1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
The fintech space is not subject to specific fintech legislative and regulatory provisions in Lebanon. However, fintech companies may be subject to specific laws and regulations that apply to banks, financial institutions and insurance companies if they carry out such regulated activities, in addition to the e-commerce regulations that apply to online contracting and marketing in Lebanon and other laws of general application, as detailed below.
The main laws and regulations that may apply to fintechs, depending on their activities, include the following:
- Technology laws and regulations:
- Banque du Liban (BDL) Basic Circular 69/2000 on Electronic Banking and Financial Transactions;
- BDL Basic Circular 144/2017 on Prevention of Cybercrime; and
- the Electronic Transactions and Personal Data Law (81/2018).
- Banking laws and regulations:
- the Banking Secrecy Law 1956;
- the Code of Money and Credit (Decree 13513/1963);
- BDL Basic Circular 23/1996 on Facilities that may be Granted by the BDL to Banks and Financial Institutions;
- BDL Basic Circular 81/2001 on Operations Relating to Credit Investment, Shareholding and Participation;
- BDL Basic Circular 83/2001 on the Control of Financial and Banking Operation for Fighting AML-CFT Financing;
- BDL Basic Circular 118/2008 on Boards of Directors and Boards Committees in Lebanese Banks;
- BDL Basic Circular 124/2010 on Transparency, Conditions and Means of Credit;
- the Capital Markets Law (161/2011);
- BDL Basic Circular 126/2012 on Relationship of Banks and Financial Institutions with their Correspondents; and
- BDL Basic Circular 128/2013 on Establishment of Compliance Departments.
- Other laws and regulations:
- Resolution 2385/1924 on Commercial and Industrial Property Rights;
- the Code of Obligations and Contracts 1932;
- the Code of Commerce (304/1942);
- the Penal Code (Legislative Decree 340/1943);
- the Labour Law 1946;
- the Social Security Law (Decree 13955/1963);
- the Collective Agreements, Mediation and Arbitration Law (Decree 17386/1964);
- Decree 17561/1964 on Regulating Foreigners' Employment;
- the Regulation on Insurance Institutions (Decree 9812/1968);
- the Occupational Emergencies and Injuries Law (Legislative Decree 136/1983);
- the Beirut Stock Exchange Law (Legislative Decree 120/1983);
- the Code of Civil Procedure (Legislative Decree 90/1983);
- the Law on Illicit Enrichment (154/1999);
- the Law on the Protection of Literary and Artistic Property (75/1999);
- the Law on Patents (240/2000);
- the Law regulating the Financial Intermediation Profession (234/2000);
- the Investment Law (360/2001);
- the Forex Profession Law (347/2001);
- the Occupational Health, Safety and Welfare Law (Decree 11802/2004);
- the Collective Investment Scheme Law (706/2005);
- the Consumer Protection Law (659/2005);
- the Tax Procedures Law (44/2008);
- Decree 8709/2012 listing Investment Projects in the IT Sector;
- Capital Markets Authority (CMA) Decision 3/2013 on Crowdfunding;
- the Law on Fighting Money Laundering and Terrorist Financing (44/2015);
- the Law on the Prohibition of Exploitation of Inside Non-public Information when Trading in the Capital Markets (160/2015);
- the Exchange of Tax Information Law (43/2015);
- CMA Series 3000/2016 on Business Conduct Regulation;
- CMA Series 4000/2016 on Market Conduct Regulation;
- CMA Series 2000/2017 on Licensing and Registration Regulation;
- BDL Basic Circular 1/2018 on Fighting Money Laundering and Terrorist Financing;
- BDL Basic Circular 146/2018 on the General Data Protection Regulation;
- Special Investigation Commission Circular 25/2019 on National Money Laundering and Terrorist Financing Risk Assessment; and
- CMA Series 8000/2019 on Collective Investment Schemes.
1.2 Do any special regimes apply to specific areas of the fintech space?
Lebanon has not adopted an ‘all-inclusive' legal framework specific to the fintech space. Fintech activities are generally governed by the legal provisions applicable to traditional activities in Lebanon.
However, a few exceptions apply to certain specifically regulated activities carried out by fintech companies, such as crowdfunding and electronic payment and banking services.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The three main regulatory bodies responsible for enforcing the laws and regulations applicable to fintechs that conduct regulated activities are as follows:
- The BDL is the regulator responsible for granting licences to institutions that conduct banking, foreign exchange and/or financial activities, including lending institutions and electronic payment service providers.
- The CMA is the regulator responsible for regulating and supervising activities relating to crowdfunding, trading and investments, as well as granting licences to financial intermediaries, financial rating agencies, collective investment schemes and any institution carrying out securities businesses, including dealing, advising, arranging, managing and custody services.
- The Insurance Control Commission (ICC) is the regulator responsible for studying and providing its opinion on insurance licensing requests of institutions intending to carry out insurance activities, amending and withdrawing insurance licences, and controlling and supervising the insurance sector.
1.4 What is the regulators' general approach to fintech?
The BDL's approach to the fintech sector has been supportive, yet careful. BDL Basic Circular 69/2000 on Electronic Banking and Financial Transactions has been subject to several amendments to take into account technological changes and developments. In fact, a recent amendment to Circular 69 authorised the performance of financial and banking operations through mobile or computer applications using bank cards and/or accounts, subject to certain conditions, including the BDL's approval. This came as a result of the recent enactment of the Electronic Transactions and Personal Data Law, which regulates electronic payments and money transfers, bank cards and electronic checks. The Electronic Transactions and Personal Data Law also vests the BDL with extensive authority with regard to the issuance and regulation of electronic and digital money. It was recently reported in the press that the governor of the BDL may be launching a Lebanese cryptocurrency.
The CMA has taken more practical steps to regulate crowdfunding, and has announced the launch of the Electronic Trading Platform after completing a bidding phase and licensing private companies to set up the platform.
The ICC has not yet issued any laws or regulations on insurtech.
1.5 Are there any trade associations for the fintech sector?
Certain associations generally support fintechs, such as the following:
- The Beirut Creative Cluster aims to promote the transformation of the Lebanese creative industries through strategic action based on business cooperation, with innovation a constant underlying goal. It helps to provide vocational training in all creative industries, and supports research and business development leading to the creation of new jobs in the sector.
- The Syndicate of Computer Sciences in Lebanon is a professional association that represents and promotes the interests of the Lebanese computer science industry.
- The Association of the Lebanese Software Industry is a professional association that represents and promotes the interests of the Lebanese software industry.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
The fintech industry in Lebanon has been evolving relatively rapidly, particularly in recent years and following the enactment of the Electronic Transactions and Personal Data Law, which covers a range of sub-sectors. The most embedded sub-sectors include:
- digital banking services;
- payment-related platforms; and
- investment services.
2.2 What products and services are offered?
A variety of innovative products and services are offered by traditional financial institutions and new market players in Lebanon, such as:
- mobile and electronic payments;
- money transfer platforms;
- account information services;
- wealth management;
- insurtech services; and
- crowdfunding platforms.
With respect to cryptocurrencies, the Banque du Liban (BDL) has long adopted a rather unfavourable stance towards cryptocurrencies and has warned Lebanese banks and financial institutions against their use, pending the enactment of relevant laws and regulations. However, it was recently reported in the press that the governor of the BDL may be launching a Lebanese cryptocurrency.
2.3 How are fintech players generally structured?
Generally, fintech products and services are offered by traditional banks incorporated and licensed in Lebanon as a joint stock company (SAL), and licensed financial and insurance institutions.
Other unregulated fintech products and services are offered by new market players and start-ups, which are usually established as SALs or limited liability companies, which limit the liability of shareholders/partners l to their investment in the fintech company, given the need to attract equity investors.
2.4 How are they generally financed?
A number of financial tools and solutions are available to fintech companies operating in Lebanon.
Many fintechs rely on non-equity funding, including loans (eg, bank loans, Kafalat loans and loans from micro-credit institutions) and personal funding (eg, personal savings and funding from friends and family).
In terms of equity funding, investments in start-ups – and particularly fintech start-ups – has increased over the past few years. Equity investment is typically secured from:
- angel investors and capital ventures; and
- banks and financial institutions. In fact, BDL Basic Circular 23/1996, as amended by Intermediate Circular 331, encourages investment in local start-ups; and the BDL provides facilities to banks and financial institutions participating in direct start-up equity investment or indirect start-up support facilities (eg, incubators, accelerators and venture capital), subject to certain conditions.
Other financial trends available to fintech start-ups include crowdfunding, donations, seed funds and grants from incubators and accelerators. Some incubators and accelerators in Lebanon provide financial assistance, such as the following:
- Berytech offers an incubation and support programme for the launch of start-ups. This programme includes funding opportunities offered via Berytech's funding entities, partners and network.
- Flat6labs offers each selected start-up between $30,000 and $50,000 in seed funding in exchange for minor equity in the company, depending on which accelerator the start-up chooses to apply to and join from across the Middle East and North Africa.
2.5 How are they positioned within the broader financial services landscape?
Fintechs in Lebanon do not constitute a competitive threat to institutions offering traditional banking and financial services. On the contrary, it seems that the BDL, with the issuance of Intermediate Circular 331, is encouraging the collaboration between fintech start-ups and banks. Lebanese banks have already adopted fintech innovations and invested in fintech companies.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
It is common for start-ups in Lebanon to outsource processes and back-office functions (eg, HR, accounting and finance) and IT functions (eg, cloud computing) to third-party service providers.
Capital Markets Authority Decision 3/2013 regulating crowdfunding provides an option for crowdfunding licensed institutions to outsource IT functions, provided that the agreements with such service providers include provisions that allow the supervisory authorities to review information maintained by them.
The the BDL has explicitly prohibited licensed banks and financial institutions from outsourcing compliance monitoring to any external specialised firm, pursuant to BDL Basic Circular 128/2013 regulating the Establishment of Compliance Departments.
In general, institutions engaged in any outsourced functions must take into account the associated risks and factors such as confidentiality, integrity, cybersecurity, regulatory compliance and data transfer. The measures to be implemented by banks, financial institutions and other licensed institutions to ensure the safety of operations include:
- user identity management systems;
- identification and protection of personal data; and
- security and protection systems that prevent hacks and attacks.
The legal issues associated with outsourcing to cloud computing service providers include cybersecurity risks and the protection of personal data by cloud computing service providers. Institutions must comply with the relevant provisions, including the Electronic Transactions and Personal Data Law – in particular with regard to the protection and processing of personal data. For instance, in order to mitigate risk, fintechs must inform data subjects when collecting their personal data of the identity of the parties to which such data will be sent. In turn, the data processor must protect the safety and integrity of the data, and ensure the safe and legitimate processing of such data.
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
The Electronic Transactions and Personal Data Law sets out the legal framework for transactions carried out through electronic means. It regulates e-commerce, e-contracts, electronic documents and digital signatures. E-commerce is also generally subject to:
- the Code of Commerce;
- the Code of Obligations and Contracts;
- the Code of Civil Procedure; and
- the Consumer Protection Law.
Fintechs offering e-commerce services must adhere to certain measures/restrictions, including the following:
- providing easy and direct access to clients on their identification information and contact information, and detailed information on prices, including fees, expenses, taxes and so on;
- refraining from communicating unsolicited marketing and advertising emails without the recipient's prior consent or without obtaining the recipient's details through a previous communication; and
- ensuring that certain details are communicated to the client when offering an e-contract, such as:
- the terms and conditions, with the option to copy and duplicate them;
- the steps for concluding the electronic contract; and
- the official language of the contract.
Electronic documents and contracts have the same probative value as paper documents and contracts, subject to certain conditions, including the following:
- The sender of the electronic document must be identifiable; and
- The electronic documents and contracts must be organised and stored in a manner that ensures their safety.
The electronic transfer of money is regulated by the BDL, primarily through BDL Basic Circular 69/2000 on Electronic Financial and Banking Operations. The Electronic Transactions and Personal Data Law grants the BDL further extensive authority for the regulation of electronic banking and financial services. E-payments and money transfers may only be carried out by banks, financial institutions or other institutions legally authorised or licensed by the BDL.
E-payment service providers must take steps, among other things, to:
- provide clear and explicit terms and conditions of e-payments to the client pursuant to the BDL's regulations, including rights and obligations relating to electronic banking services, fees, expenses and so on;
- obtain the client's prior written consent to the conditions governing e-payments, transfers and their cancellation;
- take all necessary risk mitigation measures;
- store and protect data against disclosure, destruction, misuse, loss and theft;
- facilitate the BDL's access to its systems for supervision purposes;
- have their external auditors prepare an annual report concerning electronic operations;
- maintain secrecy in transactions; and
- ensure compliance with applicable laws, regulations and guides on data protection, cybersecurity, anti-money laundering (AML), counter-terrorist financing and so on.
Specific legal issues associated with e-commerce in Lebanon include the absence of implementing regulations for the Electronic Transactions and Personal Data Law and specific cybersecurity legislation. Cybersecurity is governed only by BDL Basic Circular 144/2017 and a guide on combating financial cybercrime issued jointly by the BDL and the Anti-cybercrime and Intellectual Property Rights Bureau, which sets out preventive measures and corrective actions both for the financial sector and for non-financial companies.
(b) Mobile (m-commerce)
M-commerce is governed by the same legislation as applies to e-commerce. Mobile payment service providers and banks offering mobile services are bound by the same obligations as licensed and authorised electronic payment service providers (see question 3.1(a)).
Banking operations executed by mobile between customers of different banks are prohibited, except for the receipt by a bank of a bank transfer request from a customer, provided that:
- the transfer is not instantly executed through a mobile application or software;
- the back office of the relevant bank verifies that the transfer request complies with the applicable laws and regulations; and
- the transfer is executed solely through the usual conventional methods (ie, through SWIFT).
However, customers of different banks may carry out electronic banking or financial operations through applications and software installed on mobile and electronic devices, using bank cards and/or accounts, provided that, among other things:
- the BLD's prior approval is obtained for such applications and software;
- the operations are executed instantly between the customers;
- the value of such operations does not exceed certain thresholds, as determined by the BDL; and
- the operations are in line with the applicable compliance and AML laws and regulations.
(c) Big data (mining)
No specific legislation deals expressly with big data in the fintech space.
However, any processing, storage or transmission of personal data must be compliant with the provisions of the Electronic Transactions and Personal Data Law (see question 5 for more details) and the Consumer Protection Law.
Moreover, the BDL has issued Basic Circular 146/2018 requiring all banks, financial institutions and other regulated institutions to take all appropriate measures in line with the provisions of the General Data Protection Regulation (GDPR) promulgated by the European Parliament and the Council of the European Union on 27 April 2016, and notify the compliance unit at the BDL of the procedures and measures adopted in this regard.
(d) Cloud computing
There are no specific regulations on cloud computing in Lebanon. Nevertheless, any cloud computing involving personal data must comply with the Electronic Transactions and Personal Data Law and the Consumer Protection Law.
However, cloud computing is specifically prohibited with regard to certain activities, such as crowdfunding; and crowdfunding licensed institutions are prohibited from storing databases through any form of shared cloud computing. Moreover, although there is no express legal prohibition against banks using cloud computing, the Banking Secrecy Law seems to be an obstacle for Lebanese banks, due to the requirements on the protection of client data under that law. It has been informally reported that the BDL does not seem amenable to banks' use of cloud computing in light of this issue.
(e) Artificial intelligence
Artificial intelligence is not expressly regulated under Lebanese law.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
The BDL has long adopted a rather unfavourable stance towards cryptocurrencies and has warned Lebanese banks and financial institutions against their use, pending the enactment of relevant laws and regulations. However, it was recently reported in the press that the governor of the BDL may be launching a Lebanese cryptocurrency. The BDL is vested under the Electronic Transactions and Personal Data Law with extensive authority with regard to the issuance and regulation of electronic and digital money.
No specific regulations explicitly regulate blockchain in Lebanon.
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
Crowdfunding is a regulated activity in Lebanon under Capital Markets Authority (CMA) Decision 3/2013.
Subject to a prior licence from the CMA and approval to commence operations, the following entities only may carry out crowdfunding activities in Lebanon:
- Lebanese joint stock companies with the main objective of providing crowdfunding services and with share capital of at least LBP 1 billion; and
- foreign crowdfunding companies, through a branch opened in Lebanon and the allocation of LBP 1 billion for the branch's activities in Lebanon.
In carrying out its activities, a licensed institution must, among other things:
- cooperate in order to facilitate the CMA's monitoring duties;
- prepare and provide the CMA with periodical reports on its operations and technical, organisational and financial conditions;
- have its external auditors prepare annual reports;
- refrain from providing any advice to investors or the company seeking to raise capital through crowdfunding;
- refrain from receiving deposits of any kind;
- refrain from using the electronic platform to offer any financial products or derivatives to the public other than ‘equities and shares';
- refrain from direct or indirect trading in ‘equities and shares' on the electronic platform designed to provide the crowdfunding service; and
- abide by certain technical rules and procedures to ensure that it has in place:
- an effective electronic system (eg, hardware, operating systems, software and network);
- system protection software (eg, anti-spam, anti-virus, firewalls);
- encryption measures; and
- investors' protection procedures when logging in (log-in access), including an authentication procedure.
No specific regulations govern peer-to-peer lending in Lebanon. Lending activities are specifically regulated under the Code of Money and Credit (13513/1963) and Banque du Liban (BDL) regulations, and must be undertaken only by licensed banks, financial institutions or other specialised lending entities.
(b) Online lending and other forms of alternative finance
Online lending activities are not explicitly regulated in Lebanon. They must be subject to the laws and regulations governing lending in general, including the Code of Money and Credit and BDL regulations.
Lending activities may be undertaken only by banks, financial institutions licensed by the BDL and specialised lending entities. Specialised lending entities do not require a licence from the BDL, but must notify the BDL prior to engaging in any activity.
Additionally, BDL Basic Circular 124/2010 on Transparency, Conditions and Means of Credit sets out certain conditions on licensed institutions carrying out lending activities, including the following:
- Any direct or indirect advertisements for lending activities must be clear, comprehensive and accurate, and must not include any reference to any benefits or services if unavailable (eg, 0% interest, overdraft, weekly instalments);
- The contract and application forms adopted by the institution must be clear, comprehensive and accurate; and
- The institution must ensure that certain conditions and provisions are included in the application forms, such as the currency of the credit and its duration.
BDL Basic Circular 69/2000 on Electronic Payment and Financial Operations also applies to online lending and licensed institutions must comply with its provisions, including the following:
- registering with the BDL to carry out electronic payments and financial operations; and
- obtaining prior approval from the BDL to carry out electronic banking or financial operations executed via applications or software on mobile and fixed electronic devices and using bank cards (see question 3.1(b)).
Furthermore, online lending is also subject to the provisions of the Electronic Transactions and Personal Data Law, including the provisions relating to digital signatures. However, the implementing regulations for this law have not yet been issued.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)
Electronic payment services are regulated by BDL Basic Circular 69/2000, and electronic banking and financial services are governed by the Electronic Transactions and Personal Data Law, which grants the BDL extensive regulatory powers in this respect. Electronic banking and financial operations may be carried out only by banks, financial institutions and any other institution that obtains a prior licence from the BDL (see question 3.1(a)).
Electronic payment and banking operations include:
- operations concluded, executed or promoted through electronic or photo-electronic means (eg, mobile, computer, internet, ATMs);
- operations executed by issuers or promoters of all types of electronic charge, debit or credit cards;
- electronic transfers of cash; and
- offers, purchases, sales and all other electronic banking services executed through specialised websites.
These services are subject to the supervision of the BDL. Payment service providers must take all necessary measures and submit the requested documents to facilitate and ensure the efficiency of such supervision.
Forex is a regulated activity and is subject to the Forex Profession Law. Forex activities may be carried out only by banks, financial institutions, financial brokerage firms and forex companies that have obtained a licence from the BDL. The BDL is vested with discretionary power to grant or reject a licence, depending on whether it serves the public interest.
The shareholdings of forex companies are subject to nationality restrictions and, depending on the legal form of the company, there is a minimum threshold of parts or shares that must be owned by Lebanese nationals.
Forex companies must comply with the BDL's regulations and must:
- submit to the BDL all information, accounting data, statistics and documents evidencing the legality of their operations; and
- maintain a special register that documents every transaction that exceeds a certain threshold set by the BDL.
Forex companies must not accept deposits, grant facilities or incur indebtedness other than for their forex activities. They are subject to the anti-money laundering/counter-terrorist financing (AML/CFT) legislation.
Trading in securities is a regulated activity under CMA Series 2000. It includes the following:
- dealing in or trading a security as principal or as agent; and
- selling, buying or taking an order to sell or buy a security.
Trading is reserved to institutions licensed by the CMA. The institution must be:
- established in Lebanon as a bank, financial institution or financial intermediation institution duly registered with the CMA or the BDL; or
- established in Lebanon as a branch of a foreign financial entity whose parent company engages in securities business and is licensed by a competent authority in a recognised jurisdiction.
Individuals carrying out certain activities within the licensed institution – such as the finance officer, CEO or senior executive officers – must also be licensed by the CMA.
The conduct of licensed institutions is regulated by CMA Series 4000, which sets out obligations when carrying out transactions on the market. Such obligations include refraining from the disclosure of inside information and from manipulative and deceptive acts.
(f) Investment and asset management (private management)
Investment and asset management activities in Lebanon are regulated activities governed by:
- the Collective Investment Schemes Law;
- the Capital Markets Law;
- the Law regulating the Financial Intermediation Profession; and
- CMA Series 2000 and 8000.
Asset management is reserved for:
- institutions that are licensed by the CMA and carry out securities business activities such as managing a security or a portfolio of securities for another person on a discretionary basis or managing a collective investment scheme (CMA Series 2000);
- Lebanese joint stock companies and branches of foreign financial intermediation institutions that have obtained a prior licence from the BDL and whose main object is to undertake financial intermediation activities (ie, asset management); and
- banks and financial institutions registered with the BDL.
Investment activities are undertaken by collective investment schemes, which must take the form of a mutual fund or a joint stock company. They must obtain a prior licence from the CMA and their constitutive act is subject to the CMA's approval. The latter enjoys discretionary power in this respect and will grant a licence insofar as it benefits the public interest. Collective investment schemes must provide the CMA with any document or record requested both before and during the commencement of activities.
The manager of a collective investment scheme established in Lebanon must disclose to the CMA any information relating to a scheme that is necessary for the CMA to carry out its responsibilities in a timely, accurate and complete manner.
Collective investment schemes must adhere to the provisions of the Banking Secrecy Law and AML/CFT legislation.
(g) Risk management
Every Lebanese bank must establish a risk committee to supervise the implementation of the risk management rules, as issued by the BDL and the Banking Control Commission, both in the bank in Lebanon and in its branches and affiliates abroad.
CMA Series 2000 requires any institution requesting a licence from the CMA to conduct securities activities to demonstrate that it has established sufficient systems, policies and procedures covering risk management. This series further obliges the institution to engage a risk management officer, who will be responsible for the design and implementation of an approved risk management policy.
Robo-advice activities are not specifically regulated in Lebanon. However, robo-advice may be considered as an advisory securities business which is a regulated activity under CMA Series 2000. This includes:
- advising another person on the benefits and risks of his or her investment or dealing in any type of securities;
- advising on the exercise of any right relating to a security; and
- providing financial advice relating to investments, dealing in securities, corporate finance matters or mergers and acquisitions.
Consequently, we believe that institutions conducting robo-advice must be approved and licensed by the CMA and ar subject to the code of conduct set out in CMA Series 4000.
No specific legislation governs insurtech in Lebanon. We believe that such activities may be subject to Decree 9812/1968 regulating Insurance Companies.
Any company, institution or organisation conducting insurance activities in Lebanon must obtain a licence from the minister of economy and trade.
Every Lebanese entity conducting insurance activities must be established as a joint stock company which satisfies the following conditions:
- Its object is restricted to the performance of insurance activities as detailed in Article 1 of Decree 9812/1968;
- It has a minimum capital of LBP 2.25 billion;
- It hires a general manager and assistant general manager with a good reputation, a university degree and at least 10 years' experience of insurance work; and
- It hires an insurance actuary if it conducts life insurance activities and offers child and marital insurance plans, among other things.
Insurance entities are subject to the supervision of the Ministry of Economy and Trade and the Insurance Control Commission, which is the regulatory authority in charge of the insurance sector in Lebanon.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
The processing of personal data is protected by and subject to the provisions of the Electronic Transactions and Personal Data Law.
In principle, a permit is needed from the Ministry of Economy and Trade to process personal data (subject to certain exceptions provided for in the law). The collection and processing of personal data by fintechs must comply with the requirements of the Electronic Transactions and Personal Data Law, including the following:
- Personal data must be collected faithfully and for legitimate, specific and explicit purposes.
- Personal data may not be processed for purposes that are not in line with the objectives specified, unless the data is processed for statistical or historical purposes or for scientific research.
- Every person must have the right to object to the data processor, for legitimate reasons, with regard to the collection and processing of his or her personal data, including collection and processing for the purpose of commercial promotion, except when the data processor is obliged by law to collect the data or the data subject has agreed to the processing of the personal data.
- When the personal data is not collected from the data subject, the data processor must, among other things, inform the data subject personally of the content of the processed data and the objectives of its processing, unless the data subject is aware of the processing or informing him or her is impossible or impractical.
Furthermore, fintech companies, when acting as data processors, must inform the data subject of the following:
- the identity of the processor;
- the purposes of the processing;
- whether the questions asked of the data subject are optional or mandatory;
- the consequences of not answering;
- the recipients of the personal data; and
- the data subject's right to access and correct the data, and the means to do so.
Certain personal data may be considered sensitive in nature, such as data that reveals, directly or
indirectly, the health status, genetic identity or sexual activities of the data subject. It is generally prohibited to process such information without the data subject's consent.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
There is no general cybersecurity regime in Lebanon. However, an Anti-cybercrime and Intellectual Property Rights Bureau has been established within the Internal Security Forces to combat cybercrime and enhance online security.
A guide on combating financial cybercrime issued jointly by the BDL and the Anti-CyberCrime Bureau sets out the preventive measures and corrective actions for the financial sector and non-financial companies to take.
Banks, financial institutions and financial brokerage institutions must adhere to the following rules, among others:
- Monitor the subject and destination of money transfers and the accredited financial brokers and bankers;
- Review the names of the final beneficiaries of money transfers and their account numbers in comparison with the client's previous transactions;
- Contact the client via a trusted means of communication other than email to verify that instructions received by email are correct, and preserve the information, communication and other evidence that proves the contact with the client; and
- Include special provisions in the ‘account opening' contract and establish internal procedures to implement money transfer requests by email.
BDL Basic Circular 144/2017 imposes additional obligations on banks and financial institutions to prevent cybercrime, including the following:
- conducting risk assessments of possible cybercrimes and ensuring constant access to the latest developments in the field of information security technology;
- concluding insurance contracts to cover cybercrime risks;
- establishing a team that is responsible for combating and preventing cybercrime;
- using a two-step verification process to verify users' identity from outside the bank or financial institution and their right to access the system; and
- using a full and safe encryption mechanism for highly important data to avoid loss or manipulation.
In case of a financial cyberattack, banks and financial institutions must take expedited and efficient measures, which include:
- informing the Special Investigation Commission of relevant information, such as the Internet Protocol address through which the suspicious transfer requests were sent; and
- directing the client to notify or file a complaint with the competent authorities.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
Financial crimes are governed in Lebanon by various provisions, as follows:
- Money laundering is governed by the Law on Fighting Money Laundering and Terrorist Financing and various BDL circulars and decisions, such as:
- Basic Circular 83/2001 on the Regulations on the Control of Financial and Banking Operations for Fighting Money Laundering and Terrorist Financing;
- Basic Circular 126/2012 on the Relationship of Banks and Financial Institutions with their Correspondents;
- Basic Circular 1/2018 on Fighting Money Laundering and Terrorist Financing in Financial Intermediary Institutions and in Collective Investment Schemes; and
- Special Investigation Commission Circular 25/2019 on National Money Laundering and Terrorist Financing Risk Assessment.
- Theft, breach of trust, embezzlement, bribery and fraud are regulated under the Penal Code.
- Market manipulation is an offence under Article 685 of the Penal Code and is sanctioned under CMA Series 4000.
- Insider trading offences are governed by the Law on the Prohibition of Exploitation of Inside Non-public Information when Trading in the Capital Markets and CMA Series 4000, which prohibit an insider from making a trade, directly or indirectly, in a traded security or a related security while in possession of inside non-public information relating to the traded security, and from using inside non-public information to acquire, attempt to acquire, dispose or attempt to dispose, directly or indirectly, of a traded security to which such information relates.
- Tax evasion is governed primarily by the Tax Procedures Law. Additionally, Minister of Finance Decision 2487/2019 reiterates that necessary legal measures will be taken, including increasing banking secrecy, to strictly combat tax evasion; the Exchange of Tax Information Law sets out the basis for the exchange of tax information.
- Corruption is criminalized under the Law on Illicit Enrichment.
Fintechs that conduct a regulated activity – such as banks, financial institutions, leasing companies, institutions that issue and promote credit or charge cards, institutions that perform money transfers electronically, exchange institutions, financial intermediation institutions, collective investments schemes and any other institution that requires a licence or is supervised by the BDL – must comply with certain obligations, including the following:
- Implement customer due diligence measures.
- Determine the identity of the beneficial owner and take the steps needed to verify this identity on the basis of reliable documents or information or data.
- Retain copies of related documents of all operations, and retain information or data or copies of the customers' identification documents, for at least five years after performing the operations or ending the business relationship, whichever is longer.
- Continuously monitor and review the business relationship with the client.
Fintech companies which require a licence or are supervised by the BDL will be also subject to the Law on Fighting Money Laundering and Terrorist Financing and the various laws and regulations which require, among other things, the establishment of an anti-money laundering/counter-terrorist financing (AML/CFT) Board Committee and an AML/CFT Compliance Unit.
The main challenge for fintechs that specifically provide payment services is to ensure compliance with applicable financial laws and regulations, given the money laundering, terrorist financing and tax evasion risks associated with online payments and money transfers.
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
The Lebanese Parliament is yet to pass a competition law. In 2012 the Ministry of Economy and Trade submitted a draft law aiming at strengthening competition. However, the draft law has not yet been enacted.
With regard to fintechs that carry out activities governed by the Electronic Transactions and Personal Data Law, this law tends to protect them from unfair competition by granting the Lebanese courts exclusive jurisdiction over any anti-competitive practices arising from a contract transmitted to the public in the form of signs, writing, pictures, sounds or messages of any nature, by digital means, even if such contract is governed by a foreign law.
Unfair competition is also briefly regulated under the Resolution on Commercial and Industrial Property Rights. This resolution grants the plaintiff in an unfair competition lawsuit the right to seek a court order to stop the act of unfair competition and claim compensation for the damages sustained.
8.1 How is innovation in the fintech space protected in your jurisdiction?
Lebanon's legal framework is protective of IP rights. Innovation in the fintech space is protected primarily under the following laws:
- Resolution 2385/1924 on Commercial and Industrial Property Rights;
- the Law on the Protection of Literary and Artistic Property; and
- the Law on Patents.
An innovative industrial design in relation to a specific fintech activity, once filed with the IP Protection Bureau at the Ministry of Economy and Trade, grants its creator the right to exploit that design. However, this alone does not grant the creator the right to ownership of the design; the owner must also use the design. This right endures for 25 years from the date of filing, subject to renewal for an additional 25 years.
Trademarks are also protected under Lebanese law once they are filed with the IP Protection Bureau. This grants the holder the right of ownership and protects against unauthorised use and imitation for 15 years; the trademark may be renewed indefinitely for further periods of 15 years.
A computer program constitutes a literary work that qualifies for copyright protection under the Law on the Protection of Literary and Artistic Property. This applies, among other things, to computer software and databases. Copyright arises automatically once a work is created, and grants the creator the right of ownership without any formalities (ie, filing or registration) and protection against any violation.
A patent protects a filed invention that is novel, innovative and capable of industrial application. Inventions include, among other things, new industrial products and processes, and applications of previously known processes. Once a patent is filed with the IP Protection Bureau at the Ministry of Economy and Trade, it grants the inventor the exclusive right to exploit the invention and prevents third parties from copying the invention for 20 years from the date of filing.
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
Under Banque du Liban (BDL) Basic Circular 23/1996, as amended by Intermediate Circular 331/2013, banks may benefit from interest-free loans from the BDL, for a maximum period of seven years, for their participation in the capital of start-ups that specialise primarily in ICT projects promoting economic and social growth and job opportunities in Lebanon.
Such loans are granted with the approval of the BDL Central Council, provided that the following conditions, among others, are satisfied:
- The start-up is a Lebanese joint stock company;
- The start-up is not a financial company or an offshore company;
- The bank undertakes to transfer its shares in the start-up within a period not exceeding seven years;
- The participation of the bank in the start-up's capital does not exceed 80% of the start-up's capital;
- The bank's total participation in start-ups does not exceed 3% of its capital, and its participation in a single start-up does not exceed 10% of that 3% total; and
- The bank plays an active role in the development of the start-up's business and supports its continuous growth and governance.
Additionally, the BDL grants subsidised loans for software and technology development; these loans are provided at a favourable interest rate and the borrower pays only part of the interest.
Under the Investment Law, the Investment Development Authority of Lebanon grants the following incentives for projects in the IT sector, such as ICT manufacturing, medical technologies, computer programming and other projects set out in Decree 8709/2012:
- an exemption from income tax and dividends tax for 10 years;
- the grant of work permits, subject to favouring the employment of Lebanese workers and registering employees with the National Social Security Fund; and
- the settlement on behalf of the company, for two years, of subscriptions due to the National Social Security Fund for Lebanese skilled labour whose annual salary does not exceed LBP 45 million.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
Employment in Lebanon is governed by a number of legal sources. The primary instrument that governs employment in the private and mixed sectors in Lebanon is the Lebanese Labour Law of 1946.
Other domestic sources include:
- Social Security Law enacted by Decree No. 13955 of 1963;
- Law on Regulating Foreigners' Employment enacted by Decree No. 17561 of 1964;
- Collective Agreements, Mediation and Arbitration Law enacted by Decree No. 17386 of 1964;
- Occupational Emergencies and Injuries Law enacted by Decree-Law No. 136 of 1983; and
- Occupational Health, Safety and Welfare Law enacted by Decree No. 11802 of 2004.
Additionally, governmental decrees and decisions issued by the Ministry of Labour, customary practices and international treaties further regulate employment in Lebanon.
Employees' rights include the following:
- A wage sufficient to cover the employee and his/ her family's basic needs, and that reflects the nature of the work, provided that it is not less than the statutory minimum wage;
- The working week must not exceed 48 hours;
- A 15 days' annual leave on full pay after completing one year of employment; and
- Protection against gender-based discrimination relating to the nature of the job, wages, recruitment, promotions, pay rises, professional training and attire.
In determining the terms and conditions of the employment contract, fintechs operating in Lebanon must pay attention to the mandatory applicable laws and the minimum rights granted to employees, such as working hours and termination rights. It is always recommended that fintechs seek local legal advice when developing internal HR regulations and drafting model employment contracts.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
The employment of foreigners in Lebanon is subject to the Law on Regulating Foreigners' Employment, enacted by Decree 17561/1964 and to the Lebanese Labour Law where applicable. Such employment is contingent upon the obtention of work permits from the Ministry of Labour. Certain restrictions on foreign employment aimed at favouring local employment apply.
The Labour Law is protective of foreign employees' rights and grants foreign employees the same rights as Lebanese employees at the termination of their employment, subject to reciprocity in the employee's country of origin and the employee having obtained a work permit from the Ministry of Labour.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The fintech industry has been growing rapidly in Lebanon. According to the 2018 Factbook of the Investment Development Authority of Lebanon (IDAL) on the Fintech Sector in Lebanon, Lebanon was MENA's third most advanced fintech startup ecosystem in 2018, hosting 14% of the region's fintech startups. It was also the fourth most served market by fintech companies with 27% of MENA fintech startups serving the Lebanese market.
However, fintech in Lebanon may prove challenging for startups given the specific lacking regulation and access to licensing. The BDL Governor released a statement in June 2019 expressing his intention to regulate and supervise fintech companies, by imposing their licensing by the BDL; however, we are not aware of any practical steps taken towards this end. The additional challenge for fintech startups is the lack of regulatory testing sandboxes for fintechs to test their innovative services, products and platforms.
Regarding developments anticipated in the next 12 months, we expect the issuance of the implementing regulation of the E-Transactions and Personal Data Law; the Council of Ministers resolved to expedite the issuance of such regulation in its Decision 1/2019. Furthermore, the BDL may be launching a cryptocurrency as recently announced by the BDL Governor and reported in the press.
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
Fintech players seeking to enter Lebanon would not only benefit from a favourable ecosystem, but also from the highly educated, skilled and cost competitive labour force and from Lebanon's international business culture and exposure to the MENA region and Europe.
However, before operating in Lebanon, fintechs must seek legal advice on any specific registration or authorisation requirements, depending mainly on whether the fintech undertakes a regulated activity such as electronic payment services that requires a license from the BDL.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.