Circular No. 606

For Banks, Financial Institutions, and Institutions Engaged in Financial and Banking Operations via Electronic Means Related to Basic Decision No. 7548 dated 30/3/2000 (Financial and Banking Operations via Electronic Means) attached to Basic Circular No. 69. Beirut, December 23, 2021 Governor of Bank Lebanon Rached T. Salamé

---

Circular No. 606

Regarding Basic Decision No. 7548 dated 30/3/2000 on Financial and Banking Operations via Electronic Means

Whereas the Governor of Bank Lebanon, pursuant to Articles 70 of the Banking and Credit Law, and pursuant to Article 4 of Law No. 44 dated 24/11/2015 on Combating Money Laundering and Terrorist Financing, and pursuant to Basic Decision No. 7818 dated 18/5/2001 and its amendments on the monitoring system for combating money laundering and terrorist financing, and pursuant to Basic Decision No. 7548 dated 30/3/2000 and its amendments on financial and banking operations via electronic means, and pursuant to recommendations of the Financial Action Task Force (FATF), and pursuant to the decision of the Central Council of Bank Lebanon taken in its meeting on 15/12/2021, has decided as follows:

Article 1: Article 5 (repeated) of Basic Decision No. 7548 dated 30/3/2000 is hereby amended and replaced by the following text:

"It is confirmed, with full force and effect, that there exists a financial relationship between the client and the payment institution/agent or the agent's sub-agents, or with any contracted institution to which the aforementioned enjoys full authority."

Article 2: Article 9 (repeated) of Basic Decision No. 7548 dated 30/3/2000 is hereby amended and replaced by the following text:

"First, defined as follows:

• "Client": any natural or legal person, whether a company or institution regardless of its commercial or legal status (Legal Arrangement) such as Trust, Foundation, Organization, Non-profit Association (Mutual Societies, Cooperatives, Social Solidarity Banks, Charitable Associations, NGOs, etc.).
• "Beneficial Owner": in the case of natural persons, those who ultimately own or exercise effective control over the "Client" and/or the intermediary company through which operations are conducted, directly or indirectly. Indirect ownership/control refers to cases where ownership/control is held through a chain of intermediate entities or indirect control means.

Second, any financial institution mentioned in Articles 3 and 4 of "Article 2" of this Decision, which engages in electronic payment transactions, must at least:

• 1. Establish due diligence procedures for clients and beneficial owners regardless of transaction value, including verification of identity and cross-border, domestic, and non-domestic transactions, risk-based identification of legal persons/entities and control structures, purpose/nature of business, continuous monitoring of beneficial owners, funds, and operations (especially in the following cases: a) before or upon establishing the business relationship; b) when conducting occasional transactions amounting to at least 10,000 LBP or equivalent; c) when there is suspicion of money laundering or terrorist financing).
• 2. Conduct periodic risk-based reviews of existing client relationships to assess if prior due diligence is sufficient and data obtained remains reliable.
• 3. Obtain the following official documents/data for client and beneficial owner identification: a) For natural persons: National ID, tax number, or residence certificate. b) For legal entities/companies/institutions: Commercial register, tax ID, ownership structure (direct/indirect), list of authorized signatories, plus a certified copy of the articles of association and details of beneficial owners (direct/indirect) holding voting rights.
• 4. Maintain adequate due diligence records for clients and beneficial owners, ensuring sufficient information is obtained before or upon establishing the business relationship, considering the "Financial Intelligence Unit".
• 5. Apply enhanced due diligence for transactions exceeding 10,000 LBP or equivalent.
• 6. Require clients to submit original assets or copies when transactions are conducted through an agent, in addition to agency agreements, and apply due diligence to non-resident agents.
• 7. Maintain records of "Client" and "Beneficial Owner" information (full name, address, registered office for legal entities, main business location, financial status), along with all documents related to due diligence (commercial correspondence, transaction records) for at least five years after business relationship termination and all transactions until completion. These records must be readily available for inspection regarding any criminal activity.
• 8. Report immediately to the "Financial Intelligence Unit" if there are confirmations or suspicions of money laundering/terrorist financing related to funds, terrorist assets, or organizations. If the institution has a lower-risk assessment, it may delay reporting while continuing due diligence procedures.
• 9. Establish an internal control system (System Control Internal) for combating money laundering and terrorist financing, including: a) Adequate/effective procedures approved by senior management. b) Compliance Officer appointed by senior management with sufficient AML/CFT expertise and ongoing training for employees/agents. c) IT systems for monitoring operations. d) Risk-based reporting to the Operations Supervisor, including non-resident agents' compliance with procedures/regulations. e) Training programs for AML/CFT. f) Continuous updating of due diligence data. g) Enhanced procedures proportional to risk, applied to non-resident agents and financial institutions, as recommended by FATF. h) Centralized database of AML/CFT-related information (names reported by Financial Intelligence Unit, names submitted for approval, continuously updated).
• 10. Adopt appropriate measures to identify/assess/report money laundering/terrorist financing risks using a risk-based approach (Low, Medium, High Risk) for clients and transactions.
• 11. Establish control procedures based on risk (Control Based Risk), including: a) Ongoing monitoring and enhanced follow-up for existing relationships. b) Obtaining more accurate information (Increased KYC Levels) for clients and beneficial owners, especially wealth verification. c) Senior management approval for high-risk client transactions/relationships. d) Periodic relationship review. e) Peer comparison of risk classification. f) System to identify Politically Exposed Persons (PEPs). g) Risk assessment based on relationship duration and transaction history. h) IT systems for effective monitoring/classification. i) Senior management-approved policies for risk classification and control procedures. j) Documented risk assessment results, justified actions, and regulatory reporting.
• 12. Confirm that transactions with third parties are subject to monitoring and comply with FATF recommendations regarding due diligence procedures and record retention, ensuring immediate access to client/beneficial owner identification information and supporting documents. In all cases, the institution bears responsibility for due diligence procedures, whether domestic or foreign, with risk-based assessment as a primary consideration, especially for transactions not fully covered by FATF recommendations or insufficiently documented.
• 13. Identify and assess money laundering/terrorist financing risks arising from new products, practices, delivery mechanisms, or technological developments (including those using new/developed technologies and existing products in use). Risk assessment procedures must be applied before launching new products/practices/technologies, with appropriate risk-based measures.
• 14. Employees are obligated to maintain strict confidentiality and notify clients or allow notification, or inform non-affected third parties, that the institution has reported or will report to the "Financial Intelligence Unit" regarding confirmed/suspected money laundering/terrorist financing transactions or accounts, before the decision is published in the official gazette and reported to account holders and interested parties.
• 15. Apply the aforementioned procedures to branches and subsidiaries operating in foreign jurisdictions, provided they hold a majority stake. If conflicting laws/regulations apply, the institution must implement additional appropriate measures to assess/report AML/CFT risks and notify the "Financial Intelligence Unit".
• 16. Implement group-wide AML/CFT programs, including all branches and majority-owned subsidiaries, containing: a) Policies/procedures for sharing client due diligence information and AML/CFT risks. b) Provision of client/transaction information from branches/subsidiaries to the group level as necessary, including analytical and non-analytical reports. c) Sufficient confidentiality guarantees for shared information, including client notification/alert mechanisms.
• 17. If the institution is a foreign branch operating in Lebanon and licensed abroad, it must provide sufficient information regarding transactions and be prepared to report to the "Financial Intelligence Unit" promptly. If reporting, all relevant information must be attached.
• 18. Commit to continuously reviewing electronic transactions with the General Treasury (lb.gov.isf.www) regarding names listed in the National List of natural/legal persons and entities involved in terrorist financing or money laundering, based on available IT systems and immediate reporting by the "Financial Intelligence Unit" regarding transactions involving listed names or assets under their control, within a maximum of 48 hours. If there is similarity between client names and listed names, the "Financial Intelligence Unit" must be notified.
• 19. Apply the seventh recommendation of the Financial Action Task Force regarding effective monitoring and periodic review for money laundering/terrorist financing transactions, including those attempted or frozen, by notifying the "Financial Intelligence Unit" within 48 hours with relevant information and risk assessment.
• 20. Indicators, non-exhaustively, suggesting money laundering/terrorist financing risks when unexplained: a) Client-related indicators: transactions to/from distant regions, lack of supporting information for the client's business/occupation, bribery suspicion, transactions involving third parties with similar names, use of non-selected financial institutions for transfers, frequent/scheduled transfers not matching the client's profile, large third-party payments with clear justification, unexplained withdrawals related to standard procedures, amounts transferred not matching the client's funds. b) Transaction-related indicators: splitting transactions below reporting thresholds, frequent transfers to a single beneficiary across multiple clients, sudden increase in transaction volume/frequency, use of single addresses for multiple accounts, cancellation after client submission of documents/information. c) Agent-related indicators: agent located in high-risk geographic areas, unexplained increase in transaction volume, mismatch between incoming and outgoing transaction volumes, seasonal fluctuations in agent transactions."

Article 3: Add to Basic Decision No. 7548 dated 30/3/2000 the following new Article 19 (repeated):

"Article 19 (repeated): First, institutions engaged in electronic payment transactions (domestic or international) must include the transfer order and attached messages, regardless of value, with a clear reference number for the transfer order and beneficiary, valid across all process stages. For batch electronic transfers to a single beneficiary, the transfer file must contain required/essential order information and complete beneficiary details, with full data integration in the receiving institution, and the institution must include a reference number for the process. Second, licensed institutions engaged in electronic payment transactions must adopt enhanced procedures to identify suspended/frozen transactions related to reported order/beneficiary information, monitoring them upon execution when possible. Licensed institutions must also have risk-based policies/procedures for suspending, rejecting, or delaying electronic transfers related to reported order/beneficiary information, and maintain appropriate follow-up procedures. If a legal restriction prevents retaining information about electronic transfer orders/beneficiaries alongside the transaction, licensed institutions must retain all relevant information for at least five years. Third, intermediary institutions engaged in electronic payment transactions must:

• Ensure all information related to transfer orders and beneficiaries is attached to the electronic transfer.
• Adopt enhanced procedures, from originator to beneficiary, to identify suspended/frozen transactions related to reported order/beneficiary information.
• Establish risk-based policies/procedures for suspending, rejecting, or delaying such transfers with appropriate follow-up. If a legal restriction prevents retaining information about electronic transfer orders/beneficiaries alongside the transaction, intermediary institutions must retain all relevant information for at least five years."

Article 4: This Decision takes effect upon publication. Article 5: This Decision is published in the Official Gazette.

Beirut, December 23, 2021 Governor of Bank Lebanon Rached T. Salamé