On August 21, 2018, the Governor of the State Bank of Vietnam issued Circular No. 18/2018/TT-NHNN (“Circular 18”) replacing Circular No. 31/2015/TT-NHNN dated December 28, 2015 regulating the network and information security in the banking sector.

Circular 18 updates new regulations of the Law on Cyber Information Security and adjusts requirements regarding information security to be in line with the significant development of IT and the current situation of information security in the banking sector.

The Circular states that information processed and stored in the system must be classified based on its confidentiality including public, internal, and confidential information. Accordingly, public information is made available for all types of audiences without their IDs and addresses identified. Besides, internal information belongs to an organization of which the management and exploitation are assigned to identified individuals or groups. On the other hand, confidential information is classified by the organizations with restricted access and can be rated as secret, top secret and absolute secret based on the legal rules stated on State Secrets Protection.

Basic contents regarding information security have been mentioned in Circular 18 including the management of IT assets, human resources, assurance of physical safety in installation, information exchange, access, IT usage of third parties, assurance of continuous operation of the information systems, etc.

Circular 18 also makes compulsory for providers of online banking services to ensure the following requirements:

• The completeness of information exchange with customers during the online transaction must be guaranteed;
• The data transmitted must be securitized and be complete with a precise address;
• Adequate safeguards are required to prevent illegal modification and duplication of information;
• Online transactions websites must apply authenticating methods for anti-counterfeiting and preventing illegal modification.

It is noticed that customers’ online transactions must be conducted in the information system of the bank. In case the bank uses services from third parties, at least an authentication method must be applied.

The online banking information system must be able to identify and warn about suspecting transactions based on elements such as transaction time, address (geographical or IP address), frequency, the amount of money, and how many times that the authentication is wrong. Besides, guidance relating to information security and risk warning must be notified for customers before they use the online banking services and on a periodic basis.

Relating to human resources in online banking security, according to Circular 18, it is compulsory for the legal representatives of the service providers to be directly involved in the planning phase of the information security strategy. In addition, when an individual terminates the contract with the bank, he or she must hand over the IT assets and be withdrawn from the right to access the information system. In case the individual changes his or her position within the organization, appropriate actions relating to his or her access rights must be made.

The organizations must review, check, and reconcile periodically (at least every 6 months) between the human resources department and IT management department for the authorization and withdrawal of personnel’s access rights.

The Circular will enter into force on January 1, 2019.