All Things Newz
Law \ Legal

Vietnam Steps Up Information Security For Banks – Financial Services


To print this article, all you need is to be registered or login on


Cyberattacks on banks have increased in scale, persistence, and
sophistication. There have been several bold violations of
information security, for example, leaks of customer information,
use of malicious codes, breaking passwords, all intended to
penetrate a bank’s information systems.

On October 21, 2020, the State Bank of Vietnam
(“SBVN”) issued Circular No.
09/2020/TT-NHNN (“Circular
”)1 which sets out minimum
requirements and conditions to heighten the security of the
information system used in banking operations. The minimum
requirements and conditions apply to credit institutions, branches
of foreign banks, intermediary payment service providers, credit
information companies, the National Payment Corporation of Vietnam
(“NAPAS”), Vietnam Asset Management
Company (“VAMC”), National Banknote
Printing Plant, and Deposit Insurance of Vietnam (collectively,
institutions”), that establish and
use information systems to support their technical and professional

Circular 09 replaced Circular No. 18/2018/TT-NHNN
(“Circular 18”) on information systems
security in banking operations which, when it was promulgated in
2018, attempted to improve security. However, it was soon
determined to be inadequate.

Circular 09 has made significant changes in the existing
framework. The most important is the re-classification of
information systems. Re-classification was necessary in order to
deal with shortcomings in the practice of information technology in
credit institutions. The change in the framework has resulted in a
change in the management of information systems security. It has
changed awareness and has tightened compliance.

Circular 09 came into effect on January 1, 2021. However, there
is a transitional period for one of the requirements for
multi-factor authentication. Approval of the final step of a
financial transaction which involves an interbank electronic funds
transfer of VND100 million or more is only required as from January
1, 2022. The Straight Through Process for inter-systems
transactions are excluded as they are automatically

Below are four significant improvements.

1. Classification of information – Personal

The previous Circular 18 included only 3 banking information
categories: public information, internal (private) information and
classified information. Stated differently, Circular 18 did not
provide specific management and protection of personal information.
Previously, personal information was referenced only in a
regulation regarding back-up requirements (ie, institutions which
owned both main and standby information systems which existed
outside of Vietnam had to store personal information and
transaction data belonging to their clients located
in Vietnam, in accordance only with general provisions of
Vietnamese law). Circular 09 now defines personal information as it
relates to banking. For these purposes, personal information is
defined to include:

  1. information related to a customer’s identification;

  2. account information;

  3. cash deposit information;

  4. asset deposit information;

  5. transaction information; and

  6. some other relevant information.

This is a huge advance, as personal information is a large part
of the banking system and it was a significant oversight to leave
it out of the mix. There were historical reasons, but they are no
longer relevant. Circular 09 now requires that an information
system that processes personal information, must:

  • satisfy certain key technical requirements. It must (a)
    separate the development environment and the test environment; (b)
    apply information security solutions; (c) not install tools to
    develop applications; and (d) remove or de-activate un-used
    functions or software within the information system;

  • limit and control the use of an administrator’s account
    by: (a) setting up a mechanism to monitor and control the creation
    of an account with administrative rights. This is important because
    “administrative rights” mean the rights to manage the
    system, by say, adding new content, restructuring the system,
    banning users, etc. The purpose of this limitation and control is
    to ensure that no personal or institutional account can access the
    systems without proper approval; (b) having a method to monitor and
    control use of the administrator’s account (this is important
    because an administrator’s account has the right to manage
    the system, say, to add new content, restructure the system, ban
    users, etc.); (c) limiting the use of the administrator’s
    account for a sufficient period of time to perform tasks and then
    to revoke the right to use the administrator’s account
    immediately after the authorized tasks have been completed [to
    avoid potential abuse of the administrator’s account]; and
    (d) using intermediate servers or a centralized management system
    to make administrative connections;

  • require the use of secured protocols and anti-automatic-login

  • comply with information security testing and assessment prior
    to operating;

  • compile a list of information security incidents and have an
    incident handling plan; the list and the plan must be updated at
    least once every six months; and

  • detect risks and threats of network attacks and information
    security incidents and send a timely warning to the system

Controls which an institution that uses a third party service to
manage clients’ personal information, can also be found in
Circular 09. The required tasks of such an institution are to:

  1. Identify and analyze each risk, and estimate the extent of
    threat and damage to information security which each risk

  2. Define the institution’s and the system’s capacity
    to control the institution’s operations, provide continuous
    service for clients and provide information to regulatory

  3. Define roles and responsibilities of each party to assure
    service quality;

  4. Work out methods to minimize risk, prevent and address
    incidents which do occur; and

  5. Review and amend risk management policies.

If an institution uses cloud computing services, the institution
must ensure the following four additional contents:

  1. Classify activities expected to be performed on cloud computing
    based on assessment of the impact of such activities on the
    institution’s operations;

  2. Develop backup plans for components of the information systems
    which are level 3 or above;

  3. Establish criteria to select a third party service, which
    satisfy Circular 09; and

  4. Review, amend and apply its information security methods, and
    limit access through cloud computing to its information

Circular 09 specifies minimum conditions which must appear in
the service contract with a third party service provider, ie, the
third party’s commitments to ensure information security,
specific provisions on maximum allowable service interruption and
troubleshooting time limit, assurance of continuous operation
(on-site backup, data backup, disaster recovery), processing
requirements, calculation and storage capacity as well as actions
to take when service quality fails, notification of regulatory
violations (committed by staff members of the third party providing
the service) on information security. The actions required may be
performed by the service provider or the institution, as

Circular 09 is comprehensive and offers greater protection. It
goes far to establish a proper legal framework to protect personal

2. Classification of information systems

Information systems have classifications under Circular 09:

  • Information systems which provide online services to customers
    have special classifications under Government Decree No.
    85/2016/ND-CP dated July 1, 2016.

  • Other information systems are classified into five
    (instead of the previous three-levels) according to the
    type of processed information involved and technical particulars.
    The five levels are divided by function, by the type of information
    it processes and by the complexity of the work it is expected to
    do. The five levels are:

    • Level 1: an information system that services
      the internal operation of the institution and only processes public
      information. By “public information”, we mean
      information that is publicly disclosed to any entity without the
      need to identify or locate the entity;

    • Level 3: an information system that satisfies
      one of the following criteria: (i) it processes Vietnamese State
      classified information at the Confidential level; (ii) it serves
      the daily internal operations of an institution; an interruption in
      service if it occurs, may not last more than four business hours;
      (iii) it serves customers which require 24/7 operation without an
      unplanned stop; (iv) it is a third party payment system to make
      payments outside the institution’s system; or (v) it is a
      shared information infrastructure system which serves the operation
      of the particular institution and the banking system;

    • Level 4: an information system that satisfies
      one of the following requirements: (i) it processes Vietnamese
      State classified information at the Secret level; (ii) it processes
      and stores the data of more than 10 million customers; (iii) it
      operates in the banking sector and requires 24/7 operation without
      an unplanned stop; (iv) it is an important payment system in the
      banking sector as defined by SBVN; and (v) it is a shared
      information infrastructure system which services parts of the
      banking sector and which requires 24/7 operation without an
      unplanned stop; and

    • Level 5: an information system that satisfies one of the
      following three criteria: (i) processes Vietnamese State classified
      information at the Top Secret level; (ii) operates in the banking
      sector and serves the connection between Vietnam and the world; and
      (iii) is a national banking information infrastructure system which
      serves the connection between Vietnam and the world.

  • In case an information system includes several components,
    which are classified at different levels, the information system
    will be classified as being in the highest level

To repeat, this change from a 3 to a 5-level information system
is designed to solve shortcomings in the treatment of information
technology in credit institutions. The 3-level information system
under Circular 18 was quite general and very broad. The 3-level
information system classification only provided 3 levels as
follows: Normal information system (Level 1), which serviced
internal information of the institution but could not process State
classified information; the Specially important information system
(Level 3), which, among other things, serviced e-Government,
required 24/7 operation and could not be stopped longer than 4
working hours; and the so-called Important information system
(Level 2). A large number of information systems focused on level 2
which was the largest. This created challenges in investing
resources to secure the management of information
systems.2 The five-level information system is
expected to be more effective and more tailored to specific needs.
The new arrangement is also expected to use resources more
effectively by decentralizing the classification of information

In short, the 5-level system is more specific and it is now
easier to classify the parts of the information system and to treat
them each appropriately.

3. Multi-factor authentication

In addition to creating a mechanism to ensure greater security,
there are now, new requirements for authentication of data. It is a
multi-factor authentication method which requires a user to provide
at least two forms of authentication to prove identity. From a
security standpoint, this is a significant step forward.

Authentication factors include:

  1. information known only to the user (PIN, password, etc.),

  2. items in the user’s possession (smart card, token, mobile
    phones, etc.), and

  3. user’s biometric characteristics.

Multi-factor authentication is now required in the following

  • To approve the final step of a financial transaction which
    involves an interbank electronic funds transfer of VND100 million
    or more (the Straight Through Process for
    inter-systems transactions is excluded as it is automatically

  • To access the internal network of an institution in order to do
    work; and

  • To access servers, applications, and important networks and
    network security equipment for information systems which are at
    level 4 and above.

Multi-factor authentication has long been discussed but it was
not clearly prescribed. With an increase in the frequency and
seriousness of violations of information security, provisions
regarding multi-factor authentication have become mandatory.
Multi-factor authentication creates a strong layer of protection
and makes it difficult for an unauthorized person to penetrate a
target. If an authentication element is compromised, attackers
still have to overcome at least one more barrier to successfully
enter the target. Among other objectives, multi-factor
authentication will reduce the leakage for log-in information
performed by an institution’s professional staff.

4. Enhancing the management of information security

Circular 09 carries over and upgrades certain regulations on the
management of information security incidents from Circular 18.
Requirements have been added as follows:

  • requires an annual rehearsal of responses to an information
    security incident for at least one of the information systems which
    is at level 3 or above. The annual rehearsal must be performed
    alternatively if there is more than one information system which is
    at level 3 or above;

  • establishes a specialized body (by each relevant institution)
    to manage the operation of the Network Security Operation Center,
    applicable to institutions which manage information systems from
    level 3 and above. There are certain exceptions which are foreign
    bank branches, intermediary payment service providers, non-bank
    credit institutions, microfinance entity, people’s credit
    funds at the grassroots level, credit information companies, asset
    management companies of Vietnamese credit institutions, and the
    National Banknote Printing Plant; and

  • A new principle to cooperate with and to respond in the event
    of information security incidents. For example: the network
    management board (established by the SBVN’s Governor) is
    responsible to: (i) approve annual operation strategies for the
    network; (ii) operate the network; (iii) evaluate results, report
    to the Director General of the SBVN.


1. Circular 09 came into effect on January 1, 2021.
However, there is a transitional period for one of the requirements
for multi-factor authentication. Approval of the final step of a
financial transaction which involves an interbank electronic funds
transfer of VND100 million or more is only required as from January
1, 2022. The Straight Through Process for inter-systems
transactions are excluded as they are automatically

2. Ngo Hai (2020), “Phan loai he thong thong
tin trong hoat dong ngan hang theo 5 cap do”, Financial and
Monetary Market Review,,
access May 7, 2021.

3. Straight Through Process is an automated process
done purely through electronic transfers with no manual
intervention involved.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


Source link

Related posts

BVI VASP Update: A Two Step Approach – Money Laundering

Parallel Imports And The Trade Mark Risks In Singapore – Trademark

BC Court Confirms 24 Months’ Notice Remains The Normal Upper Limit For Common Law Reasonable Notice – Employment Litigation/ Tribunals