Answer ... The fintech industry in Iraq covers a limited range of sub-sectors, such as mobile and electronic payments and telecommunications; these are reportedly the only two competitive tech sectors in Iraq.

Other nascent tech areas that remain underdeveloped include online shopping, trading and electronic services, and smartphone applications.

Iraq is adopting fintech at a slow pace, and overall investment in fintech and the enactment of related regulations have been low, compared to other countries in the region. This is due to many factors, including:

• the large unbanked population – according to an analytical note entitled “Bringing Back Business in Iraq” published on 1 January 2019 by the World Bank Group, only 23% of Iraqi households have access to an account with a financial institution;
• the cost of internet and mobile services, relative to income, which limits demand for digital financial services; and
• the fact that Iraqis prefer cash on delivery in e-commerce transactions, due to concerns about security of online payments.

Answer ... While mobile and electronic payment services are increasing, they are not as widely used as in other countries in the region. The most common payment methods remain cash on delivery and bank transfer, with limited credit card use. E-commerce (food, real estate, shipping, transportation and travel services), e-banking and digital payments are reported as major underdeveloped sectors in Iraq.

Electronic payment services authorised in Iraq include managing deposits and cash withdrawals through automated teller machines and executing electronic debit and credit payments. Such electronic payments are made through any means of digital communication and information technology, or network operator acting as an intermediary between the user and the supplier of services, or any other recipient, through mobile phone transfers.

Electronic payment service providers licensed in Iraq may also facilitate access to loans from banks, disbursed directly to the user’s credit card.

Answer ... Electronic transactions are regulated in Iraq under the E-signature and E-transactions Law. However, online and technology businesses are not regulated as such in Iraq. This means that e-commerce sites and mobile applications are not legally considered as businesses, unless they have a physical office address in Iraq. Therefore, tech start-ups generally elect to register their businesses as ‘bricks and mortar’ companies for legal recognition.

Fintech services are also provided by banks that operate based on a licence from the Central Bank of Iraq (CBI).

Answer ... Financing options for fintech companies operating in Iraq are very limited.

Many start-ups in Iraq self-finance their fintech businesses or seek funding from family and friends. Other financing options may include donations, seed funds and grants from incubators. A less accessible option for fintech start-ups in Iraq is investment by angel investors; the terms of such investments are often unfavourable to fintech entrepreneurs, as angel investors often seek a majority stake in the start-up.

Answer ... The lack of electronic payments makes the expansion of fintech companies challenging. Fintechs in Iraq do not yet constitute a competitive threat to institutions offering traditional financial services. Authorised electronic payment service providers rely on banks to facilitate client access to certain products, such as loans, which are credited by banks directly to customers’ credit cards.

Answer ... We believe that the most relevant outsourcing by fintechs in Iraq currently concerns cloud computing.

Banks, financial institutions, payment service providers, exchange counters and other licensed institutions must comply with Central Bank of Iraq Decision 14/611 of 2019 when outsourcing to cloud computing service providers. Upon engaging in such activities, these institutions must take into account operational risks and factors such as confidentiality, integrity, cybersecurity, regulatory compliance and data transfer. The measures to be implemented by banks, financial institutions and other licensed institutions to ensure the safety of operations include:

• user identity management systems;
• identification and protection of personal data; and
• security and protection systems that prevent hacks and attacks.

The legal issues associated with outsourcing to cloud computing service providers include cybersecurity risks and protection of personal data by cloud computing service providers. In order to mitigate such risks, banks must have the cloud computing service provider sign a non-disclosure agreement. Banks must further ensure that they have the right to audit the cloud computing service provider, to verify its ability to protect the safety and integrity of data. Banks much ensure that the cloud computing service provider returns all data upon termination of the agreement and destroys any copies thereof in its possession.