THE STATE BANK OF VIETNAM | SOCIALIST REPUBLIC OF VIET NAM
No. 35/2018/TT-NHNN | Hanoi, December 24, 2018
CIRCULAR
ON AMENDMENTS TO CIRCULAR NO. 35/2016/TT-NHNN DATED DECEMBER 29, 2016 OF THE GOVERNOR OF THE STATE BANK ON SAFETY AND CONFIDENTIALITY IN THE PROVISION OF BANKING SERVICES ON THE INTERNET
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated June 16, 2010 and the Law on amendments to the Law on Credit Institutions dated November 20, 2017;
Pursuant to the Law on E-Transactions dated November 29, 2005;
Pursuant to the Law on Cyber Information Security dated November 19, 2015;
Pursuant to the Decree No. 16/2017/ND-CP dated February 17, 2017 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
Pursuant to the Decree No. 35/2007/ND-CP dated March 08, 2007 of the Government on e-transactions in banking activities;
Pursuant to the Government’s Decree No. 117/2018/ND-CP dated September 11, 2018 on protection of confidentiality and provision of client information of credit institutions and foreign banks’ branches;
At the request of the Director of the Information Technology Administration;
The Governor of the State Bank of Vietnam promulgates a Circular on amendments to Circular No. 35/2016/TT-NHNN dated December 29, 2016 of the Governor of the State Bank on safety and confidentiality in the provision of banking services on the Internet (Circular No. 35/2016/TT-NHNN).
Article 1. Amendments to certain articles of Circular No. 35/2016/TT-NHNN
1. Article 3 shall be amended as follows:
“Article 3. General principles of safety and confidentiality for the information technology system serving Internet Banking services
1. The Internet Banking system is classified as an important information technology system under the State Bank's regulations on safety and confidentiality of information technology systems in banking operations.
2. Ensure the confidentiality and integrity of clients' information, and ensure the availability of the Internet Banking system so that services are delivered continuously.
3. The risk level of transactions shall be assessed by client type, transaction type and transaction limit, so that appropriate transaction authentication solutions can be offered for clients to choose from. Transaction authentication shall:
a) apply at least multi-factor authentication for any change to a client's identification information;
b) apply the authentication methods for each client group, transaction type and transaction limit as decided by the Governor of the State Bank from time to time;
c) for multi-step transactions, apply authentication at least at the final approval step.
4. Inspect and assess the security and confidentiality of the Internet Banking system annually.
5. Regularly identify risks, the threats that give rise to them and their causes, and promptly take preventive, control and remediation measures for risks arising in the provision of Internet Banking services.
6. The information technology equipment used to provide Internet Banking services shall be properly licensed and of clear origin. For equipment that has reached end of life and for which the manufacturer no longer provides maintenance services, the service provider shall have an upgrade or replacement plan in line with the manufacturer's notice, ensuring that new software versions can be installed on that equipment.”.
2. Clause 3 Article 4 shall be amended as follows:
“3. Clients' information shall not be stored in the Internet connection zone or in the DMZ.”.
3. Clause 10 Article 4 shall be amended as follows:
“10. The Internet connection lines shall maintain high availability and continuity of service.”.
4. Clause 2 Article 6 shall be amended as follows:
“2. The Internet Banking system shall have a disaster-recovery backup database capable of replacing the primary database, ensuring that clients' online transaction data is not lost.”.
5. Point c and point dd Clause 6 Article 7 shall be amended as follows:
“c) Session control: the system shall time out a session when a user has been inactive for longer than the period prescribed by the service provider, or shall apply other protective measures”;
“dd) For a client that is an organization, the application shall be designed so that a transaction is carried out in two steps, creation and approval, performed by different persons. If the client is an organization permitted by law to apply a simplified accounting regime, transactions may be performed in the same manner as for an individual client”.
6. Clause 3 Article 8 shall be amended as follows:
“3. The application shall authenticate users at login and shall not provide a password-saving feature. If incorrect passwords are entered consecutively more than the number of times prescribed by the service provider, the application shall automatically and temporarily lock the user out of Internet Banking.”.
7. Point c shall be added to clause 1 Article 9 as follows:
“c) For access to the Internet Banking system via a web browser, the service provider shall have measures in place to disable automatic login.”.
8. Clause 2 Article 9 shall be amended as follows:
“2. The application shall require a client to change his or her password immediately upon first login, and shall lock the account when the client enters an incorrect password consecutively more than the number of times prescribed by the service provider. The account shall be unlocked only at the client's request, and the client shall be authenticated before the account is unlocked, to prevent fraud.”.
9. Clause 3 Article 12 shall be amended as follows:
“3. The service provider shall establish a policy restricting Internet access from the computers used for management, supervision and operation. Where Internet access is necessary for the work, the service provider shall:
a) assess the risks of the Internet connection;
b) apply connectivity controls;
c) have the implementation plan approved by a competent person at the service provider.”.
10. Clause 6 shall be added to Article 13 as follows:
“6. Keep up to date with published security vulnerabilities in system software, database management systems and applications, rated according to the Common Vulnerability Scoring System version 3 (CVSS v3), and apply security patches or precautions within the following time limits:
a) within 1 month of publication for a vulnerability rated critical (CVSS v3 score of 9.0 or higher);
b) within 3 months of publication for a vulnerability rated high (CVSS v3 score from 7.0 to 8.9);
c) within a period determined by the service provider itself for a vulnerability rated medium or low (CVSS v3 score below 7.0).”.
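As an added worked example, not part of the circular and not the State Bank's own tooling: a small Python tracker that applies the three CVSS v3 bands and time limits of this clause to a feed of vulnerability records and reports which patches are compliant, open or overdue. The vulnerability identifiers, components, scores and dates in the sample feed are constructed for illustration, not real advisories. Two points the clause leaves open are treated as assumptions here: "month" is read as a calendar month (with clamping at month end, so 31 January plus one month is 28 February), and the provider's own window for medium/low findings is passed in as an optional parameter rather than fixed.

```python
"""
Patch-deadline tracker for the CVSS v3 time limits in clause 6, Article 13
(as amended). Illustrative code only; the sample feed below is constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # identifier from the vendor/CVE feed (constructed here)
    component: str            # system software, DBMS or application affected
    cvss_v3: float            # CVSS v3 base score as published
    published: date           # publication date of the advisory
    patched: Optional[date] = None   # date the patch/precaution was applied, if any


def severity(score: float) -> str:
    """Map a CVSS v3 base score onto the circular's three bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v3 score out of range: {score}")
    if score >= 9.0:
        return "critical"          # point a): 1 month
    if score >= 7.0:
        return "high"              # point b): 3 months
    return "medium_or_low"         # point c): provider-defined window


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month.
    Reading 'month' as a calendar month is an assumption; the circular does not
    define it as a fixed number of days."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline(v: Vuln, provider_window_months: Optional[int] = None) -> Optional[date]:
    """Latest date by which a patch or precaution must be in place.
    Returns None for medium/low findings unless the provider's own policy
    window (an assumed parameter) is supplied."""
    band = severity(v.cvss_v3)
    if band == "critical":
        return add_months(v.published, 1)
    if band == "high":
        return add_months(v.published, 3)
    if provider_window_months is None:
        return None
    return add_months(v.published, provider_window_months)


def status(v: Vuln, today: date, provider_window_months: Optional[int] = None) -> str:
    """'compliant' (patched by the deadline), 'overdue' (deadline passed without
    a patch, or patched late), 'open' (deadline not yet reached) or
    'policy_undefined' (medium/low with no provider window given)."""
    due = deadline(v, provider_window_months)
    if due is None:
        return "policy_undefined"
    if v.patched is not None:
        return "compliant" if v.patched <= due else "overdue"
    return "open" if today <= due else "overdue"


# Constructed sample feed: IDs, scores and dates are illustrative, not real advisories.
SAMPLE_FEED = [
    Vuln("VULN-A", "database management system", 9.8, date(2019, 7, 31), patched=date(2019, 8, 30)),
    Vuln("VULN-B", "system software", 9.0, date(2019, 7, 31), patched=date(2019, 9, 2)),
    Vuln("VULN-C", "application", 7.0, date(2019, 8, 15)),
    Vuln("VULN-D", "application", 6.9, date(2019, 8, 15)),
]


def report(feed, today: date, provider_window_months: Optional[int] = None) -> Dict[str, str]:
    """Return {vuln_id: status} for every record in the feed."""
    return {v.vuln_id: status(v, today, provider_window_months) for v in feed}


if __name__ == "__main__":
    for vid, s in report(SAMPLE_FEED, date(2019, 9, 1)).items():
        print(vid, s)
```

Run as-is, the report for 1 September 2019 marks VULN-A compliant (patched 30 August against a 31 August deadline), VULN-B overdue (a 9.0 score sits on the critical boundary and was patched on 2 September), VULN-C open (7.0 is high, due 15 November) and VULN-D as having no defined policy until a provider window is supplied. The boundary cases (exactly 9.0, exactly 7.0, 6.9, and a 31st-of-the-month publication date) are the ones worth checking in any real tracker, because they are where a naive "score > 9" or "30 days" implementation silently diverges from the text of the clause.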
11. Clause 1 Article 19 shall be amended as follows:
“1. Clients' confidential information shall be encrypted or masked when stored, to ensure its confidentiality.”
Article 2.
1. Clause 7 Article 4 and clause 1 Article 10 of Circular No. 35/2016/TT-NHNN shall be annulled.
2. The phrase “Cục Công nghệ tin học” (Informatics Technology Administration) shall be replaced with “Cục Công nghệ thông tin” (Information Technology Administration) in Articles 20, 21 and 23 of Circular 35/2016/TT-NHNN.
Article 3. Implementation
The Chief of Office, the Director of the Information Technology Administration and the heads of units of the State Bank of Vietnam, the Directors of State Bank branches in provinces and centrally-run cities, the Chairmen of the Boards of Directors, the Chairmen of the Members' Councils and the general directors (directors) of credit institutions and foreign banks' branches providing Internet Banking services, and providers of payment intermediary services shall implement this Circular.
Article 4. Entry into force
This Circular comes into force from July 1, 2019./.
PP. GOVERNOR
Nguyễn Kim Anh
---------------
Circular 35/2018/TT-NHNN amending Circular 35/2016/TT-NHNN stipulating safety and security for the provision of banking services on the Internet issued by the State Bank of Vietnam
Summary
Issuing body | State Bank of Vietnam
Number | 35/2018/TT-NHNN
Document type | Circular
Signatory | Nguyễn Kim Anh
Date of issue | 2018-12-24
Effective date | 2019-07-01
Field | Finance - Banking
Status | In force