SUPPLEMENTING MORE AUTHENTICATION MEASURES FOR ONLINE TRANSACTIONS THROUGH BANKS AND PAYMENT INTERMEDIARIES (E-WALLETS)

2023-12-28 13:58:33

In order to promote cashless payments in Vietnam and to strengthen security against fraud and scams in online transactions, on December 18, 2023, the State Bank of Vietnam issued Decision No. 2345/QD-NHNN ("Decision 2345") on the implementation of safety and security measures in online payments and bank card payments, replacing Decision 630/QD-NHNN dated March 31, 2017 ("Decision 630"). Accordingly, credit institutions ("CIs"), foreign bank branches, and intermediary payment service providers are required to implement a series of risk mitigation measures for online payments over the Internet (Internet Banking, Mobile Banking). Below, ATA Legal Services summarizes the noteworthy changes:

1. Stringent requirements for biometric authentication measures in online payment transactions

Biometric authentication was already mentioned in Decision 630; to enhance security and reduce risk in online payments, Decision 2345 now specifies stricter requirements for it. Specifically, a biometric authentication measure must meet one of the following conditions:

  • Matching with the biometric data stored in the chip of the customer's Citizen Identification Card (CIC) issued by the Police Department, or verification through the customer's electronic identity account established by the electronic identification and authentication system; or
  • Matching with the customer's biometric data stored in the Biometric Database (BDB), which has been collected and verified, preferably combined with an OTP sent via SMS/Voice or a Soft OTP/Token OTP.

2. New points in transaction identification for implementing authentication measures

2.1. Supplementing of transaction classification criteria

Previously, Decision 630 classified transactions by transaction limit alone. Decision 2345 instead defines transaction groups by several criteria: the transaction value (denoted "G"), the total value of type A and type B transactions per transaction type group executed from a bank account (denoted "Tksth"), and the total value of transactions per transaction type group executed in one day from a bank account or electronic wallet (denoted "T"). The classification is applied separately to individual and organizational customers so that the appropriate authentication measure can be determined for each.

2.2. Supplementing online transaction types requiring authentication measures

Compared to Decision 630, Decision 2345 modifies and adds numerous transactions in online fund transfers/payment categories that require authentication measures, mostly involving transactions through E-wallets:

  • Transfer of funds between E-wallets.
  • Depositing funds into an E-wallet.
  • Withdrawing funds from an E-wallet.

Decision 2345 also widens the scope of service payments through intermediaries. Decision 630 covered only service bill payments with fixed customer codes (electricity, water, telecommunications, traffic fines and the like). Decision 2345 extends this to payments for goods and lawful services provided by payment service providers or payment intermediaries at payment acceptance units that those providers or intermediaries have selected, appraised, supervised, and managed.

2.3. Clear distinction and specification of appropriate authentication measures for organizational and individual customers

Under Decision 630, the minimum authentication measures applied uniformly to all customer categories. Decision 2345 specifies separate authentication measures for online payments by organizational customers and by individual customers. Given the different characteristics of each customer category, this distinction is considered highly appropriate.

3. Supplementing various authentication measures aligned with practical norms

Minimum authentication measures by transaction type, under Decision 630 and under Decision 2345 (which now distinguishes individual and organizational customers):

Type A Transaction

  Decision 630: Username, password, or PIN.

  Decision 2345, individual and organizational customers: Username, password, or PIN. Similar to Decision 630, but with clearer provisions for cases where authentication is performed at login and is not mandatory at the transaction execution step.

Type B Transaction

  Decision 630:
  - SMS OTP
  - Or Matrix OTP Card
  - Or Basic Token OTP without user authentication functionality using the Token

  Decision 2345, individual customers: in addition to SMS OTP, Matrix OTP Card, and Basic Token OTP without user authentication functionality using the Token, the following measures are added:
  - OTP sent via Voice/Email
  - Or Soft OTP
  - Or two-channel authentication
  - Or biometric identification attached to the customer's smart handheld device
  - Or Soft OTP/Advanced Token OTP
  - Or FIDO standard
  - Or secure electronic signature

  Decision 2345, organizational customers: in addition to SMS OTP, Matrix OTP Card, and Basic Token OTP without user authentication functionality using the Token, the following measures are added:
  - OTP sent via Voice/Email
  - Or biometric identification of the legal representative or the responsible accountant (if any), attached to the customer's smart handheld device

Type C Transaction

  Decision 630:
  - Soft OTP or Basic Token OTP with user authentication using software or the Token
  - Or two-channel authentication
  - Or biometric identification authentication

  Decision 2345, individual customers: only biometric authentication is permitted for these transactions, and the customer's biometric identification must meet one of the conditions set out in section 1 above.

  Decision 2345, organizational customers:
  - Soft OTP/Basic Token OTP with user authentication using software or the Token
  - Or two-channel authentication

Type D Transaction

  Decision 630:
  - Soft OTP or Advanced Token OTP with transaction signing functionality
  - Or authentication using a U2F/UAF device
  - Or authentication using a digital certificate

  Decision 2345, individual customers: biometric authentication of the customer meeting the Type C conditions above, combined with one of the following measures:
  - Soft OTP/Advanced Token OTP
  - Or FIDO standard
  - Or secure electronic signature

  Decision 2345, organizational customers:
  - Soft OTP/Advanced Token OTP
  - Or FIDO standard
  - Or secure electronic signature

Entities that wish to use authentication measures other than those listed above must report them in writing to the State Bank (via the Information Technology Department) at least three months before applying them.

4. Supplementing risk mitigation measures in online payments

Beyond the changes to the rules for online fund transfers and payments described above, Decision 2345 adds further risk mitigation measures for online payments that credit institutions, foreign bank branches, and intermediary payment service providers must implement.

Under the decision, an individual customer must authenticate by biometric identification before initiating their first transaction via the Mobile Banking application, and before conducting a transaction on a device different from the one used for their most recent Mobile Banking transaction.

In addition, institutions must notify customers via SMS or a registered channel (Email, phone number, etc.) of the first login to Internet Banking/Mobile Banking and of any login from a device different from the one used for the most recent login.

Furthermore, the State Bank requires credit institutions to store information about the devices customers use for online transactions and to keep a log of transaction authentication for at least three months.
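The three requirements above (biometric step-up on a first or changed transaction device, a notice on a first or changed login device, and a retained authentication log) fit together as one device-binding policy. The following is an added illustration written for this summary; it is not code from the State Bank, any bank, or ATA Legal Services. The class and field names, the in-memory stores, the 92-day pruning window and the sample event sequence are assumptions chosen for the example, and the biometric match itself (against the CIC chip or the bank's biometric database) is represented only by its boolean result.

```python
"""Device-binding step-up policy modelled on section 4 of Decision 2345.

Added example; all names and stores are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "At least three months": 92 days covers the longest run of three calendar
# months, so no record younger than three months is ever pruned (assumption).
RETENTION = timedelta(days=92)


@dataclass
class AuthEvent:
    customer_id: str
    device_id: str
    action: str     # "login" or "transaction"
    step_up: str    # "none" or "biometric"
    outcome: str    # "ok", "denied" or "notified"
    at: datetime


@dataclass
class StepUpPolicy:
    # Device used for each customer's most recent transaction and login.
    last_txn_device: Dict[str, str] = field(default_factory=dict)
    last_login_device: Dict[str, str] = field(default_factory=dict)
    auth_log: List[AuthEvent] = field(default_factory=list)

    def biometric_required(self, customer_id: str, device_id: str) -> bool:
        """First Mobile Banking transaction, or a device other than the one
        used for the most recent transaction, needs a biometric check first."""
        last = self.last_txn_device.get(customer_id)
        return last is None or last != device_id

    def login(self, customer_id: str, device_id: str, now: datetime) -> bool:
        """Record a login; return True when the customer must be notified
        (first login, or a device different from the last login)."""
        last = self.last_login_device.get(customer_id)
        notify = last is None or last != device_id
        self.last_login_device[customer_id] = device_id
        self.auth_log.append(AuthEvent(customer_id, device_id, "login", "none",
                                       "notified" if notify else "ok", now))
        return notify

    def transact(self, customer_id: str, device_id: str,
                 biometric_ok: Optional[bool], now: datetime) -> str:
        """Apply the step-up rule to a transaction request.

        biometric_ok is None when the client has not yet run the biometric
        check, otherwise the result of the match. Returns
        "biometric_required", "denied" or "ok".
        """
        if self.biometric_required(customer_id, device_id):
            if biometric_ok is None:
                return "biometric_required"
            if not biometric_ok:
                self.auth_log.append(AuthEvent(customer_id, device_id,
                                               "transaction", "biometric",
                                               "denied", now))
                return "denied"
            step_up = "biometric"
        else:
            step_up = "none"  # same device as last transaction: no step-up
        # Only a completed transaction rebinds the customer to the device.
        self.last_txn_device[customer_id] = device_id
        self.auth_log.append(AuthEvent(customer_id, device_id, "transaction",
                                       step_up, "ok", now))
        return "ok"

    def prune_log(self, now: datetime) -> int:
        """Drop records older than the retention window; return the count kept."""
        cutoff = now - RETENTION
        self.auth_log = [e for e in self.auth_log if e.at >= cutoff]
        return len(self.auth_log)


def demo() -> list:
    """Constructed event sequence for one individual customer and two phones."""
    p = StepUpPolicy()
    t = datetime(2024, 7, 1, 9, 0)
    out = [
        p.login("cust-1", "phone-A", t),             # True: first login
        p.transact("cust-1", "phone-A", None, t),    # biometric_required
        p.transact("cust-1", "phone-A", True, t),    # ok, device now bound
        p.transact("cust-1", "phone-A", None, t),    # ok, same device
        p.transact("cust-1", "phone-B", None, t),    # biometric_required
        p.transact("cust-1", "phone-B", False, t),   # denied, binding unchanged
        p.login("cust-1", "phone-B", t),             # True: new login device
        p.prune_log(t + timedelta(days=30)),         # 5 records, all retained
        p.prune_log(t + timedelta(days=100)),        # 0, all past the window
    ]
    return out


if __name__ == "__main__":
    print(demo())
```

Note that a failed biometric check does not rebind the device, so the next attempt from the new phone is still forced through the step-up; only a completed transaction changes the stored device.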

This decision takes effect from July 1, 2024. Credit institutions under special control must implement it from January 1, 2025.
