Lebanon: Data Protection in the Financial Sector
1. Governing Texts
The protection of data and personal data under Lebanese law is mainly provided for in Law No. 81 of 10 October 2018 on Electronic Transactions and Personal Data (only available in Arabic here) ('Law 81').
Law 81 governs the protection of personal data, and determines the conditions for the collection, processing, storage, sharing, and use of personal data in Lebanon.
In addition to Law 81, there are other privacy-related provisions across various laws including:
- Article 579 of the Penal Code (Legislative Decree No. 340 of 1 March 1943) (only available in Arabic here) ('the Penal Code'), which subjects any person disclosing confidential information for illegitimate purposes or for their own personal interest to imprisonment for up to one year and a fine; and
- Articles 58 and 107 of the Consumer Protection Law (Law No. 659 of 4 February 2005) (only available in Arabic here) ('the Consumer Protection Law'), which require that all information related to a consumer be kept confidential and not be disclosed without the consumer's consent.
The most important regulations governing data protection in the financial sector in Lebanon include:
- Law on Money and Credit promulgated by Decree No. 13513 of 1 August 1963 (only available in Arabic here) ('the Law on Money and Credit');
- Law No. 161 of 17 August 2011 on Capital Markets ('the Law on Capital Markets');
- Regulations and circulars issued by the Bank of Lebanon ('BDL'), i.e. the Central Bank of Lebanon (accessible, mainly in Arabic, here); and
- Regulations issued by the Capital Markets Authority ('CMA') of Lebanon.
1.2. Supervisory authorities
There is no standalone data protection regulator in Lebanon. However, the following regulatory bodies regulate and/or supervise the protection of personal data in specific sectors, notably the financial services business sector:
- the BDL, the main regulatory and supervisory authority over the banking sector, whose mission is to issue Lebanon's currency, regulate and supervise banking institutions, and maintain monetary stability;
- the Banking Control Commission of Lebanon ('BCCL'), whose function is to supervise banks operating in Lebanon, Lebanese financial institutions, and exchange institutions. The BCCL performs its supervisory functions as an independent body, but in close coordination with the Governor of the BDL;
- the CMA, which is an independent, autonomous regulatory body established under the Law on Capital Markets. The CMA's main responsibilities include regulating, supervising, licensing, and monitoring the activities of Lebanese capital markets;
- the Insurance Control Commission ('ICC'), a body under the Lebanese Ministry of Economy and Trade, which represents the regulatory and supervisory authority over the insurance sector.
2. Personal and Financial Data Management
2.1. Legal basis for processing
The legal grounds for processing personal data in the financial sector are mainly governed by the following provisions:
Article 87 of Law 81 provides that personal data must be collected in good faith, and for legitimate, specific, and explicit purposes.
The regulations organising the implementation of Law 81 have not been issued to date. Therefore, there are no explicit legal texts that specify the practical significance of 'legitimate purposes' as provided for in Law 81, or list what constitutes a legitimate basis for personal data processing. A legitimate purpose is generally understood to mean any purpose that is not contrary to Lebanese laws.
In principle, Law 81 requires notification of the Ministry of Economy and Trade ('MoET') for the processing of personal data, or, in the limited cases listed in Article 97 of Law 81, obtaining a licence from the MoET (data related to (i) external and internal State security, (ii) criminal offences and judicial proceedings of any kind, and (iii) health, genetic identity, or sexual life of persons).
However, Article 94 of Law 81 provides that the instances listed below (inter alia) are exempt from the MoET notification requirement, and hence constitute a lawful basis for data collection:
- in case the purpose of the data processing is maintaining dedicated records, pursuant to legal or regulatory provisions, in order to inform the public, which can be accessed by any person or persons having a legitimate interest;
- in case of data processing related to the employees or members of institutions, commercial companies, trade unions, associations and self-employed persons, within the limits and for the needs of exercising their activities in a legal manner;
- in case of data processing related to the clients and customers of institutions, commercial companies, trade unions, associations and self-employed persons, within the limits and for the needs of exercising their activities in a legal manner;
- in case the person concerned agrees in advance to the processing of his/her personal data, unless there is a legal impediment in this regard.
In this respect, the duties of the personal data processor are (i) the duty to collect accurate data, (ii) the duty to inform the personal data owner, and (iii) the duty to safeguard the personal data. More specifically, personal data processors must:
- accurately collect the personal data for legitimate, specific and explicit purposes. The collection of personal data must be commensurate with the intended purpose of its use;
- inform the personal data owner of the following:
- the identity of the personal data processor or its representative;
- the purpose of the processing, the mandatory or optional nature of answering the questions raised;
- the consequences of not responding;
- the recipient of the personal data; and
- the right of the personal data owner to access and correct the processed data and the means to do so; and
- take all measures depending on the nature of the personal data and the risks related to the processing thereof in order to ensure the integrity and security of the data, and to protect it against distortion, damage and unauthorised access.
The Law Prohibiting Insider Trading
Law No. 160 of 17 August 2011 on the Prohibition of Exploitation of Inside Non-Public Information when Trading in the Capital Markets ('the Law Prohibiting Insider Trading') prohibits the exploitation of inside non-public information. Under the Law Prohibiting Insider Trading, the term 'inside non-public information' is defined as information that:
- relates to one or more financial instruments or to one or more issuers of financial instruments;
- has not been made public; and
- is of a precise and accurate nature. In particular, information shall be deemed to be of a precise nature if it indicates a set of circumstances which exist or may reasonably be expected to come into existence or an event which has occurred or may reasonably be expected to do so and which, if it were made public, would be likely to have a significant effect on the prices of those financial instruments or on the price of related derivative financial instruments. The information shall have a significant effect when, for example, it is considered relevant to a regular investor.
In this regard, it is forbidden for any person, natural or legal, whatever his/her function, or any person having access to inside information by virtue of his/her profession, to use or exploit inside non-public information by directly or indirectly acquiring or disposing of, or attempting to acquire or dispose of, the securities related to this inside non-public information, whether on his/her own behalf or on behalf of a third party.
BDL regulations and circulars
With regard to personal and financial data, the BDL has rendered its Basic Circular No. on 13 September 2018 (only available in Arabic here) by virtue of which all institutions regulated by the BDL are required to take appropriate measures in line with the provisions of the European Union's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). However, such measures are to be implemented without prejudice to Lebanon's own laws and regulations.
The Business Conduct Regulation
CMA's Series 3000 – Business Conduct Regulation ('the Business Conduct Regulation'), issued on 10 November 2016 along with its amendments, provides for the obligation of an approved institution to protect the confidentiality of information obtained from a client and relating to a client's account, including information on transactions or proposed transactions (Article 3310 of the Business Conduct Regulation). Moreover, the Business Conduct Regulation compels approved institutions to preserve the confidentiality of information relating to each client, and to prevent its disclosure or misappropriation by third parties.
Proposed sector-specific legislation for insurance sector
With respect to the insurance sector, the Lebanese government has issued Decree No. 572 of 27 July 2007 in relation to proposed legislation regulating the insurance sector in Lebanon. You can read a summary of the proposal (only available in Arabic here). Article 111 of the proposed legislation considers confidential all information related to clients. However, to date, the proposed legislation has not been enacted.
There are no specific requirements for financial institutions to provide customers with notice of the institution's privacy policies and processes, although this is commonly adopted in practice.
The BDL has issued several circulars under which it requires financial institutions to implement and establish strict policies and procedures with regard to the protection and security of the personal data of their clients.
Several laws and regulations require entities working in Lebanon to retain documents and to keep records, such as Articles 16 and 19 of the Code of Commerce issued under Legislative Decree No. 304 of 24 December 1942 and its amendments (only available in Arabic here) ('the Commercial Code'), which require companies to maintain their records related to commercial documents for a period of ten years.
With respect to the financial sector, the following specific regulations are relevant:
- Article 3 of the Regulations on the Control of Financial and Banking Operations for Fighting Money Laundering and Terrorist Financing attached to BDL's Basic Circular No. 83 dated 18 May 2001 (only available to download in Arabic here) ('the AML/CFT Regulations') requires banks to retain information on customers for at least five years after closing the account or ending the business relationship, in particular the customer's full name, residential address, occupation, and financial status, together with copies of all documents used to verify that information. Banks must also retain copies of all operations-related documents for at least five years after performing the operation.
- Articles 3401 to 3403 of the Business Conduct Regulation require CMA-approved institutions to keep all records (including, inter alia, records of their client accounts, securities business operations, financial operations and transactions) for a period of ten years unless the CMA specifies otherwise. Institutions must have systems and controls in place covering the security, adequacy, access to, and retention period of their records, and must ensure that adequate back-up arrangements for their records are in place.
- Article 4 of ICC Circular No. 3222 of 25 October 2017 on Common Reporting Standard Criteria ('the ICC Circular No. 3222') requires insurance companies to retain documents for a period of ten years as of:
- the closing date of the concerned financial account for the self-certification submitted by the account holder, or
- the end of the last calendar year referred to in the record for all other cases.
- Article 9 bis of BDL Basic Circular No. 69 of 30 March 2000 addressed to Banks, and Financial Institutions and Institutions Engaged in Electronic Financial and Banking Operations and relating to Electronic Financial and Banking Operations requires any Lebanese or foreign institution having previously been licensed by BDL to do the following:
- verify customer identity and addresses based on official documents;
- keep specific records for operations exceeding the amount of USD 10,000 or its equivalent; and
- retain, for at least five years, copies of the official documents (customer identity and addresses).
- Article 90 of Law 81 provides that personal data cannot be retained beyond the period specified in the declaration of processing or in the decision authorising such processing. Moreover, Article 72 of Law 81 provides that IT service providers must retain the data that identifies the persons using the internet, and other technical communications data, for three years from the service delivery date.
As the supervisory body for AML/CFT matters, the Special Investigation Commission ('SIC') is the centrepiece of Lebanon's AML/CFT regime and serves as Lebanon's financial intelligence unit.
Law No. 318 of 20 April 2001 on Fighting Money Laundering ('the 2001 AML Law') establishes the SIC as the entity mandated to investigate money laundering operations and to monitor compliance with the rules set by the 2001 AML Law.
International regulatory framework
Lebanon has joined several international organisations, ratified several international conventions and treaties, and adopted international recommendations and standards relating to AML/CFT, such as:
International Recommendations and Standards:
- the Financial Action Task Force ('FATF') and its Middle East and North Africa Financial Action Task Force ('MENAFATF') guidance, including the 40 recommendations on money laundering and the nine recommendations on terrorist financing;
- Egmont Group guidance, including its Principles for Information Exchange Between Financial Intelligence Units for money laundering and related cases, and its guidance on banking supervision and the importance of Know Your Customer ('KYC') procedures;
- the Wolfsberg Principles, issued by a group of global banks that set global standards for KYC and AML/CFT policies;
- International Organization of Securities Commissions ('IOSCO'), International Association of Insurance Supervisors ('IAIS'), and the Basel Committee on Banking Supervision ('BCBS') guidance on common AML/CFT standards;
- IAIS guidance on insurance core principles and methodology (which can be accessed here);
- BCBS guidance on Customer Due Diligence for Banks; and
- IOSCO guidance and statements of principles on a variety of matters, including the Principles on Client Identification and Beneficial Ownership for the Securities Industry; these principles provide guidance to the industry on identification and verification requirements with respect to omnibus accounts, ongoing due diligence obligations, record keeping requirements for client identification information, and third-party reliance;
- The United Nations ('UN') 1999 International Convention for the Suppression of the Financing of Terrorism;
- the 2000 United Nations Convention against Transnational Organized Crime;
- the 2003 United Nations Convention against Corruption; and
- the 1958 United Nations Convention on the Recognition and Enforcement of Foreign Arbitral Awards, commonly referred to as the New York Convention.
Internal regulatory framework
Internally, the 2001 AML Law was passed to combat money laundering and was subsequently amended by Law No. 44 of 24 November 2015 on Fighting Money Laundering and Terrorist Financing ('the 2015 AML/CFT Law') to cover terrorist financing as well.
Article 4 of the 2015 AML/CFT Law requires banks, financial institutions, leasing companies, institutions that issue and promote credit or charge cards, institutions that perform money transfers electronically, exchange institutions, financial intermediation institutions, collective investments schemes, and any other institution requiring a licence or supervised by the BDL, to comply with the obligations specified below and with the regulations issued by the BDL:
- to implement proper customer due diligence measures on permanent customers (whether natural persons or legal persons or special legal arrangements), in order to check their identity on the basis of reliable documents or information or data;
- to implement customer due diligence measures on transient customers to verify their identity, if the amount of a single operation or series of operations exceeds the threshold designated by BDL;
- to determine the identity of the economic right owner and take the steps needed to verify this identity, on the basis of reliable documents or information or data;
- to retain copies of the documents related to all operations, and to retain information, data or copies of the customer's identification documents, for at least five years after performing the operations or ending the business relationship, whichever is longer;
- to continuously monitor and review business relationships with clients;
- to apply the measures specified above to permanent and transient customers whenever there are doubts regarding the accuracy or adequacy of declared customer identification data, or whenever there is a suspicion of money laundering or terrorist financing, regardless of any thresholds or exemptions that limit the implementation of these measures; and
- to take into account the indicators that flag the likelihood of a money laundering or terrorist financing operation, as well as the due diligence principles to detect suspicious operations.
Moreover, Article 7 of the 2015 AML/CFT Law compels such institutions to promptly report to the SIC any suspicion concerning money laundering.
BDL's role regarding AML/CFT
The BDL has issued several regulations with regard to AML/CFT similar to the measures required under the 2011 AML Law, including the following:
- the AML/CFT Regulations, Article 7 of which requires banks to apply enhanced due diligence procedures, including inquiring with the customer about the source and destination of the funds, the subject of the transaction, and the identity of the beneficiary and of the holder of the economic right, whenever the bank suspects that the operation is being carried out in unusually complex circumstances, or the operation appears to have no economic justification or legitimate aim;
- Basic Circular No. 126 of 4 April 2012 addressed to Banks and Financial Institutions and relating to the Relationship between Banks and Financial Institutions and their Correspondents; and
- Basic Circular No. 128 of 12 January 2013 addressed to Banks and Financial Institutions and relating to the Establishment of a Compliance Department with regard to regulated entities.
The Law of 3 September 1956 on Banking Secrecy ('the Banking Secrecy Law'), which establishes banking secrecy in Lebanon, provides that banks are prohibited from communicating personal and account-related information about their clients. The Banking Secrecy Law applies to all Lebanese banks (and other types of financial institutions, brokerage firms, and other entities within the regulatory scope of the BDL) as well as to foreign banks operating in Lebanon. All bank managers and employees who are exposed to banking activities may not, unless an exception under Article 2 of the Banking Secrecy Law applies, reveal any information, including clients' names or assets, to any party whatsoever, whether a private individual, a corporate entity or a public authority, be it administrative, military, or judicial.
As noted above, Article 4 of ICC Circular No. 3222 requires insurance companies to retain documents for a period of ten years.
As noted above, Article 3 of the AML/CFT Regulations compels banks to retain information on customers for at least five years after closing the account or ending the business relationship, in particular the customer's full name, residential address, occupation, and financial status, together with copies of all documents used to verify that information. Banks must also retain copies of all operations-related documents for at least five years after performing the operation.
Moreover, Article 52 of Law 81 provides that banks, financial institutions, or any institution legally authorised or licensed by the BDL must provide written periodic statements of the transactions performed to the client's account, including information about electronic payments or transfers debited and credited to the client's account, and the dates and value of such transactions.
Outsourcing to third parties is permitted under Law 81, provided that the personal data owner is informed of the intended recipients of the data, and the data collector ensures that the necessary security measures are taken by the other recipients to protect the data (except for regulators).
No specific breach notification obligation is provided for by law.
Lebanon has not adopted a specific legal framework that regulates Fintech. The activities rendered by Fintech companies are governed by the regulations applicable to banks, financial institutions and other institutions licensed by the BDL, which provide electronic banking and electronic payment services.
Data protection violations
Article 106 of Law 81 provides for a fine ranging between LBP 1 million (approx. €610) and LBP 30 million (approx. €18,200) and imprisonment from three months to three years, or one of these two penalties against the following persons:
- anyone who has processed personal data without filing the required notification or without obtaining a prior licence before commencing its activities;
- anyone who has collected or processed personal data without complying with the rules established by Law 81; and
- anyone who, even if negligently, discloses personal data to unauthorised persons.
Insider trading violations
Article 6 of the Law Prohibiting Insider Trading provides for sentencing to a term of imprisonment of one to three years, and for fines not less than twice and not more than ten times the value of any unlawful gain. The court may prohibit the infringing party temporarily or permanently from practising a profession or work even if such practice does not require a certificate or permission from the competent authorities.
AML/CFT rule violations
Article 13 of the 2001 AML Law provides for several sanctions against institutions that violate its provisions, including imprisonment for a period of two months to one year, a fine not exceeding LBP 100 million (approx. €60,800), or both.
The SIC may issue a warning to institutions that are in violation of the provisions of the regulations issued for the purpose of implementing the 2001 AML Law and may request from such parties periodic reports about the measures taken to rectify their situation.
Banking secrecy violations
Article 8 of the Banking Secrecy Law sanctions the unlawful disclosure of information covered by banking secrecy with imprisonment of three months to one year.
11. Additional Areas of Interest