Circular 64/2024/TT-NHNN deployment of open application programming interfaces in the banking sector
ATTRIBUTE
Issuing body: | State Bank of Vietnam | Effective date: | March 01, 2025 (per Article 14) |
Official number: | 64/2024/TT-NHNN | Signer: | Pham Tien Dung |
Type: | Circular | Expiry date: | Updating |
Issuing date: | 31/12/2024 | Effect status: | Known |
Fields: | Finance - Banking |
THE STATE BANK OF VIETNAM | THE SOCIALIST REPUBLIC OF VIETNAM
No. 64/2024/TT-NHNN | Hanoi, December 31, 2024
CIRCULAR
On deployment of open application programming interfaces
in the banking sector
_______________
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions dated January 18, 2024;
Pursuant to the Law on E-transactions dated June 22, 2023;
Pursuant to the Law on Cyberinformation Security dated November 19, 2015;
Pursuant to the Government’s Decree No. 52/2024/ND-CP dated May 15, 2024 on cashless payment;
Pursuant to the Government’s Decree No. 13/2023/ND-CP dated April 17, 2023 on personal data protection;
Pursuant to the Government's Decree No. 102/2022/ND-CP dated December 12, 2022 defining the functions, duties, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the Director of the Information Technology Department;
The State Bank of Vietnam hereby promulgates the Circular on deployment of open application programming interfaces in the banking sector.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation
1. This Circular prescribes the deployment of open application programming interfaces in the banking sector.
2. This Circular does not prescribe the connection and processing of data containing information within the scope of state secrets. The processing of data containing information within the scope of state secrets shall comply with respective applicable law regulations.
3. This Circular does not prescribe the connection and direct processing of data between:
a) A bank's information system and an organization's information system through the application programming interface to serve the internal operations of such organization;
b) A bank's information system and the information system of the organization hosting the electronic clearing system. The organization hosting the electronic clearing system is determined in accordance with regulations of the State Bank of Vietnam on provision of payment intermediary services.
Article 2. Subjects of application
1. Commercial banks, cooperative banks, branches of foreign banks (hereinafter referred to as banks).
2. Organizations and individuals involved in the deployment of services through open application programming interfaces in the banking sector.
Article 3. Interpretation of terms
In this Circular, the terms below are construed as follows:
1. Application Programming Interface (hereinafter abbreviated as API) means an interface that allows communication between software applications within an organization or between organizations.
2. Open Application Programming Interface in the banking sector (Open API) means a set of APIs provided by the banks for third parties to directly connect and process data for the purpose of providing services to customers. Open API includes: Basic Open API and Other Open API.
3. Open API testing system means a bank’s information system provided to a third party to test Open APIs before their official deployment.
4. Customers mean individuals using a bank's services.
5. Third party means an organization or another bank that has a contractual agreement with a bank to connect and process data via Open API for the purpose of providing services to customers.
6. Customer consent means any freely given and unambiguous indication by which the data subject signifies agreement to the processing of personal data relating to such customer.
Article 4. General principles
Banks, customers and third parties (hereinafter referred to as the parties) when deploying Open API must comply with the following requirements:
1. They must comply with law regulations on confidentiality, disclosure of customer information and personal data protection. Personal data of a customer shall only be processed for the benefit of such customer, unless otherwise prescribed by law regulations.
2. While being processed, data must be managed, stored and used for the purposes stated in the contract between the parties and in accordance with law regulations.
3. During the processing thereof, data must be kept up to date and accurate. In case of any discrepancy, correction and adjustment must be made promptly in accordance with the agreement between the parties.
Chapter II
SPECIFIC REGULATIONS ON DEPLOYMENT OF OPEN API
Section 1
REGULATIONS ON DEPLOYMENT OF OPEN API
Article 5. Principles for deployment of Open API
1. When deploying the basic Open API prescribed in Article 6 of this Circular, the banks must comply with the regulations in Appendix 01 and Appendix 02 to this Circular.
2. When deploying other Open APIs based on actual needs and in accordance with law regulations, other than those stated in the Open API directory prescribed in Article 6 of this Circular, the banks must comply with the regulations in Appendix 02 to this Circular.
3. Banks are only allowed to deploy Open APIs as prescribed at Point c, Clause 1, Article 6 to a third party such as a bank or an organization providing intermediary payment services.
Article 6. Open API directory
1. The basic Open API directory is categorized into the following groups:
a) Open APIs for querying Bank's exchange rate and interest rate information, including: Get Interest Rate Information API, Get Exchange Rate Information API;
b) Open APIs for querying customer information, including: Customer Consent and Retrieval API, Get Access Token API, Refresh Access Token API, Revoke Access Token API, Get Account List API, Get Account Information API, Get Transaction History API;
c) Open APIs for initiating payments, e-wallet top-ups, and e-wallet withdrawals, including:
(i) Open APIs for initiating payments, including: Initiate Payment API, Customer Authentication Redirect Flow API, Get Access Token Redirect Flow API, Update Payment Authentication Status Decoupled Flow API, Confirm Payment API, Get Transaction Status API, Get Payment Authentication Status Decoupled Flow API;
(ii) Open API for e-wallet top-ups, including: Top-up E-Wallet API, Confirm OTP API, Update E-Wallet Top-up Authentication Status Decoupled Flow API, Get E-Wallet Top-up Authentication Status Decoupled Flow API, Confirm E-Wallet Top-up API, Get Transaction Status API;
(iii) Open API for e-wallet withdrawals.
2. Details of the Open API directory specifications in Clause 1 of this Article are prescribed in Appendix 01 to this Circular.
Article 7. List of technical standards
1. Technical standards for deploying Open API include architectural standards, data standards, and information security standards.
2. Technical standards for deploying Open API in the banking sector are specifically prescribed in Appendix 02 to this Circular.
Article 8. Contract between a bank and a third party
A bank shall enter into a contract with a third party for the deployment of Open API, which shall include at least the following details:
1. Commitments to information security, including an agreement on ensuring information security and confidentiality when processing data through the Open APIs provided by the bank.
2. Commitment to using the data provided by the bank within the defined scope and for the intended purpose.
3. The third party must notify the bank upon discovery of any personnel's violation of network security regulations during the deployment of the Open API.
4. Information regarding the services provided to customers that are deployed through the Open API.
5. Information regarding service fees charged to customers for services deployed through the Open API (if applicable).
6. Clauses stating that the third party's information systems used for connecting to and processing data through the Open API must be assessed and classified in accordance with the Government's regulations on the security of information systems by classification.
7. Data access rights granted to the third party during the deployment of the Open API.
8. Contract termination clauses.
Article 9. Public disclosure of Open API information
Before officially connecting and processing data with a third party, a bank must publicly disclose Open API information on its official website, including at least the following information:
1. Information about the Open API testing system.
2. Open API directory deployed by the bank.
Section 2
RIGHTS AND RESPONSIBILITIES OF BANKS AND THIRD PARTIES
Article 10. Rights of the banks
1. To require third parties to provide necessary information related to the connection and processing of data via Open API.
2. Other rights prescribed in the contract with the third party.
Article 11. Responsibilities of the banks
1. Completing the information system infrastructure to deploy Open APIs to be ready to connect and process data.
2. Developing and finalizing documentation for connection and processing of data.
3. Ensuring data quality during the deployment of Open APIs. Promptly notifying the third parties of any data discrepancies and coordinating with third parties to promptly correct and adjust them.
4. Ensuring cyber safety and security for information systems deploying Open APIs, satisfying at least level 3 requirements in accordance with the Government’s regulations on the security of information systems by classification and the regulations of the State Bank of Vietnam on information system safety in banking activities.
5. Providing tools or functionality that allow customers to:
a) Look up data for which they give consent to processing by such third party;
b) Withdraw their consent in accordance with the law regulations.
6. Establishing a timeframe not exceeding 180 days for third-party access to customer information after customer consent is granted, unless otherwise agreed upon between the customer and the bank.
7. Providing information on the deployment situation of Open APIs to the State Bank of Vietnam (through the Information Technology Department) upon request.
8. Cooperating with third parties, as agreed upon, and with competent authorities to resolve issues and disputes arising during the Open API deployment process.
9. Employing technological solutions to limit the number of automated queries for customer information initiated by third parties.
10. Being held accountable for the selection, assessment, monitoring, and management of third parties.
11. Updating or revoking third-party data access rights in accordance with contractual changes.
12. Monitoring access:
a) Employing a monitoring system to detect and prevent unusual or unauthorized access attempts by third parties;
b) Maintaining logs of all Open API usage by third parties for a minimum of 03 months, with backups for at least 01 year, to facilitate audits when necessary.
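The following is an added example, not text or code from the Circular or from any bank, of how a gateway in front of a bank's Open APIs could enforce the controls listed in Article 11: the consent lookup and withdrawal tools of clause 5, the 180-day access ceiling of clause 6, the throttling of automated customer-information queries of clause 9, and the usage log, anomaly detection and retention of clause 12. The 180-day and 90-day (03 months) figures come from the Circular; the rate-limit values, scope names, denial reasons, identifiers and timestamps are constructed assumptions for illustration only.

```python
"""Consent, throttling and access-log controls modelled on Article 11 of
Circular 64/2024/TT-NHNN. Added example; limits and sample data are constructed."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

CONSENT_MAX_DAYS = 180          # Art. 11.6: ceiling on access after consent (unless agreed otherwise)
LOG_RETENTION_DAYS = 90         # Art. 11.12(b): 03 months online retention, taken as 90 days (assumption)
RATE_LIMIT = 5                  # Art. 11.9: constructed limit on automated customer-data queries ...
RATE_WINDOW = timedelta(seconds=60)  # ... per third party per 60-second window (assumption)

T0 = datetime(2025, 3, 1, tzinfo=timezone.utc)   # constructed reference clock for the samples


def at(day: int = 0, seconds: int = 0) -> datetime:
    """Constructed timestamp helper: T0 plus an offset."""
    return T0 + timedelta(days=day, seconds=seconds)


@dataclass
class Consent:
    customer_id: str
    third_party_id: str
    scopes: frozenset
    granted_at: datetime
    max_days: int = CONSENT_MAX_DAYS
    revoked_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.granted_at + timedelta(days=self.max_days)

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at()


@dataclass
class LogEntry:
    ts: datetime
    third_party_id: str
    customer_id: str
    scope: str
    allowed: bool
    reason: str


class OpenApiGateway:
    def __init__(self) -> None:
        self.consents: Dict[Tuple[str, str], Consent] = {}
        self.log: Deque[LogEntry] = deque()          # Art. 11.12(b): every third-party call is recorded
        self._calls: Dict[str, Deque[datetime]] = {}  # sliding window per third party (Art. 11.9)

    def grant_consent(self, customer_id: str, third_party_id: str, scopes, now: datetime,
                      max_days: int = CONSENT_MAX_DAYS) -> Consent:
        consent = Consent(customer_id, third_party_id, frozenset(scopes), now, max_days)
        self.consents[(customer_id, third_party_id)] = consent
        return consent

    def revoke_consent(self, customer_id: str, third_party_id: str, now: datetime) -> bool:
        """Art. 11.5(b): customer withdraws consent; returns False if nothing to revoke."""
        consent = self.consents.get((customer_id, third_party_id))
        if consent is None or consent.revoked_at is not None:
            return False
        consent.revoked_at = now
        return True

    def consents_for_customer(self, customer_id: str, now: datetime) -> List[dict]:
        """Art. 11.5(a): what the customer sees when looking up granted consents."""
        return [{"third_party": c.third_party_id, "scopes": sorted(c.scopes),
                 "expires_at": c.expires_at().isoformat(), "active": c.is_active(now)}
                for c in self.consents.values() if c.customer_id == customer_id]

    def _rate_limited(self, third_party_id: str, now: datetime) -> bool:
        window = self._calls.setdefault(third_party_id, deque())
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()                          # drop calls that left the window
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def authorize(self, third_party_id: str, customer_id: str, scope: str,
                  now: datetime) -> Tuple[bool, str]:
        """Decide one customer-data query; every decision is logged."""
        if self._rate_limited(third_party_id, now):
            return self._record(now, third_party_id, customer_id, scope, False, "rate_limited")
        consent = self.consents.get((customer_id, third_party_id))
        if consent is None:
            reason = "no_consent"
        elif consent.revoked_at is not None:
            reason = "consent_revoked"
        elif now >= consent.expires_at():
            reason = "consent_expired"                # Art. 11.6 ceiling reached
        elif scope not in consent.scopes:
            reason = "scope_not_granted"
        else:
            return self._record(now, third_party_id, customer_id, scope, True, "ok")
        return self._record(now, third_party_id, customer_id, scope, False, reason)

    def _record(self, now, tp, cust, scope, allowed, reason) -> Tuple[bool, str]:
        self.log.append(LogEntry(now, tp, cust, scope, allowed, reason))
        return allowed, reason

    def purge_expired_logs(self, now: datetime) -> int:
        """Drop online log entries older than the retention period; returns the count removed."""
        cutoff = now - timedelta(days=LOG_RETENTION_DAYS)
        removed = 0
        while self.log and self.log[0].ts < cutoff:
            self.log.popleft()
            removed += 1
        return removed

    def flag_unusual_access(self, now: datetime, window: timedelta = timedelta(minutes=10),
                            max_denials: int = 3) -> List[str]:
        """Art. 11.12(a): third parties with repeated denied attempts inside the window."""
        denials: Dict[str, int] = {}
        for entry in self.log:
            if not entry.allowed and now - entry.ts <= window:
                denials[entry.third_party_id] = denials.get(entry.third_party_id, 0) + 1
        return sorted(tp for tp, n in denials.items() if n >= max_denials)
```

Entries purged from the online log are the ones that, under clause 12(b), would already have been copied to the one-year backup; the example only models the online window. The anomaly check is deliberately simple (a burst of denials from one third party); a production deployment would feed the same log into its monitoring system rather than scan it in memory.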
Article 12. Rights and responsibilities of third parties
1. Third parties have the rights under contracts or agreements with the banks and customers.
2. A third party is responsible for:
a) Providing tools or functionality that allow customers, in an online manner, to:
(i) Look up data for which they give consent to processing by such third party;
(ii) Withdraw their consent in accordance with the law regulations.
b) Notifying customers of the terms and conditions of service and instructing customers on how to use the service.
c) Issuing a risk management process; a customer care process; a complaint handling process; a dispute resolution process; a business continuity process; and a service usage process when providing services to customers.
d) Utilizing and using data within the scope agreed upon between the parties and in accordance with the law regulations.
dd) Promptly notifying the bank of any information technology or information security incidents when deploying Open API. The form and time of notification shall be as agreed between the bank and the third party.
e) Promptly notifying the bank of any data discrepancies and coordinating with the bank to promptly correct and adjust them. The form and time of notification shall be as agreed between the bank and the third party.
Chapter III
IMPLEMENTATION PROVISIONS
Article 13. The Information Technology Department shall:
1. Assume the prime responsibility for, and coordinate with relevant affiliates to the State Bank of Vietnam, in addressing problems arising during the implementation of this Circular.
2. Monitor, summarize and report to the Governor of the State Bank on the implementation situations of the banks in accordance with this Circular.
3. Check the implementation of this Circular by the banks.
Article 14. Effect
This Circular takes effect on March 01, 2025.
Article 15. Transitional provisions
The banks that have connected and processed data directly with third parties via API or Open API for the purpose of providing services to individual customers before this Circular takes effect must:
1. Make a list of APIs, Open APIs being deployed and detailed deployment plans to ensure compliance with this Circular and send them to the State Bank of Vietnam (through the Information Technology Department), which shall be accomplished before July 1, 2025.
2. Comply with this Circular, which shall be accomplished before March 1, 2027.
Article 16. Organization of implementation
Heads of affiliates to the State Bank of Vietnam, commercial banks, cooperative banks, and branches of foreign banks shall be responsible for implementing this Circular./.
FOR THE GOVERNOR
Pham Tien Dung