
Regulatory Playbook: Iraq

| Field | Value |
|---|---|
| Market | Iraq (IQ) |
| Regulator | Central Bank of Iraq (CBI) |
| Status | Draft — requires local compliance review |
| Owner | Country Manager IQ / CDO |
| Created | 2026-04-04 |
| Review | Semi-annually |
| Reference | Cross-Border Compliance Framework |

Purpose

This is the operational playbook for Simpaisa's Iraq operations. The Cross-Border Compliance Framework defines what the law requires. This playbook defines what we actually do: who is responsible, what processes run, what reporting is due, and what happens when something goes wrong.

Iraq operates under the CBI Electronic Payment Services Regulation 2024, which replaced the 2014 regulation. This is a new regulatory framework with a 6-month compliance window from enforcement. All electronic payment service providers must adjust operations to comply within that window. Data localisation is mandatory — all customer data and transaction records must be maintained within Iraq.

Regulatory Landscape

| Dimension | Requirement | Source |
|---|---|---|
| Primary licence | Electronic Payment Service Provider licence | CBI Electronic Payment Services Regulation 2024 (Official Gazette, 29 April 2024) |
| AML/KYC | Robust AML compliance, CDD, secure authentication (OTPs, biometrics), mandatory STR filing | AML/CFT Law No. 39 of 2015; CBI AML/CFT regulations |
| Data localisation | All customer data and transactions must be maintained within Iraq. Minimum 5-year retention in-country. CBI requires on-site inspection capability. | CBI Electronic Payment Services Regulation 2024 |
| Encryption | Robust cybersecurity measures mandated. Secure authentication required. | CBI Electronic Payment Services Regulation 2024 |
| PII handling | No comprehensive data protection law. Customer data governed by CBI regulation. | CBI circulars |
| Transaction limits | Per CBI Electronic Payment Services Regulation 2024 | CBI Regulation 2024 |
| Reporting | Detailed reporting to CBI. STRs to CBI AML/CFT Office. | CBI Regulation 2024; AML/CFT Law No. 39 of 2015 |
| Audit | Annual external audit (CBI-approved auditor). CBI on-site inspection at CBI's discretion. Cybersecurity audit per CBI requirements. | CBI Regulation 2024 |
| Incident reporting | Significant incidents reported to CBI within 24 hours. Cybersecurity incidents reported per regulation. | CBI Regulation 2024 |

Current Compliance Status

| Requirement | Status | Gap | Risk |
|---|---|---|---|
| Electronic Payment Service Provider Licence | Active | Licence issued under the previous 2014 regulation. Must confirm alignment with the 2024 regulation within the 6-month compliance window. | HIGH |
| AML/KYC processes | Partially compliant | CDD processes undocumented. KYC workflow exists but alignment to AML/CFT Law No. 39 requirements not verified. | HIGH |
| Data localisation | Unknown | Must confirm all customer data and transaction records reside within Iraq. Current infrastructure region not documented. | HIGH |
| Encryption at rest | Non-compliant | PII stored in plaintext (SECURITY-ARCHITECTURE.md, Finding R2). | CRITICAL |
| Encryption in transit | Compliant | TLS 1.2+ for all external communications. | |
| Transaction monitoring | Partially compliant | Rule-based monitoring exists. No automated STR generation. | MEDIUM |
| Incident reporting to CBI | Unknown | No documented process for CBI notification within 24 hours. | HIGH |
| Annual audit | Unknown | Audit history not documented in Architecture repo. | MEDIUM |
| Request signing | Non-compliant | Pay-Ins has no request signing (SECURITY-ARCHITECTURE.md, Finding 1). | CRITICAL |
| Rate limiting | Non-compliant | No documented rate limiting (SECURITY-ARCHITECTURE.md, Finding 5). | HIGH |
| 6-month compliance window (2024 Regulation) | At risk | Window runs from the enforcement date of CBI Regulation 2024. Full gap analysis against the new regulation required urgently. | CRITICAL |

Operational Processes

1. Merchant Onboarding (Iraq)

MERCHANT ONBOARDING FLOW (IQ)
─────────────────────────────────────────────────────

  Application      CDD/KYC         Technical        Go-Live
  ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐
  │ Merchant │──▶│ Identity │──▶│ API Key  │──▶│ Live     │
  │ applies  │   │ verified │   │ Sandbox  │   │ traffic  │
  │          │   │ Docs     │   │ Testing  │   │          │
  └──────────┘   │ checked  │   │ Webhook  │   └──────────┘
                 └──────────┘   │ config   │
                                └──────────┘

  Owner: Commercial (IQ)    Compliance (IQ)     Engineering     Operations (IQ)
  SLA:   2 business days    5 business days     3 business days  1 business day
  Total: 11 business days target

Required documents for CDD (Iraq):
- Company registration certificate (Iraqi Companies Registrar)
- Trade licence / business permit
- National ID cards of directors and beneficial owners
- Bank account verification letter (Iraqi bank)
- Business address verification
- Beneficial ownership declaration (>25% shareholders)
- CBI-mandated secure authentication enrolment (OTP/biometric)

Enhanced Due Diligence triggers:
- High monthly transaction volume (threshold per CBI regulation)
- High-risk merchant category (gambling, crypto, precious metals)
- PEP (Politically Exposed Person) as beneficial owner
- Adverse media screening hit
- Sanctions list match (UN, OFAC, local lists)

2. Transaction Monitoring

| Check | Frequency | Threshold | Action |
|---|---|---|---|
| Velocity check | Real-time | > 100 transactions/minute per merchant | Alert + temporary hold |
| Amount anomaly | Real-time | > 3x average daily volume | Alert + manual review |
| New merchant spike | Daily | > 10x first-day average within first 30 days | Manual review |
| Dormant reactivation | On event | No transactions for > 90 days, then sudden high volume | Manual review + re-KYC |
| STR screening | Daily batch | Rule-based pattern matching against CBI typologies | STR filed with CBI AML/CFT Office within 3 business days if confirmed |

STR filing process:
1. Alert generated by monitoring system or flagged by operations staff.
2. Compliance Officer (IQ) reviews within 24 hours.
3. If suspicious: STR prepared per CBI AML/CFT Office format.
4. STR filed with CBI AML/CFT Office within 3 business days.
5. Internal record retained for 5 years minimum.
6. No tipping-off: merchant not informed of STR filing.
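The four rule-based checks in the monitoring table, implemented over a constructed transaction stream so the thresholds can be exercised before they are wired to production data. This is an added example for this playbook, not Simpaisa's monitoring code: the `MerchantBaseline` record, the merchant IDs and amounts, and the "sudden high volume" threshold for dormant reactivation (here, above the merchant's historical daily average) are assumptions, since the table leaves that threshold open. STR typology screening is not implemented because the CBI typologies are not reproduced on this page; the alerts this code emits are the input to step 1 of the STR filing process.

```python
"""Rule-based checks from the monitoring table (added example, not Simpaisa code).

Constructed assumptions: a per-merchant baseline (go-live date, first-day volume,
average daily volume, last active day) and a "sudden high volume" threshold for
dormant reactivation, which the table leaves open (here: above the daily average).
"""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date, datetime, timedelta

VELOCITY_LIMIT = 100          # transactions per minute per merchant
AMOUNT_ANOMALY_FACTOR = 3.0   # x average daily volume
NEW_MERCHANT_FACTOR = 10.0    # x first-day volume, within the first 30 days
NEW_MERCHANT_WINDOW_DAYS = 30
DORMANCY_DAYS = 90            # no transactions for more than this many days
DORMANT_SPIKE_FACTOR = 1.0    # ASSUMPTION: "sudden high volume" = above the daily average

@dataclass(frozen=True)
class Txn:
    merchant_id: str
    ts: datetime
    amount: float

@dataclass
class MerchantBaseline:
    go_live: date
    first_day_volume: float     # total processed on the go-live day
    avg_daily_volume: float     # historical average daily volume
    last_activity: date | None  # last day with a transaction before this stream

@dataclass(frozen=True)
class Alert:
    merchant_id: str
    rule: str
    action: str
    detail: str

class Monitor:
    def __init__(self, baselines: dict[str, MerchantBaseline]) -> None:
        self.baselines = baselines
        self._window: dict[str, deque[datetime]] = defaultdict(deque)    # last 60 s of timestamps
        self._daily: dict[tuple[str, date], float] = defaultdict(float)  # running daily volume
        self._fired: set[tuple[str, str, date]] = set()                  # one alert per merchant/rule/day

    def _once(self, m: str, rule: str, day: date) -> bool:
        if (m, rule, day) in self._fired:
            return False
        self._fired.add((m, rule, day))
        return True

    def ingest(self, txn: Txn) -> list[Alert]:
        alerts: list[Alert] = []
        m, day = txn.merchant_id, txn.ts.date()
        # Velocity (real-time): transactions in a sliding 60-second window per merchant.
        window = self._window[m]
        window.append(txn.ts)
        while txn.ts - window[0] >= timedelta(minutes=1):
            window.popleft()
        if len(window) > VELOCITY_LIMIT and self._once(m, "velocity", day):
            alerts.append(Alert(m, "velocity", "alert + temporary hold", f"{len(window)} txns in 60 s"))
        # Running daily volume feeds the amount anomaly (real-time) and dormancy (on event) checks.
        self._daily[(m, day)] += txn.amount
        vol = self._daily[(m, day)]
        base = self.baselines.get(m)
        if base is None or base.avg_daily_volume <= 0:
            return alerts  # no baseline yet: nothing to compare against
        if vol > AMOUNT_ANOMALY_FACTOR * base.avg_daily_volume and self._once(m, "amount_anomaly", day):
            alerts.append(Alert(m, "amount_anomaly", "alert + manual review", f"daily volume {vol:.0f} > 3x average {base.avg_daily_volume:.0f}"))
        dormant = base.last_activity is not None and (day - base.last_activity).days > DORMANCY_DAYS
        if dormant and vol > DORMANT_SPIKE_FACTOR * base.avg_daily_volume and self._once(m, "dormant_reactivation", day):
            alerts.append(Alert(m, "dormant_reactivation", "manual review + re-KYC", f"idle since {base.last_activity}, volume {vol:.0f} today"))
        return alerts

    def end_of_day(self, day: date) -> list[Alert]:
        """Daily batch: new-merchant spike; also rolls last_activity forward."""
        alerts: list[Alert] = []
        for m, base in self.baselines.items():
            vol = self._daily.get((m, day), 0.0)
            if vol <= 0:
                continue
            age = (day - base.go_live).days
            if 1 <= age <= NEW_MERCHANT_WINDOW_DAYS and vol > NEW_MERCHANT_FACTOR * base.first_day_volume > 0:
                alerts.append(Alert(m, "new_merchant_spike", "manual review", f"day {age}: volume {vol:.0f} > 10x first day {base.first_day_volume:.0f}"))
            base.last_activity = day
        return alerts

def run_demo() -> list[Alert]:
    # Constructed stream for 2026-04-01; each merchant trips exactly one rule.
    baselines = {
        "M-001": MerchantBaseline(date(2025, 1, 10), 5_000.0, 20_000.0, date(2026, 3, 31)),
        "M-002": MerchantBaseline(date(2026, 3, 20), 1_000.0, 5_000.0, date(2026, 3, 31)),
        "M-003": MerchantBaseline(date(2024, 6, 1), 2_000.0, 3_000.0, date(2025, 12, 1)),
    }
    t0 = datetime(2026, 4, 1, 10, 0, 0)
    stream = [Txn("M-001", t0 + timedelta(seconds=0.4 * i), 50.0) for i in range(120)]  # 120 txns in 48 s
    stream += [Txn("M-002", t0 + timedelta(minutes=i), 4_000.0) for i in range(3)]  # 12,000 on day 12 of life
    stream += [Txn("M-003", t0 + timedelta(minutes=i), 2_500.0) for i in range(2)]  # 5,000 after 121 idle days
    monitor = Monitor(baselines)
    alerts = [a for txn in stream for a in monitor.ingest(txn)]
    return alerts + monitor.end_of_day(t0.date())
```

Velocity, amount anomaly and dormant reactivation are evaluated per transaction, matching the table's real-time and on-event rows; the new-merchant spike runs as the daily batch. Each rule fires at most once per merchant per day, so a sustained burst produces one alert (and one hold) rather than flooding the Compliance Officer's 24-hour review queue.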

3. Incident Response (Iraq-Specific)

In addition to the global Incident Response Playbook (Standards/INCIDENT-RESPONSE-PLAYBOOK.md):

| Requirement | SLA | Owner |
|---|---|---|
| CBI notification for significant security incidents | Within 24 hours of detection | Country Manager IQ + CDO |
| CBI notification for cybersecurity incidents | Within 24 hours of detection | Country Manager IQ + CDO |
| CBI ad-hoc inspection response | Immediate cooperation | Country Manager IQ |

CBI notification template:

TO: Central Bank of Iraq — Electronic Payment Services Division
FROM: Simpaisa — Electronic Payment Service Provider Licence No: [XXXX]
DATE: [YYYY-MM-DD]
SUBJECT: Security Incident Notification — [Brief Description]

1. Nature of incident: [description]
2. Date/time detected: [timestamp]
3. Systems affected: [list]
4. Customer impact: [number affected, data exposed if any]
5. Containment actions taken: [list]
6. Root cause (preliminary): [if known]
7. Estimated resolution: [timeline]
8. Contact for follow-up: [name, phone, email]

4. Data Localisation

Current architecture (compliance unknown):
- Infrastructure region for Iraq operations not documented.
- Must confirm all customer data and transaction records reside within Iraq per CBI mandate.
- CBI requires on-site inspection capability: infrastructure must be accessible to CBI inspectors.

Target architecture (per Data Architecture, DA-06):
- Primary transaction data resides in-country (Iraqi data centre or CBI-approved local hosting).
- Only aggregated/anonymised data flows to UAE for group reporting.
- Cross-border transfer requires CBI approval or full anonymisation.
- 5-year minimum retention of all data within Iraq.

Action items:
1. Audit current infrastructure to confirm data residency within Iraq.
2. If data is not Iraq-resident, initiate migration plan immediately (6-month compliance window).
3. Document all cross-border data flows with data classification.
4. Implement column-level encryption for PII before any data leaves Iraq.
5. Ensure CBI on-site inspection capability is in place (physical or logical access).
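A policy-as-code check that turns the target architecture and action items 1 and 3 into something the data localisation audit can run against a documented inventory, and re-run on every change. This is an added example, not Simpaisa code; the inventory schema (`DataStore`, `DataFlow`), the store names, regions and data classes are constructed for illustration. It flags regulated data hosted outside Iraq, in-country retention below five years, missing CBI inspection access, and any raw customer data or transaction records crossing the border without anonymisation or CBI approval.

```python
"""Policy-as-code check for the data localisation rules above (added example, not Simpaisa code).

The inventory schema and all records in run_demo() are constructed for illustration;
the real audit would populate them from the infrastructure and data-flow documentation
that action items 1 and 3 produce.
"""
from __future__ import annotations
from dataclasses import dataclass

IN_COUNTRY = "IQ"
MIN_RETENTION_YEARS = 5
REGULATED = frozenset({"customer_pii", "transaction_record"})  # data classes that must stay in Iraq

@dataclass(frozen=True)
class DataStore:
    name: str
    region: str               # ISO 3166 country code of the hosting location
    classes: frozenset[str]   # data classes held in this store
    retention_years: int
    inspectable: bool         # CBI on-site (physical or logical) access arranged

@dataclass(frozen=True)
class DataFlow:
    source: str
    dest_region: str
    classes: frozenset[str]
    anonymised: bool = False    # only aggregated/anonymised output crosses the border
    cbi_approved: bool = False  # explicit CBI approval for this transfer

def check_store(s: DataStore) -> list[str]:
    regulated = sorted(s.classes & REGULATED)
    if not regulated:
        return []  # unregulated data (metrics, config) may live anywhere
    findings = []
    if s.region != IN_COUNTRY:
        findings.append(f"{s.name}: holds {regulated} in {s.region}; must be hosted in {IN_COUNTRY}")
    if s.retention_years < MIN_RETENTION_YEARS:
        findings.append(f"{s.name}: retention {s.retention_years}y below {MIN_RETENTION_YEARS}y in-country minimum")
    if not s.inspectable:
        findings.append(f"{s.name}: no CBI inspection access arranged")
    return findings

def check_flow(f: DataFlow) -> list[str]:
    regulated = sorted(f.classes & REGULATED)
    if not regulated or f.dest_region == IN_COUNTRY:
        return []  # in-country movement is not a cross-border transfer
    if f.anonymised or f.cbi_approved:
        return []  # the two permitted routes out of Iraq
    return [f"{f.source} -> {f.dest_region}: raw {regulated} leaves Iraq without anonymisation or CBI approval"]

def audit(stores: list[DataStore], flows: list[DataFlow]) -> list[str]:
    findings = [x for s in stores for x in check_store(s)]
    findings += [x for f in flows for x in check_flow(f)]
    return findings

def run_demo() -> list[str]:
    # Constructed inventory: two non-compliant stores, one non-compliant flow.
    stores = [
        DataStore("iq-txn-db", "IQ", frozenset({"customer_pii", "transaction_record"}), 5, True),
        DataStore("iq-app-logs", "IQ", frozenset({"transaction_record"}), 3, True),    # retention too short
        DataStore("legacy-backup", "AE", frozenset({"transaction_record"}), 7, True),  # hosted outside Iraq
        DataStore("metrics-store", "AE", frozenset({"metrics"}), 1, False),            # unregulated, fine
    ]
    flows = [
        DataFlow("iq-txn-db", "AE", frozenset({"transaction_record"}), anonymised=True),  # group reporting, OK
        DataFlow("iq-txn-db", "AE", frozenset({"customer_pii"})),                         # raw PII export, not OK
        DataFlow("iq-txn-db", "IQ", frozenset({"customer_pii"})),                         # in-country replica, OK
    ]
    return audit(stores, flows)
```

Any non-empty result from `audit()` is a blocker for the migration plan in action item 2, and the same check belongs in the change pipeline so a new replica or export job cannot silently move regulated data out of Iraq after the initial audit passes.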

5. Reporting Calendar

| Report | Frequency | Due Date | Recipient | Owner |
|---|---|---|---|---|
| Transaction reporting | Per CBI schedule | Per CBI Regulation 2024 | CBI Electronic Payment Services Division | Operations IQ |
| Suspicious Transaction Reports | As needed | Within 3 business days of confirmation | CBI AML/CFT Office | Compliance IQ |
| Annual compliance report | Annually | Per CBI-specified timeline | CBI | Compliance IQ + CDO |
| External audit report | Annually | Per CBI-specified timeline | CBI | Finance + CDO |
| Cybersecurity audit | Annually | Per CBI requirements | CBI | CDO |
| AML/KYC programme review | Annually | Per AML/CFT Law requirements | Internal + CBI on request | Compliance IQ |

6. Key Contacts

| Role | Responsibility | Name |
|---|---|---|
| Country Manager IQ | Overall Iraq operations, CBI relationship | TBD |
| Compliance Officer IQ | AML/KYC, STR filing, regulatory reporting | TBD |
| Operations Lead IQ | Transaction monitoring, merchant support | TBD |
| CDO | Technology, security, data architecture decisions | Daniel O'Reilly |

Remediation Priorities

Based on the compliance status assessment above:

| Priority | Item | Risk | Owner | Target |
|---|---|---|---|---|
| 1 | Full gap analysis against CBI Regulation 2024 | CRITICAL | CDO + Country Mgr IQ | Immediate |
| 2 | PII encryption at rest | CRITICAL | CDO | Q2 2026 |
| 3 | Pay-In request signing | CRITICAL | CDO | Q2 2026 |
| 4 | Data localisation audit and confirmation | HIGH | CDO + Country Mgr IQ | Q2 2026 |
| 5 | CBI incident notification process | HIGH | Country Mgr IQ | Q2 2026 |
| 6 | Rate limiting implementation | HIGH | CDO | Q3 2026 |
| 7 | CDD process documentation | HIGH | Compliance IQ | Q2 2026 |
| 8 | Automated STR generation | MEDIUM | CDO + Compliance IQ | Q3 2026 |

Connection to Strategy

This playbook directly supports:
- SG1 (Operational Excellence): documented processes, incident response SLAs, regulatory compliance within the 6-month compliance window for CBI Regulation 2024.
- SG4 (Market Expansion): Iraq as a regulated market following the Pakistan playbook template. Compliance with the new 2024 regulation is a prerequisite for continued operations.
- Foundational Support #5 (Standardised global network): Iraq aligned to the same playbook structure as all Simpaisa markets.