Electronic Banking and Financial Operations

381

Basic Circular for Banks No. 69 Also addressed to Financial Institutions

We enclose a copy of Basic Decision No. 7548 dated 30/03/2000 concerning Electronic Banking and Financial Operations.

Beirut, 30 March 2000 Governor of Banque du Liban Riad T. Salamé Old Reference No. 1810

382

1. Basic Decision No. 7548

Electronic Banking and Financial Operations

The Governor of Banque du Liban, Pursuant to the Monetary and Banking Law, particularly Articles 70 and 174 thereof, Pursuant to Law No. 133 dated 26/10/1999 concerning the mandates of Banque du Liban, Pursuant to the Decision of the Central Council adopted at its meeting held on 29/03/2000,

Decrees as follows:

Article 1: Definitions For the purpose of applying the provisions of this Decision, the following terms shall have the meanings set forth below: -1 Electronic Means: Any tool, system, or technical means used to carry out Electronic Banking and Financial Operations. -2 Electronic Banking and Financial Operations: Financial and banking operations and services carried out, wholly or partially, via electronic means, which include the following: • Electronic Payments (Digital Payments): Payment or money transfer operations via electronic means (P2P, P2M, P2Gov, …). • Local and/or Cross-border Electronic Money Transfer Service: Sending or receiving funds domestically via a local network or internationally by contracting with a foreign company.

1. Articles of Basic Decision No. 7548 and its attached annexes were repealed and replaced by Interim Decision No. 13791 dated 09/01/2026 (Interim Circular No. 750).

383

• Electronic Know Your Customer (KYC-E) Service: The definition referred to in Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services) shall be adopted. • Electronic Lending: Loans and credit facilities granted via electronic means. • Electronic Trading: Buying and selling financial instruments (shares, bonds, investment funds, etc.) via electronic means. • Issuing Virtual Payment Cards: Issuing, managing, and using digital banking cards via electronic means. • Electronic Payment Gateway: The definition referred to in Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services) shall be adopted. • "Electronic Money" (Money-E) Service: A service provided exclusively by financial institutions, for which the definition referred to in Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services) shall be adopted. -3 Virtual Assets: The definition referred to in Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services) shall be adopted. Article 2: Prior Notification and/or Prior Approval of Banque du Liban First: Banks and financial institutions registered with Banque du Liban may conduct "Electronic Banking and Financial Operations" subject to: -1 Obtaining prior approval from Banque du Liban to provide: a - The "Electronic Know Your Customer" (KYC-E) service (as specified in Article 4 below), applicable to banks and financial institutions. b - The "Electronic Money" (Money-E) service (as specified in Article 3 below), applicable to financial institutions only. -2 Notifying Banque du Liban in advance via written letter of its intention to conduct any of the operations covered by this Decision, except those mentioned in paragraph (1) of the "First" section of this article, at least 90 days prior to commencing the operation, promoting it in advance, or making any subsequent modification to a previously authorized operation. -3 Including in the letter a description of the intended services, associated risks, and technical procedures followed.

384

Second: Banks and financial institutions wishing to provide local and/or cross-border electronic money transfer services must comply, in addition to the conditions mentioned in paragraphs (2) and (3) of the "First" section of this article, with the conditions specified for Categories B and C in Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services). Third: Banque du Liban and the Banking Control Commission reserve the right to request additional information or impose special conditions on these operations.

Article 3: "Electronic Money" (Money-E) Service Financial institutions registered with Banque du Liban, excluding banks, may provide the "Electronic Money" (Money-E) service subject to obtaining prior licensing from Banque du Liban and complying with the conditions specified for Category A in Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services).

Article 4: "Electronic Know Your Customer" (KYC-E) Service First: Banks and financial institutions may onboard new individual customers via the "Electronic Know Your Customer" (KYC-E) form to open accounts not exceeding LBP 10,000,000 and/or to carry out banking and financial operations, as applicable, subject to obtaining prior approval from Banque du Liban and providing it with documents related to the electronic technologies, mechanisms, and software to be used for this purpose. The approval request must include proof that the concerned banks and financial institutions have complied with the following: -1 Compliance with applicable laws and regulations, particularly those related to compliance and combating money laundering and terrorist financing, specifically regarding: a - Verifying and confirming the authenticity of the customer's identity by:

• Applying Enhanced Due Diligence procedures.
• Adopting Digital ID Systems, including requirements related to identity proofing and enrollment, and identity authentication and lifecycle management, as specified in the FATF Guidance on Digital ID.

385

b - Ongoing monitoring of electronic transactions continuously in accordance with adopted standards, including those specified in Basic Decision No. 7818 dated 18/05/2001 concerning the system for monitoring banking and financial operations to combat money laundering and terrorist financing, attached thereto. c - Adopting a mechanism to classify all customers based on their risk categories (high, medium, and low) and risk categories that may arise from transaction ceilings. -2 Including in the "Electronic Know Your Customer" form, at a minimum, the information set forth in Annex No. 2 attached herewith. -3 Ensuring compliance with the electronic signature conditions stipulated in this Decision. -4 Adopting appropriate security and compliance procedures that ensure the highest levels of legal and technical protection, particularly in light of customer risks and available transaction ceilings. -5 Notifying the customer of the details of the executed transaction immediately upon execution via an in-app notification and/or email and/or SMS sent to their mobile phone. -6 Electronically providing the customer with a detailed monthly statement of executed transactions, as needed. Second: Banque du Liban may exceptionally approve banks for a ceiling higher than the aforementioned LBP 10,000,000 amount, based on a reasoned request submitted by the concerned bank to Banque du Liban for this purpose. Third: The "Electronic Know Your Customer" (KYC-E) form may be adopted to renew and/or modify the standard "Know Your Customer" (KYC) form. Article 5: Electronic Signature Banks and financial institutions may adopt electronic signatures subject to the simultaneous fulfillment of the following conditions: -1 Obtaining the customer's consent to potential risks when resorting to electronic signatures. -2 Taking appropriate measures to ensure the highest levels of security, under the full responsibility of the concerned parties.

386

-3 Ensuring that the electronic signature is uniquely linked to the signatory and is organized and stored in a manner that guarantees its validity and the integrity of the customer's personal data. -4 Ensuring that the identity of the person issuing the electronic signature can be identified. -5 Using what is known as electronic signature creation data to generate the electronic signature, enabling the signatory to use this signature with a high level of confidence and under their sole control. -6 Linking the signature to the signed data in such a way that any subsequent change to the data is detectable. -7 Using a One-Time Password (OTP) as the customer's electronic signature.

Article 6: Customer Dealing Conditions Banks and financial institutions conducting "Electronic Banking and Financial Operations": -1 Shall not deal with any customer under the age of eighteen or lacking full contractual capacity except through their legal guardian. -2 Shall cooperate to facilitate supervisory activities, including technical supervision, conducted by Banque du Liban or the Banking Control Commission over their operations. -3 Shall provide both the Non-Bank Financial Institutions Directorate at Banque du Liban and the Banking Control Commission with every modification to their operating systems and the technical rules they follow in executing their electronic operations covered by this Decision. -4 Shall request their supervisory commissioners to prepare annual reports on their electronic operations and their technical and organizational status related to these operations, and provide copies to both the Non-Bank Financial Institutions Directorate at Banque du Liban and the Banking Control Commission by the end of April of each year at the latest. -5 Shall comply with principles of integrity and transparency and take necessary measures to ensure the security of electronic operations.

387

-6 Shall comply with the operating systems and technical rules referred to in Annex No. 1 attached herewith. -7 Shall display on their website and electronic application the license number granted to them by Banque du Liban.

Article 7: Data Hosting Banks and financial institutions conducting "Electronic Banking and Financial Operations" must store (host) in Lebanon the data and information belonging to customers and related to executed operations. (Local Data Hosting) Article 8: Data Protection Banks and financial institutions conducting "Electronic Banking and Financial Operations" must apply data protection procedures for personal data, particularly as specified below: -1 Taking measures that ensure the highest levels of security to protect personal data belonging to their customers, as well as the methods of processing, storing, and the legality of its use, as data controllers. -2 Restricting access to personal data to the minimum necessary to perform required duties (need-to-know basis). -3 Refraining from sharing personal data with any third party or entity, except Banque du Liban, the Banking Control Commission, the Special Investigation Commission, and judicial and prosecutorial authorities. -4 In case of contracting with any third party to process this data or carry out any operation that may lead to its processing, doing the following: a - Notifying the customer that their personal data will be processed by a third party, and obtaining the customer's explicit, written, and limited consent for specific purposes of processing their personal information. b - Including in the contract provisions stating: • That the processing of customers' personal data by the third party is limited to the purpose for which it was granted, and that it cannot subsequently process it in a manner inconsistent with the stated and explicit purposes in the contract, and that processing must be conducted honestly and in accordance with the legitimate and necessary objectives for which it was granted.

388

• Obliging the third party to adopt the highest security standards to ensure the protection, storage, and security of data, and to prevent it from being distorted, damaged, or accessed by unauthorized persons. • That the bank and/or financial institution remains liable to the customer for the protection of personal data and the legality of its use by the third party, and for any misuse by the latter. Article 9: Consumer Protection Banks and financial institutions conducting "Electronic Banking and Financial Operations" must prepare a detailed policy on customer protection procedures, which must include at least the following: -1 Measures taken to protect information privacy. -2 Types of fees and commissions intended to be applied to provided services. -3 Mechanism for resolving disputes with customers and the role of the entity responsible for receiving customer complaints. Article 10: Prohibition of Virtual Assets Banks and financial institutions are prohibited from issuing, dealing in, and/or facilitating the dealing in virtual assets in any form, except as issued by Banque du Liban regarding this matter. Article 11: Transitional Provisions First: Financial institutions that previously obtained approval from Banque du Liban, under the provisions of this Decision, to provide services that have now become subject to Basic Decision No. 13790 dated 09/01/2026 (concerning providers of electronic payment services) must regularize their status and take necessary measures to comply with the provisions of the aforementioned Basic Decision No. 13790 within a period of 6 months from its date. Second: Banks and financial institutions are granted a period of 6 months to comply with the provisions of Article 7 of this Decision. Third: The submission of requests by financial institutions to obtain prior approval from Banque du Liban to provide the "Electronic Money" (Money-E) service mentioned in this Decision is suspended until further notice.

Article 12: Role of the Banking Control Commission The Banking Control Commission is tasked with monitoring the proper implementation of the provisions of this Decision and issuing implementing texts, as needed. Article 13: Violation of the Provisions of the Basic Decision Any violation of the provisions of this Decision shall subject the violating institution to the administrative penalties stipulated in Article 208 of the Monetary and Banking Law. Furthermore, violation of the provisions of this Basic Decision also constitutes a criminal offense under Article 770 of the Penal Code, and Banque du Liban is authorized to prosecute any violating institution before the competent judicial authority. Article 14: This Decision shall take effect upon its issuance.

Article 15: This Decision shall be published in the Official Gazette.

Beirut, 30 March 2000 Governor of Banque du Liban Riad T. Salamé

389

Annex No. 1 Documents Related to Operating Systems and Technical Rules

1. Customer onboarding mechanisms for the service, including the authentication and strengthening procedure (Multifactor Authentication Procedure) and the transaction confirmation mechanism (OTP, Face ID, or other secure dynamic code).
2. Distribution of permissions on the information system (Access Control List).
3. Inventory of all devices, operating and application systems, database systems, network systems, and security and protection systems intended to be adopted.
4. Diagram of the technical design of the intended communication network infrastructure (Network Topology & Infrastructure).
5. Specification of the primary and backup internet lines intended to be adopted to ensure service continuity.
6. Information logging mechanism via a SIEM system intended to be adopted for log storage, facilitating reading, and enabling appropriate auditing and monitoring.
7. System protection software intended to be adopted (Antivirus, Antispam, Firewall, Proxy, Intrusion Detection, …).
8. Network protection procedures.
9. Encryption procedures (Encryption Algorithms).
10. Device and system hardening procedures.
11. Self-protection application software intended to be adopted against cyberattacks (Application Self-Protection).
12. Data backup and storage procedures.
13. Anti-money laundering and terrorist financing procedures, including the dedicated auditing and monitoring software intended to be adopted.
14. Business continuity and disaster recovery plans for the institution's operations and information system.
15. Commitment to conduct penetration testing of systems and networks by specialized and reliable companies (Intrusion Penetration Testing) after obtaining the license.
16. Documents related to the technical software approved for data storage in Lebanon (Local Data Hosting) or a Letter of Intent from the company intended to be contracted for this purpose.
17. Documents related to the technical software approved for providing the "Electronic Payment Gateway" service or a Letter of Intent from the company intended to be contracted for this purpose.

390

Annex No. 2

Electronic Know Your Customer Form

To apply compliance procedures and necessary due diligence, the following information must be available, at a minimum, in the "Electronic Know Your Customer" form:

• Full name (First, Middle, Last)
• Mother's name and maiden name
• Gender
• Date of birth
• Place of birth
• Place and number of civil registry record
• Nationality
• Any other nationality
• Marital status (Single/Married/Divorced/Widowed)
• Spouse's name and maiden name
• Country of residence
• Full residential address (City/District/Street/Building Name/Floor) and phone number
• Occupation/Profession
• Rank/Title
• Workplace (Company Name)
• Full workplace address and phone number
• Salary or annual income
• Any other income sources
• Beneficial owner
• Must not have been convicted within the past ten years for any ordinary crime, theft, fraud, or misdemeanor subject to fraud or embezzlement penalties, or issuing bad checks due to bad faith or to the detriment of the state's financial standing, as per Articles 319 and 320 of the Penal Code, or concealing proceeds obtained through such offenses.
• Must not have any relationship (residence, work, or any type of activity, income source) with any FATF high-risk jurisdictions subject to a call for action (Iran, North Korea, Myanmar).