Elevating security standards for online banking services in Vietnam

On October 31, 2024, the State Bank of Vietnam issued Circular No. 50/2024/TT-NHNN, establishing regulations on security and confidentiality for online banking services and marking a strategic step in building a robust legal foundation for Vietnam’s digital banking ecosystem. As digital banking services rapidly expand and cyberattacks and data breaches become increasingly common, the banking sector must continuously enhance safety, security, and transparency in all electronic transactions. Circular 50 replaces Circular 35/2016/TT-NHNN and meets the growing demand for higher security amid Vietnam’s strong digital transformation efforts.
Effective from January 1, 2025, Circular 50/2024/TT-NHNN applies to credit institutions, foreign bank branches, intermediary payment service providers, and credit information companies. All online banking services must comply with stringent security standards to ensure safety for both banks and their customers. The Circular clearly outlines principles and technical requirements in the design, implementation, and operation of online service systems.
Key highlights include:
The tightened security standards under Circular 50/2024/TT-NHNN are not merely a legal compliance obligation, but a strategic advantage for banks in the digital age – building greater trust in online services.
For credit institutions, the Circular provides strong motivation to invest in IT infrastructure, standardize operational processes, and gradually align with international standards such as PCI-DSS and ISO/IEC 27001, laying the groundwork for deeper integration into the global Open Banking movement. For customers, the Circular enhances trust in digital services and reduces risks associated with online transactions.
At present, with the enforcement of Circulars 64 and 50, credit institutions are required to upgrade their systems to ensure stronger security at every level of service.
In the long run, compliance with Circular 50 – along with adherence to international standards like PCI-DSS and ISO/IEC 27001, and alignment with strong customer authentication (SCA) requirements under PSD2/PSD3 in the EU – will help elevate Vietnam’s banking sector to global standards, promoting innovation and fostering fair competition.
Savyint & Kryptus: Collaboration to build open banking security standards

Open Banking is experiencing remarkable development in many countries. To ensure that open banking operates effectively and securely, it is particularly important to establish and adhere to a system of technical standards. With their expertise, Savyint and partner Kryptus have collaborated to develop a specific security standard system for each component in open banking.
The API Gateway plays a crucial role in securing APIs by providing authentication, authorization, access control, and traffic limiting mechanisms. For the API Gateway, we ensure compliance with European and global regulations such as PSD2/PSD3, FAPI 2.0, CIBA, OIDC/OAuth2, and API Security. Meanwhile, Consent Management utilizes the Strong Customer Authentication (SCA) method as stipulated in PSD2, as well as security standards for key storage on HSM devices that meet FIPS 140-2 Level 3 or higher. The data exchange flows, data signing in transaction flows, or user data sharing are encrypted with the highest security level, ensuring integrity and safe authentication with JWS (JSON Web Signature) and JWT (JSON Web Token). End-to-end data encryption is also strictly adhered to with JWE (JSON Web Encryption) and RSA-PSS (Probabilistic Signature Scheme).
In Vietnam, with the specific regulations for implementing open banking officially in effect, the standards set by Savyint and Kryptus fully comply with the regulations on Open API, API Security (according to Appendices 1 and 2 of Circular No. 64/2024/TT-NHNN), as well as regulations on transaction encryption, digital signing, and user authentication (according to Circular No. 50/2024/TT-NHNN). This is a promising market for the development of open banking in the near future.
“We are proud to contribute our expertise in building a secure and regulation-aligned open banking ecosystem in collaboration with Savyint,” said Thierry Martin, Kryptus Managing Partner. “Kryptus has already achieved FIPS 140-2 Level 3 and the Common Criteria EAL4+ certification for HSM, strengthening our compliance across various global environments, as the fintech and banking sectors require enhanced key protection. Our joint solutions not only fully comply with European and international standards such as PSD2 and FAPI, but also with Vietnam’s specific regulatory frameworks, including Circulars 64/2024 and 50/2024. This partnership reflects our long-term commitment to helping financial institutions meet compliance obligations while accelerating digital transformation. We believe this collaboration will pave the way for broader regional adoption and global expansion of secure open banking models.”
The swift, solid and well-directed steps taken by the two companies in providing a secure and safe open banking solution will be an advantage for Savyint and Kryptus to conquer markets in the region and globally.
About Savyint

SAVYINT is an IT security company in Sydney, Australia, with an R&D Center in Hanoi and international offices in Singapore, Dubai, Ho Chi Minh City (Vietnam), and Sofia (Bulgaria). With over 20 years of experience, we consistently rank among the leading global information technology enterprises, providing software platforms, system solutions, and services for digital transformation. Our expertise spans Open Banking solutions, information security, and FinTech, particularly in the Finance – Banking & FSI, Government, Manufacturing, Telecommunications, Healthcare, Education, and Media sectors.
About Kryptus

Kryptus is a Swiss and Brazilian multinational company specializing in cybersecurity and cryptography solutions. Since 2003 it has been delivering highly customizable, reliable and secure encryption and cybersecurity solutions. For over twenty years, we have served public and private sector clients in Latin America, Europe, the Middle East and Africa for critical applications, with the best level of products and services for mission-critical applications.
Open Banking takes flight in Vietnam

On December 31, 2024, the State Bank of Vietnam officially issued Circular No. 64/2024/TT-NHNN, setting the regulatory foundation for Open Banking through the implementation of Open Application Programming Interfaces (Open API) within the banking sector – a key driver of digital finance innovation globally.
Open Banking is a new financial ecosystem in which banks and financial institutions allow third parties (fintech companies, financial service providers, etc.) to access customer data, with customer consent, to develop new services such as personal financial management, integrated payments, etc., through Open Application Programming Interfaces (Open APIs).
Amid the rapid global development of Open Banking, in Vietnam, the State Bank of Vietnam issued Circular 64, effective from March 1, 2025, which is considered a legal tool paving the way for establishing a controlled, secure, and transparent data-sharing infrastructure, fostering innovation in the financial and banking sector.
Key highlights in Circular 64:
Accordingly, the Bank must comply with API security technical standards as stipulated in Annex 01 and Annex 02 issued with Circular 64/2024:
These regulations have a profound impact on the development of Open Banking in Vietnam. Most crucially, they establish a clear and consistent legal framework for the secure and controlled connection, sharing, and processing of customer data, thereby laying the foundation for building innovative, personalized financial products and services. This enables the realization of comprehensive digital banking goals by allowing third parties to access user data with user consent. This is the key factor in forming an expansive, flexible, and customer-centric open banking ecosystem. Simultaneously, these regulations create significant opportunities for the Fintech community to engage more deeply in the financial ecosystem, enhancing the provision of new and innovative services.
In the initial phase, financial institutions may face challenges in adapting. However, the issuance of Circular 64 fundamentally provides a robust legal foundation, serving as a springboard for building a modern Open Banking ecosystem in Vietnam, where data is leveraged and managed rigorously, with users at the center of all financial services.
Open API: Ushering in the era of Open Banking

Open API plays a pivotal role in the digital transformation of the financial and banking sectors. It drives innovation in traditional banking, promising secure, efficient financial transactions that meet every customer need.
1. Open Banking and Open API market could exceed $200 billion by 2033

Open banking represents the evolution of a new financial ecosystem based on connections between banks, financial institutions and third-party service providers, supported by APIs. Through this ecosystem, banks can offer customers superior and more flexible services, while enabling better personal financial management and decision-making.
Although still relatively new, banks and financial institutions are actively engaging in the open banking ecosystem. According to reports and forecasts from Market.us, the global open banking market is expected to grow steadily over the years, reaching $203.8 billion by 2033.
On January 13, 2018, the European Union’s Payment Services Directive (PSD2) came into effect, requiring banks to grant third parties access to customer accounts via available APIs, provided customers give consent. By using APIs, third parties can access banking data, enabling trusted banks and service providers to serve customers more effectively.
Since the advent of PSD2, the payments sector has undergone a true technological revolution, notably with the rise of open banking and open APIs. These developments have fueled banks’ efforts to innovate and transition from traditional to new business models. Open banking and open APIs offer banks opportunities to create new services, personalize offerings, and enhance customer experiences.
2. Benefits of applying Open API in Open Banking

3. Challenges of applying Open API in Open Banking

Despite the benefits, applying Open API in open banking comes with challenges. Overcoming these is crucial to ensure the sustainability and security of open banking initiatives based on Open API.
While Open API offers immense potential for the open banking ecosystem, participants must address technical, security, governance, and collaboration challenges to fully unlock its benefits.
4. Open API application in Savyint Open Banking: Comprehensive Open Banking Solution

4.1. Savyint partners with global leaders in providing Open API and Open Banking solutions

On the journey to conquer the era of open banking, Savyint has been collaborating with international giants in Open API and Open Banking to deliver advanced, secure solutions tailored to the specific requirements of each market. Notable partners include Brankas, SaltGroup, Konsentus, Curity, Axway, TykIO, and others.
Brankas is currently one of the world’s leading Open Banking solution providers, particularly in the Asia-Pacific and Middle East regions. With an extensive network of connections to banks and financial institutions across Southeast Asia, Brankas focuses on payment solutions and API-based connectivity for financial products. Savyint and Brankas work closely to provide solutions related to Open API, user authentication and consent management in compliance with international standards, and to develop a Banking-as-a-Service (BaaS) platform that helps build and expand the Open Banking ecosystem in the region.
Salt Group is recognized as a trusted security solutions provider for banks, financial institutions, and government agencies in Australia and the Asia-Pacific (APAC) region. Savyint partners with SaltGroup to enhance the security and trustworthiness of its Open Banking ecosystem. Leveraging SaltGroup’s strengths in strong authentication, fraud prevention, and digital identity management, the collaboration focuses on strengthening the security of open financial transactions, ensuring regulatory compliance, and protecting customer data in the digital banking environment.
Savyint has joined forces with Konsentus, a global brand in open banking consultancy and infrastructure, to co-develop operational principles, service models, and regulatory frameworks for open banking in Vietnam. Through working sessions, both parties will jointly build a set of principles to guide the operation of Vietnam’s open banking ecosystem, establish operational processes for technology deployment, and develop technical specification documents.
Curity is a leading provider of API-driven identity management solutions, delivering comprehensive security for digital services. Curity’s strength lies in its advanced CIAM solutions with multi-factor authentication (passkeys, digital wallets), SSO, adaptive authentication, and FAPI 2.0 protection, helping to enhance user experience and ensure data security in open financial transactions. By integrating Curity’s pioneering technologies, Savyint is gradually modernizing the banking sector, strengthening security, and improving the user experience.
Axway and TykIO are long-established global technology companies specializing in API integration and management solutions. Partnering with Axway and TykIO provides Savyint with the opportunity to build a comprehensive API management and integration system within the open banking ecosystem, rapidly deploy infrastructure, and ensure security, safety, and strict compliance with both domestic and international standards and regulations.
With innovative solutions and strategic partnerships, Savyint is committed to offering the most advanced technologies and optimal user experiences.
4.2. About Savyint Open Banking Solution

The Savyint Open Banking Platform is a specialized solution designed by Savyint for the financial and banking sector, meeting legal and technological requirements to connect and build a digital financial ecosystem.
The solution focuses on enhancing and optimizing APIs through SAVYINT Open Banking API (ensuring seamless connection with all systems and providing standardized, ready-to-use APIs) and SAVYINT API Management (supporting the development, analysis, operation, and expansion of APIs). At the same time, SAVYINT Open Banking also emphasizes portals, consent management, user identity, and data security through the synergy of solutions such as:
With solid technological infrastructure and operational expertise, Savyint delivers advanced technology and the best user experience to customers. Connect with Savyint experts now to gain a leading edge in open banking.
Europe pushes Open Banking: Mandatory UX improvements on banking apps

How you see and interact with your online bank accounts is about to change. That’s because Europe is forcing change into the financial market.
Digital transformation is a thing this decade. “Digital disruption,” startups who want to be “the Uber of X” in their industry, and going “mobile first” are not new trends. But the banking industry has been slow to move with the times.
New businesses have started to push into the European banking market. Yet progress has been slow, due to both regulation and customer inertia, even though companies who focus on the best customer experience outperform the market.
The pace of change in the banking industry will accelerate in 2018. Some new laws coming into effect are to thank.
Why are things changing?

European governments have decided that “traditional” banks are uncompetitive and slow. New banks find it very hard to break into the market. To do something about this, they have created some new legislation. This new legislation will force all banks to share a lot more digital information when their customers ask them to.
As the above diagram shows, current core banking services will have a new digital interface added. This is called an API, or Application Programming Interface. It will allow third party “fintech” (Financial Technology) apps and services to get information directly from your bank. It’ll also add a new layer of tools on top. These fintech apps may be provided by your bank, or by external companies.
All these changes must become law by January 2018. In addition to the European legislation (PSD2), the UK has its own version (Open Banking). So this change will affect the UK regardless of Brexit.
What differences will it make?

This piece will focus on three of the biggest, broadest changes and how they will affect consumers. I will also follow up with a deeper dive into each change. There, I’ll discuss possible side effects as well as business opportunities.
Direct bank account payments

What are they?

Right now, if you’re shopping online, you would most likely choose to pay with your debit card. The merchant (e.g. Amazon) has an acquirer (e.g. WorldPay) who coordinates with your debit card provider (e.g. Visa). They will then pull the payment out of your bank account (e.g. Barclays). That’s a lot of companies, and they’re all getting paid. The idea is that you, the consumer, can instead “push” a bank transfer direct from your bank (Barclays) to the merchant (Amazon).
How it affects you, the consumer

In the future, instead of entering all your card information, you’d grant Amazon permission to access your bank account. The user experience would be like logging into other websites with your Facebook account today. The first time, it will take you to your bank’s website and ask you to confirm your authorization. After that, the permission should stay active until you revoke it, so you can just click and buy.
It will be interesting to see how this change affects all those other companies who were playing the middlemen. That will, of course, have an indirect effect on you. But it’s hard to say exactly what. Amazon’s costs should go down. Will they pass those savings on to you, or otherwise incentivize you to pay in the way that’s cheapest for them?
Information sharing across all financial institutions

What is it?

Currently, the only way to get your bank information online is to log on to the website. Or perhaps they have a clumsily ported mobile website, packaged as an “app.” If you wanted to let another organization see your bank account, you’d have to give them your login details. This breaks the bank’s T&Cs, and would cause all kinds of issues in case of fraud or misuse.
How it affects you

By the new regulations, banks must provide a secure way for third parties to access your banking information. You will be able to consolidate all your information in one place, and see your ‘actual’ balance across all banks, accounts, and cards.
Furthermore, you’ll be able to use that information in useful services. For example, some of the new “challenger banks” like Monzo or Starling can show you a breakdown of your spending. They can do it by category (e.g. restaurants), then by store (e.g. Nandos), then by transaction. They’ll even show you the location of that pub where you bought a round last night.
Now imagine if you didn’t have to switch current accounts or wait for your bank to bring out something similar. You could just plug in to a service that collates it for you, from all your accounts and credit cards. After these changes, that should be possible and even simple.
There are many possible applications for this type of information. Some examples include: personalized credit or budgeting advice; easier savings; easier current account switching (based on automated, personalized advice); better terms for loans or credit (in exchange for more access to your information for underwriting); easier personal tax returns, or small business accounting; third party fraud detection services you can use across all your cards and accounts; simpler and cheaper international transfers; and the list goes on.
Let’s look at an example of the possible, unexpected side effects of the improved customer service and transparency banks can provide. There’s a great story here about how Monzo helped one customer get his stolen bag back the same night it was taken. There was even a bonus bottle of Jack Daniel’s included.
Strong authentication for online payments

What is it?

Authentication is how the bank or payment provider knows that you are who you say you are. Given how much of your financial information they’ll be able to share, it’s critical that they use it securely. This is where authentication comes in. The new regulations will require multi-factor authentication in many areas. This will include every online purchase over €30.
There are three commonly recognized methods of authentication:
Using more than one of these methods together is “2-factor” or “multi-factor” authentication.
How it affects you

The average online