Circular 35/2018/TT-NHNN amending Circular 35/2016/TT-NHNN safety, confidentiality in Internet banking services


Circular No. 35/2018/TT-NHNN dated December 24, 2018 of the State Bank of Vietnam on amending and supplementing a number of articles of the Governor of the State Bank of Vietnam’s Circular No. 35/2016/TT-NHNN of December 29, 2016, prescribing safety and confidentiality in provision of banking services on the Internet
Issuing body: State Bank of Vietnam
Official number: 35/2018/TT-NHNN
Signer: Nguyen Kim Anh
Type: Circular
Issuing date: 24/12/2018
Effective date: 01/07/2019 (see Article 4)
Expiry date: Updating
Fields: Finance - Banking

SUMMARY

Customer must change the password immediately upon the first login into the Internet banking application

This is a new requirement of the State Bank of Vietnam in Circular No. 35/2018/TT-NHNN on amending and supplementing a number of articles of the Governor of the State Bank of Vietnam’s Circular No. 35/2016/TT-NHNN of December 29, 2016, prescribing safety and confidentiality in provision of banking services on the Internet.

To be specific, Internet banking application software must have a feature requiring a customer to change the password immediately upon the first login, and must lock out the account when the customer consecutively enters incorrect passwords more times than the number set by the unit.

The unit shall unlock the account only when the customer so requests, and shall authenticate the customer before unlocking in order to prevent fraud.

In addition, application software must authenticate users upon access and must not have a feature to store passwords. If a user consecutively enters incorrect authentication data more times than the number set by the unit, the application software shall be automatically and temporarily locked out to prevent further use.

This Circular was issued on December 24, 2018 and takes effect on July 1, 2019.

LuatVietnam.vn is the SOLE distributor of English translations of Official Gazette published by the Vietnam News Agency

THE STATE BANK OF VIETNAM

THE SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

No. 35/2018/TT-NHNN

Hanoi, December 24, 2018

CIRCULAR

Amending and supplementing a number of articles of the Governor of the State Bank of Vietnam’s Circular No. 35/2016/TT-NHNN of December 29, 2016, prescribing safety and confidentiality in provision of banking services on the Internet[1]


Pursuant to the June 16, 2010 Law on the State Bank of Vietnam;

Pursuant to the June 16, 2010 Law on Credit Institutions and the November 20, 2017 Law Amending and Supplementing a Number of Articles of the Law on Credit Institutions;

Pursuant to the November 29, 2005 Law on E-Transactions;

Pursuant to the November 19, 2015 Law on Cyberinformation Security;

Pursuant to the Government’s Decree No. 16/2017/ND-CP of February 17, 2017, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

Pursuant to the Government’s Decree No. 35/2007/ND-CP of March 8, 2007, on banking e-transactions;

Pursuant to the Government’s Decree No. 117/2018/ND-CP of September 11, 2018, on confidentiality and provision of client information of credit institutions and foreign bank branches;

At the proposal of the Director of the Information Technology Department,

The Governor of the State Bank of Vietnam promulgates the Circular amending and supplementing a number of articles of the Governor of the State Bank of Vietnam’s Circular No. 35/2016/TT-NHNN of December 29, 2016, prescribing safety and confidentiality in provision of banking services on the Internet (below referred to as Circular No. 35/2016/TT-NHNN).

Article 1. To amend and supplement a number of articles of Circular No. 35/2016/TT-NHNN

1. To amend and supplement Article 3 as follows:

“Article 3. General principles for ensuring safety and confidentiality of the information technology system serving the provision of Internet banking services

1. The Internet banking system is an important information system under the State Bank’s regulations on safety of information systems in banking operations.

2. Client information confidentiality and integrity must be ensured. The Internet banking system must be available to provide services in an uninterrupted manner.

3. Levels of risks of information on client transactions must be assessed by client group, transaction type and transaction limit so as to introduce appropriate transaction authentication measures for customers’ selection. Transaction authentication measures must meet the following requirements:

a/ At least the multi-factor authentication measure must be applied upon the change of client identification information;

b/ Authentication measures must be applied for each client group, transaction type and transaction limit under the State Bank Governor’s decision in each period;

c/ For multi-step transactions, at least the authentication measure must be applied at the step of final approval.

4. The Internet banking system must be inspected and assessed in terms of security and confidentiality on an annual basis.

5. Risks, possibility of occurrence and causes of risks must be regularly identified in order to promptly take measures to prevent, control and handle risks in the provision of banking services on the Internet.

6. Information technology infrastructure equipment serving the provision of Internet banking services must be properly licensed and of clear origin. For equipment whose life cycle is about to expire and which is no longer eligible for support from the manufacturer, the unit shall work out a plan for upgrading or replacing it as notified by the manufacturer, ensuring that the infrastructure equipment can be installed with a new software version.”.

2. To amend and supplement Clause 3, Article 4 as follows:

“3. To refrain from storing client information in the Internet connection zone and DMZ.”.

3. To amend and supplement Clause 10, Article 4 as follows:

“10. To ensure the high availability and uninterrupted service provision of Internet connection lines for service provision.”.

4. To amend and supplement Clause 2, Article 6 as follows:

“2. The Internet banking system must have a backup database for disaster recovery that is able to replace the official database and protect customers’ online transaction data.”.

5. To amend and supplement Points c and dd, Clause 6, Article 7 as follows:

“c/ Controlling transaction sessions: The system must automatically stop the session in case a user makes no manipulation within a certain length of time set by the unit, or apply another protective measure;”;

“dd/ Being designed in a way that requires all transactions of institutional clients to be conducted in at least two steps of creating and approving transactions by different persons. For institutional clients permitted by law to apply a simple accounting regime, transactions shall be conducted under regulations applicable to individual clients.”.

6. To amend and supplement Clause 3, Article 8 as follows:

“3. Application software must authenticate users upon access and must not have a feature to store passwords. If a user consecutively enters incorrect passwords more times than the number set by the unit, the application software shall be automatically locked out temporarily to prevent further use.”.

7. To add the following Point c to Clause 1, Article 9:

“c/ For accessing the Internet banking system with a browser, the unit must have measures to prevent automatic login.”.

8. To amend and supplement Clause 2, Article 9 as follows:

“2. Internet banking application software must have a feature requiring a customer to change the password immediately upon the first login, and must lock out the account if the customer consecutively enters incorrect passwords more times than the number set by the unit. The unit shall unlock the account only when the customer so requests, and shall authenticate the customer before unlocking the account in order to prevent fraud.”.
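As an added illustration (not text of the Circular), the following Python sketch models the controls of Clause 3, Article 8 and Clause 2, Article 9 as amended above: a forced password change on first login, an automatic temporary lockout after a unit-defined number of consecutive wrong passwords, storage of a salted digest rather than the password itself, and unlocking only at the customer's request after authentication. The threshold value, the state names and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

MAX_CONSECUTIVE_FAILURES = 5   # "the number set by the unit"; assumed value

def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 digest, never the password itself (Clause 3, Art. 8).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change_password: bool = True   # initial credential, first login pending
    failures: int = 0                   # consecutive wrong passwords
    locked: bool = False

def create_account(initial_password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(initial_password, salt))

def login(acct: Account, password: str) -> str:
    """Return 'locked', 'denied', 'change_password' or 'ok'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
        acct.failures += 1
        if acct.failures >= MAX_CONSECUTIVE_FAILURES:
            acct.locked = True            # automatic temporary lockout
            return "locked"
        return "denied"
    acct.failures = 0                     # a success resets the consecutive count
    if acct.must_change_password:
        return "change_password"          # first login: no access until changed
    return "ok"

def change_password(acct: Account, old: str, new: str) -> bool:
    if new == old or login(acct, old) not in ("ok", "change_password"):
        return False
    acct.salt = os.urandom(16)
    acct.digest = _hash(new, acct.salt)
    acct.must_change_password = False
    return True

def unlock(acct: Account, customer_requested: bool, customer_authenticated: bool) -> bool:
    # Unlock only at the customer's request and after authenticating them (Clause 2, Art. 9).
    if not (customer_requested and customer_authenticated):
        return False
    acct.locked, acct.failures = False, 0
    return True
```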

9. To amend and supplement Clause 3, Article 12 as follows:

“3. Every unit shall adopt policies limiting Internet access from computers that administer and supervise the Internet banking system. If such computers need an Internet connection for work purposes, the unit shall:

a/ Assess risks from Internet connection;

b/ Apply measures to control the connection;

c/ Have the implementation plan approved by a competent person of the unit.”.

10. To add the following Clause 6 to Article 13:

“6. Updating information on published vulnerabilities related to system software, database management systems and application software, as rated under the Common Vulnerability Scoring System version 3 (CVSS v3.0). Security patches or timely preventive measures shall be applied within:

a/ One month after publication, for vulnerabilities rated as critical (CVSS v3.0 score of 9.0 or higher);

b/ Two months after publication, for vulnerabilities rated as high (CVSS v3.0 score of between 7.0 and 8.9);

c/ A time limit decided by the unit, for vulnerabilities rated as medium or low (CVSS v3.0 score below 7.0).”.
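As an added example (not part of the Circular), this Python code turns the Clause 6, Article 13 bands into concrete patch deadlines, handling calendar-month arithmetic at month end, and lists the overdue findings in a constructed inventory. The 90-day window for medium/low findings, the record layout and the placeholder identifiers are assumptions, not values from the Circular.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta

UNIT_MEDIUM_LOW_DAYS = 90   # "time limit decided by the unit"; assumed value

def severity(score: float) -> str:
    # Bands exactly as written in the Circular (CVSS v3.0 base score).
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS v3.0 base score must be within 0.0-10.0")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium_or_low"

def add_months(d: date, months: int) -> date:
    # Calendar-month arithmetic; clamp to the last valid day (Jan 31 + 1 month -> Feb 28/29).
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, monthrange(y, m)[1]))

def deadline(published: date, score: float) -> date:
    band = severity(score)
    if band == "critical":
        return add_months(published, 1)      # one month after publication
    if band == "high":
        return add_months(published, 2)      # two months after publication
    return published + timedelta(days=UNIT_MEDIUM_LOW_DAYS)

@dataclass
class Finding:
    ref: str            # advisory/CVE identifier; placeholders below
    score: float        # CVSS v3.0 base score
    published: date
    patched: bool = False

# Constructed sample inventory; the identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("PLACEHOLDER-CVE-A", 9.8, date(2019, 7, 1)),
    Finding("PLACEHOLDER-CVE-B", 7.2, date(2019, 7, 1)),
    Finding("PLACEHOLDER-CVE-C", 4.0, date(2019, 7, 1), patched=True),
]

def overdue(findings, today: date) -> list:
    """Refs of unpatched findings whose Circular deadline has already passed."""
    return [f.ref for f in findings
            if not f.patched and today > deadline(f.published, f.score)]
```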

11. To amend and supplement Clause 1, Article 19 as follows:

“1. Secret information of customers that is to be stored must be encrypted or concealed to ensure its confidentiality.”.

Article 2.

1. To annul Clause 7, Article 4 and Clause 1, Article 10 of Circular No. 35/2016/TT-NHNN.

2. To replace the phrase “the Informatics Technology Department” with the phrase “the Information Technology Department” in Articles 20, 21 and 23 of Circular No. 35/2016/TT-NHNN.

Article 3. Responsibility for organization of implementation

The Chief of the Office, the Director of the Information Technology Department, and heads of units of the State Bank, directors of the State Banks’s provincial-level branches, chairpersons of the Boards of Directors or Members’ Councils, and directors general (directors) of credit institutions, foreign bank branches and institutions providing intermediary payment services shall organize the implementation of this Circular.

Article 4. Effect

This Circular takes effect on July 1, 2019.-

For the State Bank Governor
Deputy Governor
NGUYEN KIM ANH

[1] Công Báo Nos. 13-14 (04/01/2019)
