THE STATE BANK OF VIETNAM
Circular No. 28/2015/TT-NHNN dated December 18, 2015 of the State Bank of Vietnam stipulating the management and use of digital signatures, digital certificates and the digital signature certification service of the State Bank
Pursuant to the Law on State Bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;
Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated June 16, 2010;
Pursuant to the Law on Information Technology No. 67/2006/QH11 dated 29/6/2006;
Pursuant to the Law on E-Transaction No. 51/2005/QH11 dated 29/11/2005;
Pursuant to the Decree No. 26/2007/ND-CP dated 25/02/2007 of the Government detailing the implementation of the Electronic Transaction Law on digital signature and digital signature certification service;
Pursuant to the Decree No. 106/2011/ND-CP dated November 23, 2011 of the Government amending, supplementing a number of articles of the Decree No. 26/2007/ND-CP dated February 15, 2007 of the Government detailing the implementation of the Electronic Transaction Law on digital signature and digital signature certification service;
Pursuant to the Decree No. 170/2013/ND-CP dated November 13, 2013 amending, supplementing a number of articles of the Decree No. 26/2007/ND-CP dated February 15, 2007 of the Government detailing the implementation of the Electronic Transaction Law on digital signature and digital signature certification service and the Decree No. 106/2011/ND-CP dated November 23, 2011 of the Government amending, supplementing a number of articles of the Decree No. 26/2007/ND-CP dated February 15, 2007;
Pursuant to the Decree No. 156/2013/ND-CP dated November 11, 2013 of the Government regulating functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Information Technology Department;
The State Bank of Vietnam promulgates the Circular on the management, use of digital signature, digital certificates and digital signature certification service of the State Bank.
Article 1. Scope of adjustment
This Circular defines the management, use of digital signature, digital certificates, and digital signature certification service of the State Bank.
Article 2. Subjects of application
1. Units under the management of the State Bank; credit institutions, branches of foreign banks; State Treasury;
2. Other organizations that choose to use the digital signature certification service of the State Bank in electronic transactions organized by the State Bank.
Article 3. Interpretation of terms
In this Circular, the terms below are construed as follows:
1. "Digital certificate" is a form of electronic certificate provided by the organization of providing digital signature certification service of the State Bank.
2. "Digital signature certification service" means a type of service provided by the organization of providing digital signature certification service of the State Bank. Digital signature certification service includes:
a) Creating key pairs including public keys and private keys for the subscribers;
b) Providing, renewing, suspending, restoring, and withdrawing digital certificates of subscribers;
c) Maintaining online database of digital certificates;
d) Other services under the provisions of the Decree on signatures;
3. “Organizations providing digital signature certification service” means organizations providing digital signature certification service of the State Bank operated by the Information Technology Department;
4. "Subscriber" means an organization or individual under the management of the units and organizations stipulated in Article 2 of this Circular that is provided with a digital certificate by the organization of providing digital signature certification service, accepts the digital certificate and keeps the private key corresponding to the public key recorded on the issued digital certificate.
5. "Organization of subscriber management" means the unit of the State Bank; credit institutions, the State Treasury or other organizations requesting for issuance of digital certificates to organizations and individuals in their organizations.
6. "E-Transactions of the State Bank" mean the activities, service conducted by electronic methods of the State Bank.
7. “Private key” means a key in the code system that is used to create the digital signature.
8. “Public key” means a key in the code system that is used to check digital signatures created by corresponding private key.
9. “Signer” means the subscriber that uses the private key to sign under his/her name.
10. “Receiver” means an organization or individual who receives data signed by the signer and uses the digital certificate of that signer to check the digital signature in the received data and process related transactions.
Article 4. Contents of digital certificate
1. Name of organization of providing service of digital signature;
2. The name of the subscriber;
3. Name of the subscriber management organization;
4. Number sign of digital certificate;
5. The validity of digital certificate;
6. The subscriber's public keys;
7. The digital signature of the organization of providing digital signature service;
8. The limitations on the purpose and scope of use of digital certificate;
9. The limited liability of organization of providing service of digital signature;
10. Other information as stipulated by the Ministry of Communication and Information;
Chapter II
DIGITAL SIGNATURE CERTIFICATION SERVICE
Article 5. Grant of digital certificates
1. Digital certificates for individuals under the organization of managing subscribers.
Upon the demand of granting digital certificates for individuals under the organization of managing subscribers, the organization of managing the subscriber shall submit 01 dossier of application for granting digital certificates by internet or by post to the organization of providing digital certificates. The dossier includes:
a) A written request for issuance of digital certificates of the organization of managing subscriber;
b) The written request for granting digital certificate (Form No. 2 in the Appendix attached to this Circular) of the individual under the organization of managing subscribers.
2. Digital certificates for competent persons (legal representatives)
Upon the demand of granting digital certificates for competent persons (legal representatives) of the organization of managing subscribers, the organization of managing the subscriber shall submit 01 dossier of application for granting digital certificates by internet or by post to the organization of providing digital certificates. The dossier includes:
a) Documents as stipulated under Clause 1 of this Article;
b) Copies of stamp registration certification of organizations as stipulated under the law on management and use of stamps.
c) Copies of the title certification of competent persons of organizations;
d) For copies under Points b and c of this Clause, organizations may submit copies issued from the original register, certified copies, or copies presented together with the original for comparison.
3. Within 5 working days from the receipt of the complete application for granting digital certificates, the organization of providing digital signature service shall grant digital certificates to the subscriber and notify the result on the internet or by post. In case of refusal, the reasons must be clearly stated.
4. The effective time of digital certificates shall be proposed by the organization of managing the subscriber but it should not be over 05 years since the effective day of that digital certificate.
Article 6. Extension of digital certificates
1. A digital certificate that is requested for renewal must still be effective.
2. The organization of managing subscribers shall submit an application for extension of the digital certificate (Form No.3 in the Appendix attached to this Circular) to the organization that provides digital signature service directly or by post.
3. Application for extension of the digital certificate must be sent to the organization providing the digital signature service 10 days before the expiration date of the digital certificate.
4. Within 05 working days from the receipt of the valid application for extension of the digital certificate, the organization providing the digital signature service shall extend the digital certificate and notify the results to the subscriber by post or by internet. In case of refusal, the reasons must be clearly stated.
Article 7. Suspension of digital certificates
1. The subscriber's digital certificate shall be suspended in the following cases:
a) The private key is leaked or suspected to be leaked; the storage device of the private key is lost or copied unlawfully, or other unsafe circumstances arise; upon written request from the subscribers (Form No. 4 in the Appendix attached to this Circular);
b) Upon written request from the competent agencies, security agencies or the Ministry of Communication and Information.
c) Upon written request from the organization of managing subscriber;
d) The organization of providing service of digital signature found any errors or incidents that may affect the rights of subscriber or of security and safety of the system providing service of digital signature certification.
dd) The time to suspend the digital certificate as stipulated under Point a, c of this Clause is upon the request of the subscriber or the organization of managing subscriber; The time to suspend the digital certificate as stipulated under Point b of this Clause is upon the request of competent agencies, security agencies or the Ministry of Communication and Information.
2. When receiving information, requests as stipulated under Clause 1 of this Article, the organization providing digital certificates shall immediately suspend the digital certificate, notify the results through internet or by post within 5 working days, and update information on the website of the State Bank.
Article 8. Recovery of digital certificates
1. Digital signature that is proposed to recover must be in the time of temporary suspension.
2. The organization of providing the digital signature service is responsible for considering the restoration of digital certificates to the subscribers in the following cases:
a) Upon written request from the competent State agency; security agencies or Ministry of Communication and Information;
b) Upon the proposal to restore the digital certificate of the organization of subscriber management;
c) Time to suspend digital certificate upon the suspension request has expired;
d) The digital certificates suspended according to provisions in point d Clause 1 Article 7 of this Circular and the violations, errors, problems have been corrected.
3. The organization of subscriber management shall send the request for recovery of digital certificate according to Form 05 in the Appendix attached to this Circular by internet or by post to the organization of providing digital certificates.
4. Within 05 working days from the date of receiving complete dossiers as prescribed, the organization of providing digital signature service is responsible for recovering the digital certificates for the subscribers. In case of refusal, the reasons must be clearly stated.
Article 9. Revocation of digital certificates
1. The subscriber's digital certificate is revoked in the following cases:
a) Upon the request of competent agencies, security agencies or the Ministry of Communication and Information.
b) Upon written request from the organization of managing subscriber;
c) The organization of managing subscriber, subscriber is dissolved or declared bankrupt according to the law regulations;
d) Having sufficient grounds to identify the subscriber that commits violation of the regulations on management and use of private key and the storage device of private key as stated under Clause 1, Clause 2 Article 15 of this Circular;
2. The organization of managing subscriber shall send the application for revocation of digital certificates according to Form 06 in the Appendix attached to this Circular by internet or by post to the organization of providing digital signature service.
3. When receiving information, requests as stated in the Clause 1 of this Article, the organization of providing digital signature service shall immediately revoke the digital certificate and notify the results by internet or by post within 05 working days and update information on the website of the State Bank.
Article 10. Creation and provision of key
1. A subscriber's key pair can be created by the subscriber or by the organization of providing service of digital signature;
2. Where self-creating key pair, the subscribers must create key before the activation day is due as stated in the notification of granting digital certificates. Where the subscriber hasn’t created a key pair before the due activation date, the organization of providing the digital signature service shall send the proposal for changing activation code before the due date in the notification of granting digital certificate according to Form 08 and send to the organization of providing the digital signature service. If the activation date is over, the subscriber who wants to continue to use digital certificates shall implement procedures according to Article 11 of this Circular.
3. Where organization of providing the digital signature service creates a key pair for the subscribers, the subscribers shall see the organization of providing the digital signature service to request to create a key pair. The organization of providing the digital signature service shall create a key pair and give it to the subscribers.
4. The subscribers must use the storage device by the technical standards defined by the organization of providing digital signature service.
Article 11. Change of the key pairs
1. Subscribers with requirements of change of the key pairs must ensure that the digital certificate is still effective. If the digital certificate is ineffective, the subscriber who wants to continue the service shall process procedures as stated under Article 5 of this Circular.
2. The organization of managing subscriber sends the written request to change the subscriber's key pair (Form No. 7 in the Appendix attached to this Circular) to the organization of providing digital signature service by internet or by post.
3. Within 05 working days from the receipt of the written request to change the subscriber's key pair, the organization of providing digital signature service shall change the key pair and notify the result by internet or by post. In case of refusal, the reasons must be clearly stated.
Article 12. Update and disclose information
The organization of providing digital signature service shall update and maintain 24 hours in a day and seven days a week on the website of the State Bank the following information:
1. Information on management, use of digital signature, digital certificate and digital signature certification service;
2. List of the digital certificate that is effective, suspended and revoked of the subscriber;
3. Other information;
Chapter III
RESPONSIBILITY OF PARTIES PROVIDING AND USING DIGITAL SIGNATURE CERTIFICATION SERVICE
Article 13. Responsibilities of organization of providing digital signature service
1. To grant, extend, revoke and recover digital certificates and change pair keys for the subscriber when being requested;
2. To manage and operate the system of technical equipment to provide service of digital signature certification of the State Bank;
3. To have reserve plans to maintain operations of providing digital signature certification service of the State Bank safely, continuously;
4. To keep for archiving the complete, accurate and updated information of the subscribers for the management of digital certificates during the validity of the digital certificates;
5. To distribute keys and digital certificates to subscribers;
6. To provide for the subscriber the scope, limitation of use of digital certificates, security requirements and other information likely to affect the benefits of the subscriber applying for issuance of digital certificates;
7. To ensure communication channels to receive requests for the suspension and revocation of digital certificates are available 24 hours per day and 07 days per week;
8. To store information relating to the suspension or revocation of digital certificates or change in pair keys in a period of at least 05 years from the time that the digital certificates are suspended or revoked or change in pair keys.
9. To publish the list of digital certificates issued, suspended, or revoked;
10. To provide information on software, guidelines on management, use of digital signature, digital certificate and digital signature certification service.
Article 14. Responsibility of the organization of managing subscriber
1. To register digital certificates of competent persons (legal representatives) who, on behalf of the organization of managing subscriber, digitally sign documents related to digital certificates.
2. To manage, update the list of the subscriber in the organization. To review the list of the subscriber three times a month: (i) the list of subscribers and professions in accordance with the position, job requirements; (ii) officers who quit, transfer to another workplace must be revoked digital certificates timely; (iii) digital certificates that are about to expire shall be extended promptly to ensure the operation.
3. To report periodically in accordance with Article 17 of this Circular.
4. To be responsible for the accuracy of information in the documents on digital certificates of the subscriber that is sent to the organization of providing digital signature service.
5. To send documents on digital certificate through the portal of the State Bank or by post or send directly to the organization of providing digital signature service. Documents on digital certificates sent by internet route must be signed by competent persons whose digital signatures are granted by the organization of providing digital signature service.
6. To guide, inspect and create conditions for the subscribers under their organizations’ management to manage and use digital certificates and in accordance with the provisions of this Circular;
7. To promptly notify in writing the organization of providing digital signature service to suspend or withdraw digital certificates of competent persons in the following cases: competent persons terminate temporarily or terminate their jobs, transfer to other organizations.
8. To promptly notify in writing the organization of providing digital signature service to suspend or withdraw the subscribers' digital certificates in the following cases: subscribers terminate temporarily or terminate their jobs, transfer to other organizations; subscribers transfer to new work that no longer requires the digital certificates issued; and other cases arising from the needs of organizations of managing subscribers.
Article 15. Responsibility of the subscriber
1. To use for the proper purpose the registered digital certificates;
2. To preserve and use the data in the storage device of the private key under the "Confidentiality" regime; avoid sharing private keys, equipment containing private keys of digital certificates.
3. To promptly notify the organization of providing digital signature service and the organization of managing their subscribers in case of detected or suspected problems with the safety of digital certificates;
4. To comply with other regulations on allocation, management and use of digital certificates.
Article 16. Responsibility of signer and receiver
1. Before accepting digital signatures, the receiver must inspect the following information:
a) Effectiveness, scope, limitation of use of digital certificates of the signer and digital signatures of the organization of providing digital signatures;
b) Digital signatures must be protected by private keys corresponding with public keys on the digital certificates of the signer.
2. The receiver shall be responsible for any loss arising in the following cases:
a) Failing to comply with the regulations stipulated under Clause 1 of this Article;
b) Having been notified about the inaccuracy of the digital certificates and private keys of the signer but still accepting those digital certificates;
Chapter IV
IMPLEMENTATION PROVISIONS
Article 17. Reporting regime
The organization of managing the subscriber shall report to the State Bank (The Information Technology Department) as follows:
1. To report periodically on management, use of digital certificates:
a) Time to report: 06 months/time, no later than January 15 and July 15 annually;
b) Form of reporting: To report in writing by using Excel file of Microsoft and send it through internet according to Form 09 to the State Bank (the Information Technology Department).
2. To report urgently upon the request of the organization of providing digital signature service.
Article 18. Violations and handling of violations, complaints, and dispute settlement
The determination of violations and handling of violations, complaints, and dispute settlement on digital signatures and digital signature certification service of the organization of providing digital signature service, subscribers and subscriber management organizations comply with the provisions of the Decree of digital signatures and other provisions of the concerned law.
Article 19. Effects
This Circular takes effect from February 01, 2016 and replaces the Decision No. 12/2011/TT-NHNN dated May 17, 2011 of the State Bank stipulating the management, use of digital signature, digital certificates and digital signature certification service of the State Bank.
Article 20. Organization of implementation
1. The Information Technology Department is responsible for:
a) Guiding the management and use of digital signatures, digital certificates and the digital signature certification service;
b) Monitoring the implementation of this Circular;
2. The inspection agencies, bank supervisors are responsible for coordinating with the Department of Information Technology to inspect the observance of this Circular of the credit institutions, branches of foreign banks.
3. Heads of units under the State Bank, directors of State Bank branches in provinces and cities under central authority, the chairperson of Management Board, General Directors (directors) of credit institutions, branches of foreign banks, the State Treasury shall implement this Circular.
For The Governor
Deputy Governor
Nguyen Toan Thang
*All appendices are not translated.