Circular No. 10/2020/TT-NHNN amending Circular No. 28/2015/TT-NHNN

CIRCULAR

On amending, supplementing a number of Articles of the Circular No. 28/2015/TT-NHNNdated December 18, 2015 of theGovernor of theState Bankof Vietnamstimulating on the management, use of digital signature, digital certificates and digital signature certification service of the State Bank

_____________

Pursuant to the Law on State Bank of Vietnam dated June 16, 2010;

Pursuant to the Law on the Credit Institutions dated June 16, 2010 and the Law on amending and supplementing a number of Articles of the Law on the Credit Institutions dated November 20, 2017;

Pursuant to the Law on Information Technology dated June 29, 2006;

Pursuant to the Law on E-transactions dated November 29, 2005;

Pursuant to the Decree No.130/2018/ND-CP dated September 27, 2018 of the Government on detailing the Law on E-Transactions regarding digital signatures and digital signature certification services;

Pursuant to the Decree No. 16/2017/ND-CP dated February 17, 2017 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

Atthe request of the Director of theInformatics Technology Department;

The Governor of the State Bank of Vietnam promulgates the Circular on amending and supplementing a number of Articles of the CircularNo. 28/2015/TT-NHNNdated December 18, 2015 of Governor of the State Bank of Vietnam stimulating on the management, use of digital signature, digital certificates and digital signature certification service of the State Bank (hereinafter referred to as the Circular 28/2015/TT-NHNN).

Article 1. To amend, supplement a number of Articles of the Circular No. 28/2015/TT-NHNN

1. To amend and supplement Article 1 as follows:

“This Circular defines the management, use of digital signature,digital certificates, and digital signature certification service of the State Bankof Vietnam (hereinafter referred to as the State Bank).”

2. To amend and supplement Clause 1, Article 2 as follows:

“Affiliates of the StateBank; credit institutions; foreign bank branches; the State Treasury Agencies;Deposit Insurance of Vietnam.”

3. To add Clauses 11, 12, 13, 14, 15 to the Article 3 as follows:

“11. “Activation code” includes the reference member and verification code used for certification in the process of digital certificate activation.

12. “Digital certificate activation” prescribes the installation the pair of key for digital certificates including secret key, public key and stored in the secret key equipment.

13. “Competent persons” include Heads of the State Bank, Heads of the affiliated units of the State Bank or the legal representatives under the legal provisions of the agencies and organizations prescribed in Article 2 of this Circular.

14. “Public service system” is defined as web portal serving the online public service of the State Bank.

15. “Digital certificate practice” includes practices in information system that subscribers can use digital certificate for signing approval or verification. A digital certificate can be used for signing approval or verification at one or many practices in one or many information systems. Information systems that use the digital certificates of the State Bank includes:

a) Public service system;

b) Inter-bank electronic payment system;

c) Reporting system of the State Bank;

d) System of bidding and open market operations, including:

- Bidding and open market;

- Issuing, paying, extending and cancelling the special bonds;

- Refinancing.

dd) Reporting system of the Deposit Insurance of Vietnam;

e) Other systems decided by the Governor of the State Bank.”

4. To add Article 4a as follows:

“Article 4a. Forms of sending and receiving dossiers, documents and reports in the verification service of digital signature and results

1. The organizations managing subscribers shall send relevant dossiers, documents and reports of digital certificates and service of digital signature verification to the State Bank (theInformatics Technology Department) by one of the following methods:

a) Electronic means via the Public service systems;

b) Written documents shall be submitted directly at Single-window department or by post. The State Bank (theInformatics Technology Department) only receives and processes the written documents in the cases as follows:

- Accidents can cause the stop the operation of the public service system;

- The organizations managing subscribers have not been issued with the digital certificates for public services, the digital certificate is expired or the subscriber’s devices for secret key storage are broken.

2. For dossiers, documents and reports relevant to digital certificates and the verification service of digital certificates of the State Bank, the organization managing subscriber shall be eligible for choosing the originals or the copies scanned from the originals (PDF form) which have been signed by the competent person of the organization managing subscribers using the digital certificates of CA-NHNN or the copies scanned from the original records or the certified copies or copies attached to the original for comparison.

3. TheInformatics Technology Departmentshall send the online results of processing and rejection reasons via the Public service system to the organization managing subscribers. In the case of having accidents in the public service system, the results shall be send to (i) the organization managing subscribers by post or (ii) emails of subscribers and individuals, or the department in charge of digital certificate management in the organization managing subscribers.”

5. To add the Article 4b as follows:

“Article 4b. Subscriber’s devices for secret key storage

1. The Informatics Technology Department shall be responsible for the guidance of model, technical specifications of the subscriber’s device for secret key storage which is in conformity with the State Bank’s verification system for digital certificates and the current situation of technology development.

2. The Informatics Technology Department shall provide the devices for secret key storage for the administrative units directly under the State Bank. Other organizations shall, by themselves, buy the secret key storage in accordance with the guidelines of the Informatics Technology Department.

3. Submission and receipt of the secret key storage shall be processed directly or by post between the Informatics Technology Department and administrative units directly under the State Bank.”

6. To amend and supplement the Article 5 as follows:

“Article 5. Issuance of digital certificates

1. The organization managing subscribers shall apply a (one) dossier upon the demand of issuing the digital certificate or professional supplement, including:

a) Issuing or supplementing digital certificate operations for the competent person:

- Application in written form for issuing, supplementing the digital certificate operations in accordance with the Appendix 01attached tothis Circular;

- Proposal for issuing and supplementing the digital certificate operations for individual in accordance with the Appendix 02attached tothis Circular;

- Written documents proving the legal representatives of the agencies and organization as follows:

+ The Certificate of business registration or the certificate of co-operative registration or equivalent papers for enterprises, credit institutions, and branches of foreign banks;

+ Assignment decision of the applicant (for state agencies).

b) Issuing, supplementing digital certificate operations for authorized competent individuals;

- Application in written form for issuing, supplementing digital certificate operations in accordance with the Appendix 01attached tothis Circular;

- Proposal in written form for issuing, supplementing digital certificate operations for individuals in accordance with the Appendix 02attached tothis Circular;

- Authorization documents in written form of the competent person to authorize another person to sign the dossier, documents, files, reports and other transaction in the relevant information system with the digital certificate operation. The authorized person is not allowed to re-authorize another person;

- Confirmation in written form for the applicant’s titles.

c) Issuing, supplementing the digital certificate operations for organizations:

- Proposal in written form for issuing, supplementing digital certificate operations for organizations in accordance with the Appendix 02aattached tothis Circular;

-  Establishment decision or decision prescribing the functions, tasks, rights and organizational structure or the certificate of business registration or the certificate of co-operative registration or equivalent papers.

2. The organization managing subscribers shall propose to supplement the digital certificate operations in the case that digital certificates have been used and valid, the Informatics Technology Department shall carry out operation supplementation for current subscriber’s digital certificates.

3. Processing deadline and results

The Informatics Technology Department shall check the dossiers, issue the digital certificates or supplement digital certificate operations for the subscribers, send the notification on digital certificate’s issuance and the activation code to the emails or message to the subscriber’s number within 05 working days from the date of receiving the dossiers. For the organization’s digital certificates, the Informatics Technology Department shall send the notification on digital certificate’s issuance and activation code to the emails and messages to the phone number of persons in charge of digital certificates of the organization managing subscribers in accordance with the regulations prescribed at the Clause 1, Article 14 of this Circular.

In case of inadequate applications, the Informatics Technology Department shall reject and specify the reason. Feedback and results shall conform to Clause 3, Article 4a of this Circular.

4. The activation code of digital certificates takes effect up to 30 days from the issuing date of the digital certificates. For the new digital certificates, the subscriber must activate the digital certificate before the invalid term of the activation code. The instructions for activation and extension of the State Bank’s digital certificates are posted on the website of the State Bank. For the digital certificates supplemented with operations, the subscribers are not required to activate the digital certificates.

5. The effective term of subscriber’s digital certificates shall be decided by the organization managing subscriber but not more than 05 years from the date of activation,”

7. To amend, supplement Article 6 as follows:

“Article 6. Digital certificate extension and revision

1. The digital certificates requested for extension and revision must be valid.

2. Validity of the digital certificates:

a) After the extension, the digital certificates takes effect from the time of successful extension but no longer than 05 years;

b) The revision shall have no effect on validity term of the digital certificates.

3. In the case of digital certificate extension and revision:

a) The organization managing subscribers shall request to extent the subscriber’s digital certificate at least 10 days before the expired date;

b) The organization managing subscribers shall request for revision of subscriber’s digital certificates within 05 working days when have any changes such as:

- Subscribers change the title, positions or working section;

- Subscribers change ID cards/Citizen ID cards;

- Subscribers change addresses, emails or phone numbers.

4. The organization managing subscribers sends a (one) dossier for extension and revision of the digital certificates include the Proposal for extension and revision of digital certificates in accordance with the Appendix 03attached tothis Circular.

5. Deadline and implementation results

The Informatics Technology Department shall check the dossiers of extension and revision of subscriber’s digital certificates within 05 working days from the time of receiving the dossiers. The Informatics Technology Department shall reject the dossiers with specific reasons in the case that the applications are invalid. Feedbacks and results of processing application shall be implemented in accordance with Clause 3, Article 4a of this Circular.

After receiving the approval notification for digital certificate extension, the subscribers shall extend the digital certificate in accordance with the instruction for activation, extension of digital certificates, which are posted on the website of the State Bank.”

8. To amend, supplement Article 7 as follows:

“Article 7. Suspension of digital certificates

1. Subscriber’s digital certificates shall be suspended in the case as follows:

a) Organizations managing subscriber apply the dossier for suspension of digital certificates to the Informatics Technology Department;

b) In accordance with the request in written forms from the proceeding agencies, police authorities or the Ministry of Information and Communications;

c) The Informatics Technology Department explores any errors or accidents that may effect on subscriber’s rights or security, safety of the digital certificate’s service system.

2. The suspension time of digital certificates prescribed at the Point a, Clause 1 of this Article shall conform to the request of the organization managing subscribers. The suspension time of digital certificates specified at Point b, Clause 1 of this Article shall conform to the request of the proceeding agencies, police agencies or the Ministry of Information and Communications. The suspension time of digital certificates specified at Point c, Clause 1 of this Article shall last until the above errors and incidents are remedied.

3. The organization managing subscriber shall apply n (01) dossier for digital certificate suspension, including the Proposal for digital certificate suspension in accordance with the Appendix 04attached tothis Circular.

4. Processing deadline and results

a) The Informatics Technology Department shall examine the dossiers, suspend the digital certificates and inform the results for the organization managing subscribers within 03 working days from the date of receiving the proposal for digital certificate suspension as prescribed at Point a, Clause 1 of this Article.  The Informatics Technology Department shall reject with specific reasons in the case of receiving inadequate dossiers. Feedbacks and results shall be processed in accordance with the regulations prescribed at Clause 3, Article 4a of this Circular;

b) The Informatics Technology Department shall suspend the digital certificates and inform in written form on time and reasons for digital certificate suspensions for the organization managing subscriber within 03 working days from the date of receiving information according to the regulations prescribed at Point b, Point c, Clause 1 of this Article.”

9. To amend, supplementPoint d,Clause 2; Clause 3, Clause 4 of Article 8 as follows:

“d) Digital certificates suspended under Point c, Clause 1 of Article 7 of this Circular and errors and incidents have been rectified.”

“3. Organizations managing subscriber shall apply a (01) dossier for digital certificate recovery including the Proposal for digital certificate recovery in accordance with the Appendix 05attached tothis Circular.”

4. Deadline and implementation results

a) TheInformatics Technology Departmentshall examine the dossier and recover the digital certificates for the subscribers within 03 working days from the time of receiving the proposal for digital certificate recovery in accordance with the regulations prescribed at Point a, Point b, Clause 21 of this Article. TheInformatics Technology Departmentshall reject the dossier with specific reasons for inadequate dossiers. Feedbacks and results shall be implemented in accordance with the regulations prescribed at Clause 3, Article 4a of this Circular;

b) TheInformatics Technology Departmentshall automatically recover digital certificates for subscribers within 03 working days from the time of receiving proposal in accordance with the regulations prescribed at Point c, Point d, Clause 2 of this Article.”

10. To amend, supplement Article 9 as follows:

“Article 9. Revocation of digital certificates

1. Organizations managing subscriber can issue the proposal for revoking digital certificates or cancelling a number of subscriber’s operations. In the case of revocation of digital certificates, all the operations of subscriber shall be revoked.

2. The subscriber’s digital certificates shall be revoked in the following cases:

a) At the request in written form of the proceeding agencies, police authorities or the Ministry of Information and Communications;

b) At the revocation request of the organizations managing subscribers;

c) The organizations managing subscribers have decisions for revoking the certificate of operation, split-up or division, merger, dissolution or bankruptcy as per law;

d) Subscribers are identified to commit violations of regulations on management, use of secret key and device of secret key storage;

dd) The digital certificates are invalid.

3. The organization managing subscriber shall send a (01) dossier for the revocation of digital certificates including the Proposal for revoking and annulling the digital certificate’s operation in accordance with the Appendix 06attached tothis Circular.

4. Feedbacks and implementation results

a) TheInformatics Technology Departmentshall examine the applications, revoke or annul the operations of digital certificates within 01 working day from the time of revocation proposal in accordance with regulations prescribed at Point a, Point b, Clause 2 of this Article. TheInformatics Technology Departmentshall refuse for possessing the dossier with specific results. Feedbacks and results shall be implemented in accordance with regulations prescribed at Clause 3, Article 4a of this Circular;

b) TheInformatics Technology Departmentshall automatically revoke subscriber’s digital certificates within 01 working days from the time of receiving the proposal in accordance with the regulations prescribed at Point c, Point d of this Article.”

11. To amend, supplement Clause 2, Article 10 as follows:

“2. Subscribers must create key pair before the activation day of code is due as stated in the notification of granting digital certificates. In the case that the activation codes are exposed or suspected to be exposed, or failed to be activated before the expired date at the issuance notification of digital certificates, subscribers fail in key pair creation and wish to continue using digital certificates, the organization managing subscribers shall apply a (01) dossier including the Proposal for changing activation code according to the Appendix 08attached tothis Circular.”

12. To amend, supplement Clause 2, Clause 3, Article 11 as follows:

“2. The organizations managing subscribers shall apply a (01) dossier of request for changing the key pair, including the Proposal for changing the key pair in accordance with the Appendix 07attached tothis Circular.

3.  TheInformatics Technology Departmentshall examine the application, change the key pair, and send the notification on changing key pair and activation code of digital certificates to the emails and messages to the subscriber’s phone numbers within 05 working days from the date of receiving the dossier for changing key pair. For organization’s digital certificates, theInformatics Technology Departmentshall send the notification on changing key pair and activation code of digital certificates to the emails and messages to the person in charge of organization managing subscribers in accordance with the regulations prescribed in Clause 1, Article 14 of this Circular.

TheInformatics Technology Departmentshall refuse processing the dossier in the case of inadequate dossier with specific reasons. Feedbacks and results shall be implemented in accordance with regulations prescribed at Clause 3, Article 4a of this Circular.

The subscriber shall activate the digital certificates to create the new key pair before the invalid time of activation code in accordance with the instruction on activation and extension of digital certificates which are all posted on the website of the State Bank after receiving the activation code.”

13. To amend, supplement Article 14 as follows:

“Article 14. Responsibilities of organizations managing subscribers

1. To appoint individuals or the entities in charge of registration, management of dossiers, documents and reports related to digital certificates, list of organization’s subscribers; and inform to theInformatics Technology Departmentat the first time and when having any changes in individual/entities in charge.

2. To register and have fully responsibilities on the information accuracy at the documents, dossiers and reports related to the subscriber’s digital certificates directly under the organization management sent to theInformatics Technology Department.

3. To manage, list and update the list of subscriber in the organization. To review and compare the list of digital certificates issued by the State Bank with the usage demand and current information at the organization managing subscribers at least every 6 months. Procedures in changing information, suspension, revocation or cancellation of digital certificate’s operations must be carried out if the digital certificates have inadequate information.

4. To periodically or irregularly report as per regulations at this Circular.

5. To guide, examine and create favor conditions for subscribers under the organization to manage and use digital certificates and secret key as per regulations in this Circular.

6. To promptly inform theInformatics Technology Departmentto suspend or revoke the subscriber’s digital certificates in the cases as follows:

- Subscriber’s secret key are suspected to be exposed, exposed, stolen or illegally used;

- Devices of secret key storage are lost;

- Subscribers change the working positions without using the digital certificates for works;

- Subscribers temporarily leave job, resign, retire or die;

- Subscribers in branches/units of organization managing subscribers that have had their bank code cancelled; - Other cases from the demand of the organizations managing subscribers.

7. Digital certificates granted for organizations must be used and managed by assigned individuals. The assignment must be made by written form stipulating the rights and obligations of individuals appointed to manage. These individual must perform the subscriber’s rights and obligations as per regulations in this Circular.

8. Organizations managing subscribers that are the administrative entities directly under the State Bank of Vietnam shall promptly revoke all the devices of secret key storage that are no longer used for the other subscribers.”

14. To amend and supplement Clause 2, Article 15 as follows:

“2. To preserve and use the codes for accessing devices, data in the devices of secret key storage safely and secretly in all the time that the digital certificate takes effect and is suspended; not to share and lend the code for accessing devices and devices of secret key storage. In case of resigning, reassigning or working in other positions that do not require digital certificates, transfer secret key storage devices to subscriber managing organizations.”

15. To add Clause 3 to the Article 16 as follows:

“3. Signers shall be responsible for the authenticity of information signed by their own digital signatures and only use their digital signatures in the information system when their digital certificates are valid due to system’s notification.”

16. To amend and supplement Article 17 as follows:

“Article 17. Reporting regime

The organizations managing subscribers shall be responsible for reporting to the State Bank as follows:

1. Periodic reports

a) Name of report: Report on checking the list of digital certificates of the State Bank;

b) Content of report:

- List of digital certificates and current situation of usage;

- Comparing the list of digital certificates issued by theInformatics Technology Departmentwith the practical demand and real information at the organization managing subscribers and reporting the list of digital certificates which have not been correctly matched.

c) Subjects of implementation: Entities directly under the State Bank, credit institutions, branches of foreign banks, the State Treasury, the Deposit Insurance of Vietnam, the National Payment Corporation of Vietnam, the Vietnam Asset Management Company and other agencies and organizations using the service of digital signature certifications of the State Bank;

d) Report’s receivers: theInformatics Technology Department– The State Bank;

dd) Method of report submission and receipt:

- The submission and receipt of report shall be implemented as per regulations prescribed in Clause 3, Article 4a of this Circular;

- Organizations managing subscribers shall send reports on checking digital certificates via the Public service system in accordance with the report outline in the Appendix 09attached tothis Circular.

e) Frequency and deadline for report: every 6 months and send reports no later than June 20 and December 20;

g) Time for closing data:

- Time for closing data for the first 06 months of the year is from December 15 before the reporting period to June 14 of the reporting period;

- The time for closing data for the last 06 months of the year is from June 15 to December 14 of the reporting period.

2. Irregular reports at the request of the organization managing subscribers of the State Bank.”

Article 2.

1. To replace the phrase “Information Technology Department” (Cục Công nghệ tin học) by the phrase “Informatics Technology Department” (Cục Công nghệ thông tin).

2. To replace the Forms01, 02, 03, 04, 05, 06, 07, 08, 09attached tothe Circular No. 28/2015/TT-NHNN by the Appendices01, 02, 03, 04, 05, 06, 07, 08, 09attached tothis Circular.

3. To supplement Appendix 02aattached tothis Circular.

Article 3. Responsibilities of implementation organization

Heads of entities affiliated totheState Bank, credit institutions, branches of foreign banks, State Treasury, Deposit Insurance of Vietnam, National Payment Corporation of Vietnam and Vietnam Asset Management Company are responsible for implementation of this Circular.

Article 4. Implementation provisions

1. This Circular takes effect on January 01, 2021.

2. This Circular annuls the Clause 6, Article 1, Clause 4, Article 2 of the Circular 14/2019/TT-NHNN dated August 30, 2019 on amending, supplementing a number or Articles of the Circulars on promulgating the periodic reporting regimes of the State Bank

* All Appendices are not translated herein.