Circular 50/2024/TT-NHNN prescribing security and confidentiality in provision of online banking services
ATTRIBUTES
Issuing body: State Bank of Vietnam
Official number: 50/2024/TT-NHNN
Type: Circular
Issuing date: 31/10/2024
Signer: Pham Tien Dung
Fields: Finance - Banking
THE STATE BANK OF VIETNAM | THE SOCIALIST REPUBLIC OF VIETNAM
CIRCULAR
Prescribing security and confidentiality in provision of online banking services
___________________
Pursuant to the Law No.46/2010/QH12 on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Cyberinformation Security dated November 19, 2015;
Pursuant to the Law on Cyber Security dated June 12, 2018;
Pursuant to the Law on E-Transactions dated June 22, 2023;
Pursuant to the Law on Credit Institutions dated January 18, 2024;
Pursuant to the Government’s Decree No. 102/2022/ND-CP dated December 12, 2022, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Department of Information Technology;
The Governor of the State Bank of Vietnam promulgates the Circular prescribing security and confidentiality in provision of online banking services.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation and subjects of application
1. Scope of regulation
This Circular prescribes requirements for ensuring security and confidentiality in provision of online banking services, including:
a) Banking activities and other business activities of credit institutions and foreign bank branches;
b) Activities of provision of intermediary payment services;
c) Credit information activities.
2. Subjects of application
This Circular applies to credit institutions, foreign bank branches and intermediary payment service providers and credit information providers (below collectively referred to as units).
Article 2. Interpretation of terms
In this Circular, the terms below are construed as follows:
1. Online services in the banking sector (hereinafter referred to as online banking service) include services specified in Clause 1 Article 1 of this Circular provided by units to clients on the network environment to conduct electronic transactions (hereinafter referred to as transactions), excluding direct transactions at units accepting payment via card readers at points of sale, via Quick Response Code (QR Code) displayed by clients.
2. Online banking system means a structured set of hardware equipment, software, databases, communication and security and confidentiality networks and systems to produce, transmit, collect, process, store and exchange digital information serving the management and provision of online banking services, that is established, administered and operated by the unit, or a hired third party.
3. Online banking application software means an application software providing online banking services.
4. Mobile banking application software means an online banking application software installed on mobile devices.
5. Online payment transactions mean transactions conducted by electronic means via online banking system.
6. Client means an organization or individual using online banking services.
7. Straight-through processing means a method of automatic two-way exchange of information, data, and documents, through a secure connection between the client’s information system and the online banking system.
8. Electronic transaction authentication (hereinafter referred to as transaction authentication) means a form of authentication by electronic means to express the client’s acceptance of data messages in electronic transactions.
9. End-to-end encryption means a mechanism under which information is safely encrypted at the source point before being sent and is decrypted only after being received at the destination point of the process of information exchange between applications or devices in a system, aiming to limit the risk of information exposure or leakage in transmission lines.
10. Database administration system means software designed for management, storage, retrieval and execution of data queries in a database.
Article 3. General principles for ensuring security and confidentiality of the information system serving the provision of online banking services
1. Online banking systems must comply with the regulations on ensuring information system security at level 3 or higher under the law on securing information systems by security level; information systems providing financial switching and electronic clearing services must comply with the regulations on ensuring information system security at level 4 or higher. They must also comply with TCVN 11930:2017 (Information technology - Security techniques - Basic requirements for securing information according to security levels) and with the State Bank's regulations on information system security in banking activities.
2. Client information confidentiality and integrity must be ensured. The online banking system must be available to provide services in an uninterrupted manner.
3. Clients' transactions shall be classified and assessed for their minimum risk level according to client group, client usage behavior, transaction type, transaction limit (if any) and compliance with relevant laws. On that basis, the unit shall offer appropriate forms of transaction authentication for clients to choose from, while complying with at least the following regulations:
a) Applying at least one of the authentication forms specified in Clauses 3, 4, 5, 7, 8 and 9 Article 11 of this Circular upon changing the client's identification information;
b) Applying at least one combination of transaction authentication forms as prescribed in this Circular. In case the legal document guiding the services prescribed in Clause 1 Article 1 of this Circular stipulates the form of transaction authentication, that legal document shall be complied with;
c) For multi-step transactions, transaction authentication must be applied at the step of final approval.
4. The online banking system must be inspected and assessed in terms of security and confidentiality on an annual basis.
5. Risks, possibility of occurrence and causes of risks must be regularly identified in order to promptly take measures to prevent, control and handle risks in the provision of online banking services.
6. Information technology infrastructure equipment serving the provision of online banking services must have clear copyright and origin. For equipment whose life cycle is about to expire and which is no longer supported by its manufacturer, the unit shall work out a plan for upgrading or replacing it as notified by the manufacturer, ensuring that infrastructure equipment can be installed with a new software version. Until the equipment is upgraded or replaced, the unit must take measures to enhance the security and confidentiality of the online banking system.
7. Systems providing electronic payment gateway services, collection and disbursement support services are not required to comply with regulations of Clauses 7, 9 and 10 Article 7 and Section 2 Chapter II of this Circular.
8. Online banking systems may operate and provide services to clients only when ensuring security and confidentiality in accordance with this Circular and relevant laws.
Chapter II
SPECIFIC PROVISIONS
Section 1. TECHNICAL INFRASTRUCTURE OF THE ONLINE BANKING SYSTEM
Article 4. Network system, communication, security and confidentiality
Every unit shall establish networks and communication, security and confidentiality systems that at least meet the following requirements:
1. To apply security and confidentiality solutions, at least containing:
a) Application firewall or equivalent protection solutions;
b) Database firewall or equivalent protection solutions;
c) Solutions for prevention against denial-of-service attacks (DoS), distributed denial of service attack (DDoS) for systems directly providing services on the Internet;
d) Information security event management and analysis system.
2. To refrain from storing client information (client identification information, client transaction information) in the Internet connection zone and demilitarized zone (DMZ).
3. To adopt policies to minimize services and gateways connected to the online banking system.
4. To ensure that inbound connections to the online banking system for administration are permitted only where connecting from the internal network is impossible, that they are secured, and that they comply with the following regulations:
a) The connection is approved by a competent authority after considering its purpose and method;
b) There must be a secure remote access management and system administration plan such as using a virtual private network or equivalent solution;
c) Connecting devices are installed with software that ensures security and confidentiality;
d) At least two of the authentication forms specified in Clauses 1, 3, 4, 7, 8 and 9 Article 11 of this Circular are applied when logging onto the system;
dd) Secure encrypted communication protocols are used, and passwords are not stored in utility software.
5. To ensure the high availability and uninterrupted service provision of network connection lines for service provision.
Article 5. Server system and system software
1. Requirements on a server:
a) Its monthly average utilization of the central processing unit (CPU), internal memory (RAM), data storage devices and data retrieval devices (when storing or transmitting data) is at most 80% of its design capacity;
b) The online banking system must have an on-site backup server to ensure high availability;
c) It is logically or physically separated from the servers serving other professional operations;
d) It must be checked; security and confidentiality (hardening) for the operating system must be improved, and patches must be updated regularly.
2. Units shall make a list of software permitted to be installed in servers, update and inspect this list at least once every six months, and ensure that it is strictly complied with.
Article 6. Database administration system
1. The database administration system must have a mechanism for the protection of, and authorization of the right to access to, its resources.
2. The online banking system must have a backup database for disaster recovery which is able to replace the official database and ensure the completeness and integrity of clients' transaction data.
3. The database administration system must be checked; its security and confidentiality (hardening) must be improved, and patches must be updated regularly.
4. Units shall take measures to supervise and log access to the database as well as manipulations upon access to the database.
Article 7. Online banking application software
1. Security and confidentiality requirements must be determined before developing software, and ensured in the process of development (analysis, design, development, testing), official operation and maintenance of the software. Dossiers and documents on software security and confidentiality must be systemized, stored and synchronously updated upon changes to the system, and strictly controlled, with limited access.
2. Units shall control software source codes according to at least the following requirements:
a) For software source codes self-developed by the unit:
(i) Periodically, or when there is a change in the application software, the unit must check the source code to remove malicious code sections and security vulnerabilities. The personnel performing the check must be independent of the personnel developing the software source code;
(ii) To appoint specific persons in charge of managing source codes of online banking application software;
(iii) A source code must be kept safely in at least two geographically separate locations, and measures must be taken to protect the integrity of the source code.
b) For outsourced software source codes:
(i) The unit must request the supplier to sign a commitment that the software source code is legal and not counterfeit; commit to implementing agreements on editing the source code when warranting and maintaining the software;
(ii) In case of source code handover, before accepting the handover of software source code, the unit shall request the supplier to check, handle and fix security vulnerabilities in the source code. After the source code is handed over, the unit shall comply with the provisions of Point a of this Clause;
(iii) In case a unit is not handed the source code of such software, when signing the product acceptance, it shall require the supplier to scan and remove malicious code sections, and sign a commitment that the application software does not contain malicious code sections.
3. Online banking application software must be inspected and tested before official operation, ensuring at least the following requirements are met:
a) To prepare and approve plans and scenarios for testing online banking application software, clearly stating safety and confidentiality conditions to be met;
b) To detect and eliminate errors and frauds that may occur when inputting data;
c) To assess and scan to detect technical vulnerabilities and weaknesses, and to assess the capacity to prevent attacks including but not limited to Injection (SQL, XPath, LDAP), Cross-site Scripting (XSS), Cross-site Request Forgery (XSRF), Server-Side Request Forgery (SSRF), Brute-Force, and errors related to confidentiality, such as access control errors; identification and authentication errors; encryption errors; design errors and insecure configurations; logging and security monitoring errors;
d) To record errors and the process of fixing errors, especially those related to security and confidentiality, in the software inspection and testing reports;
dd) To inspect and test security and confidentiality features on popular browsers (for online banking application software provided via website platform) and mobile device operating system software (applicable to Mobile Banking application software); to create mechanisms to inspect and promptly notify clients to run applications on mobile device operating system software versions or browsers which have undergone safety inspection and testing.
4. Before initiating new online banking application software, a unit shall assess the risks of the initiation process to related professional operations and information technology systems and prepare and implement plans to limit and overcome these risks.
5. The management and change of online banking application software versions must meet the following requirements:
a) Documents analyzing the impacts of the change of application software on the bank’s existing system as well as other related systems of the unit must be formulated and approved by the competent authority before implementation;
b) Software versions, including also source codes self-developed by the unit or handed over by the supplier, must be managed in a centralized manner and stored to ensure confidentiality while there must be a mechanism for authorizing each staff member and recording logs to handle files;
c) Information on versions (update time, persons updating such versions, instructions for updating and relevant information of such versions) must be stored;
d) The upgrading of versions must be based on testing results and be approved by competent authorities.
6. Compulsory functions of online banking application software:
a) Applying end-to-end encryption to all data transmitted on the network environment, or data exchanged between online banking application software and relevant equipment;
b) Ensuring the integrity of transaction data; and being able to promptly detect, warn, and prevent all unauthorized modifications, or take appropriate measures to handle all unauthorized modifications to ensure the accuracy of transaction data in the process of transaction processing and data storage;
c) Controlling transaction sessions: The system must automatically stop the session in case a user makes no manipulation within a certain length of time set by the unit, or apply another protective measure;
d) Having the function of hiding passwords or PINs used to log onto the system;
dd) Disabling any automatic login function;
e) In case the electronic transaction account specified in Clause 1 Article 9 of this Circular uses a PIN or password as a form of authentication, the online banking application software must have functions to control the PIN and password:
(i) Requiring the client to change the PIN or password in case the client is issued a default PIN or password for the first time;
(ii) Notifying the client when the PIN or password is about to expire;
(iii) Invalidating the PIN or password when it expires; requiring the client to change the expired PIN or password when the client uses the PIN or password to log in;
(iv) Canceling the validity of the PIN or password in case the PIN or password is entered incorrectly consecutively more than the number of times specified by the unit (but not more than 10 times), and notifying the client;
(v) The unit shall only reissue the PIN or password when requested by the client and must check and identify the client before reissuing, to prevent fraud and forgery.
g) Being designed in a way that requires all online payment transactions of institutional clients to be conducted in at least two steps of creating and approving transactions. For clients being business households or micro-enterprises applying a simple accounting regime, the transactions are not required to be conducted separating the two steps of transaction creation and approval;
h) Having the function of notifying, via SMS or other channels registered by the client (phone, email, etc.), the first login to the online banking application software or a login on a device different from the one last used to log in, except where an institutional client logs in on devices already registered for use of the service, or logs in using at least one of the authentication forms specified in Clauses 3, 4, 5, 7, 8 and 9 Article 11 of this Circular.
7. Online banking application software must have the function of online storage of information about the device that performs client transactions, transaction logs, transaction authentication logs for at least 3 months and backup for at least 1 year, including:
a) Device identification information:
(i) For mobile devices: information to uniquely identify the device (e.g., IMEI or serial number or WLAN MAC or Android ID or other identification information);
(ii) For computers: information to uniquely identify the computer (such as the MAC address or a combination of computer-related information that can uniquely identify the computer).
b) Transaction logs must at least include transaction code, client name, transaction initiation time, transaction type, transaction value (if any);
c) Transaction authentication logs must at least include transaction authentication form and transaction authentication time. In case of transaction authentication using biometric information matching, the unit shall store the client's biometric information when performing the transaction for at least the 10 most recent transactions of that client.
8. Requirements for straight-through processing:
a) The unit shall only provide online banking services using the straight-through processing for institutional clients. The unit is responsible for selecting, appraising, supervising, managing and reaching an agreement with the client when providing online banking services using the straight-through processing method;
b) Online banking application software must have the function of authenticating the connection with the software of the institutional client to ensure against fraud and forgery;
c) Provisions of Points c, dd, e, g, and h Clause 6, and Point a Clause 7 of this Article are not required to apply.
9. Card issuers providing online payment services using bank cards must have online banking application software with at least the following features:
a) Permitting or not permitting online payment;
b) Setting up a daily online payment limit using bank cards;
c) Permitting or not permitting overseas payments at card readers at points of sale and automatic transaction machines;
d) Allowing clients to register to choose to proactively confirm or agree to let the card issuer confirm all or part of online payment transactions using bank cards (online card payment transactions) in case of using the authentication form as prescribed in Clause 10 Article 11 of this Circular.
10. Online banking application software must have the function of notifying clients about transactions occurring via SMS or email or mobile banking application software or other communication channels registered by clients.
Article 8. Mobile banking application software
Mobile banking application software provided by the unit must comply with Article 7 of this Circular and the following requirements:
1. Being registered and managed at the official application store of the mobile operating system provider and having clear installation instructions on the unit's website for clients to download and install the mobile banking application software. In case, for objective reasons, the mobile banking application software is not registered and managed at the official application store of the mobile operating system provider, the unit must have a method of guiding, notifying, supporting the installation of the mobile banking application software to ensure security and confidentiality for clients and report to the State Bank (the Information Technology Department) before providing the service.
2. To apply measures to protect application software from reverse engineering of the source code.
3. To take measures to protect against interference in the data exchange flow on the mobile banking application and between the mobile banking application and the server providing online banking services.
4. To deploy solutions to prevent, combat, and detect unauthorized interference with the mobile banking application installed on clients’ mobile devices.
5. Not to allow the feature to store passwords.
6. For individual clients, there must be a function to check the client when the client accesses for the first time or when the client accesses by using a device other than the one that last accessed the mobile banking application software. The checking of the client includes at least the following:
a) Matching the correct SMS OTP or Voice OTP via the client's registered phone number or Soft OTP/Token OTP;
b) Matching the biometric information as prescribed in Clause 5 Article 11 of this Circular in case the specialized legal document related to the service provided on the mobile banking application software has regulations on collecting and storing clients' biometric information.
Section 2. AUTHENTICATION OF ELECTRONIC TRANSACTION VIA ONLINE BANKING SYSTEM
Article 9. Access to online banking application software
1. Clients registering to use online banking application software must be identified by the unit and issued electronic transaction accounts. An electronic transaction account includes a login name and at least one of the forms of authentication specified in Clauses 1 through 9 of Article 11 of this Circular.
2. Clients shall access online banking application software by electronic transaction accounts issued by units or access using a single sign-on form through an electronic transaction account of another information system that has been integrated by the unit according to the clients’ registration.
Article 10. Transaction authentication
1. For online payment transactions:
a) For payment transactions using payment accounts or e-wallets or money transfers from debit cards or personalized prepaid cards, the unit shall classify transactions according to the transaction type groups specified in Appendix 01 to this Circular and apply the authentication form specified in Appendix 02 to this Circular, except for the cases specified at Points b, c, d and dd of this Clause;
b) For payment transactions performed using the straight-through processing method, the unit shall confirm the transaction using at least one of the authentication forms specified in Clauses 7, 8, and 9 Article 11 of this Circular;
c) For online card payment transactions (excluding money transfer transactions), the unit shall classify transactions according to the transaction type groups specified in Appendix 03 to this Circular and apply the authentication forms specified in Appendix 04 to this Circular;
d) For transactions in which the unit proactively debits the payment account, proactively debits the e-wallet, proactively pays from the client's card as agreed upon with the client, it is not necessary to apply the transaction authentication specified at Points a and c, Clause 1 of this Article;
dd) For online payment transactions on the National Public Service Portal and deposits into the state budget, the transaction authentication specified at Point a and Point c, Clause 1 of this Article is not required.
2. For transactions registering for automatic debit from payment accounts, automatic debit from e-wallets, and automatic payment from clients' cards, the unit must apply at least one of the authentication forms specified in Clauses 3, 4, 5, 7, 8, and 9 Article 11 of this Circular.
3. For other transactions, in addition to the transactions specified in Clauses 1 and 2 of this Article, based on risk assessment and compliance with relevant laws, the unit shall select the appropriate form of authentication as prescribed in Article 11 of this Circular to provide to clients who register for use and shall be responsible for its selection.
4. In case a client is a person with a disability, the unit shall, based on its conditions and supply capacity, provide and guide the client who is a person with a disability to choose the appropriate form of authentication. It is not required to apply the provisions in Clauses 1, 2, and 3 of this Article, but must ensure checking and confirming the client's consent when making transactions in accordance with the law on electronic transactions and this Circular.
Article 11. Authentication forms
1. Authentication by password: clients use a password which is a string of characters to confirm client access to an information system, application, service or to confirm the client’s transaction. The form of authentication by password must meet the following requirements:
a) The password has a minimum length of 8 characters and consists of at least the following characters: numbers, uppercase letters, lowercase letters;
b) The maximum validity period of the password is 12 months. For the first default-issued password: the maximum validity period is 30 days.
2. PIN (Personal Identification Number) authentication is a form of authentication using a password in which the password is created from a string of digits. PIN authentication (except for PINs attached to physical cards) must meet the following requirements:
a) A PIN must be at least 6 characters long;
b) The maximum validity period of a PIN is 12 months. For the first default-issued PIN: the maximum validity period is 30 days.
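The password and PIN rules of Clauses 1 and 2 above, together with the PIN/password lifecycle controls of Article 7, Clause 6(e), expressed as checks. This is an added illustration, not code from the Circular or from any unit; the function names, the reading of "12 months" as 365 days, the 7-day expiry-warning window and the sample dates are assumptions.

```python
"""Policy checks modelled on Article 11, Clauses 1-2 of Circular 50/2024/TT-NHNN.

Added illustration only. Assumptions: "12 months" is taken as 365 days; the
7-day warning window is our choice (the Circular only requires a notice before
expiry); function names are ours.
"""
from datetime import datetime, timedelta
from string import ascii_lowercase, ascii_uppercase, digits

PASSWORD_MIN_LEN = 8                     # Clause 1(a)
PIN_MIN_LEN = 6                          # Clause 2(a)
MAX_VALIDITY = timedelta(days=365)       # Clause 1(b) / 2(b): 12 months (assumed 365 days)
DEFAULT_VALIDITY = timedelta(days=30)    # first default-issued password/PIN: 30 days
WARN_BEFORE = timedelta(days=7)          # assumed warning window for Article 7, 6(e)(ii)


def password_policy_violations(password: str) -> list[str]:
    """Return the Clause 1(a) requirements a password fails (empty list = compliant)."""
    problems = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append("shorter than 8 characters")
    if not any(c in digits for c in password):
        problems.append("no digit")
    if not any(c in ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    return problems


def pin_policy_violations(pin: str) -> list[str]:
    """Return the Clause 2(a) requirements a PIN fails: decimal digits only, at least 6."""
    problems = []
    if not pin or not all(c in digits for c in pin):
        problems.append("contains non-digit characters")
    if len(pin) < PIN_MIN_LEN:
        problems.append("shorter than 6 digits")
    return problems


def secret_status(issued_at: datetime, now: datetime, default_issued: bool) -> str:
    """Lifecycle state of a password or PIN under Clause 1(b)/2(b) and Article 7, 6(e).

    'expired'     -> invalidate and force a change at next login (6(e)(iii))
    'must_change' -> default-issued secret still inside its 30-day window (6(e)(i))
    'expiring'    -> notify the client that expiry is near (6(e)(ii))
    'valid'       -> nothing to do
    """
    lifetime = DEFAULT_VALIDITY if default_issued else MAX_VALIDITY
    expires_at = issued_at + lifetime
    if now >= expires_at:
        return "expired"
    if default_issued:
        return "must_change"
    if expires_at - now <= WARN_BEFORE:
        return "expiring"
    return "valid"
```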
3. One-time password (OTP) authentication is a form using a password in which the password is valid for one use and is valid for a certain period of time, including the following forms:
a) SMS OTP is a form of authentication through OTP number sent via short message services (SMS) or messages via basic telecommunications services on the Internet. SMS OTP must meet the following requirements:
(i) OTPs sent to customers must be attached with notification information for customers to know about the use purpose of the OTPs;
(ii) An OTP must be valid for at most 5 minutes.
b) Voice OTP is a form of authentication through OTP number sent via voice call or call via basic telecommunications services on the Internet. Voice OTP must meet the following requirements:
(i) OTPs sent to customers must be attached with notification information for customers to know about the use purpose of the OTPs;
(ii) An OTP must be valid for at most 3 minutes.
c) Email OTP is a form of authentication via OTP number sent via email. Email OTP must meet the following requirements:
(i) OTPs sent to customers must be attached with notification information for customers to know about the use purpose of the OTPs;
(ii) An OTP must be valid for at most 5 minutes.
d) OTP matrix card is a form of authentication through OTP number determined from a 2-dimensional table (rows, columns), in which every row, column corresponds to an OTP number. OTP matrix card must meet the following requirements:
(i) An OTP matrix card must be valid for at most 1 year from the date of registration;
(ii) An OTP must be valid for at most 2 minutes.
dd) Soft OTP is a form of authentication through OTP number generated by software installed on the client's mobile device. Soft OTP software can be standalone software or integrated with mobile banking application software.
Soft OTP is classified into 2 types: (i) Basic soft OTP: OTP number is randomly generated over time, synchronized with the online banking system; (ii) Advanced soft OTP: OTP number is generated in combination with the code of each transaction. When performing a transaction, the online banking system generates a transaction code to notify the client or transmit it to the soft OTP software. The client or the soft OTP software automatically enters the transaction code into the soft OTP software so that the latter can generate the OTP number.
Soft OTP must meet the following requirements:
(i) In case the soft OTP software is independent from the mobile banking application software, it must be registered and managed by the unit at the official application store of the mobile operating system provider and clear installation instructions must be provided on the unit's website for clients to download and install the soft OTP software;
(ii) The soft OTP software must require activation before use. The soft OTP activation code shall be provided by the unit to the client and can only be used to activate on a mobile device. The activation code must have an expiration date;
(iii) The soft OTP software must have an access control function. In case of consecutive incorrect access exceeding the number of times specified by the unit (but not exceeding 10 times), Soft OTP software must automatically lock to prevent clients from further use. The unit shall unlock the soft OTP only when the client so requests and conduct the client identification before unlocking in order to prevent fraud.
(iv) In case the soft OTP software is independent of the mobile banking application software, it must have the function of checking individual clients before allowing them to use it for the first time, or before they use it on a device different from the device last used. The checking of the client includes at least the following: matching an SMS OTP or voice OTP sent to the phone number registered by the client, and matching the client's biometric information;
(v) An OTP must be valid for at most 2 minutes.
e) OTP Token is a form of authentication through an OTP number generated by a specialized device. OTP Tokens are classified into 2 types: (i) Basic OTP Token: the OTP number is randomly generated over time, synchronized with the online banking system; (ii) Advanced OTP Token: the OTP number is generated in combination with the code of each transaction. When performing a transaction, the online banking system generates a transaction code and notifies the client; the client enters the transaction code into the OTP Token so that the device can generate the OTP number. An OTP Token OTP must be valid for at most 2 minutes.
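The OTP validity windows of Clause 3, the lockout cap of Point dd(iii) and the difference between a basic and an advanced (transaction-bound) soft OTP, as an added server-side illustration; it is not code from the Circular or from any unit. The HMAC-SHA1 generator (RFC 4226 style), the 30-second time step, the 6-digit length and the constructed shared secret are assumptions; only the validity windows and the 10-attempt cap come from the text.

```python
"""OTP verification modelled on Article 11, Clause 3 of Circular 50/2024/TT-NHNN.

Added illustration only. The Circular fixes the validity windows and the
lockout cap; the HMAC construction, time step and digit count are assumed.
"""
import hashlib
import hmac
import struct

# Clause 3 validity windows, in seconds, keyed by OTP channel.
OTP_VALIDITY_SECONDS = {
    "sms": 5 * 60,          # 3(a)(ii)
    "voice": 3 * 60,        # 3(b)(ii)
    "email": 5 * 60,        # 3(c)(ii)
    "matrix_card": 2 * 60,  # 3(d)(ii)
    "soft_otp": 2 * 60,     # 3(dd)(v)
    "token": 2 * 60,        # 3(e)
}
MAX_FAILED_ATTEMPTS = 10    # 3(dd)(iii): unit-defined, never more than 10
TIME_STEP = 30              # assumed time step for time-based OTPs
DIGITS = 6                  # assumed OTP length


def _hotp(secret: bytes, message: bytes) -> str:
    """HMAC-SHA1 truncated to DIGITS decimal digits (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def _otp_for_step(secret: bytes, counter: int, transaction_code: str = "") -> str:
    """OTP for one time step; a non-empty transaction code binds the OTP to it."""
    return _hotp(secret, struct.pack(">Q", counter) + transaction_code.encode())


def basic_soft_otp(secret: bytes, now: int) -> str:
    """Basic soft OTP (3(dd), type i): depends only on the secret and the time step."""
    return _otp_for_step(secret, now // TIME_STEP)


def advanced_soft_otp(secret: bytes, now: int, transaction_code: str) -> str:
    """Advanced soft OTP (3(dd), type ii): the transaction code issued by the online
    banking system is mixed into the HMAC input, so the OTP confirms only that transaction."""
    return _otp_for_step(secret, now // TIME_STEP, transaction_code)


class OtpVerifier:
    """Server side of an advanced soft OTP: window, transaction binding and lockout."""

    def __init__(self, secret: bytes, channel: str):
        self.secret = secret
        self.validity = OTP_VALIDITY_SECONDS[channel]
        self.failed = 0
        self.locked = False

    def verify(self, otp: str, issued_at: int, now: int, transaction_code: str) -> str:
        """Return 'ok', 'expired', 'mismatch' or 'locked'.

        issued_at is when the system issued the transaction code; the client may have
        generated the OTP in any time step between issuance and submission.
        """
        if self.locked:
            return "locked"
        if now - issued_at > self.validity:
            return "expired"
        for counter in range(issued_at // TIME_STEP, now // TIME_STEP + 1):
            expected = _otp_for_step(self.secret, counter, transaction_code)
            if hmac.compare_digest(expected, otp):
                self.failed = 0
                return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:   # 3(dd)(iii): lock automatically
            self.locked = True
        return "mismatch"

    def unlock_after_identification(self) -> None:
        """Unlock only after the unit has identified the client on request (3(dd)(iii))."""
        self.locked = False
        self.failed = 0
```

An OTP generated for one transaction code is rejected for another, which is the property the advanced type adds over the basic type.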
4. Two-channel authentication is an authentication form when the client makes a transaction, the online banking system shall send information requesting transaction authentication to the client's mobile device via voice call or call via basic telecommunications service on the Internet or via USSD (Unstructured Supplementary Service Data) instant message code or via specialized software, the client shall respond directly via the connected channel to confirm or not confirm the transaction. Authentication request of this form must be valid for at most 5 minutes.
5. Biometric authentication is the process of comparing and contrasting to ensure that the biometric information of the client conducting the transaction matches the biometric information of the client collected and stored at the unit according to the regulations of the Governor of the State Bank. Biometric authentication must at least meet the following requirements:
a) In case of applying the face matching method:
(i) Achieving an accuracy level determined according to the following international standards (or equivalent): a false rejection rate (FRR) < 5% at a false acceptance rate (FAR) < 0.01% according to the FIDO Biometric Requirements (applied to a sample set of at least 10,000 samples);
(ii) Being able to detect presentation attacks, i.e. spoofing with non-live subjects (Presentation Attack Detection - PAD), based on international standards (such as NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, ISO 30107 - Biometric presentation attack detection, or the FIDO Biometric Requirements) in order to prevent fraud and client spoofing through photos, videos and 3D masks.
b) In case of applying other forms of biometric information matching, it is necessary to ensure prevention of client forgery and fraud according to equivalent standards;
c) The solution to detect biometric spoofing attacks of living objects (Presentation Attack Detection - PAD) as prescribed at Point a of this Clause, which is self-deployed by the unit or provided by a third party, must be certified by a biometric organization/laboratory recognized by the FIDO Alliance;
d) In case the client's biometric matching fails consecutively more than the number of times specified by the unit (but not more than 10 times), the function of authenticating transactions by matching biometric information shall be locked; it shall be unlocked only at the client's request and after the client has been verified, in order to prevent fraud and forgery;
dd) Maximum duration for matching biometric information is 3 minutes.
6. Device-based biometric authentication is the process of comparing and contrasting to ensure that the biometric information of the client conducting the transaction matches the biometric information of the client stored on his/her mobile device. Device-based biometric authentication must at least meet the following requirements:
a) Only allowing activation after obtaining client consent and client has made at least one successful transaction using another form of authentication;
b) Maximum duration for matching biometric information is 2 minutes.
7. FIDO (Fast IDentity Online) authentication is a form of authentication according to the standard for transaction authentication using asymmetric key algorithms (including private keys and public keys, in which the private key is used for digital signature and the public key is used for digital signature verification) issued by the FIDO Alliance. FIDO authentication must meet the following requirements:
a) The private key is securely stored on the client's device. The client uses PIN authentication or matches the device's biometric information to access and use the private key when making transactions;
b) The public key is securely stored at the unit and linked to the client's electronic transaction account;
c) Solutions self-deployed by the unit or provided by a third party must be certified by an organization recognized by the FIDO Alliance.
8. E-signature authentication as prescribed by the law on e-signatures (excluding secure electronic signatures specified in Clause 9 of this Article).
9. Secure e-signature authentication is the form of confirmation by e-signature, in which the e-signature is a specialized e-signature that ensures safety or a digital signature or a foreign e-signature recognized in Vietnam in accordance with the law on e-signatures.
10. Risk-based authentication for online card payment transactions according to the EMV 3-D Secure standard (hereinafter referred to as EMV 3DS authentication). EMV 3DS authentication must meet the following requirement: card issuers, acquirers and merchants must implement the EMV 3-D Secure standard.
11. Authentication through operations showing the client's confirmation of the data message when performing a transaction such as clicking accept, approve, send or similar activities on the online banking application software. Such authentication form must meet the following requirements:
a) Authentication operations must be logged so that information related to these authentication operations can be retrieved;
b) Clients must be organizations that have logged into the online banking application software using the authentication forms as prescribed in this Article, except for Clauses 1, 2, 6, and 10.
Section 3. OPERATION MANAGEMENT
Article 12. Management of personnel in charge of administration and operation of the online banking system
1. Each unit shall assign personnel to take charge of supervising and monitoring the operation of the online banking system, and detecting and handling technical incidents and network attacks.
2. Every unit shall assign personnel to take charge of receiving information and supporting customers, and promptly contacting customers upon detection of extraordinary transactions.
3. The personnel in charge of administration, supervision and operation of the online banking system shall participate in annual training courses to update knowledge on security and confidentiality issues.
4. The issuance and authorization of accounts for administration of the online banking system must be monitored and supervised by a division independent from the account issuance division.
Article 13. Management of operation of the operational environment of the online banking system
1. A unit may neither install nor store application development software and source codes in the operational environment of the online banking system.
2. The administration, supervision and operation must meet the following requirements:
a) Computers of the personnel in charge of administration, supervision and operation may only have permitted software installed, must have anti-malware software installed with malware signatures regularly updated, and must not allow users to disable the anti-malware software themselves;
b) System administration, supervision and operation connections must be made through intermediate servers or secure, controlled centralized administration systems, and not directly from the computers of the personnel in charge of administration, supervision and operation;
c) The use of an account with administrative rights must be limited to a period sufficient to perform the work and must be revoked immediately after the end of the working session;
d) Measures to monitor the use of accounts with administrative, supervisory and operational rights must be taken, with alerts whenever there is an unusual change to the database or application.
3. Every unit shall adopt policies for computers used for administration, supervision and operation of the online banking system; such computers may only be connected to the online banking system or other information systems of the unit for the administration, supervision and operation.
Article 14. Management of technical vulnerabilities and weaknesses
A unit shall manage vulnerabilities and weaknesses of its online banking system with the following basic contents:
1. Adopting measures to prevent, combat and detect unauthorized changes to the online banking application software.
2. Establishing mechanisms to detect, prevent and combat intrusions into, or attacks on, the online banking system.
3. Cooperating with state management agencies and information technology partners in order to acquire timely information on incidents and circumstances concerning information security and confidentiality, so as to work out appropriate preventive measures.
4. Updating information on published vulnerabilities related to system software, database management systems and application software, rated according to the Common Vulnerability Scoring System version 4 (CVSS v4.0) or equivalent.
5. Scanning for vulnerabilities and weaknesses of the online banking system at least once a year or when receiving information related to new vulnerabilities and weaknesses. For system components directly connected to the Internet, scanning for vulnerabilities and weaknesses at least once every 3 months. Assessing the level of impact and risk of each discovered technical vulnerability and weakness of the system and proposing solutions and plans for handling.
6. Updating security patches or timely preventive measures based on the level of impact and risk:
a) For vulnerabilities rated as critical: Within one day for system components directly connected to the Internet; within one month for remaining components after the vulnerability is announced or discovered.
b) For vulnerabilities rated as high: Within one day for system components directly connected to the Internet; within 2 months for remaining components after the vulnerability is announced or discovered.
c) For vulnerabilities rated as medium or low: Within the time limit decided by the unit.
Article 15. System for supervising and monitoring operation of the online banking system
1. Every unit shall establish a system for supervising and monitoring the operation of its online banking system. The system for supervising and monitoring operation of the online banking system must collect complete logs of the components of the online banking system to detect and investigate unusual events or cyber-attacks.
2. Every unit shall develop criteria and software to warn of extraordinary transactions based on time, geographical location, transaction frequency, transaction amount (if any), a number of incorrect login attempts exceeding the configured threshold, and other unusual signs.
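The criteria in Clause 2 above (time, location, frequency, amount, failed logins) can be expressed as a small rule set over the unit's own event log. The following is an added illustration, not the Circular's text or any unit's monitoring software: every threshold in it (5 failed logins, VND 100 million, 4 transactions in 10 minutes, a 00:00-04:59 quiet window) is an assumption chosen for the example, and the event log it runs over is constructed sample data.

```python
"""Added illustration, not the Circular's or any unit's own software: a minimal
rule set for the extraordinary-transaction warnings that Article 15, Clause 2
requires, run over a constructed event log.  All thresholds are this example's
assumptions; the Circular leaves their values to each unit (Article 11 only caps
the consecutive-failure lockout at 10)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 5                  # assumed threshold for consecutive failed logins
LARGE_AMOUNT_VND = 100_000_000         # assumed "large transaction" threshold
BURST_WINDOW = timedelta(minutes=10)   # assumed frequency rule: at least BURST_COUNT
BURST_COUNT = 4                        # money movements inside BURST_WINDOW
QUIET_HOURS = range(0, 5)              # assumed unusual time of day: 00:00-04:59

# Constructed sample log: (timestamp, client, event, country, amount_vnd, success)
SAMPLE_EVENTS = [
    ("2025-01-06T01:10:00", "c1", "login", "VN", 0, False),
    ("2025-01-06T01:10:20", "c1", "login", "VN", 0, False),
    ("2025-01-06T01:10:40", "c1", "login", "VN", 0, False),
    ("2025-01-06T01:11:00", "c1", "login", "VN", 0, False),
    ("2025-01-06T01:11:20", "c1", "login", "VN", 0, False),
    ("2025-01-06T01:11:40", "c1", "login", "VN", 0, False),      # 6th consecutive failure
    ("2025-01-06T03:30:00", "c3", "transfer", "VN", 2_000_000, True),   # quiet hours
    ("2025-01-06T09:00:00", "c2", "login", "VN", 0, True),
    ("2025-01-06T09:05:00", "c2", "transfer", "SG", 150_000_000, True), # new country, large
    ("2025-01-06T09:06:00", "c2", "transfer", "SG", 1_000_000, True),
    ("2025-01-06T09:07:00", "c2", "transfer", "SG", 1_000_000, True),
    ("2025-01-06T09:08:00", "c2", "transfer", "SG", 1_000_000, True),   # 4th in 10 minutes
]


def detect_extraordinary(events):
    """Return (client, rule, timestamp) warnings for the given events, in log order."""
    failed = defaultdict(int)          # consecutive failed logins per client
    login_country = {}                 # country of each client's last successful login
    recent = defaultdict(deque)        # money-movement timestamps inside BURST_WINDOW
    warnings = []
    for ts, client, event, country, amount, ok in events:
        t = datetime.fromisoformat(ts)
        if event == "login":
            failed[client] = 0 if ok else failed[client] + 1
            if ok:
                login_country[client] = country
            elif failed[client] > MAX_FAILED_LOGINS:
                warnings.append((client, "failed-logins", ts))
            continue
        # the remaining rules apply to money movements only
        if t.hour in QUIET_HOURS:
            warnings.append((client, "time", ts))
        if login_country.get(client, country) != country:
            warnings.append((client, "geo", ts))
        if amount >= LARGE_AMOUNT_VND:
            warnings.append((client, "amount", ts))
        window = recent[client]
        window.append(t)
        while t - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT:
            warnings.append((client, "frequency", ts))
    return warnings


if __name__ == "__main__":
    for client, rule, ts in detect_extraordinary(SAMPLE_EVENTS):
        print(f"{ts} {client} {rule}")
```

Each rule is evaluated independently so that one event can raise several warnings (the first SG transfer trips both the location and the amount rule); the "geo" rule compares against the last successful login rather than the previous transaction, because Clause 2 is about detecting a session that does not look like the client's, and a warning must reach the support personnel of Article 12, Clause 2 so that the client can be contacted promptly.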
Article 16. Assurance of uninterrupted operation
Every unit shall develop a disaster prevention system and processes and scenarios to ensure uninterrupted operation of its online banking system in accordance with the State Bank’s regulations on security and confidentiality of the information technology system in banking operations. In addition, it shall:
1. Analyze and identify circumstances likely to cause information insecurity and disruption of operation of the online banking system. Identify and assess the level of risk and possibility of occurrence of each circumstance at least once every six months. Make a list of circumstances of high, medium, acceptable and low levels of risk and possibility of occurrence.
2. Prepare plans, including processes and scenarios, for remedying circumstances with a high or medium level of risk and possibility of occurrence as prescribed in Clause 1 of this Article. Determine the maximum downtime for restoring the system and database and a handling plan for each circumstance. Disseminate handling plans to relevant personnel for them to clearly understand tasks and jobs to be done in each circumstance.
3. Arrange human and financial resources and technical equipment to organize drills of the plans for handling circumstances with a high level of risk and possibility of occurrence at least once every year.
4. Make plans and hold drills to ensure the continuous operation of business, store related documents and evaluate drill results.
Section 4. PROTECTION OF CLIENT INTERESTS
Article 17. Information about online banking services
1. Units shall disclose information about online banking services, ensure that clients have access to information before or at the time of registering to use the service, at least including:
a) Method of providing the services, method of accessing the online banking services for each access method;
b) The transaction limits (if any) and transaction authentication forms;
c) Equipment required to use the service, conditions for the equipment used;
d) Risks related to the use of online banking services.
2. Units shall provide clients with information on terms of the agreement on provision and use of online banking services, at least on:
a) Rights and obligations of customers when using online banking services;
b) Types of client data that the unit collects, purposes of using client data and the unit's responsibility in protecting client data in accordance with the law, except in cases where the unit and the client have another agreement on protecting client data in accordance with the law;
c) Commitment to maintaining uninterrupted operation of the online banking system, at least including one-time service interruption time, total service interruption time in one year, except for cases of force majeure or system maintenance and upgrades notified by the unit;
d) Other content in terms of online banking services (if any).
3. The unit shall not send SMS messages or emails to clients containing hyperlinks to access websites, except at the request of the client.
Article 18. Instructions for customers to use online banking services
1. Units shall develop processes and manuals on installation and use of software, applications and equipment for conducting online banking transactions and provide clients with instructions on how to apply these processes and use these manuals.
2. Units shall instruct clients to implement measures for ensuring safety and confidentiality when using online banking services, at least the following:
a) Protecting passwords, PINs and OTPs and not sharing equipment storing such information;
b) Principles of creating and changing passwords and PINs of electronic transaction accounts;
c) Not using public computers to access the online banking system or conduct transactions; not using public Wi-Fi networks when using online banking services;
d) Not saving usernames and passwords, PINs on browsers;
dd) Logging out from online banking application software after using them;
e) Identifying and taking actions against circumstances of phishing or fake websites, online banking application software;
g) Fully installing security patches for operating systems and mobile banking application software; considering installing anti-malware software and updating the latest malware identification pattern on personal devices used for transactions;
h) Selecting authentication forms with the level of security and confidentiality as prescribed, conformable with their demand with regard to transaction limits;
i) Giving warnings of the risks related to the use of online banking services;
k) Not using unlocked (jailbroken or rooted) mobile devices to download and use the online banking application software or OTP generator software;
l) Not installing strange software, unlicensed software, or software of unknown origin;
m) Promptly notifying the unit when detecting extraordinary transactions;
n) Immediately notifying the unit of the loss of, or damage to OTP generators, phone numbers to receive SMS, devices storing e-signature-generating keys; and cases of fraudulence or suspicious fraudulence; or attacks or suspicious attacks by hackers.
3. Units shall provide customers with information about their focal points for receiving information, hotlines and instructions on the process and methods for coordinated handling of errors and incidents occurring in the course of using the online banking services.
4. The unit must explain to the client about the specific cases in which the unit will contact the client, the method and means of communication during the client's use of online banking services.
Article 19. Client information confidentiality
Units shall apply measures for ensuring security and confidentiality of client information data, at least the following:
1. Client data must be kept safe and secure in accordance with the law.
2. Information used to authenticate client transactions, including passwords, PINs and biometric information, must be stored using encryption or masking measures to ensure confidentiality.
3. Establishing the right to access client data for the personnel in charge of accessing such data according to their functions and tasks; and taking measures for monitoring each access.
4. Taking measures for managing access to equipment and devices used to store client data to prevent the risk of exposure and leakage of data.
5. Notifying clients when there is an incident that causes client data exposure and leakage, and promptly reporting to the State Bank of Vietnam (the Information Technology Department).
Chapter III
IMPLEMENTATION PROVISIONS
Article 20. Reporting regime
Units providing online banking services shall send reports to the State Bank of Vietnam (the Information Technology Department) as follows:
1. Reports on provision of online banking services:
a) Time limit for sending reports: At least 10 working days before the official provision of online banking services;
b) Reporting contents:
(i) Website address or application store;
(ii) The official date of provision;
(iii) Solutions to check clients accessing online banking services; forms of transaction authentication applicable to each type of transaction and transaction limits (if any);
(iv) Certified copies of security and confidentiality assurance, fraud and counterfeit prevention as prescribed in Clause 5 and Clause 7 Article 11 of this Circular.
2. Irregular reports at the request of the State Bank.
Article 21. Responsibilities of units affiliated to the State Bank
1. The Information Technology Department shall follow, examine and cooperate with related units to handle difficulties arising in the course of implementation of this Circular.
2. The Banking Supervisory Agency shall inspect and supervise the implementation of this Circular and handle violations in accordance with law.
3. The State Bank branches of provinces and cities shall inspect and supervise the implementation of this Circular by intermediary payment service providers in localities (except for the National Payment Corporation of Vietnam - NAPAS) and handle violations in accordance with law.
Article 22. Effect
1. This Circular takes effect from January 1, 2025, except for provisions in Clauses 2, 3 and 4 of this Article.
2. Point b Clause 1 Article 4, Point d Clause 9 Article 7 and Clause 4 Article 8 take effect from July 1, 2025.
3. Point b Clause 1 Article 10 takes effect from January 1, 2026.
4. Point c Clause 5 Article 11, Point c Clause 7 Article 11 and Point b (iv) Clause 1 Article 20 take effect from July 1, 2026.
5. The following documents cease to be effective from the effective date of this Circular:
a) Circular No. 35/2016/TT-NHNN dated December 29, 2016, of the Governor of the State Bank, prescribing safety and confidentiality in provision of banking services on the Internet;
b) Circular No. 35/2018/TT-NHNN dated December 24, 2018, of the Governor of the State Bank, amending and supplementing a number of articles of Circular No. 35/2016/TT-NHNN dated December 29, 2016, of the Governor of the State Bank, prescribing safety and confidentiality in provision of banking services on the Internet.
6. Article 25 of Circular No. 09/2020/TT-NHNN dated October 21, 2020, of the Governor of the State Bank, promulgating the security of information systems in banking operations, is hereby annulled.
Article 23. Transitional provisions
1. Transactions registered for automatic debiting of payment accounts, automatic debiting of e-wallets, and automatic payment from clients' cards made before the effective date of this Circular shall continue to be implemented until the end of the term of the signed agreement; in case the agreement does not specify a term, it shall continue to be implemented until December 31, 2026. Amendments, supplements, and extensions of agreements must comply with Clause 2 Article 10 of this Circular.
2. Passwords and PINs that are in use before the effective date of this Circular shall continue to be used until the client changes them or until the end of their validity period. From the effective date of this Circular, passwords and PINs must comply with Clauses 1 and 2 Article 11 of this Circular upon changes.
Article 24. Implementation organization
Chief of Office, Director of the Information Technology Department, heads of units affiliated to the State Bank of Vietnam, Chairpersons of the Boards of Directors, Chairpersons of the Members' Councils and General Directors (Directors) of credit institutions, foreign bank branches, intermediary payment service providers and credit information providers shall implement this Circular./.
FOR THE GOVERNOR
APPENDIX 01
CLASSIFICATION OF ONLINE PAYMENT TRANSACTIONS
(Attached to Circular No. 50/2024/TT-NHNN dated October 31, 2024, of the Governor of the State Bank of Vietnam)
No. | Type of transaction | Type-A transaction | Type-B transaction | Type-C transaction | Type-D transaction |
I | Individual client | | | | |
1 | Group I.1: - Transferring money between payment accounts, debit cards, personalized prepaid cards (hereinafter referred to as cards) of a client within a payment service provider. - Transferring money between e-wallets of a client in an intermediary payment service provider. | All transactions. | | | |
2 | Group I.2: - Legal payment transactions for goods and services that are provided by payment service providers and intermediary payment service providers or at payment-accepting units selected, appraised, monitored and managed by payment service providers and intermediary payment service providers. | Transactions satisfying the following conditions: G + T ≤ VND 5 million. | Transactions satisfying the following conditions: (i) G + T > VND 5 million. (ii) G + T ≤ VND 100 million. | Transactions satisfying the following conditions: (i) G + T > VND 100 million. (ii) G + T ≤ VND 1.5 billion. | Transactions satisfying the following conditions: G + T > VND 1.5 billion. |
3 | Group I.3: - Transferring money between payment accounts, cards, e-wallets of different account holders, card holders, e-wallet owners. - Transferring money between accounts, cards, and e-wallets opened at different payment service providers, card issuers, and intermediary payment service providers. - Depositing money into e-wallet (1). - Withdrawing money from e-wallet. | Deposit and withdrawal transactions between e-wallets and VND accounts of e-wallet owners at affiliated banks as prescribed by law must satisfy the following conditions: (i) G ≤ VND 10 million. (ii) G + Tksth ≤ VND 20 million. | Transactions (other than deposit and withdrawal transactions between e-wallets and VND accounts of e-wallet owners at affiliated banks as prescribed by law) must satisfy the following conditions: (i) G ≤ VND 10 million. (ii) G + Tksth ≤ VND 20 million. | Transactions falling into any of the following cases: 1. Case 1: Transactions satisfying the following conditions: (i) G ≤ VND 10 million. (ii) G + Tksth > VND 20 million. (iii) G + T ≤ VND 1.5 billion. 2. Case 2: Transactions satisfying the following conditions: (i) G > VND 10 million. (ii) G ≤ VND 500 million. (iii) G + T ≤ VND 1.5 billion. | Transactions falling into any of the following cases: 1. Case 1: Transactions satisfying the following conditions: (i) G ≤ VND 10 million. (ii) G + Tksth > VND 20 million. (iii) G + T > VND 1.5 billion. 2. Case 2: Transactions satisfying the following conditions: (i) G > VND 10 million. (ii) G ≤ VND 500 million. (iii) G + T > VND 1.5 billion. 3. Case 3: Transactions satisfying the following conditions: G > VND 500 million. |
4 | Group I.4: Overseas interbank money transfer (2). | | | Transactions satisfying the following conditions: (i) G ≤ VND 200 million. (ii) G + T ≤ VND 1 billion. | Transactions falling into any of the following cases: 1. Case 1: Transactions satisfying the following conditions: (i) G ≤ VND 200 million. (ii) G + T > VND 1 billion. 2. Case 2: Transactions satisfying the following conditions: G > VND 200 million. |
II | Institutional client (3) | | | | |
1 | Group II.1: Transferring money between payment accounts or e-wallets of the same client within a payment service provider or intermediary payment service provider. | | All transactions. | | |
2 | Group II.2: - Transferring money between payment accounts, e-wallets of different account holders, e-wallet owners. - Transferring money between accounts, and e-wallets opened at different payment service providers, and intermediary payment service providers. - Legal payment transactions for goods and services that are provided by payment service providers and intermediary payment service providers or at payment-accepting units selected, appraised, monitored and managed by payment service providers and intermediary payment service providers. - Depositing money into e-wallet (1). - Withdrawing money from e-wallet. | | | Transactions satisfying the following conditions: (i) G + T ≤ VND 1 billion. (ii) G + T ≤ VND 10 billion. | Transactions falling into any of the following cases: 1. Case 1: Transactions satisfying the following conditions: (i) G + T ≤ VND 1 billion. (ii) G + T > VND 10 billion. 2. Case 2: Transactions satisfying the following conditions: G > VND 1 billion. |
3 | Group II.3: Overseas interbank money transfer. | | | Transactions satisfying the following conditions: (i) G ≤ VND 500 million. (ii) G + T ≤ VND 5 billion. | Transactions falling into any of the following cases: 1. Case 1: Transactions satisfying the following conditions: (i) G ≤ VND 500 million. (ii) G + T > VND 5 billion. 2. Case 2: Transactions satisfying the following conditions: G > VND 500 million. |
Note:
G: Transaction value.
Tksth: Total value of type A and type B transactions of each group of transaction types performed by a payment account or a card (including e-wallet top-up transactions) or an e-wallet (excluding e-wallet top-up transactions) of a client at a payment service provider or intermediary payment service provider, excluding transactions of automatic debiting of payment accounts, automatic debiting of e-wallets and automatic payment from cards. Tksth is reset to 0 at the beginning of the day and immediately after the client performs a transaction during the day using an authentication form for type C or type D transactions.
T: Total value of each group of transaction types performed during the day (by a payment account or a card (including e-wallet top-up transactions) or an e-wallet (excluding e-wallet top-up transactions) of a client at a payment service provider or intermediary payment service provider), excluding transactions of automatic debiting of payment accounts, automatic debiting of e-wallets and automatic payment from cards.
(1) For transactions to deposit money into the e-wallet from the e-wallet owner's VND account at an affiliated bank, the transaction classification is based on the payment account linked to the e-wallet.
(2) The conversion limit is based on the exchange rate at the time of the transaction.
(3) In case the client is a business household or a micro-enterprise applying a simple accounting regime, the transaction classification is similar to that of an individual client.
APPENDIX 02
ONLINE PAYMENT TRANSACTION AUTHENTICATION
(Attached to Circular No. 50/2024/TT-NHNN dated October 31, 2024, of the Governor of the State Bank of Vietnam)
No. | Transaction | Minimum online payment transaction authentication form: individual client | Minimum online payment transaction authentication form: institutional client |
1 | Type-A transaction | - Password or PIN (if authenticated at the login step, authentication is not required at the transaction step). | - Password or PIN (if authenticated at the login step, authentication is not required at the transaction step). |
2 | Type-B transaction | - SMS OTP or Voice OTP or Email OTP; or - OTP matrix card; or - Basic or advanced Soft OTP/Token OTP; or - Two-channel; or - Device-based biometric information matching (1); or - FIDO; or - E-signatures; or - Safe e-signatures. | - SMS OTP or Voice OTP or Email OTP; or - OTP matrix card; or - Matching the device biometric information of the legal representative or the individual authorized by the legal representative (if any). |
3 | Type-C transaction | - OTP sent via SMS/Voice or basic Soft OTP/Token OTP or e-signatures, and - Matching the correct biometric information. | - Basic Soft OTP/Token OTP; or - Two-channel; or - E-signatures. |
4 | Type-D transaction | - Advanced Soft OTP/Token OTP, or FIDO, or safe e-signatures, and - Matching the correct biometric information. | - Advanced Soft OTP/Token OTP; or - FIDO; or - Safe e-signatures. |
Note:
- Authentication forms are detailed in Article 11 of this Circular.
- Type-D transaction authentication methods may be used to authenticate transactions of types A, B and C.
- Type-C transaction authentication methods may be used to authenticate transactions of types A, and B.
- Type-B transaction authentication methods may be used to authenticate transactions of type A.
- In case the client is a business household or a micro-enterprise applying a simple accounting regime, the transaction authentication form to be applied is similar to that of an individual client. In which, for the form of matching biometric information and the form of matching device-based biometric information, the biometric information used for comparison is that of the legal representative or the individual authorized by the legal representative (if any).
(1) In case where the client has logged in the online banking application by matching the device-based biometric information, such authentication measure shall not be applied when conducting transaction in that login session.
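Appendix 01 and Appendix 02 together define an algorithm: classify each transaction of the day by its value and the running totals T and Tksth, then require the authentication form of that type (or of a stronger type). The following worked example is added here and is not part of the Circular or of any unit's system. It covers the individual-client groups I.1 to I.4 and the individual-client column of Appendix 02 only; the factor names (`sms_otp`, `otp_basic`, `biometric`, and so on) are this example's own labels for the forms in Article 11, and it assumes, as a simplification, that the authentication form actually used matches the transaction type, so that Tksth resets right after any type C or D transaction. The day of transactions in `demo_day()` is constructed sample data.

```python
"""Added example, not part of Circular 50/2024/TT-NHNN or any unit's software:
classify an individual client's online payment transactions using the Appendix 01
thresholds and check the Appendix 02 minimum authentication form.  Amounts are
VND; the day of transactions in demo_day() is constructed sample data."""
from dataclasses import dataclass, field

M = 1_000_000                     # VND million
BN = 1_000 * M                    # VND billion


def classify_individual(group, G, T, Tksth, wallet_bank=False):
    """Appendix 01, individual client (groups I.1 to I.4).
    G: this transaction's value; T and Tksth: the day's running totals for this
    group *before* this transaction, as defined in the notes of Appendix 01.
    wallet_bank: deposit/withdrawal between an e-wallet and the owner's own VND
    account at an affiliated bank (the only Group I.3 case that can be type A)."""
    if group == "I.1":
        return "A"                                    # all transactions
    if group == "I.2":
        s = G + T
        return "A" if s <= 5 * M else "B" if s <= 100 * M else "C" if s <= 1500 * M else "D"
    if group == "I.3":
        if G <= 10 * M and G + Tksth <= 20 * M:
            return "A" if wallet_bank else "B"
        if G > 500 * M:
            return "D"                                # type D, case 3
        # G <= 10M with G + Tksth > 20M, or 10M < G <= 500M: the daily total decides
        return "C" if G + T <= 1500 * M else "D"
    if group == "I.4":
        if G > 200 * M:
            return "D"                                # type D, case 2
        return "C" if G + T <= 1 * BN else "D"
    raise ValueError(f"unknown group {group!r}")


@dataclass
class DayLedger:
    """Running T and Tksth per group for one client, following the Appendix 01 notes.
    Assumption: the authentication form used matches the transaction type, so Tksth
    resets right after any type C or D transaction."""
    T: dict = field(default_factory=dict)
    Tksth: dict = field(default_factory=dict)

    def record(self, group, G, wallet_bank=False):
        T, Tk = self.T.get(group, 0), self.Tksth.get(group, 0)
        tx_type = classify_individual(group, G, T, Tk, wallet_bank)
        self.T[group] = T + G
        self.Tksth[group] = Tk + G if tx_type in "AB" else 0
        return tx_type


# Factor labels are this example's own; they map onto the Appendix 02 wording.
TYPE_B_ANY = {"sms_otp", "voice_otp", "email_otp", "otp_matrix", "otp_basic",
              "otp_advanced", "two_channel", "device_biometric", "fido",
              "e_signature", "safe_e_signature"}
TYPE_C_FIRST = {"sms_otp", "voice_otp", "otp_basic", "e_signature"}   # plus biometric
TYPE_D_FIRST = {"otp_advanced", "fido", "safe_e_signature"}            # plus biometric
ORDER = "ABCD"


def meets_exactly(tx_type, factors, biometric_login=False):
    """Does this factor set satisfy the Appendix 02 row for tx_type (individual client)?"""
    f = set(factors)
    if tx_type == "A":
        return bool(f & {"password", "pin"})
    if tx_type == "B":
        if biometric_login:            # footnote (1): device biometrics already used at login
            f.discard("device_biometric")
        return bool(f & TYPE_B_ANY)
    if tx_type == "C":
        return bool(f & TYPE_C_FIRST) and "biometric" in f
    if tx_type == "D":
        return bool(f & TYPE_D_FIRST) and "biometric" in f
    raise ValueError(f"unknown transaction type {tx_type!r}")


def meets_minimum(tx_type, factors, biometric_login=False):
    """Appendix 02 note: a stronger type's methods may authenticate a weaker type."""
    return any(meets_exactly(t, factors, biometric_login)
               for t in ORDER[ORDER.index(tx_type):])


def demo_day():
    """Constructed sample: five Group I.3 transfers to other people's accounts in one day."""
    ledger = DayLedger()
    return [ledger.record("I.3", G) for G in (8 * M, 9 * M, 5 * M, 6 * M, 600 * M)]


if __name__ == "__main__":
    print(demo_day())                                        # ['B', 'B', 'C', 'B', 'D']
    print(meets_minimum("C", {"sms_otp", "biometric"}))      # True
    print(meets_minimum("D", {"sms_otp", "biometric"}))      # False
```

The sample day shows the Tksth mechanism at work: two VND 8 million and 9 million transfers are type B, the third (VND 5 million) pushes G + Tksth past VND 20 million and becomes type C, after which Tksth resets so the next VND 6 million transfer is type B again, and a VND 600 million transfer is type D regardless of the totals. `meets_minimum` is the check a unit's transaction service would apply before executing the order, with the Appendix 02 note folded in so that, for example, FIDO alone is accepted for a type A transaction but an SMS OTP with biometric matching is not accepted for type D.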
APPENDIX 03
CLASSIFICATION OF ONLINE CARD PAYMENT TRANSACTIONS
(Attached to Circular No. 50/2024/TT-NHNN dated October 31, 2024, of the Governor of the State Bank of Vietnam)
No. | Type of transaction | Type-E transaction | Type-F transaction | Type-G transaction |
1 | Legal payment transactions for goods and services that are provided by payment service providers or at merchants selected, appraised, monitored and managed by payment service providers. | Transactions satisfying the following conditions: G + T ≤ VND 5 million. | Transactions satisfying the following conditions: (i) G + T > VND 5 million. (ii) G + T ≤ VND 100 million. | Transactions satisfying the following conditions: G + T > VND 100 million. |
Note:
G: Transaction value.
T: Total value of transactions made during the day by the client's active card at a card issuer, excluding transactions actively paid by the card issuer from the card according to the agreement with the client.
APPENDIX 04
ONLINE CARD PAYMENT TRANSACTION AUTHENTICATION
(Attached to Circular No. 50/2024/TT-NHNN dated October 31, 2024, of the Governor of the State Bank of Vietnam)
No. | Transaction | Minimum online card payment transaction authentication form |
1 | Type-E transaction | Password or PIN (if authenticated at the login step, authentication is not required at the transaction step). |
2 | Type-F transaction | - SMS OTP or Voice OTP or Email OTP; or - OTP matrix card; or - Basic Soft OTP/Token OTP; or - Device-based biometric information matching; or - Two-channel. |
3 | Type-G transaction | - Advanced Soft OTP/Token OTP; or - FIDO; or - E-signatures/safe e-signatures; or - EMV 3DS. |
Note:
- Authentication forms are detailed in Article 11 of this Circular.
- Type-G transaction authentication methods may be used to authenticate transactions of types E and F.
- Type-F transaction authentication methods may be used to authenticate transactions of type E.