The BDL 13790 IT Compliance Stack


The BDL 13790 IT Compliance Stack: A Blueprint for Licensed Fintechs


On January 9, 2026, the Banque du Liban (BDL) issued Basic Decision No. 13790, a landmark regulation that finally creates a clear legal framework for Electronic Payment Services Providers (EPSP) in Lebanon.

For years, the sector operated in gray areas. Now, we have clarity. Whether you are launching an E-Wallet (Category A), a Money Transfer service (Category B/C), or a Payment Gateway (Category E), the path to legitimacy is open.

But legitimacy comes with a heavy infrastructure price tag. The new licensing requirements are rigorous, particularly regarding IT infrastructure and data sovereignty.

At EXEO, we have been anticipating this shift for over 12 months. Here is the breakdown of the biggest IT hurdles in Decision 13790 and how to solve them.

1. The "Data Sovereignty" Mandate (Article 27)

This is the single most critical operational change for modern startups.

The Rule: Article 27 explicitly states that all licensed institutions “must store in Lebanon all data and information pertaining to customers and executed operations (Local Data Hosting)”.

The Challenge: Most modern fintech stacks are built on foreign public clouds (AWS, Azure, Google Cloud). Under this new regulation, relying solely on offshore hosting for customer data is no longer a compliant option. You cannot get a license if your user database lives in Frankfurt or Virginia.

The Solution: You need a local cloud partner. We anticipated this requirement and invested heavily in local data center capacity within the Lebanese territory.

We offer the compliant, local hosting environment you need to satisfy Article 27 immediately.

2. The IT Security Barrier (Annex 2)

The licensing application requires you to submit a massive amount of technical documentation, proving your infrastructure is hardened against cyber threats.

Your application will be rejected if you cannot demonstrate:

  1. SIEM Implementation: A system for recording and reviewing system logs.
  2. Hardening & Encryption: Documented procedures for device hardening and encryption algorithms.
  3. Business Continuity: A full Disaster Recovery (DR) plan to ensure service continuity.
  4. Penetration Testing: A commitment to regular tests by specialized companies.

Building a Security Operations Center (SOC) from scratch to meet these standards is a massive CAPEX drain for a startup.

3. The Outsourcing Permit (Article 31)

Here is the good news. While the BDL prohibits outsourcing your core administrative Risk or Compliance departments, it explicitly allows you to outsource IT Security.

Article 31 states that functions related to “IT security, cyber risk management, and internal audit of IT” can be managed by a third party (with BDL approval).

This allows you to utilize EXEO’s vCISO (Virtual CISO) Service. Instead of hiring a full-time executive to write your security policies and manage your cyber risk strategy, you can leverage our certified security team to:

  • Design the “Information Security Framework” required by Article 9.
  • Manage the “Cyber Risk” function mandated by Article 31.
  • Oversee the “Penetration Testing” and remediation process.

We provide the strategic security leadership you need to get licensed, at a fraction of the cost of a full-time hire.

How EXEO Gets You "License-Ready"

We didn’t wait for the circular to drop. We have spent the last year building the infrastructure that BDL 13790 demands.

  • Compliant Local Cloud: Our dual data centers provide the “Local Data Hosting” required by Article 27, with the redundancy required for your Business Continuity Plan.
  • Documentation Support: We provide the Letter of Intent for hosting and the technical infrastructure mapping required for your license application.
  • Managed Security: From SIEM to perimeter defense, we wrap your application in the security layer mandated by Annex 2.


The race for licenses has started. The BDL has set strict capital requirements and operational timelines. Don’t let infrastructure be the bottleneck that slows you down.

Contact our Team for a Readiness Assessment

Exeo is a certified managed services provider with a local hosting offering, a strong cybersecurity culture and cyber-governance services.
