The State Bank of Vietnam’s Circular No. 50/2024/TT-NHNN regulating safety and security for the provision of online services in the banking sector (“Circular 50”), issued on October 31, 2024, took effect on January 1, 2025, with delayed effectiveness for certain provisions on (i) network, communication, and security systems, online banking application software, and mobile banking application software (July 1, 2025); (ii) transaction confirmation for payment transactions conducted via the straight-through processing method (January 1, 2026); and (iii) authentication forms and reporting obligations (July 1, 2026).

The cybersecurity situation in Vietnam is complicated, and the banking and finance sector has been one of the top targets of high-tech criminals. Circular 50 seeks to enhance user protection by expanding the technical requirements to more services in the banking sector as well as standardizing how transactions are authenticated.

Expanded Scope of Services Covered

Previous regulations on safety and security of online services in the banking sector only covered banking services and intermediary payment services. Circular 50 expands the scope to include other services of credit institutions and foreign bank branches such as credit information services, foreign exchange services, securities depository services, and services related to factoring and letters of credit, which now need to comply with technical requirements and standards for online services such as firewalls and DMZ network barriers.

Risk-Based Approach to Authentication

Circular 50 sets out standards for payment transactions and card transactions by:

• Classifying various online transactions based on the type of client, the purpose of the transfer, the value of the specific transaction, and the total value of certain transactions during the day; and
• Applying various types of authentication for the corresponding types of online transactions, e.g., using passwords or PINs for small-value online transactions, and using OTPs (through SMS, voice, or email), biometric matching, or e-signatures for larger-value online transactions.