The State Bank of Vietnam (SBV) will tighten Online Banking security requirements starting March 1, 2026. What are the key new regulations? Below are the major changes introduced under Circular No. 77/2025/TT-NHNN.
1. Mobile Money services are subject to bank-level security requirements
Accordingly, Article 1 of Circular No. 77/2025/TT-NHNN expands the scope and subjects of application of Circular No. 50/2024/TT-NHNN to include the provision of Mobile Money services.
As a result, Mobile Money service providers are required to apply security measures equivalent to those applicable to credit institutions under Circular No. 77/2025/TT-NHNN.
Recently, the Government officially issued Decree No. 368/2025/ND-CP on Mobile Money services, which provides specific and clear regulations governing this type of service.
2. Additional verification requirements for changes to customers’ identification information
Under Article 3 of Circular No. 77/2025/TT-NHNN, where customers change their information, biometric matching verification must be applied in combination with one of the following authentication methods:
One-time password (OTP);
Authentication via voice calls, Zalo or similar platforms, USSD quick message codes, or specialized software applications;
Secure electronic signature authentication.
Changes to customer information include changes to:
Personal identification documents (including citizen identity cards, identity cards, electronic identity cards, and passports);
Information used to register and use transaction authentication methods (at a minimum including phone numbers, email addresses, or electronic signatures).
3. Requirement to install the latest Mobile Banking version when changing devices
A notable new provision effective from March 1, 2026 is the tightening of control over Mobile Banking application versions, as stipulated in Article 5 of Circular No. 77/2025/TT-NHNN.
Specifically, at least once every three months, credit institutions are required to assess the safety and security of application versions permitted for installation and use, in order to promptly detect vulnerabilities and risks of cybercriminal interference.
Where customers activate Mobile Banking on a new mobile device or reactivate the application, they must install and use the latest or most recent version to ensure security. In particular, downgrading to older versions is not permitted.
4. Mobile Banking applications must automatically suspend operation in three cases
Along with stricter version management to prevent malware attacks, Clause 2 Article 5 of Circular No. 77/2025/TT-NHNN requires Mobile Banking applications to automatically disconnect or immediately cease operation if the mobile device is detected to be in any of the following cases:
The device has been jailbroken (for iOS), rooted (for Android), or has had its bootloader protection mechanism unlocked. Such actions are commonly taken to install unofficial applications or circumvent licensing restrictions;
The device has been injected with malicious code to monitor or record operation history, or has been modified or repackaged;
The device has debugging tools attached or is running applications on emulators, virtual machines, or simulated devices.
5. Additional cases permitting password storage in Mobile Banking applications
Clause 5 Article 8 of Circular No. 50/2024/TT-NHNN has been amended and supplemented by Article 5 of Circular No. 77/2025/TT-NHNN as follows:
The function allowing storage of access secret keys is not permitted, except where the authentication method specified in Clause 6 Article 11 of this Circular is applied.
Accordingly, Mobile Banking applications are not permitted to store passwords, except where customers are authenticated through fingerprint, iris, or Face ID matching with information stored on the device. Such authentication must satisfy the following conditions:
Activation is allowed only after obtaining customer consent and after the customer has successfully completed at least one transaction using another authentication method.
The maximum authentication time is two minutes.
6. Biometric spoofing detection solutions must meet ISO 30107 standards
Another major change effective from March 1, 2026 is stipulated in Clause 1 Article 7 of Circular No. 77/2025/TT-NHNN, which introduces new requirements for biometric Presentation Attack Detection (PAD) solutions, particularly in light of increasingly sophisticated fraud schemes such as AI-generated deepfakes.
Accordingly, such solutions must not only be certified by biometric organizations or laboratories recognized by the FIDO Alliance, but may also be certified by accredited certification bodies confirming compliance with international ISO standards, meeting ISO 30107 Level 2 or equivalent.
Certification bodies must be accredited by an accreditation authority that is a participant in the multilateral mutual recognition arrangement of the International Accreditation Forum.
The above summarizes the key new provisions of Circular No. 77/2025/TT-NHNN, effective from March 1, 2026, regarding Online Banking security.
Vietnamese
