NOTEWORTHY UPDATES UNDER NEW CIRCULAR ON SAFETY AND SECURITY FOR ONLINE BANKING SERVICES

Circular No. 50/2024/TT-NHNN dated Oct 31, 2024 (“Circular 50”) introduces comprehensive regulations on safety and security for online banking services applicable to credit institutions, intermediary service companies, and credit information companies (collectively, “applicable institutions”). Below are the key aspects of Circular 50 and their implications:

Reporting Obligations for Data Breaches

One notable aspect of Circular 50 is the requirement for applicable institutions to report unauthorized disclosure or leakage of customer data. Read together with the Personal Data Protection Decree (Decree 13), this requirement gives rise to dual reporting obligations in cases involving personal data breaches, specifically:
– Under the Personal Data Protection Decree (PDPD), organizations must notify the MPS’s Department of Cybersecurity and High-Tech Crime Prevention within 72 hours of detecting a personal data breach.
– Circular 50 requires institutions to report incidents related to online banking system security to the Department of Information Technology of the State Bank of Vietnam. However, unlike the prevailing regulations, Circular 50 does not explicitly set a deadline for this reporting duty.

Personnel and System Management Requirements

Article 12 of Circular 50 specifies key responsibilities for managing and operating online banking systems:
– Applicable institutions must assign staff to monitor and address system performance, detect technical issues, and handle cyberattacks.
– Staff must assist customers and promptly respond to unusual or suspicious transactions.
– Personnel responsible for administering and supervising online banking systems must undergo annual safety and security training.
– The granting and monitoring of administrative system access must be supervised by an independent unit to ensure accountability.

Upgrade in Technical System and Operation

– The list of transaction authentication measures is supplemented with FIDO (Fast Identity Online); customer confirmation of data messages when performing transactions, such as clicking accept, approve, send, or similar operations in online banking applications; and, for online card transactions, EMV 3-D Secure.
– Vulnerability assessment must be updated to Common Vulnerability Scoring System version 4 or an equivalent.
– Security patches or preventive measures must be implemented within specified deadlines, based on an assessment of impact and risk.
– For continuous operation, the drill requirement returns to once per year in lieu of once every six months.

Circular 50 marks a significant step toward strengthening safety and security in Vietnam’s online banking ecosystem. Applicable institutions must proactively adapt to these regulations to safeguard customer data, enhance operational resilience, and comply with dual regulatory frameworks.
