On October 31, 2024, the State Bank of Vietnam issued Circular No. 50/2024/TT-NHNN, establishing regulations on security and confidentiality for online banking services, marking a strategic step in building a robust legal foundation for Vietnam’s digital banking ecosystem.
As digital banking services rapidly expand and cyberattacks and data breaches become increasingly common, the banking sector must continuously enhance safety, security, and transparency in all electronic transactions. Circular 50 replaces Circular 35/2016/TT-NHNN and meets the growing demand for higher security amid Vietnam’s strong digital transformation efforts.
Effective from January 1, 2025, Circular 50/2024/TT-NHNN applies to credit institutions, foreign bank branches, intermediary payment service providers, and credit information companies. All online banking services must comply with stringent security standards to ensure safety for both banks and their customers. The Circular clearly outlines principles and technical requirements in the design, implementation, and operation of online service systems. Key highlights include:
- General Principles for Ensuring Online Banking System Security:
  - Online banking systems must achieve at least Level 3 security, with financial switching and electronic clearing systems requiring Level 4, as defined by TCVN 11930:2017 and State Bank regulations.
  - Institutions must deploy, at a minimum, application firewalls, database firewalls, and DoS/DDoS protection solutions.
  - Customer data must not be stored in Internet-facing zones or DMZs, to ensure confidentiality and integrity.
- Authentication Methods: Passwords, PINs, OTPs (SMS OTP, voice OTP, email OTP, matrix card OTP, soft OTP, token OTP); biometric authentication (complying with NIST SP 800-63B, ISO 30107, or FIDO Biometric Requirements with high accuracy); FIDO authentication; EMV 3-D Secure (for online card payments).
- All data transmitted over networks or exchanged between online banking applications and related devices must employ End-to-End Encryption and Transaction Signing.
- Transaction information and authentication logs must be stored for 3 months and backed up for 1 year. Device information (IMEI, serial number, MAC address) and transaction logs must be recorded.
- Customer data must be encrypted or masked. Applications must not store passwords, and banks are prohibited from sending links via SMS/email unless explicitly requested.
- Risk Management: Institutions must conduct annual security assessments, identify and address risks, and ensure IT equipment has clear origins.
- Reporting: Institutions must report to the State Bank 10 days before launching any service, including details on websites, apps, authentication solutions, and security certificates.
The tightened security standards under Circular 50/2024/TT-NHNN are not merely a legal compliance obligation, but a strategic advantage for banks in the digital age – building greater trust in online services.

For credit institutions, the Circular provides strong motivation to invest in IT infrastructure, standardize operational processes, and gradually align with international standards such as PCI-DSS and ISO/IEC 27001, laying the groundwork for deeper integration into the global Open Banking movement. For customers, the Circular enhances trust in digital services and reduces risks associated with online transactions.
At present, with the enforcement of Circulars 64 and 50, credit institutions are required to upgrade their systems to ensure stronger security at every level of service. In the long run, compliance with Circular 50, along with adherence to international standards like PCI-DSS and ISO/IEC 27001 and alignment with the strong customer authentication (SCA) requirements under PSD2/PSD3 in the EU, will help elevate Vietnam’s banking sector to global standards, promoting innovation and fostering fair competition.