Circular 77/2025/TT-NHNN amending Circular 50/2024/TT-NHNN on security and confidentiality in online banking services
ATTRIBUTE
| Issuing body: | State Bank of Vietnam | Effective date: | 01/03/2026 (phased application per Article 12) |
| Official number: | 77/2025/TT-NHNN | Signer: | Pham Tien Dung |
| Type: | Circular | Expiry date: | Updating |
| Issuing date: | 31/12/2025 | Effect status: | Known |
| Fields: | Finance - Banking, Information - Communications |
THE STATE BANK OF VIET NAM
No. 77/2025/TT-NHNN
THE SOCIALIST REPUBLIC OF VIET NAM
Hanoi, December 31, 2025
CIRCULAR
Amending and supplementing a number of articles of Circular No. 50/2024/TT-NHNN of the Governor of the State Bank of Vietnam prescribing security and confidentiality in the provision of online services in the banking sector
Pursuant to the Law No. 46/2010/QH12 on the State Bank of Vietnam;
Pursuant to the Law No. 86/2015/QH13 on Cyberinformation Security;
Pursuant to the Law No. 24/2018/QH14 on Cyber Security;
Pursuant to the Law No. 20/2023/QH15 on E-Transactions;
Pursuant to the Law No. 32/2024/QH15 on Credit Institutions, as amended and supplemented by the Law No. 96/2025/QH15;
Pursuant to the Government’s Decree No. 26/2025/ND-CP prescribing the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Department of Information Technology;
The Governor of the State Bank of Vietnam promulgates the Circular amending and supplementing a number of articles of Circular No. 50/2024/TT-NHNN of the Governor of the State Bank of Vietnam prescribing security and confidentiality in the provision of online services in the banking sector.
Article 1. Amending and supplementing a number of points and clauses of Article 1
1. To add Point d to Clause 1, Article 1 as follows:
“d) Activities of provision of mobile money services;”.
2. To amend and supplement Clause 2, Article 1 as follows:
“2. Subjects of application
This Circular applies to credit institutions, foreign bank branches, intermediary payment service providers, mobile money service providers, and credit information companies (hereinafter collectively referred to as units).”.
Article 2. Adding Clause 11 to Article 2
“11. New institutional client is an organization that has been newly registered for establishment within a period of 12 months, or an organization that has newly established a relationship with a unit within a period of 12 months, and for which the unit has conducted a risk assessment and determined the period during which the form of matching biometric information or secure electronic signatures must be applied to such client when conducting transactions. This provision shall not apply to:
a) State agencies and public service units;
b) Credit institutions and foreign bank branches;
c) Listed organizations as prescribed by the Law on Securities;
d) Organizations included in the Fortune Global 500 list published by the Fortune magazine in the immediately preceding year;
dd) Foreign investors being non-residents opening payment accounts to conduct indirect investment activities in Vietnam;
e) Other organizations selected by the unit, for which the unit shall take full responsibility for all risks arising from such selection. The unit shall ensure accurate client verification and shall take full responsibility for client identification.”
Article 3. Amending and supplementing Point a, Clause 3, Article 3
“a) Applying at least one of the authentication forms specified in Clauses 3, 4, 5, 7, 8 and 9, Article 11 of this Circular upon changing the client’s identification information.
In the case where an individual client or a new institutional client changes identification documents (including the citizen identity card, identity card, electronic identity card, or passport of the individual client or of the legal representative of the institutional client) or information used for registration and use of transaction authentication forms (at a minimum including the telephone number or email address or electronic signature), the authentication forms specified in Clause 5, Article 11 of this Circular shall be applied in combination with one of the authentication forms specified in Clauses 3, 4, 7, 8 and 9, Article 11 of this Circular.”
Article 4. Amending and supplementing a number of points and clauses of Article 7
1. To amend and supplement Point c, Clause 3, Article 7 as follows:
“c) To assess and scan to detect technical vulnerabilities and weaknesses. To assess the capability to prevent and combat vulnerabilities, weaknesses and attack types, ensuring at least the following requirements:
(i) For Online Banking application software provided via web platforms, it must prevent and combat the ten most common vulnerabilities published by the OWASP organization (OWASP Top Ten).
(ii) For Mobile Banking application software, it must meet at least the mobile application security requirements published by the OWASP organization (OWASP Mobile Application Security).
(iii) The applicable version of the OWASP Top Ten or OWASP Mobile Application Security shall be the latest version or, for 6 months after a new version is issued, the version immediately preceding it.”
2. To amend and supplement Point g, Clause 6, Article 7 as follows:
“g) For a client being an institutional client, the application software shall be designed to ensure that the performance of online payment transactions (excluding online card payments via payment acceptance units) includes at least two steps: transaction creation and transaction approval.
In case the client is a business household or a micro-enterprise applying a simple accounting regime, the performance of transactions is not required to separate the two steps of transaction creation and transaction approval;”
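The two-step requirement at Point g above is a maker/checker control. The following Python model is an added illustration and is not text from the Circular; it assumes, beyond what the Circular states, that the approving user must differ from the creating user and that a transaction may be executed only once. Client kinds, transaction identifiers and amounts are constructed for the demonstration.

```python
"""Maker/checker flow for institutional online payments.

Added illustration of the two-step requirement (transaction creation, then
transaction approval) in Point g, Clause 6, Article 7. Not text from the
Circular. Assumptions not stated in the Circular: the approving user must be
a different user from the creating user, and a transaction may be executed
only once.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ClientKind(Enum):
    INSTITUTIONAL = "institutional"                  # two steps required
    BUSINESS_HOUSEHOLD = "business_household"        # exempt from the two-step rule
    MICRO_ENTERPRISE_SIMPLE = "micro_enterprise_simple_accounting"  # exempt
    INDIVIDUAL = "individual"                        # Point g does not address individuals


class Status(Enum):
    CREATED = "created"
    APPROVED = "approved"
    EXECUTED = "executed"


class ControlViolation(Exception):
    """Raised when a step would bypass the required control."""


@dataclass
class Transaction:
    tx_id: str
    client_kind: ClientKind
    amount_vnd: int
    created_by: str
    card_payment_via_acceptance_unit: bool = False  # excluded from Point g
    status: Status = Status.CREATED
    approved_by: Optional[str] = None


def requires_approval(tx: Transaction) -> bool:
    """Only institutional clients need the separate approval step, and online
    card payments via payment acceptance units are excluded outright."""
    if tx.card_payment_via_acceptance_unit:
        return False
    return tx.client_kind is ClientKind.INSTITUTIONAL


def approve(tx: Transaction, approver: str) -> Transaction:
    if not requires_approval(tx):
        raise ControlViolation("no approval step applies to this transaction")
    if tx.status is not Status.CREATED:
        raise ControlViolation(f"cannot approve a transaction in state {tx.status.value}")
    if approver == tx.created_by:
        # Assumption: separation of duties between creator and approver.
        raise ControlViolation("approver must differ from the creator")
    tx.approved_by = approver
    tx.status = Status.APPROVED
    return tx


def execute(tx: Transaction) -> Transaction:
    if tx.status is Status.EXECUTED:
        raise ControlViolation("transaction already executed")
    if requires_approval(tx) and tx.status is not Status.APPROVED:
        raise ControlViolation("institutional payment executed without approval")
    tx.status = Status.EXECUTED
    return tx


def demo() -> dict:
    """Constructed scenarios; returns the outcome of each for inspection."""
    results = {}

    # 1. Institutional client: create -> approve (different user) -> execute.
    tx1 = Transaction("TX-001", ClientKind.INSTITUTIONAL, 250_000_000, created_by="maker")
    execute(approve(tx1, "checker"))
    results["institutional_two_step"] = tx1.status.value

    # 2. Institutional client trying to skip the approval step.
    tx2 = Transaction("TX-002", ClientKind.INSTITUTIONAL, 1_000_000, created_by="maker")
    try:
        execute(tx2)
        results["institutional_skip"] = "executed"
    except ControlViolation as e:
        results["institutional_skip"] = str(e)

    # 3. The same user creating and approving.
    tx3 = Transaction("TX-003", ClientKind.INSTITUTIONAL, 1_000_000, created_by="maker")
    try:
        approve(tx3, "maker")
        results["self_approval"] = "approved"
    except ControlViolation as e:
        results["self_approval"] = str(e)

    # 4. Micro-enterprise under a simple accounting regime: single step allowed.
    tx4 = Transaction("TX-004", ClientKind.MICRO_ENTERPRISE_SIMPLE, 5_000_000, created_by="owner")
    execute(tx4)
    results["micro_single_step"] = tx4.status.value

    return results
```

The exemption for business households and micro-enterprises is modelled as a property of the client kind, so the approval check is skipped for them while the same `execute` path is used for every client; the card-payment exclusion is a per-transaction flag because it depends on the payment channel, not on who the client is.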
3. To amend and supplement Point b, Clause 8, Article 7 as follows:
“b) Online Banking application software must have the function of authenticating the connection with the software of institutional clients in order to ensure safety and confidentiality and prevent fraud and forgery in accordance with international or Vietnamese standards and technical regulations;”
Article 5. Amending and supplementing a number of clauses of Article 8
1. To add Clause 1a after Clause 1, Article 8 as follows:
“1a. Control of released installation versions of the Mobile Banking application software:
a) On a periodic basis at least once every 3 months, the unit shall assess the safety and confidentiality of application software versions that are permitted for clients to install and use, in order to identify security vulnerabilities and assess the possibility of interference by cybercriminals.
b) In the case where a client activates the Mobile Banking application on a new device or reactivates the application, the client must install and use the latest version or the nearest version that satisfies safety and confidentiality requirements in accordance with regulations. The unit must have solutions to control and not allow downgrading to lower versions for use in this case.
c) When detecting security vulnerabilities assessed at a high or critical level, the unit shall take measures to inspect, prevent the performance of transactions or apply control measures in order to prevent criminals from taking advantage of security vulnerabilities to conduct cyberattacks, perform fraudulent transactions, and appropriate property; concurrently, the unit shall immediately process, remedy, and update to a new version within the time limit prescribed in Clause 6, Article 14 of this Circular.”
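Clause 1a above describes three controls on released app versions: a periodic safety assessment of the versions clients may use, no downgrade on activation or reactivation, and withdrawal of versions with high or critical vulnerabilities. The following Python is an added example of how a unit's backend could enforce these at activation time; it is not text from the Circular, and the policy shape, version strings and decision messages are constructed assumptions.

```python
"""Server-side release control for a Mobile Banking app (Clause 1a, Article 8).

Added example, not text from the Circular. It models the checks a unit's
backend can run when a client activates the app on a new device or
reactivates it: refuse versions below the floor set by the latest periodic
safety assessment (Point a), refuse downgrades relative to the version the
device last used (Point b), and refuse versions withdrawn for a high or
critical vulnerability (Point c). Policy values and version strings are
constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Strict MAJOR.MINOR.PATCH parse. Anything else is rejected rather than
    coerced: a malformed version string from a client is itself a signal of a
    modified (repacked) app and should not be silently accepted."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class ReleasePolicy:
    latest: str                # newest version published to the app stores
    min_safe: str              # oldest version still assessed safe at the last review (Point a)
    withdrawn: FrozenSet[str]  # versions pulled for high/critical vulnerabilities (Point c)

    def check_activation(self, reported: str, last_seen: Optional[str] = None) -> Tuple[bool, str]:
        """Decide whether activation or reactivation with `reported` is allowed.
        `last_seen` is the version previously recorded for this device, if any."""
        v = parse_version(reported)
        if reported in self.withdrawn:
            return False, "version withdrawn for a high/critical vulnerability; update required"
        if v < parse_version(self.min_safe):
            return False, "version below the minimum safe version; update required"
        if last_seen is not None and v < parse_version(last_seen):
            return False, "downgrade from the previously activated version is not permitted"
        if v > parse_version(self.latest):
            return False, "version newer than any published release; possible tampering"
        return True, "activation permitted"


# Constructed policy for illustration.
POLICY = ReleasePolicy(latest="5.4.2", min_safe="5.3.0", withdrawn=frozenset({"5.4.0"}))

if __name__ == "__main__":
    cases = [("5.4.2", None), ("5.3.1", None), ("5.2.9", None),
             ("5.4.0", None), ("5.3.5", "5.4.1"), ("5.9.0", None)]
    for reported, last in cases:
        print(reported, last, POLICY.check_activation(reported, last))
```

Two points are worth noting. The withdrawn-version check runs before the floor check so that a version inside the accepted range can still be blocked the moment a high or critical finding is confirmed, without waiting for the next quarterly review to move the floor. A reported version above the latest published release is also refused, because no genuine client can be running it; treating it as a tampering signal is an assumption added here, not a requirement of the Circular.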
2. To amend and supplement Clause 4, Article 8 as follows:
“4. To deploy solutions to prevent, combat, and detect unauthorized interference with the Mobile Banking application installed on clients’ mobile devices; the Mobile Banking application must automatically exit or suspend operation and notify the client of the reason if detecting one of the following signs:
a) A debugger is attached or a debugging environment is active; or when the application is running in an emulator/virtual machine/emulated device environment; or operating in a mode allowing a computer to directly communicate with an Android device (Android Debug Bridge);
b) The application software is injected with external code while running, performing acts such as monitoring executed functions, recording logs of data transmitted through functions, APIs, etc. (hook); or the application software is interfered with or subjected to repacking;
c) The device has been rooted/jailbroken; or the protection mechanism has been unlocked (unlock bootloader).”
3. To amend and supplement Clause 5, Article 8 as follows:
“5. Not to allow the function of remembering the secret access code, except in the cases where the authentication form prescribed in Clause 6, Article 11 of this Circular is applied.”
Article 6. Amending and supplementing a number of points and clauses of Article 10
1. To amend and supplement Point a, Clause 1, Article 10 as follows:
“a) For payment transactions using payment accounts or e-wallets or Mobile Money accounts, or money transfer transactions from debit cards or personalized prepaid cards, the unit shall classify transactions according to the transaction type groups specified in Appendix 01 promulgated together with this Circular and apply the authentication forms specified in Appendix 02 promulgated together with this Circular, except for the provisions at Points b, c, d and dd of this Clause;”
2. To amend and supplement Point d, Clause 1, Article 10 as follows:
“d) For transactions in which the unit proactively debits the payment account, proactively debits the e-wallet, proactively debits the Mobile Money account, or proactively makes payments from the client’s card in accordance with agreements with the client, it is not required to apply the transaction authentication specified at Points a and c, Clause 1 of this Article;”
3. To amend and supplement Clause 2, Article 10 as follows:
“2. For transactions registering for automatic debit from payment accounts, automatic debit from e-wallets, automatic debit from Mobile Money accounts, and automatic payment from clients’ cards, the unit shall apply at least one of the authentication forms specified in Clauses 3, 4, 5, 7, 8 and 9, Article 11 of this Circular.”
Article 7. Amending and supplementing a number of points and clauses of Article 11
1. To amend and supplement Point c, Clause 5, Article 11 as follows:
“c) The solution for detecting presentation attacks on living biometric information (Presentation Attack Detection – PAD) as prescribed at Point a of this Clause, whether self-deployed by the unit or provided by a third party, must be certified by a biometric organization/laboratory recognized by the FIDO Alliance or by a certification body licensed to certify conformity with international standards (ISO), as meeting ISO 30107 Level 2 or an equivalent level. The certification body must be accredited by an accreditation body that is a signatory to the Multilateral Recognition Arrangement of the International Accreditation Forum (IAF MLA).”
2. To amend and supplement Clause 8, Article 11 as follows:
“8. PGP (Pretty Good Privacy) authentication is an authentication form in accordance with security and authentication standards using asymmetric key encryption algorithms (including a private key and a public key, in which the private key is used for digital signing and the public key is used for digital signature verification) promulgated by the international standardization organization IETF (Internet Engineering Task Force). PGP authentication must meet the following requirements:
a) The client’s public key is registered with the unit, securely stored at the unit, and linked to the client’s electronic transaction account;
b) There are methods to ensure verification of the identity of the key holder, security mechanisms, and key revocation mechanisms;
c) There is an agreement on the legal responsibilities of the unit and the client relating to the authenticity, integrity, and non-repudiation of transaction files signed using this method.”
3. To amend and supplement Clause 9, Article 11 as follows:
“9. Secure e-signature authentication is an authentication form by electronic signature, in which the electronic signature is a digital signature or a foreign electronic signature recognized in Vietnam in accordance with the law on electronic signatures.”
Article 8. Amending and supplementing Article 21
“Article 21. Responsibilities of units affiliated to the State Bank
1. The Information Technology Department shall be responsible for following, examining, and coordinating with related units to handle difficulties arising in the course of implementation of this Circular.
2. The State Bank Inspectorate shall be responsible for inspecting and examining the implementation of this Circular and handling violations in accordance with the law provisions.
3. Regional branches of the State Bank shall be responsible for inspecting and supervising the implementation of this Circular at credit institutions, foreign bank branches, and intermediary payment service providers within the areas under their management, and handling violations in accordance with the law provisions.”
Article 9. Adding Clause 1a after Clause 1, Article 23
“1a. Transactions registered for automatic debit from Mobile Money accounts that are conducted before the effective date of this Circular shall continue to be implemented until the expiry of the term of the concluded agreement; in the case where the agreement does not specify a term, such transactions shall continue to be implemented until December 31, 2026. Any amendment, supplementation or extension of the agreement must comply with Clause 2, Article 10 of this Circular.”.
Article 10. Amending and supplementing the Appendices attached to Circular No. 50/2024/TT-NHNN
To replace Appendices No. 01, 02 and 04 promulgated together with Circular No. 50/2024/TT-NHNN with Appendices No. 01, 02 and 04 attached to this Circular.
Article 11. Implementation responsibilities
Heads of units affiliated to the State Bank of Vietnam, credit institutions, foreign bank branches, intermediary payment service providers, Mobile Money service providers, and credit information companies shall organize the implementation of this Circular.
Article 12. Implementation provisions
1. This Circular shall take effect from March 1, 2026, except for the cases prescribed in Clauses 2 and 3 of this Article.
2. For units providing online payment services to both individual and organizational clients, the provisions prescribed in Article 3 and Article 10 of this Circular shall be applied from July 1, 2026.
3. For units providing online payment services only to organizational clients (not providing services to individual clients), the provisions prescribed in Article 3 and Article 10 of this Circular shall be applied from October 1, 2026./.
FOR THE GOVERNOR
THE DEPUTY GOVERNOR
Pham Tien Dung
* All Appendices are not translated herein.