On 1 November 2016, the State Bank of Vietnam (SBV) released a draft circular (Draft Circular) to replace Circular No. 29/2011/TT-NHNN on Security and Confidentiality in the Provision of Banking Services on the Internet ('Circular No. 29').
In contrast to Circular No. 29, the Draft Circular captures a wider range of online banking services performed on both electronic and telecommunication devices. If adopted as is, the Draft Circular will apply not only to all credit institutions and foreign bank branches in Vietnam but also to online payment service intermediaries (the Provider). Among other provisions, the Draft Circular requires a Provider to employ specific security measures in its IT infrastructure systems, dictates specific transaction authentication processes a Provider must employ dependent upon the value of a transaction, and lays out specific requirements for the protection of users’ data.
1. No public cloud computing for online banking system database
Under the Draft Circular, a Provider must not store its online banking system databases on a public cloud computing network. However, "public cloud computing network" is not defined.
2. Sensitive data and personal data protection
A Provider must segregate its IT infrastructure network into at least four zones: (i) [external-facing] zone connected to the Internet, (ii) demilitarized zone (DMZ), (iii) internal network zone, and (iv) server farm.
"Sensitive data," which is not defined in the Draft Circular, may not be stored in the [external-facing] zone connected to the Internet or in the DMZ. A Provider must use end-to-end encryption when sensitive data are transmitted over or stored on the Internet.
A Provider must provide users of the online banking service ("User") with detailed information, including inter alia the security measures employed on such service and hotline support. Furthermore, contracts between a User and a Provider must include, inter alia, specific commitments concerning the Provider’s protection of the User’s personal data.
3. New and specific security requirements for each component of the IT infrastructure system
The Draft Circular sets out new and specific security requirements a Provider must employ throughout its entire IT infrastructure system. For example:
- A Provider must ensure its security and confidentiality solutions in the online banking IT system meet minimum requirements, including: the use of a network firewall; anti-virus solutions; DoS attack prevention; an application firewall; and IDS/IPS.
- The online banking IT system must be configured so that any external connection passes through the DMZ.
- Remote access needed for system administration purposes must be limited and subject to specific authorization, encryption, verification, and record-keeping requirements.
- The requirements applicable to a Provider’s database management system and application software are largely the same as those under Circular No. 29.
- As to software installed on mobile devices, the Draft Circular requires encryption of both the software and the data transmitted to and from the server.
- In regard to the operation of the service, a Provider must employ software to monitor unusual and suspicious transactions and employ general security measures including, inter alia, online access control verification, surveillance software, and personnel access controls.
4. Transaction authentication – transactions with a value of USD 1,000 or more must be authenticated by, inter alia, e-signature or biometric authentication
The Draft Circular classifies a transaction into one of four categories according to its value: A, B, C and D. The Provider must employ a different authentication method depending on the category of the transaction:
- Categories A, B and C (transactions with a value lower than VND 200 million (approx. USD 1,000) and within certain total daily payment limits) can be authenticated by a one-time password (OTP) which, depending on the category, may be generated via various solutions (e.g., random matrix grid, token, software application installed on a mobile device, or two-way authentication, etc.).
- Category D, i.e., transactions of VND 200 million or more and those not falling within Categories A, B and C, must be verified by e-signature, biometric authentication, or another equally secure measure approved by the SBV.
The e-signature solution used for authentication must be licensed or approved by the competent Vietnamese authority.
If the Provider generates OTPs via a banking application which is made available on a third-party application store/website, the Provider must require the third party to undertake to use security measures to prevent the availability of potentially fraudulent applications on such store/website.
5. Other requirements
The Draft Circular also includes detailed requirements a Provider must follow on access controls, vulnerability detection, and incident response.
In particular, it sets out specific timeframes within which a Provider must review personnel access rights, evaluate system security, analyze the causes of information security incidents, assess security risks, and rehearse incident responses.
The Draft Circular is expected to take effect on 1 March 2017. As of this writing, we understand that the SBV is still collecting comments on this Draft Circular.
B. New National Technical Regulations for Cryptography Used in the Banking Field
On 21 October 2016, the Ministry of National Defense issued Circular No. 161/2016/TT-BQP promulgating three new National Technical Regulations on Civil Encryption Products (CEPs) in the Banking Field (Circular No. 161), namely:
- QCVN 4 : 2016/BQP - National technical regulation on data encryption used in banking;
- QCVN 5 : 2016/BQP - National technical regulation on digital signature used in banking; and
- QCVN 6 : 2016/BQP - National technical regulation on key management used in banking.
Circular No. 161 took effect on 9 December 2016.
Under the Law on Cyber Information Security (LOCIS) and its implementing regulations, an importer that seeks to import a certain type of CEP must, among other requirements, ensure its products are certified by the relevant conformity assessment organization appointed by the Ministry of Defense. In order to circulate CEPs in the market, LOCIS also generally requires that such products be in conformity with applicable technical regulations; such conformity should be verified and certified to this effect by the relevant authority prior to circulation.
Importers and traders of CEPs used in the banking sector may be subject to the above requirements, and if so must ensure that such CEPs conform with the applicable national technical regulations under Circular No. 161.
Please refer to our Client Alert here for further details on CEP business license and import permit requirements.
C. New Requirement for Offshore Switching Companies
On 30 June 2016, the SBV issued Circular No. 19/2016/TT-NHNN (Circular No. 19). Circular No. 19 took effect on 15 August 2016, but Article 24.2 will take effect on 1 January 2018.
If payment is made on a card with a BIN (Bank Identification Number) issued by an international card association, Article 24.2 requires the card issuer and acquirer (licensed to conduct foreign exchange transactions in Vietnam) to conduct such transaction through a switching company licensed by the SBV.
Please refer to our Client Alert on Circular No. 19 here for further details.