SAVYINT Supports BAC A BANK in Upgrading Passwordless Authentication in Compliance with Circular 50/2024/TT-NHNN and Circular 77/2025/TT-NHNN (Vietnam)

SAVYINT successfully implemented passwordless authentication for BAC A BANK, including SmartOTP and Smart Token. The project enables the bank to fully comply with Circular 50/2024/TT-NHNN and Circular 77/2025/TT-NHNN issued by the State Bank of Vietnam while strengthening transaction security and reinforcing customer trust.

Overview 
– Industry: Banking & Financial Services 
– Project: Deployment of passwordless authentication, including SmartOTP and Smart Token, for retail and corporate customers
– Timeline: 2025 

1. BAC A BANK and the Challenge of Complying with Circular 50/2024/TT-NHNN and Circular 77/2025/TT-NHNN 

Established in 1994, BAC A BANK currently operates 138 transaction offices across major cities and provinces in Vietnam. In 2024, the bank ranked among the Top 5 banks with the largest foreign exchange transaction volume in Vietnam. 

In 2024, the State Bank of Vietnam issued Circular 50/2024/TT-NHNN on security and safety requirements for providing online banking services, which officially came into effect on January 1, 2025. The regulation introduces several key requirements, in particular:

  • Strengthening Strong Customer Authentication (SCA) for electronic transactions 
  • Applying device-bound authentication mechanisms 
  • Enhancing fraud and account takeover prevention 
  • Risk-based transaction classification to determine appropriate authentication levels 
  • Reducing reliance on traditional SMS OTP for high-value transactions 

In 2025, the State Bank of Vietnam continued to enhance the regulatory framework by issuing Circular 77/2025/TT-NHNN, which will take effect on March 1, 2026. This circular amends and supplements several provisions of Circular 50 to further strengthen security and risk management requirements for online banking services.

As a result, BAC A BANK needed to upgrade its authentication infrastructure to comply with the new regulations while ensuring secure and reliable electronic transaction authentication for both retail and corporate banking customers.

2. SAVYINT’s Solution 

As a global technology company specializing in Secure Payment, Digital Trust, and Open Banking, SAVYINT delivered a comprehensive electronic transaction authentication solution comprising SmartOTP and Smart Token. The solution is designed in alignment with the regulatory requirements of Circular 50 and can be seamlessly integrated into the bank’s Internet Banking and Mobile Banking ecosystem, supporting both retail and corporate customers.

  • These passwordless authentication methods replace or complement traditional authentication mechanisms such as SMS OTP, helping reduce fraud risks, prevent account takeover attacks, and ensure compliance with current regulatory standards.
  • Each OTP is computed over, and therefore cryptographically bound to, the details of a specific transaction, so it is valid only for that transaction: a code captured by phishing or in transit cannot be replayed, and it cannot authorize a transaction whose details have been altered. This significantly strengthens protection against phishing, replay attacks, and transaction fraud.
SAVYINT delivers a passwordless authentication solution for electronic transactions using SmartOTP and Smart Token

2.1. System Architecture 

The advanced authentication system implemented by SAVYINT includes two main components: 

  • SmartOTP/SDK Application: Integrated directly into the bank’s Mobile Banking application, the SmartOTP module lets users authenticate transactions with a PIN or device biometrics, so that each authentication combines possession of the enrolled device with a knowledge or inherence factor, meeting multi-factor authentication requirements.
  • Authentication Server System: The server-side component manages OTP generation and verification, tracks failed attempts, applies security locks (for example after repeated failures), and records transaction logs for monitoring, auditing, and regulatory compliance.

2.2. User Groups   

  • Retail Customers: Retail users apply these authentication methods to authorize financial and non-financial transactions on Mobile Banking and Internet Banking, meeting both the bank’s internal security policies and regulatory requirements.
  • Corporate Customers: For corporate banking users, authentication is implemented based on a role-based authorization model including Maker and Checker roles, ensuring proper segregation of duties and transaction control.

2.3. Models 

The system supports two primary authentication flows: 

  • Web-to-App Authentication: Transactions are initiated or approved on Internet Banking and authenticated on the Mobile Banking application via push notification or QR code scanning.
  • App-based Authentication: The entire transaction process – including initiation, approval, and authentication – is completed directly within the Mobile Banking application, ensuring a seamless and secure user experience.

2.4. Key Use Cases  

a. SmartOTP and Smart Token Service Activation & Management 

  • Related operations: Registration and initial activation of SmartOTP, re-activation when users change devices, and service deactivation when users no longer need the service.
  • Purpose: Ensure that only properly verified users are allowed to use SmartOTP for transaction authentication.

b. Transaction Authentication using SmartOTP and Smart Token

  • Target users: Individual customers and corporate customers. 
  • Related operations: When performing financial and non-financial transactions on Internet Banking or Mobile Banking, the system requires authentication via SmartOTP using a PIN code or biometric verification.
  • The OTP is generated specifically for each transaction and is valid only within a defined time window, meeting strong authentication and fraud prevention requirements in accordance with regulatory standards.

The solution also supports Web-to-App authentication and App-based authentication, ensuring flexibility in service usage.
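As an added illustration of what the two bullets above and section 2.1 describe, the following Python sketch shows an OTP bound to a transaction and a time window, together with the server-side duties of verification, failed-attempt counting, locking and logging. It is not SAVYINT's or BAC A BANK's code: the HMAC-SHA256 construction, the QR payload used for the Web-to-App flow, the 60-second window with one step of clock drift, and the five-attempt lockout are all assumptions made for the example; the key and transactions are constructed sample data.

```python
# Added illustration (not SAVYINT's or BAC A BANK's code): the HMAC construction,
# QR payload, 60-second window and 5-attempt lockout are assumptions.
import hashlib
import hmac
import json
import time

TIME_STEP = 60           # seconds per validity window (assumed)
ALLOWED_DRIFT = 1        # also accept the previous window to absorb clock skew
DIGITS = 6
MAX_FAILED_ATTEMPTS = 5  # lock the device after this many failures (assumed)


def canonical_transaction(tx: dict) -> bytes:
    """Deterministic serialization (sorted keys, no whitespace, UTF-8) so the
    app and the server hash exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def qr_payload(tx: dict) -> str:
    """Assumed Web-to-App QR content: the canonical transaction itself, so the
    app displays and signs exactly what the server will verify."""
    return canonical_transaction(tx).decode("utf-8")


def transaction_otp(device_key: bytes, tx: dict, timestamp: int) -> str:
    """Code shown by the app after PIN/biometric unlock: HMAC-SHA256 over the
    canonical transaction and the time-step counter, HOTP-style truncation."""
    counter = timestamp // TIME_STEP
    msg = canonical_transaction(tx) + b"|" + counter.to_bytes(8, "big")
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Server side: per-device keys, verification, failure counting, locking
    and an audit trail (the duties listed for the Authentication Server)."""

    def __init__(self):
        self.keys = {}         # device_id -> key shared at activation
        self.failed = {}       # device_id -> consecutive failed attempts
        self.locked = set()
        self.consumed = set()  # (device_id, tx_id) already authenticated
        self.audit = []        # one entry per verification attempt

    def activate(self, device_id: str, device_key: bytes) -> None:
        self.keys[device_id] = device_key
        self.failed[device_id] = 0

    def _finish(self, device_id: str, tx: dict, result: str):
        self.audit.append({"device": device_id, "tx_id": tx.get("tx_id"),
                           "result": result, "failed": self.failed.get(device_id, 0)})
        return result == "ok", result

    def verify(self, device_id: str, tx: dict, otp: str, now=None):
        """Return (accepted, reason); every outcome is logged."""
        now = int(time.time()) if now is None else now
        if device_id in self.locked:
            return self._finish(device_id, tx, "locked")
        key = self.keys.get(device_id)
        if key is None:
            return self._finish(device_id, tx, "unknown_device")
        if (device_id, tx["tx_id"]) in self.consumed:
            return self._finish(device_id, tx, "replay")
        # Recompute for the current and ALLOWED_DRIFT previous windows; a code for
        # a different transaction or an older window never matches.
        accepted = any(
            hmac.compare_digest(transaction_otp(key, tx, now - d * TIME_STEP).encode(),
                                otp.encode())
            for d in range(ALLOWED_DRIFT + 1))
        if accepted:
            self.consumed.add((device_id, tx["tx_id"]))  # one-time use
            self.failed[device_id] = 0
            return self._finish(device_id, tx, "ok")
        self.failed[device_id] += 1
        if self.failed[device_id] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(device_id)
            return self._finish(device_id, tx, "locked")
        return self._finish(device_id, tx, "invalid")


def demo():
    """Constructed walk-through; the key and transactions are made up."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    server = AuthServer()
    server.activate("dev-1", key)
    now = 1_700_000_000
    tx = {"tx_id": "T001", "from": "0123456789", "to": "9876543210",
          "amount": 250000000, "currency": "VND"}
    shown = json.loads(qr_payload(tx))         # app decodes the QR and displays it
    code = transaction_otp(key, shown, now)    # user confirms with PIN/biometric
    results = [server.verify("dev-1", tx, code, now)[1]]             # ok
    results.append(server.verify("dev-1", tx, code, now)[1])         # replay
    tx2 = dict(tx, tx_id="T002")
    code2 = transaction_otp(key, tx2, now)
    swapped = dict(tx2, to="1111111111")       # beneficiary altered in transit
    results.append(server.verify("dev-1", swapped, code2, now)[1])   # invalid
    results.append(server.verify("dev-1", tx2, code2, now + 3 * TIME_STEP)[1])  # expired
    return results
```

The two points worth taking from the sketch are that the app signs the same canonical bytes the server verifies (so what the user sees on the device is what gets authorized), and that the server, not the client, decides acceptance: it recomputes the code, refuses a consumed or stale one, and locks the device after repeated failures while writing every outcome to the audit trail.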

c. Multi-Level Transaction Approval 

  • Target users: Corporate customers. 
  • Applicable model: Maker/Checker authorization model. 
  • Related operations: Approvers authenticate using SmartOTP to approve or reject transactions according to their assigned roles and authorization levels.
  • Purpose: Ensure dual control and reduce operational risk in corporate transaction processing. 

d. PIN Management and Security Protection 

  • Target users: Individual customers and corporate customers. 
  • Related operations: PIN changes during the validity period, forgotten-PIN recovery, notification before the PIN expires, and a mandatory PIN change once it has expired, in accordance with Circular 50/2024/TT-NHNN.
  • Purpose: Ensure strict PIN management and minimize the risk of credential exposure during service usage. 

e. Support Features and User Convenience 

  • Related operations: Synchronization of the advanced electronic transaction authentication service, and configuration and use of biometric authentication on mobile devices.
  • Purpose: Enhance the user experience while maintaining compliance with multi-factor authentication (MFA) and information security requirements.

3. Results   

Following the successful deployment of SAVYINT’s passwordless authentication solution, BAC A BANK fully met the requirements of Circular 50/2024/TT-NHNN and Circular 77/2025/TT-NHNN issued by the State Bank of Vietnam. The solution is consistently applied across both retail and corporate banking services. 

By implementing advanced and passwordless authentication methods such as SmartOTP and Smart Token, BAC A BANK achieved several key benefits:

  • Strengthened strong authentication capabilities and reduced risks of fraud and account takeover 
  • Improved control over high-value and high-risk transactions 
  • Maintained a seamless, secure, and convenient digital banking experience for users 

This strategic upgrade enables BAC A BANK to strengthen digital trust and enhance its competitiveness in the evolving digital finance landscape.
