From July 1, 2024, credit institutions must implement solutions to minimize risks in online payments in Vietnam

From July 1, 2024, credit institutions must implement solutions to minimize risks in online payments in Vietnam (Internet image)

Regarding this issue, LawNet would like to answer as follows:

On December 18, 2023, the Governor of the State Bank of Vietnam issued Decision 2345/QD-NHNN implementing safe and secure solutions for online payments and bank card payments.

From July 1, 2024, credit institutions must implement solutions to minimize risks in online payments

Credit institutions, foreign bank branches, and payment intermediary service providers must apply the following solutions to minimize risks in online payments:

(1) For customers and individual customers, before making the first transaction using the Mobile Banking application or before making a transaction on a device other than the device where the last Mobile Banking transaction was made, the customer must be authenticated:

- By the customer's biometric identification mark: (i) matching the biometric data stored in the chip of the customer's Citizen ID Card issued by the Police agency; (ii) or through authentication of the customer's electronic identity account created by the electronic identification and authentication system;

- Or by the customer's biometric identification mark matching the biometric data stored in the collected customer biometric database and check, combined with the OTP authentication method sent via SMS/Voice or Soft OTP/Token OTP.

(2) Notification of logging in to the Internet Banking/Mobile Banking application for the first time or logging in to the Internet Banking/Mobile Banking application on a device different from the device that last logged in to the Internet Banking/Mobile Banking application via SMS or other channels registered by the customer (email, phone, etc.)

(3) Store information about the device that conducts the customer's online transactions and the transaction authentication log for at least 3 months.

- Minimum device information includes;

+ For mobile devices: unique device identification information (such as IMEL serial number, WLAN MAC, Android ID, etc.).

+ For computers; MAC address or other device identification information is obtained through the API (Application Programming Interface) of the operating system.

- The minimum transaction authentication log includes: authentication method, authentication time, authenticated transaction code, and customer code.

06 risk mitigation solutions applicable to organizations providing card payment services

Organizations providing card payment services must implement risk mitigation solutions as follows:

(1) Transaction notification via SMS or email.

(2) Set daily transaction limit.

(3) Set up the feature to allow/disallow online payments.

(4) Set online card payment limit for the day.

(5) Set up the feature to allow/disallow overseas payments (except online transactions).

(6) Deploy 3D Secure authentication solution (or equivalent) for online payments with international cards.

More details can be found in Decision 2345/QD-NHNN, taking effect on July 1, 2024, and replacing Decision 630/QD-NHNN in 2017 of the Governor of the State Bank on promulgating the Plan to apply safety and security solutions to online payments and bank card payments.

For specially controlled credit institutions, the application period for the provisions in Article 1 and Article 2 of Decision 2345/QD-NHNN is January 1, 2025.

Chief of Office, Director of the Information Technology Department, and Heads of Units under the State Bank of Vietnam, Chairman of the Board of Directors, Chairman of the Board of Members, General Directors (Directors) of credit institutions, foreign bank branches, and payment intermediary service providers are responsible for implementing 2 Decision 2345/QD-NHNN.

>> CLICK HERE TO READ THIS ARTICLE IN VIETNAMESE