From January 1, 2025, the online banking application software in Vietnam must have these mandatory functions.
On October 31, 2024, the Governor of the State Bank of Vietnam issued Circular 50/2024/TT-NHNN regulating safety and security for providing online services in the banking sector.
According to Clause 6, Article 7 of Circular 50/2024/TT-NHNN, online banking application software in Vietnam must include the following mandatory functions:
- All data transmitted over network environments or data exchanged between the online banking application software and related equipment must employ end-to-end encryption;
- Ensure the integrity of transaction data; unauthorized modifications must be detected, alerted, prevented, or measures must be taken to ensure the accuracy of transaction data during transaction execution and data storage;
- Session control: the system must have a mechanism to automatically terminate sessions when the user remains inactive for a period specified by the institution or apply other protective measures;
- Must have a function for concealing the display of secret keys and PINs used for system login;
- Must have a function to prevent automated login;
- In the case where electronic transaction accounts as specified in Clause 1, Article 9 of Circular 50/2024/TT-NHNN use a PIN or secret key as a form of authentication, the online banking application software must have functions to control PINs and secret keys:
+ Require customers to change their PIN or secret key when they are initially issued a default PIN or secret key;
+ Notify customers when a PIN or secret key is about to expire;
+ Invalidate a PIN or secret key upon expiration and require customers to change expired credentials when using them to log in;
+ Invalidate a PIN or secret key if it is entered incorrectly more consecutive times than a limit set by the institution (but not exceeding 10 times) and notify the customer;
+ The institution will only reissue a PIN or secret key upon customer request and must verify the customer before reissuing to prevent fraud and impersonation.
- For customers that are organizations, the application software is designed so that the execution of online payment transactions includes at least two steps: transaction creation and approval. In cases where the customer is a household business or microenterprise applying simple accounting policies, the execution of transactions is not required to be separated into these two steps;
- Must have a notification function for the first login to the online banking application software or logging in on a device different from the one used in the most recent login, via SMS or other channels registered by the customer (phone, email, etc.), except in cases where the organizational customer logs in on pre-registered devices or logs in using at least one of the forms of authentication specified in Clauses 3, 4, 5, 7, 8, 9 of Article 11 of Circular 50/2024/TT-NHNN.
More details can be found in Circular 50/2024/TT-NHNN effective from January 1, 2025.