THE STATE BANK OF VIETNAM
THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
No. 35/2016/TT-NHNN
Hanoi, December 29, 2016
CIRCULAR
Prescribing safety and confidentiality in provision of banking services on the Internet
Pursuant to June 16, 2010 Law No. 46/2010/QH12 on the State Bank of Vietnam;
Pursuant to June 16, 2010 Law No. 47/2010/QH12 on Credit Institutions;
Pursuant to November 29, 2005 Law No. 51/2015/QH11 on E-Transactions;
Pursuant to November 19, 2015 Law No. 86/2015/QH13 on Cyberinformation Security;
Pursuant to the Government’s Decree No. 35/2007/ND-CP of March 8, 2007, on banking e-transactions;
Pursuant to the Government’s Decree 156/2013/ND-CP of November 11, 2013, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Information Technology Department,
The Governor of the State Bank of Vietnam promulgates the Circular prescribing safety and confidentiality in provision of banking services on the Internet.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation and subjects of application
1. This Circular prescribes requirements for ensuring safety and confidentiality in provision of banking services on the Internet.
2. This Circular applies to credit institutions, foreign bank branches and institutions providing intermediary payment services in Vietnam (below collectively referred to as units).
Article 2. Interpretation of terms
In this Circular, the terms below are construed as follows:
1. Banking services on the Internet (Internet banking) means banking services and intermediary payment services provided by units via the Internet.
2. Internet banking system means a structured set of hardware equipment, software, databases, communication and security and confidentiality networks and systems to produce, transmit, collect, process, store and exchange digital information serving the management and provision of Internet banking services.
3. Customer means an organization or individual using Internet banking services.
4. One-time password (OTP) means a password which is valid only once within a certain period of time, often used as the second factor to authenticate users who access Internet banking applications or perform Internet banking transactions.
5. Two-factor authentication means a method of authentication requiring two factors to prove the authenticity of a user’s identity. Two-factor authentication is based on the information the user knows (PIN, password, etc.) together with things the user has (smartcard, token, mobile phone, etc.) or the user’s biometrics to verify the user’s identity.
6. End-to-end encryption means a mechanism under which information is encrypted at the source point before being sent and is decrypted only after being received at the destination point of the process of information exchange between applications or devices in a system, aiming to limit the risk of information exposure or leakage in transmission lines.
Article 3. General principles for ensuring safety and confidentiality of the information technology system serving the provision of Internet banking services
1. The Internet banking system is ranked as an important information technology system which must comply with the State Bank of Vietnam’s regulations on ensuring safety and confidentiality of information technology systems in banking operations.
2. Customer information confidentiality and integrity of customers’ transaction data must be ensured, and all financial transactions of customers must be authenticated using at least two factors.
3. The Internet banking system must be always available to provide services in an uninterrupted manner.
4. The Internet banking system must be inspected and assessed in terms of security and confidentiality on an annual basis.
5. Risks in the provision of Internet banking services must be identified, prevented and handled.
6. Information technology infrastructure equipment serving the provision of Internet banking services must be properly licensed and of clear origin; in case a unit is no longer eligible for support from manufacturers or is unable to update the existing software to the latest versions, it shall work out a plan for upgrading or replacing such software as notified by the manufacturers.
Chapter II
SPECIFIC PROVISIONS
Section 1
TECHNICAL INFRASTRUCTURE OF THE INTERNET BANKING SYSTEM
Article 4. Network system, communication, safety and confidentiality
Every unit shall establish networks and communication, security and confidentiality systems that at least meet the following requirements:
1. To divide the network into zones, including at least the Internet connection zone, demilitarized zone (DMZ), user zone, administration zone, and server zone. Computers serving the provision of information on the Internet must be placed in the DMZ. Data storage and processing servers must be placed in the server zone.
2. To apply security and confidentiality solutions for the Internet banking system, at least comprising a firewall, antivirus, denial-of-service attack prevention, an application-layer firewall, and intrusion prevention.
3. To refrain from storing sensitive data in the Internet connection zone and DMZ.
4. To ensure that all inbound connections to the Internet banking system go through the DMZ for the purpose of controlling security and confidentiality.
5. To adopt policies to minimize services and gateways connected to the Internet banking system.
6. To inspect, at least once every three months, the security and confidentiality policies, access rights and connections, and to check for devices and software illegally installed on the network.
7. To refrain from establishing connections from wireless networks to the operational environment of the Internet banking system.
8. To restrict remote connections to the Internet banking system for the purpose of system administration. In case a remote connection to the server zone is required, encrypted communication protocols must be used and passwords must not be stored in utility software.
9. To ensure that all connections from the Internet to the internal network for the purpose of system administration comply with the following rules:
a/ The connection is approved by a competent person after considering its purpose and method;
b/ Encrypted communication protocols are used;
c/ Connecting devices are installed with software that ensures security and confidentiality;
d/ Two-factor authentication is used when logging onto the system.
10. To ensure the availability of Internet connection lines with at least two different Internet service providers.
11. To have solutions for ensuring safety and confidentiality between different zones of the network by installing firewalls or hacking prevention devices between such zones.
Article 5. Server system and system software
1. Requirements on a server
a/ Its monthly average usage is at most 80% of its design capacity;
b/ It is highly available: The Internet banking system must have an on-site backup server;
c/ It is logically or physically separated from the servers serving other professional operations.
2. Units shall make a list of software permitted to be installed in servers, update and inspect this list at least once every six months, and ensure that it is strictly complied with.
Article 6. Database administration system
1. The database administration system must have a mechanism for protecting, and authorizing access to, its resources.
2. The Internet banking system must have a backup database at the Disaster Recovery Center. The backup database must be updated within one hour of the official (production) database. The databases must be backed up daily, and backups must be managed and stored safely.
3. Units shall take measures to supervise and log access to the database as well as manipulations upon access to the database.
Article 7. Internet banking application software
1. Safety and confidentiality requirements must be determined in advance and ensured in the process of developing application software from analysis, design, testing, official operation to maintenance. Documents on software safety and confidentiality must be systemized and stored and used under the “confidential” regime.
2. Units shall control software source codes according to at least the following requirements:
a/ To check source codes to remove malicious code sections and security vulnerabilities;
b/ To appoint specific persons to manage source codes of Internet banking application software;
c/ Access to source codes must be approved by competent persons and be monitored and logged;
d/ A source code must be kept safely in at least two separate locations;
dd/ In case a unit purchases an application software but is not handed the source code of such software, when signing or liquidating the application software supply contract, it shall require the supplier to sign a commitment that the purchased application software does not contain malicious code sections.
3. Units shall test Internet banking application software ensuring at least the following requirements:
a/ To prepare and approve plans and scenarios for testing Internet banking application software, clearly stating safety and confidentiality conditions to be met;
b/ To detect and eliminate errors and frauds that may occur when inputting data;
c/ To assess and scan to detect technical vulnerabilities and weaknesses. To assess the capacity to prevent such attacks as Injection (SQL, XPath, LDAP, etc.), Cross-site Scripting (XSS), Cross-site Request Forgery (XSRF), and Brute-Force;
d/ To record errors and the process of fixing errors, especially those related to safety and confidentiality, in the software inspection and testing reports;
dd/ To inspect and test safety and confidentiality features on browsers (for web applications) and system software versions of mobile equipment (for mobile applications); to create mechanisms to inspect and notify users to run applications on browsers or system software versions which have undergone safety inspection and testing;
e/ To work out preventive measures to avoid abuse and confusion in the use of data during the testing process.
4. Before initiating new application software, a unit shall assess the risks of the initiation process to related professional operations and information technology systems and prepare and implement plans to limit and overcome these risks.
5. The management, change and upgrading of application software versions must meet the following requirements:
a/ Impacts of the change of application software on the bank’s existing system as well as other related systems must be analyzed and assessed;
b/ Software versions, including also source codes, must be managed in a centralized manner and stored to ensure confidentiality while there must be a mechanism for authorizing each staff member to handle files;
c/ Information on versions as well as time of and persons updating such versions must be stored;
d/ Each updated version must be inspected and tested in terms of safety and confidentiality features, level of risk and stability before being officially initiated;
dd/ The upgrading of versions must be based on testing results and be approved by competent persons;
e/ Application software versions which have been successfully tested must be closely managed so as to prevent unauthorized modifications and make them ready for initiation;
g/ There must be clear instructions on changed contents and updating of application software and relevant information which must be approved by competent persons before new versions are initiated for customers.
6. Compulsory functions of application software:
a/ Applying end-to-end encryption to all data transmitted on the Internet;
b/ Ensuring the integrity of transaction data; and being able to promptly detect all unauthorized modifications in the process of transaction processing and data storage;
c/ Having a mechanism to control transaction sessions and website and application access time. In case a user makes no manipulations within a certain length of time set by the unit, which, however, must not exceed five minutes, the system must automatically stop the session or apply other protective measures;
d/ Having the function of hiding passwords used to log onto the system;
dd/ Being designed in a way that requires all transactions of institutional customers to be conducted in at least two steps of creating and approving transactions and effected by at least two different persons.
Article 8. Application software on mobile equipment
Internet banking application software on mobile equipment provided by a unit must comply with Article 7 of this Circular and the following requirements:
1. The unit shall clearly show the link to the Internet banking application software on its website or application store for customers to download and install such application software to their mobile equipment.
2. To apply measures to protect application software from reverse engineering.
3. Application software must authenticate users upon access. In case a user enters incorrect authentication data several times in a row, exceeding the threshold set by the unit (which must not exceed five), the application software shall automatically and temporarily lock itself to prevent further use.
Section 2
AUTHENTICATION OF INTERNET BANKING TRANSACTIONS
Article 9. Authentication of customers accessing Internet banking services
1. A customer accessing Internet banking services shall be authenticated with at least a username and password meeting the following requirements:
a/ The username must be composed of at least six characters, which must neither be all identical nor form a consecutive alphabetical or numerical sequence;
b/ The password must be composed of at least six characters, including letters and numerals in both uppercase and lowercase or special symbols. The maximum validity of a password is 12 months.
2. Internet banking application software must have the feature requiring a customer to change the password immediately upon the first login, and locking out the account in case the customer enters incorrect passwords several times in a row, exceeding the threshold set by the unit (which must not exceed five). The account may be unlocked only when the customer files a written request at a transaction counter.
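As an added illustration (not part of the Circular and not any bank's implementation), the following Python models the Article 9 rules as checks a unit could run at registration and login. Points the text leaves open are marked as assumptions in the comments: the password character rule is read as "letters and numerals, plus either mixed case or a special symbol", 12 months is taken as 365 days, and a descending character run is treated as sequential too.

```python
"""Credential-policy checks modelled on Article 9 of Circular 35/2016/TT-NHNN.
Added example only; interpretations of open points are labelled as assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 6                           # Art. 9.1.a and 9.1.b: at least six characters
PASSWORD_MAX_AGE = timedelta(days=365)   # Art. 9.1.b: 12 months (assumption: 365 days)
MAX_FAILED_LOGINS = 5                    # Art. 9.2: unit-set threshold, never above five


def _is_sequential(s: str) -> bool:
    """True if every character follows the previous one in code-point order.
    Assumption: a descending run (e.g. 'fedcba') is also rejected, conservatively."""
    codes = [ord(c) for c in s.lower()]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps == {1} or steps == {-1}


def username_violations(username: str) -> list:
    """Return the Art. 9.1.a rules the username breaks (empty list = compliant)."""
    problems = []
    if len(username) < MIN_LENGTH:
        problems.append("shorter than six characters")
    if len(set(username)) == 1:
        problems.append("all characters identical")
    if _is_sequential(username):
        problems.append("characters form a consecutive sequence")
    return problems


def password_violations(password: str) -> list:
    """Return the Art. 9.1.b rules the password breaks (empty list = compliant).
    Assumption: the clause is read as letters AND numerals, plus (upper AND lower case) OR a symbol."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numerals")
    mixed_case = any(c.isupper() for c in password) and any(c.islower() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (mixed_case or has_symbol):
        problems.append("needs both upper- and lowercase letters, or a special symbol")
    return problems


@dataclass
class Account:
    """Login state for one customer, enforcing the Art. 9.2 lockout and change rules."""
    username: str
    password_set_at: datetime
    first_login_pending: bool = True
    failed_attempts: int = 0
    locked: bool = False

    def password_expired(self, now: datetime) -> bool:
        return now - self.password_set_at > PASSWORD_MAX_AGE

    def record_login(self, success: bool, now: datetime,
                     max_failed: int = MAX_FAILED_LOGINS) -> str:
        """Apply one login attempt; returns 'ok', 'change_password', 'denied' or 'locked'."""
        if not 1 <= max_failed <= MAX_FAILED_LOGINS:
            raise ValueError("unit threshold must be between 1 and 5")
        if self.locked:
            return "locked"          # stays locked until unlock_at_counter()
        if success:
            self.failed_attempts = 0
            if self.first_login_pending or self.password_expired(now):
                return "change_password"   # first login, or password older than 12 months
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= max_failed:
            self.locked = True
            return "locked"
        return "denied"

    def unlock_at_counter(self) -> None:
        """Only path out of lockout: written request at a transaction counter (Art. 9.2)."""
        self.locked = False
        self.failed_attempts = 0

    def password_changed(self, now: datetime) -> None:
        self.password_set_at = now
        self.first_login_pending = False
```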
Article 10. Requirements on transaction authentication solutions
1. A unit shall assess the level of risk of a transaction based on type of customer, type of transaction and transaction limit so as to provide appropriate solutions for transaction authentication for customers’ selection. Transaction limits must not exceed the limits prescribed by the Governor of the State Bank of Vietnam in each period.
2. Requirements on authentication solutions using OTPs sent via short message services (SMS) or emails:
a/ OTPs sent to customers must be attached with warning information for customers to know about the use purpose of the OTPs;
b/ An OTP must be valid for at most 5 minutes.
3. Requirements on authentication solutions using OTP matrix cards:
a/ An OTP matrix card must be valid for at most 1 year from the date of registration;
b/ An OTP must be valid for at most 2 minutes.
4. Requirements on authentication solutions using OTPs generated by software installed in mobile equipment:
a/ Units shall clearly show the link to the OTP generator software on their websites or application stores for customers to download and install such software;
b/ OTP generator software must be activated using the activation password provided by the unit before use. An activation password may be used for only one piece of mobile equipment;
c/ Access to OTP generator software must be controlled. In case a user enters incorrect authentication data for five times in a row, software shall be automatically locked out to prevent further use;
d/ An OTP must be valid for at most 2 minutes.
5. Requirements on authentication solutions using OTPs generated by tokens (OTP token): An OTP must be valid for at most 2 minutes.
6. Requirements on authentication solutions using digital signatures: Units shall use digital signatures and digital signature certification services provided by digital signature certification service providers operating under the law on digital signatures and digital signature certification services.
7. Requirements on authentication solutions using biometrics: Biometric characteristics must be unique to the customer and must not be forgeable.
Section 3
OPERATION MANAGEMENT
Article 11. Management of personnel in charge of administration and operation of the Internet banking system
1. Each unit shall assign personnel to take charge of supervising and monitoring the operation of its system, and detecting and handling technical incidents and network attacks.
2. Every unit shall assign personnel to take charge of receiving information and supporting customers, and promptly contacting customers upon detection of extraordinary transactions.
3. The personnel in charge of administration, supervision and operation of the Internet banking system shall participate in annual training courses to update knowledge on security and confidentiality issues.
4. The issuance and authorization of accounts for administration of the Internet banking system must be monitored and supervised by a division independent from the account issuance division.
Article 12. Management of operation of the operational environment of the Internet banking system
1. A unit may neither install nor store application development software and source codes in the operational environment of the Internet banking system.
2. Computers of the system administration, supervision and operation personnel must be placed in the administration zone, installed with antivirus software and have their screens automatically locked after being left unused for a certain length of time set by the unit, which, however, must not exceed 5 minutes.
3. Every unit shall adopt policies prohibiting access to the Internet from computers of system administration, supervision and operation personnel.
Article 13. Management of technical vulnerabilities and weaknesses
A unit shall manage vulnerabilities and weaknesses of its Internet banking system with the following basic contents:
1. Adopting measures for preventing, combating and detecting changes to the website and Internet banking application.
2. Establishing mechanisms to detect, prevent and combat intrusion into or attacks to the Internet banking system.
3. Cooperating with state management agencies and information technology partners in order to promptly acquire information on incidents and circumstances concerning information safety and confidentiality so as to work out appropriate preventive measures.
4. Reviewing and inspecting the updating of patches of the system software, database administration system and application software at least once every three months.
5. Conducting security and confidentiality assessment of the Internet banking system at least once a year, and organizing attack drills to inspect and assess the system’s security assurance level.
Article 14. System for administering and supervising operation of the Internet Banking system
1. Every unit shall establish a system for supervising and monitoring the operation of its Internet banking system.
2. Every unit shall develop criteria and software to identify extraordinary transactions based on time, geographical location, transaction frequency, transaction amount, number of incorrect login attempts exceeding the set threshold, and other unusual signs.
3. Every unit shall arrange a control room separately from the common working area to serve the administration, supervision and monitoring of operation of the Internet banking system, which must meet the following requirements:
a/ Personnel allowed to enter the control room must be approved by a competent person;
b/ Access to the system for the purpose of system administration, operation and maintenance must be conducted using equipment placed in the control room. Remote access or direct access on equipment must be approved by a competent person;
c/ Any outside access to equipment placed in the control room must be subject to two-factor authentication.
Article 15. Management of information confidentiality incidents
Every unit shall work out measures for recording, monitoring and handling information security incidents. Once every three months, it shall conduct assessment to find out causes and proactively apply appropriate measures to prevent recurrent incidents.
Article 16. Assurance of uninterrupted operation
Every unit shall develop a disaster prevention system and processes and scenarios to ensure uninterrupted operation of its Internet banking system in accordance with the State Bank of Vietnam’s regulations on safety and confidentiality of the information technology system in banking operations. In addition, it shall:
1. Analyze and identify circumstances likely to cause information insecurity and disruption of operation of the Internet banking system. Identify and assess the level of risk and possibility of occurrence of each circumstance at least once every six months. Make a list of circumstances of high, medium, acceptable and low levels of risk and possibility of occurrence.
2. Prepare plans (processes and scenarios) for remedying circumstances with a high or medium level of risk and possibility of occurrence as prescribed in Clause 1 of this Article. Determine the maximum downtime for restoring the system and database and a handling plan for each circumstance. Disseminate handling plans to relevant personnel for them to clearly understand tasks and jobs to be done in each circumstance.
3. Arrange human and financial resources and technical equipment to organize drills of plans for handling circumstances with a high level of risk and possibility of occurrence at least once every six months.
4. Make plans and hold drills to ensure the continuous operation of business, store related documents and evaluate drill results.
Section 4
PROTECTION OF CUSTOMER INTERESTS
Article 17. Information about Internet banking services
1. Units shall provide customers with information about Internet banking services before they register to use the services, at least about:
a/ Method of providing the services: on the Internet, via mobile equipment or telecommunications equipment, and the method of accessing Internet banking services for each type of equipment (Internet, mobile equipment or telecommunications equipment);
b/ The transaction limits and transaction authentication measures;
c/ Necessary conditions on equipment when using the services: OTP generator, mobile phone number, email, digital certificate, and mobile equipment to be installed with the software;
d/ Risks related to the use of Internet banking services.
2. Units shall provide customers with information on the contract on provision and use of Internet banking services, at least on:
a/ Rights and obligations of customers when using Internet banking services;
b/ Responsibility of the unit for confidentiality of customers’ personal information; method of collecting and using customer information; and commitment not to sell or disclose or leak customer information;
c/ Commitment to maintain uninterrupted operation of the Internet banking system;
d/ Other contents in terms of Internet banking services (if any).
Article 18. Instructions for customers to use Internet banking services
1. Units shall develop processes and manuals on installation and use of software, applications and equipment for conducting Internet banking transactions and provide customers with instructions on how to apply these processes and use these manuals.
2. Units shall instruct customers to implement measures for ensuring safety and confidentiality when using Internet banking services, at least the following:
a/ Protecting passwords and OTPs and not sharing equipment storing such information;
b/ Method of creating and changing passwords of login accounts at least once a year or upon disclosure or suspected disclosure of such passwords;
c/ Not using public computers to access the Internet banking system or conduct Internet banking transactions;
d/ Not saving usernames and passwords on web browsers;
dd/ Logging out from Internet banking applications after using them;
e/ Identifying and taking actions against circumstances of phishing or fake websites;
g/ Installing and using antivirus software on personal equipment for Internet banking transactions;
h/ Selecting authentication measures with the level of safety and confidentiality conformable with their demand with regard to transaction limits;
i/ Giving warnings of the risks related to the use of Internet banking services;
k/ Not using unlocked mobile equipment to download and use the Internet banking application software or OTP generator software;
l/ Promptly notifying the unit when detecting extraordinary transactions;
m/ Immediately notifying the unit of the loss of or damage to OTP generators, phone numbers to receive SMS, devices storing digital signature-generating keys; and cases of fraudulence or suspicious fraudulence; or attacks or suspicious attacks by hackers.
3. Units shall provide customers with information about their focal points for receiving information, hotlines and instructions on the process and methods for coordinated handling of errors and incidents occurring in the course of using the services.
Article 19. Customer information confidentiality
Units shall apply measures for ensuring safety and confidentiality of customer information databases, at least the following:
1. Encrypting or hiding sensitive data of customers which are stored or transmitted on the Internet.
2. Establishing the right to access customer data for the personnel in charge of accessing such data according to their functions and tasks; and taking measures for monitoring each access.
3. Taking measures for managing access to equipment and devices used to store customer information to prevent the risk of exposure and leakage of customer information.
Chapter III
IMPLEMENTATION PROVISIONS
Article 20. Reporting regime
Units providing Internet banking services shall send reports to the State Bank of Vietnam (the Information Technology Department) as follows:
1. Reports on provision of Internet banking services:
a/ Time limit for submission: At least 10 working days before the official provision of Internet banking services;
b/ Reporting contents:
(i) Website address or application store;
(ii) The products and services currently provided;
(iii) The official date of provision;
(iv) The unit providing the Internet banking system products;
(v) Third parties which the unit hires or cooperates with to set up and operate the Internet banking system; activities related to the Internet banking system with the participation of third parties and forms of their participation;
(vi) Authentication solutions applicable to each type of customer, each type of transaction and transaction limit;
(vii) Other documents on information and communication technology infrastructure, human resources, professional processes, plans for handling risks, and other related matters as prescribed in Chapter II of this Circular.
2. Irregular reports:
a/ Upon occurrence of incidents compromising the safety of, or affecting the operation of, its Internet banking system, within 5 days after an incident occurs or is detected, the unit shall send a report on:
(i) Time and place of the incident;
(ii) Brief description of the incident and the situation when the incident occurs;
(iii) The cause of the incident;
(iv) Assessment of risks and impacts on the Internet banking system and other relevant systems;
(v) The situation of the damage;
(vi) Measures already taken to remedy the incident and prevent risks;
(vii) Recommendations and proposals.
b/ Other cases to be reported at the request of the State Bank of Vietnam.
3. Annual reports:
The time limit for submitting and contents of an annual report must comply with the statistical reporting regime of the State Bank of Vietnam applicable to credit institutions and foreign bank branches.
Article 21. Responsibilities of departments and agencies under the State Bank of Vietnam
1. The Information Technology Department shall:
a/ Monitor, review and report to the State Bank Governor on the assurance of safety and confidentiality of information technology systems for provision of Internet banking services by units under Article 20 of this Circular;
b/ Assume the prime responsibility for, and coordinate with relevant departments and agencies under the State Bank of Vietnam in, handling problems arising in the course of implementing this Circular.
2. The Banking Supervisory Agency shall coordinate with the Information Technology Department in inspecting and supervising the implementation of this Circular and handle administrative violations in accordance with law.
Article 22. Effect
This Circular takes effect on July 1, 2017, and replaces the State Bank of Vietnam’s Circular No. 29/2011/TT-NHNN of September 21, 2011, prescribing safety and confidentiality in the provision of Internet banking services.
Article 23. Organization of implementation
The Chief of the Office, the Director of the Information Technology Department, and heads of departments and agencies under the State Bank of Vietnam, directors of provincial-level branches of the State Bank of Vietnam, chairpersons of the Boards of Directors and Members’ Councils and directors general (directors) of credit institutions, foreign bank branches and intermediary payment service providers shall implement this Circular.
For the Governor of the State Bank of Vietnam
Deputy Governor
NGUYEN KIM ANH