Decree 94/2025/ND-CP on regulatory sandbox mechanism in the banking sector

DECREE

Providing the regulatory sandbox in the banking sector^[1]

Pursuant to the February 18, 2025 Law on Organization of the Government;

Pursuant to the June 16, 2010 Law on the State Bank of Vietnam;

Pursuant to the January 18, 2024 Law on Credit Institutions;

At the proposal of the Governor of the State Bank of Vietnam;

The Government promulgates the Decree providing the regulatory sandbox in the banking sector.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

1. This Decree provides the regulatory sandbox in the banking sector (below referred to as the regulatory sandbox) for the provision of new products, services and business models through the application of technology solutions (below referred to as financial technology solutions).

2. Financial technology solutions to be used in the regulatory sandbox include:

a/ Credit scoring;

b/ Data sharing via open applications programming interfaces;

c/ Peer-to-peer lending.

Article 2. Subjects of application

1. Credit institutions and foreign bank branches specified in the Law on Credit Institutions (not applicable to those specified at Point c, Clause 2, Article 1 of this Decree).

2.  Financial technology companies.

3. Competent state agencies.

4. Customers and other organizations and individuals related to the regulatory sandbox.

Article 3. Interpretation of terms

In this Decree, the terms below are construed as follows:

1. Financial technology (fintech) company means an organization other than a credit institution or foreign bank branch that has a lawful establishment license or business registration certificate in Vietnam’s territory; and provides, on its own or through cooperation with credit institutions and foreign bank branches, fintech solutions to the market.

2. Organization participating in the regulatory sandbox means a credit institution, foreign bank branch or fintech company that has been granted a certificate of participation in the regulatory sandbox by the State Bank of Vietnam (below referred to as the State Bank).

3. Peer-to-peer lending solution means an information technology application solution provided by a peer-to-peer lending company to connect information and provide assistance for contract conclusion via a digital platform between customers as borrowers and the lender. The currency used in peer-to-peer lending solution is Vietnam dong (VND).

4. Peer-to-peer lending company means a fintech company that provides peer-to-peer lending solutions to its customers.

5. Open Application Programming Interface (open API) means a standardized set of APIs that can be used by computer systems of credit institutions, foreign bank branches, fintech companies and other third parties to send service requests to systems of credit institutions and foreign bank branches sharing such open API.

6. Credit scoring means an information technology system application solution of credit institutions, foreign bank branches and fintech companies to score the creditworthiness of an individual or organization in order to support a credit extension decision of credit institutions and foreign bank branches.

7. Customer means an organization or individual that has the contractual relationship with, and directly uses fintech solutions provided by, an organization participating in the regulatory sandbox.

8. Users of peer-to-peer lending solutions provided by peer-to-peer lending companies include lenders that are legal persons (including also credit institutions and foreign bank branches) established in accordance with Vietnam’s law or individuals bearing the Vietnamese citizenship; and borrowers that are legal persons (excluding credit institutions and foreign bank branches) established in accordance with Vietnam’s law or individuals bearing the Vietnamese citizenship.

Article 4. Objectives of the regulatory sandbox

1. To promote innovation and modernization of the banking sector, thereby achieving the goal of financial inclusion for the people and enterprises in a transparent, convenient, safe, efficient and cost-effective manner.

2. To create a testing environment to assess risks, costs and benefits of fintech solutions; to facilitate the formulation and development of fintech solutions to meet the market demand and conform to the legal framework and management regulations.

3. To mitigate risks to customers using fintech solutions provided by organizations participating in the regulatory sandbox.

4. To use results of the pilot application of fintech solutions as a practical basis for competent state agencies to research, formulate and improve relevant legal frameworks and management regulations when necessary.

Article 5. Principles for approval of organizations participating in the regulatory sandbox

In order to ensure fairness, objectivity, publicity and transparency, the approval of organizations participating in the regulatory sandbox shall be carried out in adherence to the following basic principles:

1. The process of approval of organizations participating in the regulatory sandbox must ensure the transparency of criteria, conditions and procedures for assessment and selection.

2. That an organization is approved to participate in the regulatory sandbox does not mean that such organization satisfies the law-specified business and investment conditions.

3. Credit institutions, foreign bank branches and fintech companies that do not wish to participate in the regulatory sandbox or have yet to be approved to participate in the regulatory sandbox shall operate and comply with the current regulations on enterprises and investment, and other relevant regulations.

Article 6. Testing period, space and scope

1. The maximum testing period of fintech solutions is 2 years, depending on each solution and specific field, which shall be counted from the date the State Bank grants a certificate of participation in the regulatory sandbox. This period may be extended under Article 20 of this Decree.

The validity duration of a certificate of participation in the regulatory sandbox must not exceed the validity duration (if any) of the establishment license or the business registration certificate of the organization participating in the regulatory sandbox.

2. Testing space:

The testing of fintech solutions shall be carried out within Vietnam’s territory but may not be carried out on a cross-border basis.

3. Testing scope:

a/ An organization participating in the regulatory sandbox may only provide fintech solutions within the scope specified in its certificate of participation in the regulatory sandbox;

b/ Depending on fintech solutions and specific proposals of organizations applying for participation in the regulatory sandbox in their dossiers of application for participation in the regulatory sandbox, and opinions of related ministries, the State Bank shall decide on the testing scope of fintech solutions in their certificates of participation in the regulatory sandbox;

c/ A peer-to-peer lending company may only provide peer-to-peer lending solutions within the testing scope specified in its certificate of participation in the regulatory sandbox granted by the State Bank under this Decree. Peer-to-peer lending companies participating in the regulatory sandbox may neither carry out business activities other than those specified in their certificates of participation in the regulatory sandbox nor provide by themselves security measures for loans of their customers nor operate in the capacity as customers and provide peer-to-peer lending solutions to pawn service companies.

Article 7. Principles for preparation and submission of dossiers of registration for participation in the regulatory sandbox, adjustment of tested solutions, testing termination, extension of the testing period, and application for certificate of testing completion

1. A dossier shall be prepared in Vietnamese. The dossier’s documents that are issued, notarized or certified by foreign competent authorities shall be consularly legalized in accordance with Vietnam’s law (except cases of exemption from consular legalization in accordance with the regulations on consular legalization) and translated into Vietnamese.

2. Copies of dossiers and documents must be certified true copies, copies issued from master registers, or copies accompanied by the originals for collation in accordance with law. In case of online dossier submission, the regulations on administrative procedures in the electronic environment shall apply.

3. Curricula vitae must have the applicants’ signatures authenticated in accordance with regulations.

4. Dossiers shall be sent by post (via postal service) or by hand-delivery to the State Bank’s Single-Window Division or online to the State Bank’s Public Service Portal or the National Public Service Portal.

5. Organizations applying for a certificate of participation in the regulatory sandbox, adjustment of tested solutions, testing termination, or extension of the testing period, or for a certificate of testing completion shall take total responsibility before law for the accuracy and truthfulness of provided information.

Chapter II

REGISTRATION FOR, AND GRANT OF CERTIFICATES OF, PARTICIPATION IN THE REGULATORY SANDBOX

Section 1

FOR FINTECH SOLUTIONS SPECIFIED AT POINTS A AND B, CLAUSE 2, ARTICLE 1

Article 8. Conditions and criteria for participation in the regulatory sandbox

1. A credit institution currently not under special control in accordance with the Law on Credit Institutions or a foreign bank branch may be considered for grant of a certificate of participation in the regulatory sandbox when its fintech solution satisfies the following criteria:

a/ Having technical and professional contents that are not specifically and clearly guided by current regulations for implementation and application;

b/ Being of innovative nature that may bring about benefits and added value to service users in Vietnam, particularly for solutions that support and promote the achievement of the goal of financial inclusion;

c/ Having helped design and build a risk management framework and mitigate adverse impacts on the banking system and banking-monetary-foreign exchange operations; having helped formulate a plan on handling and remediation of risks occurring during the testing process, and a plan on protection of consumers’ interests;

d/ Having been fully reviewed and assessed by organizations participating in the regulatory sandbox in terms of operation, function, utility and usefulness;

dd/ Being feasible to be supplied to the market after the testing process is completed.

2. A fintech company may be considered for grant of a certificate of participation in the regulatory sandbox when its fintech solution satisfies the criteria specified in Clause 1 of this Article and the company satisfies the following conditions:

a/ It is a legal person lawfully established and operating in Vietnam’s territory; not undergoing division, splitting, consolidation, merger, transformation, dissolution or bankruptcy in accordance with law;

b/ Its legal representative or Chief Executive Officer must possess a university or higher degree in economics, business administration, law or information technology and have at least 2 years’ experience working as a manager or an executive officer of an organization engaged in the financial or banking sector, and does not fall into the cases banned by law from holding certain posts.

3. Organizations participating in the regulatory sandbox shall maintain their full satisfaction of the law-specified conditions throughout the course of participation in the regulatory sandbox.

Article 9. Dossier of registration for participation in the regulatory sandbox

1. An application for a certificate of participation in the regulatory sandbox, made according to Form No. 01 provided in Appendix I to this Decree, for credit institutions and foreign bank branches, or Form No. 02 provided in Appendix I to this Decree, for fintech companies.

2. Documents describing the organizational structure and management process for the implementation of the fintech solution registered for testing.

3. Resolutions of the Members’ Council or the Board of Directors and the General Meeting of Shareholders; and documents of the owner’s authorized representative in conformity with the authority stated in the Charter, on approval of the Scheme describing the fintech solution registered for participation in the regulatory sandbox.

4. The Scheme describing the fintech solution registered for participation in the regulatory sandbox, showing a simulation model or demonstration of the Fintech solution; group of potential customers; and the applicant’s full satisfaction of the criteria specified in Clause 1, Article 8 as specifically guided in Appendix II to this Decree.

5. A testing plan, stating tentative testing time, space and scope; estimated funding for testing activities; resources for testing; principles for exchange with and reporting to the State Bank during the testing period; testing termination that ensures the feasibility to fulfill obligations within 6 months after the testing termination decision is issued.

6. Personnel files, including curricula vitae (made within 6 months before the date of dossier submission), copies of degrees and diplomas proving professional qualifications and capacity of the legal representative, Chief Executive Officer, Chief Operations Officer, and key officers engaged in testing the fintech solution.

7. Copies of documents proving that the applicant is lawfully established and operates, including the establishment license or an equivalent paper; the Charter; and the investment certificate of the foreign investor (if any).

Article 10. Procedures for applying for participation in the regulatory sandbox

1. In case of sending a dossier of application for a certificate of participation in the regulatory sandbox by post (via postal service) or by hand-delivery to the State Bank’s Single-Window Division, an organization applying for participation in the regulatory sandbox shall send 2 dossier sets and 6 CDs (or 6 USBs) storing scanned copies of the complete dossier specified in Article 9 of this Decree.  

2. Within 5 working days after receiving the dossier, the State Bank shall issue a letter of confirmation of the receipt of a complete and valid dossier or request in writing the applying organization to supplement and complete the dossier. The time for dossier supplementation and completion will not be included in the dossier appraisal period.

Five working days after the State Bank sends the request for dossier supplementation and completion, if the applying organization fails to re-submit the dossier or the supplemented dossier remains incomplete, the State Bank shall issue a notice of return of the dossier to the applying organization.

3. Within 90 working days after sending a letter of confirmation of the receipt of a complete and valid dossier, the State Bank shall coordinate with related ministries in appraising the dossier, covering also an on-spot examination if necessary.

After receiving a complete and valid dossier, the State Bank shall send a consultation request to related ministries. Within 15 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

In case an on-spot examination is required, the State Bank shall send a written request to related ministries for assigning their officials to join the on-spot examination team. Within 5 working days after receiving the State Bank’s request, the related ministries shall send to the State Bank documents on assignment of officials to join the on-spot examination team. The on-spot examination shall be notified to the applying organization at least 3 working days before the examination is carried out at the working office of such organization. 

In case the dossier needs to be explained or clarified, the State Bank shall request in writing the applying organization to give explanations and complete the dossier. The applying organization may send explanations and supplemented dossier only once.

Thirty working days after the State Bank sends the request for explanation and dossier completion, if the applying organization still fails to send explanations and supplemented dossier, the State Bank shall issue a notice of return of the dossier to the applying organization. The time for explanation and dossier completion will not be included in the dossier appraisal period.

After receiving a completely supplemented dossier of the applying organization, the State Bank shall send a consultation request to related ministries. Within 10 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

4. Upon the expiration of the appraisal time limit specified in Clause 3 of this Article, the State Bank shall grant a certificate of participation in the regulatory sandbox for the applying organization that has submitted a dossier satisfying the conditions and criteria specified in Article 8 of this Decree. In case of refusal, the State Bank shall reply in writing, clearly stating the reason.

5. Within 90 days after being granted a certificate of participation in the regulatory sandbox by the State Bank, the organization shall implement its fintech solution within the scope stated in the certificate.

Section 2

FOR PEER-TO-PEER LENDING SOLUTIONS

Article 11. Conditions and criteria for participation in the regulatory sandbox

1. To be considered for grant of a certificate of participation in the regulatory sandbox, a peer-to-peer lending solution must satisfy the criteria specified in Clause 1, Article 8 of this Decree and following criteria:

a/ It provides measures to determine and manage the maximum debit balance for each borrower in the provided peer-to-peer lending solution, reports and exploits information about borrowers at the National Credit Information Center of Vietnam in order to ensure compliance with regulations on the maximum debit balance for each borrower in the provided peer-to-peer lending solution and the maximum debit balance for each borrower in all peer-to-peer lending solutions participating in the regulatory sandbox;

b/ The disbursement and payment of loans, interests and charges for transactions of customers in the peer-to-peer lending solution shall be carried out through payment accounts of such customers at credit institutions or foreign bank branches or e-wallets of customers at payment intermediary service providers;

c/ It provides measures to ensure that the term of the contract between the borrowers and the lender using the peer-to-peer lending solution participating in the regulatory sandbox does not exceed 2 years.

2. A fintech company applying for testing of a peer-to-peer lending solution may be considered for grant of a certificate of participation in the regulatory sandbox when such solution satisfies the criteria specified in Clause 1 of this Article and the company satisfies the following specific conditions:

a/ It is an enterprise lawfully established and operating in Vietnam’s territory; is not a foreign-invested enterprise; and is not undergoing division, splitting, consolidation, merger, transformation, dissolution or bankruptcy in accordance with law;

b/ Its legal representative or Chief Executive Officer holds the Vietnamese citizenship; has no criminal records; has not been sanctioned for administrative violations in the fields of finance, banking and cyber security; is not concurrently the owner or manager of any financial or banking service, pawn service or multi-level marketing enterprise; is not a tontine holder; or is not currently a member of the Board of Directors, Members’ Council or Supervisory Board, Chief Executive Officer, Chief Operations Officer or any equivalent post holder of a credit institution, foreign bank branch or payment intermediary service provider;

c/ Its legal representative or Chief Executive Officer possesses a university or higher degree in economics, business administration, law or information technology and has at least 2 years’ experience of acting as a manager or executive officer of an organization in the field of finance or banking and does not fall into the cases banned by law from holding certain posts;

d/ It satisfies the criteria on human resources and physical and technical foundations for digital platforms for application of the peer-to-peer lending solution, meeting the following minimum requirements:

Its information technology system and information storage system are located within Vietnam’s territory, operate safely and uninterruptedly, and the backup technical system is independent from the main system to prevent interruptions upon the occurrence of incidents, particularly technical and technological incidents.

Data and information of all customers and related parties are updated, stored and shared on highly secure digital platforms, ensuring transparency and openness among participants and while ensuring confidentiality of information of participants to unrelated parties in accordance with law.

Its information technology system is tested and assessed before being commissioned.

Its technical staff possess professional qualifications in the fields they are in charge of to ensure the safe and uninterrupted operation of the system.

3. Peer-to-peer lending companies participating in the regulatory sandbox shall maintain all above-mentioned conditions and criteria in the course of their participation in the regulatory sandbox.

Article 12. Dossiers of application for participation in the regulatory sandbox

A dossier of application for participation in the regulatory sandbox for a fintech company applying for testing of a peer-to-peer lending solution must comprise:

1. An application for participation in the regulatory sandbox, made according to Form No. 03 provided in Appendix I to this Decree.

2. Documents describing the company’s organizational structure, management and governance upon the implementation of the peer-to-peer lending solution expected to participate in the regulatory sandbox.

3. Resolutions of the Members’ Council or the Board of Directors and the General Meeting of Shareholders, and document of the owner’s competent representative in accordance with the Charter, on approval of the Scheme describing the peer-to-peer lending solution expected to participate in the regulatory sandbox.

4. The Scheme describing the peer-to-peer lending solution expected to participate in the regulatory sandbox as specifically guided in Appendix III to this Decree.

5. A testing plan, stating the tentative testing period, space and scope; estimated funding for testing activities, resources for testing, and principles on exchange with and reporting to the State Bank during the testing process; and termination of testing for ensuring feasibility to fulfill obligations toward customers and related parties after the issuance of the testing termination decision.

6. Personnel documents, including curricula vitae, criminal records certificate (issued within 6 months before the submission of the dossier), copies of degrees and diplomas proving professional qualifications and capacity of the legal representative or the Chief Executive Officer; and a document issued by the competent representative of the unit where the legal representative or the Chief Executive Officer has worked or is working, certifying the latter’s post and post-holding period, or copies of documents proving the latter’s post and post-holding period in the unit. 

7. Copies of documents proving that the fintech company has been lawfully established and operates, including the establishment license or equivalent paper, and the Charter.

Article 13. Procedures for applying for participation in the regulatory sandbox

1. In case of sending a dossier of application for a certificate of participation in the regulatory sandbox by post (via the postal service) or by hand-delivery to the State Bank’s Single-Window Division, an organization applying for participation in the regulatory sandbox shall send 2 dossier sets and 6 CDs (or 6 USBs) storing scanned copies of the complete dossier specified in Article 12 of this Decree.

2. Within 5 working days after receiving the dossier, the State Bank shall issue a letter of confirmation of the receipt of a complete and valid dossier or request in writing the applying organization to supplement and complete the dossier. The time for dossier supplementation and completion will not be included in the dossier appraisal period.

Within 5 working days after receiving the State Bank’s request for dossier supplementation and completion, if the applying organization fails to re-submit the dossier or the supplemented dossier remains incomplete, the State Bank shall issue a notice of return of the dossier to the applying organization.

3. Within 90 working days after sending a letter of confirmation of the receipt of a complete and valid dossier, the State Bank shall coordinate with related ministries in appraising the dossier, covering also an on-spot examination if necessary.

After receiving a complete and valid dossier, the State Bank shall send a consultation request to related ministries. Within 15 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

In case an on-spot examination is required, the State Bank shall send a written request to related ministries for assigning their officials to join the on-spot examination team. Within 5 working days after receiving the State Bank’s request, the related ministries shall send to the State Bank documents on assignment of officials to join the on-spot examination team. The on-spot examination shall be notified to the applying organization at least 3 working days before the examination is carried out at the working office of the applying organization. 

In case the dossier needs to be explained or clarified, the State Bank shall request in writing the applying organization to give explanations and complete the dossier. The applying organization may send explanations and supplemented dossier only once.

Thirty working days after the State Bank sends the request for explanation and dossier completion, if the applying organization still fails to re-submit explanations and supplemented dossier, the State Bank shall issue a notice of return of the dossier to the applying organization. The time for explanation and dossier completion will not be included in the dossier appraisal period.

After receiving a completely supplemented dossier of the applying organization, the State Bank shall send a consultation request to related ministries. Within 10 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

4. Upon the expiration of the appraisal time limit specified in Clause 3 of this Article, the State Bank shall grant a certificate of participation in the regulatory sandbox for the applying organization that has submitted a dossier satisfying the conditions and criteria specified in Articles 8 and 11 of this Decree. In case of refusal, the State Bank shall reply in writing, clearly stating the reason.

5. Within 90 days after being granted a certificate of participation in the regulatory sandbox by the State Bank, the organization shall implement its peer-to-peer lending solution within the scope stated in the certificate.

Chapter III

SUPERVISION OF THE TESTING PROCESS AND TERMINATION OF THE TESTING PERIOD

Article 14. Activities of supervising and examining the testing process 

1. The State Bank shall supervise organizations participating in the regulatory sandbox through following activities:

a/ Monitoring testing activities of organizations participating in the regulatory sandbox by:

Collecting documents, information and data from the following sources: reports, information provided by organizations participating in the regulatory sandbox specified in Article 15 of this Decree; documents, information and data collected through the on-spot examination for organizations participating in the regulatory sandbox; information provided by other competent state agencies; information provided by organizations and individuals related to the regulatory sandbox; and other sources of information provided at the request of the State Bank to serve the supervision. 

Assessing the rationality of documents, information and data; in case any documents, information or data is/are detected to be inadequate, erroneous, incorrect or inappropriate, requesting organizations participating in the regulatory sandbox to promptly provide explanations and provide accurate information.

Summarizing and analyzing documents, information and data that have been collected, assessed and examined;

b/ Assessing testing activities of organizations participating in the regulatory sandbox and fintech solutions participating in the regulatory sandbox.

Based on documents, information and data collected under Point a, Clause 1 of this Article, the State Bank shall assess testing activities of organizations participating in the regulatory sandbox and fintech solutions participating in the regulatory sandbox;

c/ Warnings and recommendations

In case of detecting potential risks during the testing process, the State Bank shall send written warnings and recommendations to organizations participating in the regulatory sandbox.

2. The State Bank shall coordinate with related competent state agencies in carrying out on-spot examinations for organizations participating in the regulatory sandbox to meet state management requirements or upon detecting problems related to risks that require collection of additional documents, information and data.

In case an on-spot examination is required, the State Bank shall send a written request to related ministries for assigning their officials to join the on-spot examination team. Within 5 working days after receiving the State Bank’s request, the related ministries shall send to the State Bank documents on assignment of officials to join the on-spot examination team. The on-spot examination shall be notified to the organization participating in the regulatory sandbox at least 3 working days before the examination is carried out at the office of such organization. 

Article 15. Regime of reporting and information provision

1. The State Bank may request organizations participating in the regulatory sandbox to provide information related to the testing process on a scheduled basis or an unscheduled basis. Based on the assessment of necessity, the State Bank may request organizations participating in the regulatory sandbox to develop monitoring software and tools to facilitate the reporting and information provision.

2. Organizations participating in the regulatory sandbox shall periodically report and provide on an unscheduled basis information about the testing process, arising risks and testing results to the State Bank under regulations. Organizations participating in the regulatory sandbox shall develop monitoring software and tools as requested by the State Bank and establish by themselves reporting indicators corresponding to specific characteristics of fintech solutions participating in the regulatory sandbox under this Decree.

3. Reports shall be presented as e-reports. E-reports may take the form of electronic data files or telegrams transmitted via the computer network or sent via information-carrying media and bearing e-signatures of legal representatives of reporting organizations in conformity with signs, transmission codes and file structures specified by the State Bank. E-reports shall be sent to the State Bank:

a/ Via the email system;

b/ Via the reporting information system of the State Bank (below referred to as the reporting information system); or,

c/ Through monitoring software or tools developed by organizations participating in the regulatory sandbox as requested by the State Bank.

4. Organizations participating in the regulatory sandbox shall send a report on a quarterly basis on operation indicators of fintech solutions participating in the regulatory sandbox, made according to the form provided in Appendix IV to this Decree, via the reporting information system. A quarterly reporting period is counted from the 1^st of the first month of a quarter to the last day of the last month of the quarter. A quarter’s report shall be submitted no later than the 15^th of the first month of the subsequent quarter.

5. Within 15 days after half of the testing period stated in the certificate of participation in the regulatory sandbox or the written approval of the extended testing period elapses, an organization participating in the regulatory sandbox shall send a report on preliminary assessment of results of the implementation of the fintech solution participating in the regulatory sandbox, made according to the form provided in Appendix V to this Decree, via the reporting information system.

6. At least 90 days before the expiration of the testing period, organizations participating in the regulatory sandbox shall send their reports on assessment of testing results, made according to the form provided in Appendix V to this Decree, via the reporting information system. In case an organization participating in the regulatory sandbox wishes to adjust its testing solution, terminate the testing process, extend the testing period or be granted a certificate of testing completion, it shall submit a report on assessment of testing results in accordance with regulations on procedures for processing dossiers for adjustment of tested solutions, termination of the testing process, extension of the testing period or grant of certificates of testing completion.

7. Within 24 hours after detecting an incident causing operation disruption or a serious risk, an organization participating in the regulatory sandbox shall immediately report thereon to the State Bank via [email protected], providing information on the time of detection of the incident or risk; and preliminarily describing the incident or risk, and send a report, made according to the form provided in Appendix VI to this Decree, within 3 working days after completing the risk or incident handling via the reporting information system.

8. If changing its legal representative or Chief Executive Officer, an organization participating in the regulatory sandbox that is a fintech company shall, within 30 days after the change occurs, send a report thereon to the State Bank and provide documents proving that the legal representative or the Chief Executive Officer satisfies the conditions for participation in the regulatory sandbox specified at Point b, Clause 2, Article 8, for the solutions specified at Points a and b, Clause 2, Article 1 of this Decree, or in Clause 2, Article 11, for peer-to-peer lending solutions.

9. Peer-to-peer lending companies shall report on credit information of customers (including borrowers and lenders) to the National Credit Information Center of Vietnam under decisions of the State Bank Governor. The National Credit Information Center of Vietnam may use credit information collected from peer-to-peer lending solutions in the regulatory sandbox to develop a national credit information database serving the management requirements of the State Bank and business and risk management activities of credit institutions, foreign bank branches, peer-to-peer lending companies and other organizations under decisions of the State Bank Governor.

Article 16. Customer protection

To protect lawful rights and interests of customers during the testing period, organizations participating in the regulatory sandbox shall:

1. Formulate and provide risk guidelines and recommendations to customers when using fintech solutions during the testing period.

2. Inform customers of the use of fintech solutions currently participating in the testing process; and provide accurate, adequate and truthful information on testing solutions, service charges, and customers’ rights and obligations for each type of solution.

3. Ensure customer information safety and confidentiality during and after the use of tested fintech solutions, unless they provide information upon request of competent state agencies in accordance with law.

4. Promulgate regulations on protection of customer information during storage and transmission through data confidentiality, encryption, anonymization and masking mechanisms. If wishing to collect, use and transfer customer information, the organizations shall obtain consent of customers and may only collect and transfer information to third parties after obtaining permission of customers or when competent state agencies so request; and take technical measures to certify the permission of customers for provision of the latter’s information to third parties.

5. Formulate, and ensure compliance with, internal processes and risk control measures to prevent unauthorized access or use of personal data, fraud and theft of personal information of customers.

6. Periodically assess risks, implement risk prevention measures during the testing process, and promptly inform customers of changes in the risk level of fintech solutions within the regulatory sandbox.

7. Formulate mechanisms and establish focal points for settlement of customers’ complaints. In case of disputes or complaints, organizations participating in the regulatory sandbox shall:

a/ Receive and take measures to handle all review requests and complaints submitted in paper form or via hotlines, online platforms or customers’ emails within 5 working days from the date of receipt;

b/ Pay compensations for damage to customers as agreed and prescribed by law.

Article 17. Adjustment of tested solutions

1. When its Fintech solution participating in the regulatory sandbox needs to be adjusted, an organization participating in the regulatory sandbox shall carry out the procedures for requesting the adjustment of such solution and may only make the adjustment after obtaining the State Bank’s approval.

2. Procedures

The organization participating in the regulatory sandbox shall send an application for adjustment of the tested solution, made according to Form No. 05 provided in Appendix I to this Decree, and a Scheme describing the adjusted solution.

Within 30 working days after receiving the application for adjustment of the tested solution, the State Bank shall assess the testing process.

When necessary, the State Bank shall send a consultation request to related ministries. Within 10 working days after receiving the request, the consulted ministries shall send their written opinions to the State Bank.

In case the dossier of application needs to be explained or clarified, the State Bank shall send a written request for the organization participating in the regulatory sandbox to give explanations or complete the dossier. The organization participating in the regulatory sandbox may submit the explanations or the completed dossier only once. If the organization participating in the regulatory sandbox fails to submit the explanations or the completed dossier within 7 working days after receiving the State Bank’s request, the State Bank shall issue a notice of return of the dossier to the organization participating in the regulatory sandbox. The time for explanation and dossier completion will not be included in the dossier processing period.

Based on the Scheme describing the adjusted solution, practical supervision, and feedback (if any) from related ministries, the State Bank shall decide on the adjustment of the tested solution or make a written refusal of the adjustment, clearly stating the reason.

Article 18. Conclusion of the testing period

The State Bank shall, based on reports on assessment of testing results of organizations participating in the regulatory sandbox, and the monitoring, supervision, contributed opinions and feedback (if any) from related ministries, develop a subsequent handling plan upon the testing termination, covering the testing termination and revocation of certificates of participation in the regulatory sandbox, extension of the testing period or certification of testing completion.

Article 19. Testing termination and revocation of certificates of participation in the regulatory sandbox 

1. The State Bank shall consider terminating the testing and revoke the certificate of participation in the regulatory sandbox it has granted in one of the following cases:

a/ The testing period specified in the certificate of participation in the regulatory sandbox or the extended testing period has expired without any extension specified in Article 20 of this Decree and not falling into the case eligible for grant of the certificate of testing completion specified in Article 21 of this Decree;

b/ The organization participating in the regulatory sandbox sends a written request for testing termination, made according to Form No. 07 provided in Appendix I to this Decree, to the State Bank;

c/ The organization participating in the regulatory sandbox is dissolved or goes bankrupt in accordance with law and sends to the State Bank a written request for testing termination, made according to Form No. 07 provided in Appendix I to this Decree;

d/ The organization participating in the regulatory sandbox fails to carry out the testing within 90 days after being granted the certificate of participation in the regulatory sandbox, except force majeure cases;

dd/ Risks arise during the supervision and examination that are assessed by related competent state agencies as serious and likely to cause significant risks and material damage to customers or make the financial-monetary market unstable; there are technical incidents that are irremediable and violate relevant regulations when there is an effective court judgment, a judgment execution decision or a decision on sanctioning of administrative violations;

e/ The organization participating in the regulatory sandbox has no longer satisfied one of the conditions and criteria for the participation in the regulatory sandbox specified in Articles 8 and 11 of this Decree but fail to take remedies in order to satisfy such condition or criterion again within 15 days after the State Bank issues a notice of its failure and urges it to take remedies;

g/ The organization participating in the regulatory sandbox violates one of the contents of the certificate of participation in the regulatory sandbox during the testing period;

h/ The peer-to-peer lending company fails to implement the measure to manage the maximum debit balance for a borrower in its peer-to-peer lending solution.

2. Handling procedures:

a/ For the case specified at Point a, Clause 1 of this Article, the State Bank shall decide to terminate the testing and revoke the certificate of participation in the regulatory sandbox when the testing period expires;

b/ For the case specified at Point b, Clause 1 of this Article:

The organization participating in the regulatory sandbox shall send to the State Bank a written request for testing termination, made according to Form No. 07 provided in Appendix I to this Decree; a report on assessment of testing results, made according to a set form provided in Appendix V to this Decree; and a testing termination plan.

Within 30 working days, the State Bank shall review and assess the entire testing process.

When necessary, the State Bank shall send a consultation request to related ministries. Within 10 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

In case the dossier needs to be explained or clarified, the State Bank shall request in writing the applying organization to give explanations and complete the dossier. The organization applying for participation in the regulatory sandbox may send explanations and completed dossier only once. Seven working days after the State Bank sends the request for dossier explanation and completion, if the applying organization still fails to send explanations and completed dossier, the State Bank shall decide to terminate the testing and revoke the certificate of participation in the regulatory sandbox.

If the applying organization sends its written explanations and completed dossier, the State Bank shall, based on the testing supervision and monitoring and feedback (if any) from related ministries, decide to terminate the testing and revoke the certificate of participation in the regulatory sandbox. The time for explanation and dossier completion will not be included in the dossier processing period.

c/ For the case specified at Point c, Clause 1 of this Article:

Within 7 working days after approving the decision on dissolution of an enterprise in accordance with the Law on Enterprises or receiving the bankruptcy declaration ruling of a people’s court in accordance with the law on bankruptcy, the organization participating in the regulatory sandbox shall send a written request for testing termination, made according to Form No. 07 provided in Appendix I to this Decree, to the State Bank.

Within 10 working days after receiving the request, the State Bank shall decide to terminate the testing and revoke the certificate of participation in the regulatory sandbox.

d/ Within 7 working days after the occurrence of cases specified at Points d, dd, e, g, and h, Clause 1 of this Article, the State Bank shall send a notice of the testing termination to the organization participating in the regulatory sandbox. Within 15 working days after receiving the State Bank’s notice, the organization participating in the regulatory sandbox shall send its written explanations.

If the organization participating in the regulatory sandbox fails to send its written explanations or the explanations are invalid, within 5 working days, the State Bank shall decide to terminate the testing and revoke the certificate of participation in the regulatory sandbox.

If the organization participating in the regulatory sandbox sends its written explanations, within 30 working days, the State Bank shall review and assess the entire testing process. When necessary, the State Bank shall send a consultation request to related ministries. Within 10 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank. 

Based on the testing supervision and monitoring and feedback (if any) from related ministries, the State Bank shall decide to terminate the testing and revoke the certificate of participation in the regulatory sandbox or send a written reply about further testing to the organization participating in the regulatory sandbox.

3. After receiving the testing termination decision from the State Bank, the organization participating in the regulatory sandbox shall:

a/ Immediately implement the testing termination plan;

b/ Promptly notify customers of the testing termination at least 30 days before officially terminating its participation in the regulatory sandbox in case of testing termination under Point a or b, Clause 1 of this Article; notify customers of the testing termination immediately after receiving the State Bank’s testing termination decision in case of testing termination under Points c, d, dd, e, g and h, Clause 1 of this Article;

c/ Terminate the introduction and provision of fintech solutions participating in the testing to new customers; and publicly announce the testing termination on its official website;

d/ Ensure customer rights and adopt a mechanism to settle complaints and pay compensation to customers in case customers suffer damage caused by the testing termination;

dd/ Organizations terminating the testing of solutions specified at Points a and b, Clause 2, Article 1 of this Decree shall fully settle all rights and responsibilities toward customers and related parties within 6 months after receiving the State Bank’s testing termination decision. Peer-to-peer lending companies terminating the testing of peer-to-peer lending solutions shall continue to settle all rights and responsibilities toward customers and related parties after the State Bank issues a testing termination decision.

e/ Send to the State Bank a written report on results of the settlement of customers’ rights and obligations following the testing termination within 5 days after the settlement is completed.

4. The testing termination for organizations participating in the regulatory sandbox does not means that they fail to satisfy the law-specified business investment conditions at the time of testing termination. Organizations shall  review and comply with current provisions on enterprise operations and investment and other relevant regulations.

Article 20. Extension of the testing period

1. At least 90 days before the conclusion of the testing period, an organization participating in the regulatory sandbox that wishes to extend the testing period shall carry out the procedures for extension of the testing period.

2. Procedures:

The organization participating in the regulatory sandbox shall send to the State Bank a written request for extension of the testing period, made according to Form No. 09 provided in Appendix I to this Decree; and a report on testing results, made according to a set form provided in Appendix V to this Decree.

Within 45 working days after receiving a written request for extension of the testing period and a report on assessment of testing results, the State Bank shall assess the entire testing process.

When necessary, the State Bank shall send a consultation request to related ministries. Within 15 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

In case the dossier needs to be explained or clarified, the State Bank shall request in writing the applying organization to give explanations and completed the dossier. The applying organization may send explanations and completed dossier only once. Seven working days after the State Bank sends the request for explanation and dossier completion, if the applying organization still fails to send explanations and supplemented dossier, the State Bank shall issue a notice of return of the dossier to the applying organization. The time for explanation and dossier completion will not be included in the dossier processing period.

Based on the report on testing results (including the usefulness of the solution), practical supervision and feedback (if any) from related ministries, the State Bank shall decide to extend the testing period or issue a written refusal, clearly stating the reason.

3. Each extension of the testing period must not exceed 1 year and the testing period may only be extended twice.

Article 21. Certificates of testing completion

1. A certificate of testing completion shall be granted by the State Bank to an organization participating in the regulatory sandbox in the following cases:

a/ As soon as official regulations on fintech solutions are completed and take effect, the organization participating in the regulatory sandbox may be granted a certificate of testing completion by the State Bank and shall comply with relevant regulations upon the testing completion;

b/ When the pilot testing of fintech solutions by the organization participating in the regulatory sandbox is assessed as not violating current regulations and fintech solutions are not regarded as conditional business activities, the organization participating in the regulatory sandbox may be granted a certificate of testing completion by the State Bank and shall implement such solutions in the market in accordance with law upon the testing completion.

2. Procedures:

An organization participating in the regulatory sandbox shall send an application for certificate of testing completion, made according to Form No. 11 provided in Appendix I to this Decree, and a report on assessment of testing results, made according to a set form provided in Appendix V to this Decree, to the State Bank.

Within 30 working days, the State Bank shall assess the entire testing process. When necessary, the State Bank shall send a consultation request to related ministries. Within 10 working days after receiving the State Bank’s consultation request, the consulted ministries shall send their written opinions to the State Bank.

Based on the report on testing results (including the usefulness of the solution), practical supervision and the feedback (if any) from related ministries, the State Bank shall grant a certificate of testing completion to the organization participating in the regulatory sandbox or issue a written refusal, clearly stating the reason.

3. The certificate of testing completion for fintech solutions participating in the regulatory sandbox is only valid within the scope regulated by this Decree and may not be used to certify the satisfaction of business investment conditions by the organization participating in the regulatory sandbox.

Chapter IV

RESPONSIBILITIES OF RELATED PARTIES

Article 22. Responsibilities of organizations participating in the regulatory sandbox

1. To be held fully responsible before law for the accuracy, completeness and truthfulness of information provided in dossiers of application for participation in the regulatory sandbox; to take responsibility for all activities during the operation and pilot implementation of fintech solutions; to fully comply with this Decree, relevant regulations and contents of certificates of participation in the regulatory sandbox during the testing period.

2. To implement the reporting regime specified in this Decree and at the request of competent state agencies.

3. To provide adequate, transparent and accurate information to customers and other organizations and individuals related to the regulatory sandbox; to comply with the advertising and communication regulations.

4. To take responsibility for providing inaccurate, untruthful or inadequate information to customers unless it can be proven that all measures specified by law have been taken to check the accuracy, adequacy and truthfulness of such information.

5. To proactively self-monitor and regularly assess risks during the testing period, regularly review and detect suspicious signs related to violations of law and promptly report thereon to competent state agencies; to closely coordinate with the State Bank and other competent state agencies during the testing period when so requested.

6. To issue internal procedures and regulations, including procedures for decentralization and authorization of powers and responsibilities of individuals and sections for developing, operating and implementing the regulatory sandbox in order to ensure traceability and control of responsibilities of related individuals and sections; procedures for handling incidents; regulations on risk management and internal control; regulations on customer information storage and security, and mechanisms for preventing personal information leakage; regulations on responsibilities of organizations participating in the regulatory sandbox for settling complaints and disputes among parties concerning the provision of fintech solutions; regulations on prevention of risks in, and examination and monitoring of, information technology systems and information storage systems, thereby ensuring safe and uninterrupted operation, formulation of plans and solutions to promptly respond to and remedy incidents.

7.  To fulfill responsibilities as agreed upon with customers and other organizations and individuals related to the regulatory sandbox as specified in this Decree and relevant laws.

8. A peer-to-peer lending company has the following additional responsibilities:

a/ To adopt measures to ensure that members of the Board of Directors, Executive Board and employees of the company do not participate as customers or loan guarantors for customers; commit fraudulent or deceptive acts or misappropriation of assets of customers and related parties;

b/ To adopt measures to examine, collate, update and verify customer information and data; to adopt measures to prevent impersonation, intervention or alteration that distorts information and data;

c/ To provide adequate information about contracts, loans, rights, responsibilities and lawful interests of customers and related parties, various interest rates and related charges before customers enter into loan agreements, and obtain customers’ confirmation that they have received adequate information from the peer-to-peer lending company;

d/ To ensure that contracts between lenders and borrowers and those between the peer-to-peer lending company and customers and related parties comply with relevant current regulations;

dd/ To adopt measures to manage the maximum debit balance of a borrower in the peer-to-peer lending solution it provides; to exploit information from the database of the National Credit Information Center of Vietnam to ensure that at the time customers (the borrower and lender) enter into a contract, the borrower does not violate the regulations on the maximum debit balance for a borrower in any and all peer-to-peer lending solutions participating in the regulatory sandbox as specified at Point e, Clause 1, Article 24 of this Decree. In case the peer-to-peer lending company participating in the regulatory sandbox fails to fulfill this responsibility, the State Bank shall consider terminating the testing or may refuse to grant a certificate of testing completion to the peer-to-peer lending company;

e/ To announce its information on its official website; to have annual financial statements audited independently and published on its official website;

g/ To store its establishment dossier; internal regulations; operational procedures; contracts between it and customers and related parties; contracts between borrowers and lenders; data and information of customers and related parties as required by law. Information and data must be stored safely, kept confidential and backed up; and to ensure the completeness and integrity of information and data to serve the examination, collation, settlement of traceability, complaints and disputes, and the provision of information upon requests of competent state agencies.

Article 23. Responsibilities of customers

1. To provide truthful and accurate information as requested by organizations participating in the regulatory sandbox.

2. To be aware of risks likely to arise when agreeing to use fintech solutions during the testing process and take responsibility for risks or losses that may occur during the testing process.

3. To coordinate with organizations participating in the regulatory sandbox in settling their rights and responsibilities upon the testing conclusion.

4. In addition to the responsibilities specified in Clauses 1, 2, and 3 of this Article, customers using peer-to-peer lending solutions have the following additional responsibilities:

a/ Borrowers shall provide accurate and adequate information about loan use purposes, commit to using loans lawfully and for proper purposes, and ensure the ability to repay both loan principals and interests as agreed upon in loan contracts. Borrowers shall ensure that their debit balance in any and all peer-to-peer lending solutions participating in the regulatory sandbox complies with the maximum debit balances specified at Point c, Clause 1, Article 24 of this Decree. In case of violation, a borrower shall take measures to reduce the debit balance and may not borrow new loans through a peer-to-peer lending solution participating in the regulatory sandbox until he/she/it meets the requirement on the maximum debit balance at Point c, Clause 1, Article 24 of this Decree;

b/ Lenders shall ensure that lending funds are lawful and may not borrow capital for on-lending;

c/ To ensure that the term of a contract between a borrower and a lender using the peer-to-peer lending solution participating in the regulatory sandbox does not exceed 2 years.

Article 24. Responsibility for organization of implementation

1. The State Bank shall:

a/ Based on complete dossiers of organizations applying for participation in the regulatory sandbox, assume the prime responsibility for, and coordinate with related ministries in, appraising dossiers of application for participation in the regulatory sandbox; assess the satisfaction of the criteria and conditions specified in this Decree for grant of certificates of participation in the regulatory sandbox for each specific case;

b/ Receive and process the adjustment of tested solutions, terminate the testing and revoke certificates of participation in the sandbox, extend the testing period, and grant certificates of testing completion;

c/ Monitor the testing process, provide guidance and address difficulties during the testing process and issue warnings of risks to organizations during their participation in the regulatory sandbox;

d/ Publicize the following information on its portal: the number of dossiers of application for participation in the regulatory sandbox for each solution that is under review and appraisal; the number of organizations participating in the regulatory sandbox; information on organizations participating in the regulatory sandbox, including their names, fintech solutions participating in the regulatory sandbox, time, space and scope of the testing; list of organizations granted certificates of testing completion; list of organizations whose solution testing has been terminated and certificates of participation in the regulatory sandbox revoked;

dd/ Assume the prime responsibility for examination and supervision of the testing process of organizations participating in the regulatory sandbox;

e/ The State Bank Governor shall decide on the maximum debit balance for a borrower in any and all peer-to-peer lending solutions participating in the regulatory sandbox;

g/ To guide peer-to-peer lending companies to connect, report and examine customer credit information with the National Credit Information Center of Vietnam;

h/ To annually synthesize and report to the Prime Minister on results of the implementation of the Decree and propose appropriate management policies for the next period.

2. The Ministry of Science and Technology shall:

a/ Provide written opinions on dossiers of application for certificates of participation in the regulatory sandbox as specified in Clause 3, Article 10; and Clause 3, Article 13 of this Decree, including the assessment of the compliance with regulations on standards and technical regulations and on e-transactions for fintech solutions participating in the regulatory sandbox;

b/ Have other responsibilities specified in Clause 4 of this Article.

3. The Ministry of Public Security shall:

a/ Provide written opinions on dossiers of application for certificates of participation in the regulatory sandbox as specified in Clause 3, Article 10; and Clause 3, Article 13 of this Decree, including the assessment of the compliance with regulations on assurance of cyber information security, and information system security by level for information systems used for fintech solutions participating in the regulatory sandbox;

b/ Have other responsibilities specified in Clause 4 of this Article.

4. Related ministries and agencies shall, within the ambit of their functions and tasks, coordinate with the State Bank in:

a/ Providing written opinions on the satisfaction of conditions and criteria for dossiers of application for participation in the regulatory sandbox; the grant of certificates of participation in the regulatory sandbox, certificates of testing completion, decisions on adjustment of tested solutions, decisions on testing termination and revocation of certificates of participation in the regulatory sandbox, decisions on extension of the testing period; coordinating with one another in the on-spot examination during the appraisal of dossiers of application for certificates of participation in the regulatory sandbox after receiving the State Bank’s written requests;

b/ Examining, managing, supervising, and providing guidance on and resolving difficulties during the testing process;

c/ Summarizing and evaluating implementation results and proposing appropriate policies.

Chapter V

IMPLEMENTATION PROVISIONS

Article 25. Effect

This Decree takes effect on July 1, 2025.

Article 26. Implementation responsibility

Ministers, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of provincial-level People’s Committees, and related organizations and individuals shall implement this Decree.

On behalf of the Government
For the Prime Minister
Deputy Prime Minister
HO DUC PHOC

* The appendices to this Decree are not translated.