Rules Navigator

Plastic loopholes – how Visa and Mastercard missed Iraq’s dollar drain

Iranian militia
Members of the Iranian Basij paramilitary force march in Tehran. Photo: Majid Saeedi/Getty Images

Vlada Gurvich

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Visa and Mastercard-linked debit cards in Iraq were exploited for years by militias and fraud networks to move billions in US dollars abroad.

For years, Iraq’s dollar-based card economy grew quietly and dangerously beneath the radar of global financial watchdogs. Enabled by partnerships with Visa and Mastercard, local banks and payment providers issued millions of prepaid and debit cards that were exploited by powerful militias to extract dollars from foreign ATMs, often in the UAE, and launder them back into Iraq for profit.

The scheme thrived on a compliance blind spot: weak due diligence, minimal transaction monitoring, and a dual exchange rate system that incentivized arbitrage. As the scale of abuse surged past a billion dollars per month, international regulators and US officials scrambled to rein in a system that had, for years, operated with the branding and infrastructure of the world’s most trusted financial networks.

Invasion aftermath

In the aftermath of the 2003 invasion of Iraq, the US established an improvised financial mechanism to stabilize Iraq’s economy by holding its oil revenues, amounting to tens of billions annually, at the Federal Reserve Bank of New York.

With Iraqi banks lacking access to the global SWIFT messaging system due to decades of sanctions, the US and the Central Bank of Iraq facilitated international dollar transfers using interbank Swift messages, which, unlike commercial messages, do not require identifying end recipients. This created a critical compliance gap: wire transfers bypassed due diligence protocols that would normally screen for suspicious or illicit activity, exposing the system to misuse.

Over time, this vulnerability was systematically exploited. Iraqi banks, some later acquired or influenced by politically connected militias, engaged in wire transfers underpinned by falsified trade invoices, funneling funds abroad to jurisdictions with minimal oversight.

US officials reported that large sums were ultimately laundered through informal channels and, in some cases, diverted to entities linked to Iran’s Islamic Revolutionary Guard Corps. Despite the US withdrawing military forces in 2011, the dollar-based system persisted, with physical cash shipments and electronic transfers continuing under a structure that lacked the transparency and counterparty disclosure required for international anti-money-laundering compliance.

On some days, up to 80% of outbound wire transfers from Iraqi banks were untraceable.

By late 2022, after nearly two decades of permissive oversight, US authorities moved swiftly to curtail Iraq’s dollar outflows by blocking several private banks from accessing the Federal Reserve’s transfer system. These banks had been major participants in an unconventional framework created during the US occupation, which enabled dollar wire transfers ostensibly for legitimate imports, often with little scrutiny.

US audits and intelligence raised alarms that a significant volume of these transactions involved fabricated trade documentation, routed through front companies, with no visibility into the ultimate beneficiaries. Compliance concerns intensified as internal reviews revealed that, on some days, up to 80% of outbound wire transfers from Iraqi banks were untraceable.

The decision to shut down access marked a delayed yet decisive response to long-standing warnings from US watchdogs, including the Pentagon’s inspector general, who had flagged large-scale fraud risks as early as 2012.

For years, US officials hesitated to enforce stricter controls out of concern for destabilizing Iraq’s fragile economy. However, mounting evidence of systemic abuse, including allegations that diverted funds were supporting sanctioned entities and armed groups, prompted Treasury officials to act.

Dollar loophole

After US authorities began restricting Iraq’s access to dollars via wire transfers in late 2022, a parallel surge in cross-border card transactions emerged, exploiting a new compliance gap.

Major US payment networks, Visa and Mastercard, expanded rapidly in Iraq by partnering with local banks, some of which had ties to militia-linked groups and lacked robust anti-fraud controls. These arrangements enabled massive flows of dollar-loaded debit and prepaid cards to be moved out of Iraq, where they were used to withdraw foreign currency at official exchange rates.

The funds were then re-imported and exchanged on the black market, exploiting the wide spread between Iraq’s official and unofficial rates: a loophole that generated returns of up to 21%.

Despite early warnings from the US Treasury as far back as mid-2023 about militia exploitation of the scheme, significant action by the card networks only materialized in early 2024. By then, Iraqi cardholders were estimated to have reaped around $450m in arbitrage profits in 2023 alone, with Visa and Mastercard collectively earning nearly $120m in transaction fees.

Although neither company is accused of violating sanctions, their delayed response prompted concern among regulators over weak due diligence and oversight.

The Central Bank of Iraq has since imposed a cap on international card use, and at Treasury’s urging, moved to suspend over 200,000 suspect cards, underscoring the challenges of enforcing compliance amid fragmented oversight and rapid financial innovation in high-risk markets.

Compliance dragnet

As Iraq’s card-based dollar outflows soared, US officials identified a growing compliance threat in the country’s rapidly expanding debit and prepaid card ecosystem. Between 2017 and 2024, the number of licensed Iraqi card issuers more than tripled, and transaction volumes surged, especially through Qi Card, the most widely held debit card in Iraq, used to pay millions of public employees – including militia members.

US and Iraqi officials flagged misuse of Qi Cards, including mass issuance to ghost soldiers and centralized control of rank-and-file cards by militia commanders, enabling exploitation of Iraq’s dual exchange rate. This arbitrage scheme funneled funds abroad, especially to the UAE, where irregular spending patterns concentrated in obscure businesses signaled large-scale financial abuse.

Audits and internal reviews revealed major lapses in due diligence and anti-money-laundering controls among Iraqi card issuers. Mastercard’s compliance review of Yana Banking Services in 2023 exposed failures in sanctions screening, customer risk assessment, and suspicious activity monitoring: findings that led to a temporary suspension of the issuer’s ability to onboard new customers.

While Yana and others took corrective action, Mastercard and Visa began broader enforcement in early 2024: Mastercard blocked over 100,000 cards and cut off thousands of suspicious merchants in the UAE; Visa issued fraud alerts for 70,000 cards and suspended access to 5,000 vendors. Both firms later reinstated some accounts after secondary review, but scrutiny remains high.

In parallel, US and Iraqi authorities intensified structural reforms. The Central Bank of Iraq capped cross-border card use at $300m per month, imposed a $5,000 monthly limit per cardholder, and brought in a US financial crimes advisory firm, K2, to oversee compliance.

Treasury blacklisted three Iraqi card issuers over militia links, including Al Saqi Electronic Payment Company, affiliated with a powerful Shia religious institution. Visa subsequently ceased processing Al Saqi cards, although marketing materials promoting Visa services remained online.

From loophole to lesson

The crackdown on Iraq’s misuse of dollar-denominated cards, including Qi Card’s militia-linked salary disbursements, underscores how legacy banking infrastructure, when layered with newer financial technologies, can be co-opted for illicit enrichment on a staggering scale.

Despite regional instability and outdated systems, the compliance failures here were rooted not in technological complexity but in institutional neglect, allowing powerful non-state actors to exploit gaps between official exchange rates, foreign merchant networks, and weak KYC safeguards.

Visa and Mastercard, despite flagging risk indicators and regulatory engagement, were slow to act. Even after action was taken (card blocks, merchant removals, caps) the damage had been done, with militias profiting handsomely from arbitrage and loopholes once designed to stimulate economic inclusion.

Compare that to Canada’s landmark terror-financing case against Khalilullah Yousuf, where enforcement finally caught up with the crypto-crowdfunding nexus long feared by policymakers. Here, digital anonymity posed the primary threat: financial flows left no traditional trail, and content spread virally across unregulated spaces. Unlike Iraq’s ATM-fed fraud economy, Yousuf’s model was decentralized and platform-native.

Public institutions were unprepared to anticipate how digitized financial tools … could facilitate transactions that defy oversight.

Yet both cases share a common denominator: public institutions were unprepared to anticipate how digitized financial tools, whether Visa-branded cards or GoFundMe links, could facilitate transactions that defy oversight. In each case, the slowness of institutional response highlights an urgent need not just for compliance frameworks, but for predictive compliance architectures attuned to behavioral and systemic risk.

By contrast, the US Justice Department’s decision to spare USRA from prosecution for an export control violation reflects a different model: one that rewards transparency over perfection, and internal accountability over external optics.

Unlike the reactive and often punitive enforcement seen in Iraq or Canada, the USRA case sets a forward-looking benchmark for national security compliance. There, the danger wasn’t card fraud or crypto laundering, but the unlawful transfer of sensitive military technology. Yet the government’s response prioritized structural reform over blame assignment.

These three cases, when seen together, illustrate diverging paths: where outdated mechanisms were gamed by armed groups; where decentralized finance raced ahead of legal doctrine; and where a proactive, integrity-driven approach turned a potential prosecution into a national security success story.

In an era of accelerating financial innovation, compliance must evolve not only to catch violations, but to prevent them before they escalate from gaps into crises.

, , ,

You may also like