2017-11-28 | 12725

Cybercrime Prevention

Banque du Liban issued Basic Decision No. 12725 to mandate that banks and financial institutions implement comprehensive administrative, technical, and judicial policies against cybercrime. The decision requires these entities to establish dedicated working groups, allocate budgets for information security, adopt multi-factor authentication and encryption, and enforce strict internal procedures for electronic fund transfers. Furthermore, it obligates institutions to promptly notify customers of risks, report incidents to the Special Investigation Commission, and ensure rapid corrective action, including cancellation of the transfer and refund of its value, upon confirmed cyber fraud.


Lebanon

Banque du Liban


Text/ Section 2, Circular No. 144, Date: December 31, 2017

Basic Circular for Banks No. 144
Also addressed to Financial Institutions

We enclose herewith a copy of Basic Decision No. 12725 dated November 28, 2017, concerning the Prevention of Cybercrime.

Beirut, November 28, 2017
Governor of Banque du Liban
Riad T. Salamé


Basic Decision No. 12725
Prevention of Cybercrime

The Governor of Banque du Liban,

Based on the Monetary and Loan Law, particularly Articles 174, 70, and 182 thereof,

Based on Anti-Money Laundering and Counter-Terrorist Financing Law No. 44 dated November 24, 2015,

Based on Basic Decision No. 7818 dated May 18, 2001, and its amendments concerning the system for monitoring financial and banking operations to combat money laundering and terrorist financing, attached to Basic Circular No. 83,

Based on the "Guidelines for Prevention of Cybercrime via Electronic Mail" issued by Banque du Liban, the Special Investigation Commission, the Association of Lebanese Banks, and the Information Crimes Combating and Intellectual Property Protection Office under the Judicial Police Unit, launched on October 20, 2016,

And based on the decision taken by the Central Council of Banque du Liban at its meeting held on November 21, 2017,

Decrees as follows:

First: Policies and Procedures for the Prevention of Cybercrime

Article 1: Banks and financial institutions shall prepare policies and adopt preventive measures and procedures against cybercrime, including at least the following:

First: General policies include:

  1. Analyzing potential cybercrime risks and continuously monitoring the latest developments in information security technology.
  2. Allocating the necessary amounts and budgets to establish and apply information technology security policies, systems, and rules.
  3. Organizing insurance contracts covering risks of cybercrime.
  4. Formulating and continuously updating necessary plans for the prevention of cybercrime (such as incident response plan, business continuity plan during and after a disaster, immediate intervention training plan...).
  5. Establishing a dedicated working group for the prevention of cybercrime.
  6. Exchanging information related to cybercrime with relevant authorities inside or outside the bank or financial institution.
  7. Raising awareness among employees and customers regarding the prevention of cybercrime.
  8. Monitoring any changes in the habits and behavior of employees, especially those holding privileged access to information systems.
  9. Exercising caution when contracting with external parties to perform tasks related to electronic systems and ensuring that these parties do not subcontract to secondary entities of lower reliability.

Second: Technical measures include:

  1. Adopting authentication technology that relies on at least two factors to verify the identity of users outside the bank or financial institution, particularly with respect to their right to access the system.
  2. Using full and secure encryption technology for highly important data, preventing loss or tampering.
  3. Adopting strict filtering rules for incoming electronic mail and controlling access to email boxes outside the bank or financial institution.
  4. Updating all computer systems and devices, and verifying the security of devices made available to employees for use outside the bank or financial institution.
  5. Conducting penetration tests to identify any potential weaknesses in the network.
  6. Monitoring network traffic to detect any abnormal behavior, whether through the type or number of transmitted packets.
  7. Verifying data integrity and monitoring it to detect any unauthorized tampering, and tracing the source of unauthorized access.


Second: Measures specific to the prevention of cybercrime of a financial nature

Article 2: Banks and financial institutions, each within its competence, shall generally and under their own responsibility adopt appropriate administrative, technical, and judicial measures to alert, monitor, and combat financial cybercrime, specifically:

  1. Specifically taking into account the guidelines set forth in paragraph (1) of Part One of the "Guidelines for Prevention of Cybercrime via Electronic Mail" as indicators of cybercrime.
  2. Following the "Policies and Preventive Measures against Cybercrime" specified in paragraph (2) of Part One of the aforementioned Guidelines.
  3. Establishing internal systems and procedures dedicated to executing electronic fund transfer requests (electronic mail, Electronic Banking services...).
  4. Including in the contract signed with the customer special provisions regarding determining other non-electronic mail communication means (such as telephone, etc.) for electronic fund transfer requests to confirm their validity, provided that these means are not altered without written agreement between the parties.
  5. Notifying the customer of risks arising from using electronic mail for financial transactions, directing them to use safer means, and obtaining their written consent to bear these risks.
  6. Providing the customer with the "Guidelines for Individuals and other non-financial institutions and entities" subject of Part Two of the aforementioned Guidelines.
  7. Requesting that their customers report any cybercrime they have been exposed to immediately upon knowledge, discovery, or notification that they have fallen or are about to fall victim to it.

Article 3: Banks and financial institutions, upon discovering, learning, or being notified that any of their customers has fallen victim to cybercrime of a financial nature, shall take swift and effective measures, including at least the corrective measures set forth in paragraph (3) of Part One of the aforementioned Guidelines, specifically:

  1. Providing all relevant information to the sending bank, the receiving bank, and the beneficiary financial institution, and requesting the cancellation of the transfer and the refund of its value to the customer.
  2. Notifying the Special Investigation Commission of relevant information and correspondence, including technical information regarding:
     • The source of the electronic mail (IP address) attributed to the customer or through which suspicious transfer requests were sent.
     • The name of the Internet service provider through which suspicious transfer requests were sent.
     • The name of the Internet service provider used for unauthorized access to the customer's account via Electronic Banking services.
  3. Directing the customer to file a report or judicial complaint with the competent authorities.

Article 4: The "Compliance Department" established at each bank and financial institution shall apply the provisions of this decision.

Article 5: This decision shall take effect upon its issuance.

Article 6: This decision shall be published in the Official Gazette.

Beirut, November 28, 2017
Governor of Banque du Liban
Riad T. Salamé