Press Release on issuance of Circular No.50/2024/TT-NHNN
Hanoi, October 31, 2024 – The Governor of the State Bank of Vietnam (SBV) has issued Circular No. 50/2024/TT-NHNN stipulating the safety and security for the provision of online banking services. The new Circular takes effect from January 1, 2025, replacing Circular No.35/2016/TT-NHNN dated December 29, 2016 on the safety and security of the provision of Internet banking services (as amended and supplemented in Circular No.35/2018).
The new Circular is composed of 3 Chapters, 4 Sections and 24 Articles, specifically as follows:
1. Chapter I. General provisions, comprising 3 Articles
Stipulating the governing scope, the subjects of application, the interpretation of terms, the general principles of ensuring the safety and security of the information technology systems for the provision of online banking services, which include expanding the governing scope to cover all of the operations of the credit institutions and the foreign bank branches, the provision of payment intermediary services, and the credit information in the online environment; amending and supplementing the subjects of application to include the credit information service providers.
2. Chapter II. Specific provisions, comprising 4 Sections and 16 Articles
(i) Section 1: stipulating specific provisions on the technical infrastructure for the online banking systems, including the Internet system, the communication, and the safety and security features (Article 4); the system of servers and software (Article 5); the database management (Article 6); the online banking applications (Article 7); the mobile banking applications (Article 8).
The new Circular also supplements a number of regulations on strengthening the safety and security of mobile banking applications in line with the current IT development, specifically: supplementing the regulations on the provision of Mobile Banking applications in the official app stores provided by the mobile operators (Paragraph 1 of Article 8); supplementing the regulations on ensuring the safety for the mobile banking applications installed in the customers’ mobile devices (Paragraphs 3 & 4 of Article 8); supplementing the regulations on verifying the biometric data of the customer for his or her first use of a mobile banking application on a new device (Paragraph 6 of Article 8) (this requirement has previously been stipulated in Decision No.2345/QD-NHNN).
The new Circular supplements a number of measures aimed at strengthening safety and security and preventing the kinds of information security breaches that have occurred recently, specifically as follows: supplementing the regulations on the installation of firewall features for the databases (point b, Paragraph 1 of Article 4); supplementing the regulations on the inspection and system hardening for the server operating systems and the database management systems (point d, Paragraph 1 of Article 5, and Paragraph 3 of Article 6).
(ii) Section 2: stipulating the verification of electronic transactions through the online banking systems, including the regulations on accessing online banking applications (Article 9); verifying the transactions (Article 10); and the forms of verification (Article 11).
The new Circular stipulates the forms of verification of an electronic transaction, including the digital signature and other forms of electronic verification (such as passwords, PINs, OTPs, dual verification, biometric authentication, FIDO, EMV 3DS, or other actions that can verify a customer), which are applied to the online transactions in the banking sector. Accordingly, the new Circular specifically stipulates the forms of verification of online transactions (replacing the regulations in Decision No.2345/QD-NHNN) and supplements a number of specific regulations for some typical cases, such as virtual card payment; payments processed by end-to-end methods; transactions that are actively debited from a payment account, actively debited from an e-wallet, or actively paid from a customer’s card; online payment transactions on the National Public Service Portal, depositing into the state budget; transactions that have been registered for automatic debits from a payment account; automatic debits from an e-wallet, automatic payments from a customer’s card, and other online transactions.
(iii) Section 3: stipulating the operation management, including the human resource management for online banking systems’ administration and operations (Article 12); the management of the online banking systems’ operational environment (Article 13); the management of technical gaps and vulnerabilities (Article 14); the supervision and monitoring system of the online banking systems (Article 15); and ensuring continuous operations (Article 16).
(iv) Section 4: stipulating the protection of the customers’ rights, including: the information of online banking services (Article 17); providing guidance to customers on online banking services (Article 18); the customers’ information security (Article 19). Accordingly, Paragraph 3 of Article 17 stipulates that entities are not allowed to send SMS messages or emails containing hyperlinks to their customers, except at a customer's specific request, in order to prevent phishing via SMS messages or emails.
3. Chapter III. Enforcement, comprising 5 Articles
Stipulating the reporting requirements (Article 20); the responsibilities of the SBV entities (Article 21); the entry into force (Article 22); the transitional provisions (Article 23); and the implementation arrangements (Article 24).
Regarding the entry into force, the new Circular shall take effect from January 1, 2025. For a number of new regulations, to enable the credit institutions, the foreign bank branches, the intermediary payment service providers, and the credit information providers to revise and update their technical solutions for the implementation, the new Circular stipulates the entry into force of some specific Articles as follows:
+ Entry into force from July 1, 2025 for the regulations mentioned at Point b, Paragraph 1 of Article 4, Point d, Paragraph 9 of Article 7, Paragraphs 3 & 4 of Article 8.
+ Entry into force from January 1, 2026 for the regulations mentioned at Point b, Paragraph 1 of Article 10.
+ Entry into force from July 1, 2026 for the regulations at Point c, Paragraph 5 of Article 11, Point c, Paragraph 7 of Article 11, Point b (iv), Paragraph 1 of Article 20.
Translated by Le Hang