, accountability, and sound decision-making. Unwavering adherence is critical for building trust with depositors and regulators, attracting international partners, and ultimately ensuring the long-term survival of this institution. A strong governance framework is the essential prerequisite for developing a sustainable and trustworthy business model.
2.1 Standard A1: Ownership Structure
- Core Standard: No individual or company may hold more than 10% of the bank’s shares, including the holdings of any related parties, without explicit written approval from the CBI.
- Special Conditions: The CBI may grant approval for shareholdings to exceed the 10% cap under specific conditions:
  - An individual or company may be approved to hold up to 40%.
  - A “Qualified Institutional Investor” (QII) may be approved to hold up to 60%.
- QII Requirement: It is mandatory for the bank to have at least one QII that holds a minimum of 10% of the bank’s shares. To be classified as a QII, a firm must meet the criteria for one of the following categories:
  - A. Financial Services Company:
    - Licensed and supervised by a regulator in a non-FATF grey/black-listed jurisdiction.
    - Minimum three years of operation as a customer-facing financial technology company.
    - Minimum annual revenues of 30 billion IQD.
    - Minimum of 100,000 active users.
  - B. Investment Fund:
    - Minimum capital of 100 billion IQD.
    - Minimum five-year operational record of active investments in customer-facing fintech companies.
    - Demonstrated experience in corporate oversight through active board membership in portfolio companies.
2.2 Standard A2: Owner Due Diligence
- Core Standard: All shareholders holding 1% or more of the bank’s shares, as well as any individuals classified as “high-risk senior officials” (defined by the CBI as Politically Exposed Persons (PEPs) and their relatives by kinship or marriage up to the second degree), must undergo Enhanced Due Diligence (EDD).
- Assessment Process: The EDD must be conducted by an independent firm from the CBI’s approved list. This evaluation assesses the individual’s or entity’s background, source of wealth, reputation, integrity, financial soundness, and history of regulatory and legal compliance.
2.3 Standard A3: Board of Directors Governance
- Board Composition: The Board of Directors must be structured according to the following specific requirements:
  - Size: The board must consist of exactly 9 members.
  - Executive Status: All board members must be non-executive, with the sole exception of the Managing Director (CEO).
  - Independence: At least one-third of the board members must be independent. Of these independent members, at least half must be nominated by the bank’s Qualified Institutional Investors (QIIs).
  - Expertise: A minimum of three board members must possess a proven academic or practical background in the areas of banking information technology, payment systems, cybersecurity, digital banking platforms and applications, or the management and operation of e-banking services.
- Meeting and Decision Protocols: The board must hold a minimum of 6 meetings per year. Certain critical decisions require a supermajority vote (at least two-thirds approval), including appointing or dismissing key executives and approving any related-party transactions.
2.4 Standard A4 & A6: Fit and Proper Tests for Board and Senior Management
- Core Standard: All members of the Board of Directors and all individuals in Senior Management positions must successfully pass a comprehensive “Fit and Proper Test.”
- Key Personnel: The senior management roles explicitly subject to this test include the CEO, CTO, CFO, CRO, Head of Internal Audit, Compliance Officer, and Money Laundering Reporting Officer (MLRO).
- Assessment Criteria: The test evaluates professional experience, academic qualifications, financial soundness, personal integrity, reputation, and the absence of a criminal record or adverse regulatory history.
2.5 Standard A5: Governance Structure and Committees
- Core Standard: The bank must establish and maintain a clear governance structure that formally separates the roles, responsibilities, and authorities of shareholders, the Board of Directors, and Senior Management.
- Required Committees: In addition to the mandatory Audit Committee, the board must establish the following committees: Risk Management, IT & Communications, Corporate Governance & Sustainability, and Nominations & Remuneration. The chairperson of each committee must be an independent member of the Board.
——————————————————————————–
3.0 Pillar B: Business Model Sustainability Standards
This pillar evaluates the fundamental operational and technological viability of our digital bank. The CBI mandates these standards to ensure our institution is built on a resilient, secure, and customer-centric foundation capable of withstanding operational stress and sophisticated threats. Adherence is the definitive proof that we possess the infrastructure, processes, and controls necessary to deliver reliable digital financial services to the Iraqi public. These standards are directly tied to the financial metrics that prove our long-term viability.
3.1 B1: Detailed Business Plan
The bank is mandated to produce and maintain a comprehensive business plan that contains detailed five-year financial projections, a thorough market analysis, a clear product roadmap (covering cards, deposits, and payments), and a detailed operating model, including staffing plans and organizational structure.
3.2 B2 & B3: Core Banking and Online Services Technology
- Core System Mandate: The bank must operate a comprehensive core banking system and online/mobile banking platforms that fully comply with all CBI technical specifications.
- Integration Requirements: These systems must be fully integrated with all national payment and information systems mandated by the CBI, including the Real-Time Gross Settlement (RTGS) system, the Automated Clearing House (ACH), national AML systems, and the Credit Inquiry System (ICI).
- Security & Availability: Systems must incorporate robust security measures, including multi-factor authentication. The bank must guarantee high availability, with a minimum uptime of 99.5% for core banking systems and 98% for online and mobile channels.
3.3 B5 & B6: Customer Access and Service
- ATM Access: The bank must ensure customers have access to cash withdrawal services by establishing partnerships and ensuring interoperability with shared national ATM networks.
- Customer Support: The bank must operate a 24/7 contact center accessible via telephone and digital channels. This center must be adequately staffed, with clear, documented timelines for issue resolution.
3.4 B7, B8, B9: Infrastructure, Data, Payments, and Business Continuity
- Data Infrastructure: The bank must maintain a robust and secure data infrastructure, with all data centers physically located inside Iraq. A formal data classification framework must be implemented, with strong encryption protocols required for all sensitive data.
- Payment Systems: The bank must have the capability to issue payment cards (at a minimum, debit cards) that comply with international security standards, including EMV and PCI-DSS.
- Business Continuity: The bank must maintain fully documented and regularly audited Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). The DRP site must also be located within Iraq.
3.5 B10 & B11: Deposit Protection and Credit Reporting
- Deposit Insurance: Participation in the Iraqi Company for Deposit Guarantee is mandatory. The bank must pay all required premiums to ensure customer deposits are protected.
- Credit Bureau Reporting: The bank must regularly and accurately submit all relevant customer credit information to the CBI’s national Credit Inquiry System (ICI).
——————————————————————————–
4.0 Pillar C: Financial Metrics Standards
Pillar C establishes the non-negotiable financial metrics that anchor our bank’s solvency and public trust. These standards—capital, adequacy, and liquidity—are the quantitative proof of our stability. Failure to maintain these ratios at all times is not a matter for future remediation; it is a critical failure that directly threatens our license to operate and exposes this institution to immediate CBI intervention. These financial requirements are supported by the qualitative risk management and compliance frameworks that ensure their integrity.
4.1 C1: Capital and Composition
The bank must meet a phased minimum paid-up capital requirement, progressively increasing as it moves toward a full license.
| Timeline | Required Paid-up Capital (IQD) |
|---|---|
| By Q1 2026 (prior to application submission) | 30 Billion |
| By H1 2027 | Additional 35 Billion (Total 65 Billion) |
| By H1 2028 | Additional 35 Billion (Total 100 Billion) |
Furthermore, at all times, at least half of the bank’s total regulatory capital must be composed of Tier 1 capital.
4.2 C2: Capital Adequacy
The bank must maintain a Capital Adequacy Ratio (CAR) of at least 12.5% at all times. This ratio measures the bank’s capital in relation to its risk-weighted assets (RWAs), ensuring a sufficient capital buffer to absorb potential losses.
4.3 C3: Liquidity Ratios
To ensure the bank can meet its obligations, it must adhere to two primary liquidity standards:
- Liquidity Coverage Ratio (LCR): Must be maintained at or above 100%.
- Net Stable Funding Ratio (NSFR): Must be maintained at or above 100%.
——————————————————————————–
5.0 Pillar D: Risk and Regulatory Compliance Standards
This pillar provides the essential framework for identifying, managing, and mitigating key operational, financial, and regulatory risks. The standards governing related-party transactions, financial crime prevention, and internal controls are critical for safeguarding the bank’s assets, ensuring operational integrity, and complying with both Iraqi law and international best practices. Strict adherence protects the bank’s reputation and ensures its sustainable operation.
5.1 D1: Related-Party Transactions and Conflicts of Interest
- Exposure Limits: Total exposure to all related parties must not exceed 10% of the bank’s qualifying capital base. This limit may be increased to 15% only with explicit CBI approval.
- Approval Process: Any extension of credit to a related party requires a supermajority (two-thirds) approval from the Board of Directors.
- Internal Policies: The Board will ensure the development, implementation, and rigorous enforcement of comprehensive internal policies for identifying and managing potential conflicts of interest.
5.2 D2: Anti-Money Laundering / Countering Financing of Terrorism (AML/CFT) / Sanctions
- Core Requirement: The bank is mandated to have comprehensive and robust policies, processes, and systems for AML/CFT and Sanctions compliance.
- Key Program Elements: The compliance program must include a formal governance structure, a risk-based approach to customer classification (including Customer Due Diligence and Enhanced Due Diligence), automated transaction monitoring systems, and systematic screening of all customers and transactions against sanctions lists.
5.3 D3: Reporting Transparency and Auditing
- Audit Mandate: The bank’s annual financial statements must be audited by two independent, external auditors, at least one of whom must be on the CBI’s approved list. The bank must rotate its external auditors every five years.
- Accounting Standards: All audits and financial reporting must be conducted in accordance with International Financial Reporting Standards (IFRS), with specific attention to the requirements of IFRS 9.
5.4 D4: Internal Controls
- Three Lines of Defense: The bank must implement the internationally recognized “Three Lines of Defense” model to ensure robust risk oversight:
  - First Line: Business units that directly own, manage, and are accountable for risk as part of their day-to-day operations.
  - Second Line: Independent risk management and compliance functions that establish risk frameworks, provide oversight, and challenge the First Line’s risk-taking activities.
  - Third Line: The internal audit function, which provides independent and objective assurance to the Board on the effectiveness of the bank’s governance, risk management, and internal control frameworks (the first and second lines).
- Assessment: The existence and quality of this model will be formally assessed by an independent firm approved by the CBI.
——————————————————————————–
Executive Mandate for Compliance
This handbook outlines the critical and non-negotiable path to securing and maintaining our digital banking license. The Board of Directors and Senior Management are directly and personally responsible for ensuring complete and continuous adherence to every standard detailed herein.
To that end, a formal, board-approved project plan must be established immediately. This plan will assign direct ownership for each standard, define clear timelines for implementation and validation, and create a permanent audit trail to track and report our progress to the CBI. Compliance is not a project with an end date; it is the permanent foundation of our operations.
6.0 CBI Support and Contact Information
The Central Bank of Iraq has committed to providing guidance and support throughout the reform and assessment process. For any inquiries, clarification on standards, or procedural questions, the CBI has established a dedicated help desk. All official written communication should be directed to the CBI’s reform team via the following email address: [email protected]