ONLINE PAYMENTS 1. Which types of online payment solutions are available in your country? Digital wallets[1], Internet Payment service providers[2] (IPSPs, also called as aggregated account or the third‐party biller), and Payment service providers[3] (PSPs).

2. What services do most Payment service providers (PSPs) offer in your country? Opening merchant accounts[4], or providing access to aggregated accounts, at the acquiring bank, Transact multiple payment methods, and Security services, such as risk management.

3. What categories of PSPs are available to provide digital payment services in your country? Retail PSP[5], Micropayment PSP[6], Government PSP[7] and Non‐issuing PSP[8].

4. What are the main laws and regulations that establish how PSPs are regulated and supervised in your country? Law on State Bank of Vietnam 2010, Law on Credit Institutions 2010, Decree No. 101/2012/ND‐CP on non‐cash payment as amended, Circular No. 39/2014/TT‐NHNN guiding intermediary payment services as amended, Circular No. 46/2014/TT‐NHNN guiding non‐cash payment services.

5. How many business days does it take for PSPs to obtain a license to provide digital payment services? 60 days by law.

6. What is the main authority in charge of issuing licenses and supervising PSPs in your country? The State Bank of Vietnam

7. According to the law, how long (in years) is the PSP license valid in your country? 10 years (Article 16.3 of Decree No. 101/2012/ND‐CP)

8. Which of the following documents are required for the PSP license application? Registration documents (including certificate of incorporation and the Articles of Association); The business model, specifically outlining the type of digital payment services and payment instruments envisaged; Evidence that the PSP applicant holds the minimum initial capital required; A certified copy of the bank guarantee on the initial capital; A description of the measures implemented to ensure adequate levels of operational reliability, including disaster recovery and business continuity mechanisms; A description of how the PSP Applicant will settle payment transactions accompanied by a certified copy of the agreement with a settlement bank or a designated payment system; A copy of the system rulebook, detailing the operational rules of the envisaged payment scheme; A risk management system; A report of a feasibility and risk assessment study; An internal control system; and An outsourcing agreement if any.

9. According to the law, do PSPs have to meet the requirement of minimum initial capital at the time of authorization? Yes. USD2.2 million (Article 15.2(c) of Decree No. 101/2012/ND‐CP).

10. According to the law, do PSPs have to establish at least one separate account with commercial banks to safeguard User Funds[9]? What are required for PSPs when managing the separate account(s)? They must ensure all received funds are placed in a ring‐fenced account at commercial bank exclusively dedicated for this purpose as approved by the Central Bank; Ensure that the account balance is not at any time be less than the outstanding balance owed to Users; Not use the Funds to engage in any lending activity, including (but not limited to) the provision of credit and overdraft facilities; Not invest User Funds in any type of financial asset; and Not transfer User Funds to another account used for other business activities.

11. According to the law, do PSPs have to hold and account User Funds separately from any other funds they hold for other business purposes? Yes. (Article 8.2 of Circular No. 39/2014/TT‐NHNN).

12. According to the law, do PSPs have to ensure that User Funds are covered by an insurance policy or a guarantee from a credit institution? No.

13. According to the law, do PSPs have to seek for approval from the related authority before they intend to outsource any operational functions? They cannot outsource the licensed activities (Article 6.2 of Circular No. 39/2014/TT‐NHNN).

14. According to the law, do PSPs, their agents and users have to comply with Anti‐Money Laundering and Combating of Financing of Terrorism (AML/FT) law, standards and measures? Yes. (Article 7 of Circular No. 39/2014/TT‐NHNN).

15. According to the law, which of the following documents that PSPs/agents require when performing customer due diligence processes? For any natural person users: An original copy of a valid ID card/passport For any legal person users: Investment/ Enterprise registration certificate; and Copy of passports of authorized signatories.

16. According to the law, are PSPs allowed to charge users for registration? Yes. (Articles 10‐13 of Circular No.39/2014/TT‐NHNN).

17. According to the law, do PSPs have a monthly load limit for Electronics Inc.[10] through an issued payment instrument in your country? No.

18. According to the law, do PSPs have a single payment transaction limit for Electronics Inc. through an issued payment instrument in your country? No.

19. What information is required for PSPs to disclose to Electronics Inc. upon the execution of a payment transaction? A unique reference number enabling the payer/payee to identify the payment transaction; The payment transaction amount; The identity of the payer/payee; and The date on which the payment order was placed.

20. What are the main laws and regulations that govern the payment and settlement system in the country? Decree No. 101/2012/ND‐CP, Circular No. 39/2014/TT‐NHNN, Circular No. 46/2014/TT‐NHNN.

21. Does the PSP require additional information from Electronics Inc. for cross border payment transactions? Yes. The information include Additional identity confirmation and Detailed transaction purpose.

22. Does Electronics Inc. have to pay additional service fees to the PSP for cross border e‐commerce transactions? Yes. The fees include Currency conversion fee and International transaction fee.

23. Based on the pricing model above, how much transaction fee does Electronics Inc. have to pay on a $20 transaction to the PSP in your country? Domestic e‐commerce: Below $0.05 USD dollar Cross border e‐commerce: $0.05 ‐ $0.10 USD dollar

24. What are the main laws and regulations about online payment authentication standards in your country? Law on Internet information security 2015, Law on Information Technology 2006, Law on E-transactions 2005, Circular No. 35/2015/TT‐NHNN, Circular No. 47/2014/TT‐NHNN.

25. According to the law, do PSPs have to provide two‐factor authentication using standards like 3D Secure? Yes.

26. According to the law, do PSPs and users (like Electronics Inc.) have to comply with the Payment Card Industry Data Security Standard (PCI DSS)? Yes. (Section 2, Point 3.1.3, Decision No. 488/QD‐NHNN).

27. According to the law, do PSPs and users (like Electronics Inc.) have to install Transport Layer Security (TLS) or Secure Sockets Layer (SSL) on webpage or internet browser? Yes. (Article 15 of Circular No. 47/2014/TT‐NHNN).

28. According to the law, how long (in years) does PSPs have to store and retain all user and transaction data from that of the original transaction? 20 years (Article 9.1(a) of Regulation attached to Decision No. 376/2003/QD‐NHNN).

29. According to the law, how long (in years) does a PSP have to store all details data of users’ personal information after the user relationship is terminated? 20 years from the original transaction, not depending on the relationship termination

30. According to the law, PSPs should keep user identification data and transaction records confidential and can only be made available to? The corresponding User, the State Bank of Vietnam, or By a court order in the country.

31. What are the main laws that regulate chargebacks regarding online payments in your country? The Civil Code of Vietnam, Circular No. 39/2014/TT‐NHNN.

32. The legal framework on chargebacks apply to: Fraudulent transactions, Credit and service not processed; and An error in the amount.

33. According to the law, do banks hold initial amount to cover prospected chargebacks? No.

34. Is there a legal time limit for Electronics Inc. to notify the PSP of any unauthorized/incorrectly executed payment transaction? No.

35. After a successful dispute, how many business days it usually takes for customers to get a full chargeback of the original form of payment or an Electronics Inc. gift card? 3-10 days.

36. Do PSPs set a maximum predetermined threshold of monthly chargeback rate for Electronics Inc.? No.

DIGITAL MARKETS 1. Are merchants selling goods through Electronics Inc. legally mandated to comply with a legal framework on online consumer protection? (i.e. is there an online consumer protection law in your country?) Yes. Law No. 59/2010/QH12 on Consumer Protection.’

2. Are merchants selling goods through Electronics Inc. (i.e. engaged in distance or off‐premises selling) legally mandated to comply with online information disclosure rules? Yes.

3. What information are merchants on Electronics Inc. legally mandated to disclose to consumers prior their online purchase? Full business address of the merchant (i.e. geographical address); Identity of the merchant (i.e. trading name, phone number, fax number, email address, etc.); Product information (availability, price, description, etc.); Delivery information (time, price, etc.); Information about payment processes; Information about the existence of a right of withdrawal (or cancellation); Information about complaint handling; Information about the party bearing the cost of returning the goods in case of cancellation; Information on out‐of‐court complaint and redress mechanism; Information on product guarantee, rights and obligations of the merchants and customers in each transaction.

4. Are online information disclosure rules specified above applicable to mobile devices? Yes.

5. Considering a domestic merchant selling a computer charger on Electronics Inc.’s platform, he is legally mandated to comply with the following general rules related to the right of withdrawal (or cancellation) for online purchases: Information duty: Electronics Inc. must inform the customer of his right of withdrawal Absence of reason: Electronics Inc.’s customer can withdraw from contract with no reason Withdrawal period: Electronics Inc.’s customer can withdraw from contract after receiving the product

6. What is the period (in number of days) during which the customer of Electronics Inc. can withdraw (cancel) its purchase without any penalties and without giving any reason (also called cooling‐off period), if applicable? It depends on policy of each merchant.

7. In case of a dispute between a domestic customer and a domestic merchant on Electronics Inc. for a low value sale (less than 30USD), what types of procedures are legally available for the domestic consumer acting individually? Use of the general judicial system for addressing online disputes; Use of alternative dispute resolution (ADR) mechanism such as consultations, conciliation, or mediation; and Other provision for a dispute resolution mechanism (e.g. administrative procedures before a specific authority).

8. Are merchants on Electronics Inc. legally mandated to comply with redress rules for online purchase of goods? Yes.

9. What types of remedy are legally enforced for online purchase of goods? Monetary remedy: monetary payment Non‐monetary remedy: repair, replacement

10. Is Electronics Inc, an e‐commerce platform, considered as an internet intermediary in your jurisdiction? No.

11. Bearing in mind that it processes data such as name, surname, data of birth, email address, mail address, credit card information, preferences of its customers, does Electronics Inc., an e‐commerce platform, have to comply with a legal or regulatory framework on data privacy? Yes. Decree No. 52/2013/ND‐CP.

12. Bearing in mind that Electronics Inc. is managing the data it collects, does it have to process differently non‐sensitive and sensitive personal data? Yes.

13. What categories of personal data are considered sensitive in Electronics Inc.’s jurisdiction? Political opinions, Sex life, Sexual orientation.

14. Under which conditions can Electronics Inc. lawfully process computerized personal data of its adult customers (also called data subject)? The customer has given consent to the processing of his personal data for one or more specific purposes; Processing is necessary for the performance of a contract to which the customer is party; Processing is necessary for compliance with a legal obligation to which Electronics Inc. is subject.

15. Regarding consent, what are the legal grounds on which Electronics Inc. can lawfully get its customer’s consent (the customer is an adult) when collecting (non‐sensitive, if applicable) personal data: Consent must be freely given Consent must be specific Consent must be informed Consent must be non‐ambiguous Consent must be distinguishable from (or tied to) other matters Consent must be obtained by a specific method.

16. Regarding data access, if a customer (an adult) requests Electronics Inc. information on the processing of his personal data and is ready to bear the cost of it, to what degree is Electronics Inc. obliged to provide it? The customer can access all his personal data with no condition

17. Regarding data deletion (or erasure), if a customer (an adult) requests the deletion of his personal data to Electronics Inc., to what degree is the latter obliged to comply? All personal data must be deleted (or erased) under certain conditions; and Electronics Inc. can apply suitable measures to protect the data or inform the customer that the request cannot be processed due to a technical reason or any other reasons.

18. Is Electronics Inc. required to establish a procedure for the deletion of personal data if requested by a customer (an adult)? Yes.

19. To what degree is Electronics Inc. allowed to transfer personal data of local customers (also local citizens) to non‐domestic third parties? Totally free with certain countries but subject to certain conditions.

20. What are the general conditions under which Electronics Inc. can engage in cross‐border data trade with a nondomestic third party? (general conditions exclude specific conditions such as model contract clauses, binding corporate rules or other contractual arrangements.) Adequacy approach: The country in which a non‐domestic third party is based has an “adequate level of protection”, “an equivalent protection”, “a sufficient level of protection”, or any provision entailing an adequacy approach.

21. What circumstances constitute an “adequate level of protection” when trading personal data with a third‐party country? the nature of the personal data, the country of final destination of that information, the law in force in the country in question, the international obligations of that country, any relevant codes of conduct or other rules which are enforceable in that country; any security measures taken in respect of the data in that country.

22. Bearing in mind that Electronics Inc. is considered as a data controller, does Electronics Inc. have to comply with any of the following security requirements for automated (computerized) personal data?

Adoption of an internal policy for establishing procedures for preventing and detecting violations; Performance of internal controls; Assessment of the harm that might be caused by a data breach; Awareness program among employees.

23. Bearing in mind that Electronics Inc. processes personal data for marketing purposes, is it monitored by a supervisory authority? No.

24. Does Electronics Inc. have to comply with the following administrative procedures with the supervisory authority to lawfully process personal data for marketing purposes? There is no administrative procedures to process personal data for marketing purposes.

25. Given that Language Inc.[11] and free‐lance instructors[12], based abroad, sign a local contract (Language Inc. is based in your country), what are the types of e‐signature granting the same legal status as handwritten contracts? E‐signature (click wrap, digitized signature, etc.) Digital signature (need for a public key)

26. Does Language Inc. need to comply with any requirements on the use of a specific technology (e.g. PKI) for a digital signature to have legal validity? Yes. PKI.

27. On the contrary, is any form of digital signature including the following requirements equally acceptable? The digital signature helps verify the identity of the signatory (origin).

28. Does the use of a specific technology (e.g. PKI) grant additional legal benefits in terms of the legal recognition of the digital signature (e.g. validity in terms of burden of proof)? No.

29. Does Language Inc.’s signature need to be certified by a Certification Authority (CA) in order to be recognized as having full legal validity? Yes.

30. Do certification authorities (CAs) need a license to operate? Yes. The conditions include: (1) Being enterprises established under the laws of Vietnam; (2) Having sufficient financial capacity to establish a system of technical equipment, organization, and maintenance of activities in accordance with the scale of service provision; (3) Depositing at a commercial bank operating in Vietnam or having a guarantee of a commercial bank operating in Vietnam of not less than 5 (five) billion VND, or insurance buying commitments to solve risks and the compensation that may occur during the course of service provision and make payment for expenses receiving and maintaining database of enterprises in the event of withdrawal of licenses; (4) Having team of technical staffs, managers, administration staffs, security managers and customer service personnel meeting professional requirements and scale of services deployment of having no criminal records; (5) The legal representative having knowledge of law on digital signatures and certification service of digital signatures; (6) Suitable formulation of technical equipment system; (7) Having feasible technical plans and business plans, consistent with the technical regulations and mandatory standards to apply; (8) Having plans to control the entrance and exit of head offices, the right to access the system, right to enter, exit the place where the equipment is located for providing for certification service of digital signatures; (9) Having contingency plans to maintain the continuous, safe operation, and overcome when the problem occurs; (10) The entire system of equipment used to service providers is located in Vietnam; (11) Construction of offices, places where the machinery and equipment is located in accordance with the requirements of the law on prevention and combat of fire and explosion; having ability of fighting against floods, earthquakes, electromagnetic interference, illegal intrusion of man; and (12) Having public certification regulations in the form issued by the Ministry of Post and Telecommunications, and contents in accordance with relevant laws.

31. How many CAs are available in your jurisdiction? 6-10 CAs.

32. Please list the most popular Certification Authorities available in your city: 1: VNPT‐CA 2: CA2‐CA 3: Viettel ‐CA

33. What is the average time and cost for Language Inc. to obtain a digital signature from a certification authority (if applicable)? 5‐10 days; USD50‐210 per 15-month package

34. Does your country have a national VAT/GST scheme applying to imported services bought on the internet? Yes.

35. If applicable, is there a registration process for VAT/GST purposes for foreign‐based companies (like tutors) selling through Language Inc.? Yes. There is no threshold under which foreign‐based companies do not need to register.

BROADBAND REGULATORY FRAMEWORK

1. Does your country have a national broadband plan or policy to develop a high-speed access network? Vietnam has a national broadband plan in 2016 under Decision No. 149/QD-TTg of the Prime Minister dated 21 January 2016 approving the program on the development of broadband telecommunications infrastructure through 2020

2. What is the main body responsible for planning implementing the national broadband plan Ministry of Information and Communications is the main body to plan and implement the national broadband.

3. Does the plan include blended finance or PPP investment schemes for broadband expansion? We are not aware of the plan includes blend finance or PPP investment schemes or applicable financial instruments.

4. Does the plan include government investment in infrastructure to make broadband more broadly available? The Government focus to investment in the following area: First Mile: international gateways or the segment of a telecommunications network where the internet enters a country such as through cable landing stations or satellite links Middle Mile: national backbone networks, or the segment of a telecommunications network linking a network operator’s core network to the local network plant

5. Does the plan include investments in cross border links and networks? The plan under WTO’s Commitment include investments in cross border links. There are agreements in effect or in preparation with other countries to foster cooperation or joint investment for cross border.

6. Does the plan or policy include new internet exchange points (IXPs)? We do not see any updates related to internet exchange points in the policy

7. Does the plan have a universal service fund (USF) Yes. Vietnam has a universal service fund at http://www.vnpt.vn and there is implicit funding arrangement for USF

8. Are there fiscal incentives to accelerate internet deployment? Now there are not fiscal investment to accelerate internet deployment.

9. Does Vietnam have a unified licensing regime? Yes. WTO’s Commitment, Law on Investment 2014

10. Does Vietnam have a policy for releasing more licensed spectrum? Yes. Circular 46/2016/TT-BTTTT on list of license-exempt radio serves and accompanying technical and operational conditions.

11. Does Vietnam assign spectrum on the basis of competitive auctions? Yes. The spectrum auction winner are primarily evaluated on speed of build out, technology and quality of spectrum.

12. Does Vietnam have policies and regulations that allow the following practices for spectrum allocation? Yes. Vietnam has spectrum shortage evaluations and spectrum caps.

13. What is the duration of the spectrum license? 15 years

14. Is there equal access to shared and/or government owner infrastructure such as road, railways, water and power lines? No.

15. According to the law, does Vietnam require its cable operators to provide open access for internet services? No.

16. Does your country have unbundling and line sharing rules? No.

17. What restriction, if any, are placed on the level of foreign ownership of foreign telecom operators? We see the minimum level of local ownership mandated.

18. Are there regulations regarding portability or preventing customer lock-in No.

19. Does your country’s national broadband plan or policy set performance targets? Vietnam has the national broadband plan with minimum download speed 22.77 mbps and minimum upload speed 22.28 mbps.

20. Does Vietnam’s national broadband plan or policy allow different access technologies? Yes

21. Are there backward compatibility requirements with legacy infrastructure? Yes

22. Does Vietnam’s national broadband plan or policy set date localizations requirements Yes

23. Are there spectrum harmonization efforts in the national broadband strategies? No.

24. Does Vietnam’s national broadband plan set coverage targets? Yes. The plan includes population with broadband with 40% of the population, schools with broadband with 99% of schools and e-government with 100% national information portal, government portal.

25. Are peak usage charges allowed No.

26. Are there fiscal incentives to increase access to broadband? Yes. Incentives in rural broadband subsidies

27. Does Vietnam’s broadband plan or program include the rollout of free, public access points? Enterprise Registration Certificate ID Card or Passport of the legal representative Contract Service with the broadband provide

28. What documents are needed in order to secure a business broadband connection? Enterprise Registration Certificate ID Card or Passport of the legal representative Contract Service with the broadband provide

29. Please list what Broadband Access Providers are available to connection in Vietnam? VNPT, Viettel, FPT

*** Please do not hesitate to contact Dr. Oliver Massmann under omassmann@duanemorris.com if you have any questions or want to know more details on the above. Oliver Massmann is the General Director of Duane Morris Vietnam LLC. THANK YOU!