STATE BANK OF VIETNAM | SOCIALIST REPUBLIC OF VIETNAM |
No. 16/2023/TT-NHNN | Hanoi, December 15, 2023 |
Pursuant to the Law on the State Bank of Vietnam dated June 16, 2010;
Pursuant to the Law on Credit Institutions dated June 16, 2010 and the Law on Amendments to the Law on Credit Institutions dated November 20, 2017;
Pursuant to the Law on Information Technology dated June 29, 2006;
Pursuant to the Law on Electronic Transactions dated November 29, 2005;
Pursuant to Decree No. 130/2018/ND-CP dated September 27, 2018 of the Government of Vietnam elaborating on the Law on Electronic Transactions regarding digital signatures and digital signature authentication services;
Pursuant to Decree No. 102/2022/ND-CP dated December 12, 2022 of the Government of Vietnam on functions, tasks, entitlements, and organizational structure of the State Bank of Vietnam;
...
...
...
The Governor of the State Bank of Vietnam hereby promulgates a Circular on amendments to Circular No. 28/2015/TT-NHNN dated December 18, 2015 of the Governor of the State Bank of Vietnam on management and use of digital signatures, digital certificates, and digital signature authentication services of the State Bank of Vietnam (hereinafter referred to as “Circular No. 28/2015/TT-NHNN”).
Article 1. Amendments to Circular No. 28/2015/TT-NHNN
1. Amendments to Article 1 of Circular No. 28/2015/TT-NHNN (amended by Clause 1 Article 1 of Circular No. 10/2020/TT-NHNN dated November 2, 2020 of the Governor of the State Bank of Vietnam on amendments to Circular No. 28/2015/TT-NHNN (Circular No. 10/2020/TT-NHNN)):
“This Circular provides for the management and use of digital signatures, digital certificates, and special-use digital certificate authentication services of the State Bank of Vietnam (hereinafter referred to as “SBV”).”
2. Amendments to Clause 1 Article 2 of Circular No. 28/2015/TT-NHNN (amended by Clause 2 Article 1 of Circular No. 10/2020/TT-NHNN):
“1. Units of SBV; credit institutions; foreign bank branches; State Treasury agencies of Vietnam; Vietnam Deposit Insurance.”
3. Amendments to Clauses 5, 11, 12, 13, 14, and 15 Article 3 of Circular No. 28/2015/TT-NHNN (amended by Clause 3 Article 1 of Circular No. 10/2020/TT-NHNN):
“5. “Subscriber management organizations” are units of SBV, credit institutions, foreign bank branches, State Treasury agencies of Vietnam, and the Vietnam Deposit Insurance or other organizations requesting the issuance of digital certificates to subscribers under their management.”
“11. “Activation code” means the information provided for a subscriber, including the reference number and authentication code used for authentication during the process of activating a digital certificate.”
...
...
...
13. “Competent persons” mean Heads of SBV, heads of units of SBV, or legal representatives of agencies and organizations prescribed in Article 2 of this Circular.
14. “Public service system” is the web portal providing online public services of SBV.
15. “Digital certificate operation” is an operation on information systems where a subscriber can use a digital certificate for signing or authentication purposes. One digital certificate may be used for signing or authentication purposes for one or multiple operations on one or multiple information systems. Information systems using digital certificates of SBV include:
a) Public service system;
b) Inter-bank e-payment system;
c) SBV’s report system;
d) Bidding and open market operation system, including the following subsystems:
- Bidding and open market operations;
- Issuance, payment, term extension, and termination of special bonds;
...
...
...
- Refinancing.
dd) Vietnam Deposit Insurance’s report system;
e) Other systems decided by the Governor of SBV.”
4. Amendments to Article 4 of Circular No. 28/2015/TT-NHNN:
“Article 4. Contents of digital certificates
1. Name of the CA.
2. Name of the subscriber.
3. Serial number of the digital certificate.
4. Effective period of the digital certificate.
...
...
...
6. Digital signature of the CA.
7. Restrictions on purposes and scope of use of the digital certificate.
8. Restrictions on legal liability of the CA.
9. Cryptographic algorithm.
10. Other necessary contents according to the regulations of the Ministry of Information and Communications of Vietnam.”
5. Amendments to Article 4a of Circular No. 28/2015/TT-NHNN (amended by Clause 4 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 4a. Methods of sending and receiving documents, text, and reports related to digital signature authentication services and processing results
1. Subscriber management organizations shall submit documents, text, and reports related to digital certificate and digital signature authentication services to SBV (via the Department of Information Technology) via any of the following methods:
a) Online submission via the public service systems;
...
...
...
c) Electronic documents sent through the system of document management and administration of SBV (applicable to units of SBV).
SBV (Department of Information Technology) shall only receive and process written documents and electronic documents sent through its system of document management and administration in the following cases:
- Public service systems are unable to operate due to accidents;
- Subscriber management organizations have not been issued with digital certificates with public services, have expired digital certificates, or subscribers have broken secret key storage devices.
2. Submission of documents, text, and reports related to digital certificates and digital signature authentication services of SBV
a) In case of submitting paper documents, text, and reports:
Subscriber management organizations may submit the original or copies or certified copies or copies enclosed with the original for comparison.
b) In case of submitting electronic documents, text, and reports:
Regarding documents, text, and reports (except for documents and reports that are Appendixes of this Circular converted to electronic forms on public service systems) submitted through public service systems, subscriber management organizations shall submit electronic copies digitalized from the original (in PDF form) and the competent persons of such organizations shall sign them digitally using digital certificates of CA-NHNN.
...
...
...
6. Amendments to Article 4b of Circular No. 28/2015/TT-NHNN (amended by Clause 5 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 4b. Secret key storage devices of subscribers
1. The Department of Information Technology shall provide guidelines on models and technical specifications of secret key storage devices of subscribers conforming to digital signature authentication systems of SBV and technology developments.
2. The Department of Information Technology shall provide secret key storage devices to administrative entities affiliated with SBV. Public service providers of SBV and other subscriber management organizations shall furnish secret key storage devices in compliance with the guidelines of the Department of Information Technology.
3. Submission and receipt of secret key storage devices between the Department of Information Technology and administrative entities affiliated with SBV shall be made in person or via postal services.”
7. Amendments to Article 5 of Circular No. 28/2015/TT-NHNN (amended by Clause 6 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 5. Issuance of digital certificates or addition to digital certificate operations
1. Upon the need for issuance of digital certificates or additional operations, a subscriber management organization shall submit 1 application consisting of:
a) Issuance of a digital certificate or addition to digital certificate operations for a competent individual:
...
...
...
- Appointment decision of a competent person when requesting issuance of the digital certificate (regarding a state agency).
b) Issuance of a digital certificate or addition to digital certificate operations for an individual authorized by a competent person:
- Written application for the issuance of the digital certificate or addition to digital certificate operations for individuals according to Appendix No. 01 enclosed herewith;
- Appointment decision of the competent person when requesting issuance of the digital certificate (regarding a state agency);
- Authorizing document of the competent person, specifying that the authorized person may represent the organization to sign applications, documents, text, reports, and transactions on the information system corresponding to the operation of the digital certificate requested for issuance. The authorized person shall not authorize another person to implement assigned tasks.
c) Issuance of digital certificates or addition to digital certificate operations for an organization:
Written application for the issuance of the digital certificate or addition to digital certificate operations for organizations according to Appendix No. 02 enclosed herewith.
2. In case digital certificates that have been issued and are still valid are requested for addition to digital certificate operations by subscriber management organizations, the Department of Information Technology shall add the requested operations to the current digital certificates of subscribers.
3. In case of wishing for the issuance of digital certificates after the previous digital certificates expire or are revoked, subscribers shall carry out the procedure for the issuance of digital certificates according to Clause 1 of this Article.
...
...
...
Within 3 working days from the date of receipt of the valid applications for digital certificate issuance, the Department of Information Technology shall issue digital certificates or add operations to the digital certificates of the subscribers, send notifications of digital certificate issuance and activation codes of digital certificates to the emails and messages to the phone numbers of subscribers. Regarding digital certificates for organizations, the Department of Information Technology shall send notifications of digital certificate issuance and activation codes of digital certificates to the emails and messages to the phone numbers of the officials in charge of digital certificates of subscriber management organizations.
In case of invalid applications, the Department of Information Technology shall refuse to process such applications and specify the reasons within 2 working days from the date of receipt of the applications. Responses and application processing results shall comply with Clause 3 Article 4a of this Circular.
5. Activation codes of digital certificates shall be effective up to 30 days from the date of digital certificate issuance. Regarding new digital certificates, subscribers shall activate them before the expiry date of the activation codes. Documents guiding the activation and renewal of digital certificates of SBV shall be posted on the web portal of SBV. Regarding digital certificates with additional operations, subscribers are not required to activate the digital certificates.
6. The effective period of digital certificates of subscribers shall be requested by the subscriber management organizations and shall not exceed 5 years from the activation date.”
8. Amendments to Article 6 of Circular No. 28/2015/TT-NHNN (amended by Clause 7 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 6. Renewal and revision to digital certificates
1. Digital certificates requested for renewal or revision to their information shall still be effective.
2. Effective period of digital certificates:
a) Renewed digital certificates shall be effective no more than 5 years from the time of successful renewal;
...
...
...
3. In case of renewal or revision to digital certificates:
a) Subscriber management organizations shall request renewal of digital certificates of subscribers at least 10 days before the expiry date of such digital certificates;
b) Subscriber management organizations shall request revisions to the information in digital certificates of subscribers within 5 working days when:
- Subscribers change their working titles, positions, or departments, but their working units or branches remain the same. In case subscribers change working units or branches, subscriber management organizations shall carry out the procedure for revoking the digital certificates at the previous units or branches and issue new digital certificates to the subscribers at their new units or branches (if they wish to continue using digital certificates);
- Subscribers change their citizen cards/citizen identification cards/passports;
- Subscribers change their addresses, emails, or phone numbers.
4. Subscriber management organizations shall send 1 set of applications for renewal or revision to the information in digital certificates, including applications for renewal or revision to the information in digital certificates following Appendix No. 03 enclosed herewith.
5. Settlement time limit and implementation results
Within 3 working days from the date of receipt of the valid applications for digital certificate renewal or revision, the Department of Information Technology shall renew or revise the information in digital certificates for subscribers. In case of invalid applications, the Department of Information Technology shall refuse to process the applications and specify the reasons within 2 working days from the date of receipt of applications. Responses and application processing results shall comply with Clause 3 Article 4a of this Circular.
...
...
...
9. Amendments to Article 7 of Circular No. 28/2015/TT-NHNN (amended by Clause 8 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 7. Suspension of digital certificates
1. Digital certificates of subscribers shall be suspended in the following cases:
a) Subscriber management organizations request the suspension of digital certificates;
b) Proceeding authorities, public security authorities, or the Ministry of Information and Communications of Vietnam request the suspension in writing;
c) The Department of Information Technology detects any mistake or incident that may affect the benefits of subscribers or the security and safety of the digital signature authentication service system.
2. The period of suspension of digital certificates, prescribed in Point a Clause 1 of this Article, shall conform to the request of subscriber management organizations. The period of suspension of digital certificates, prescribed in Point b Clause 1 of this Article, shall conform to the request of proceeding authorities, public security authorities, or the Ministry of Information and Communications of Vietnam. The period of suspension of digital certificates, prescribed in Point c Clause 1 of this Article, shall last until the mentioned mistakes and incidents have been rectified.
3. Subscriber management organizations shall submit 1 set of applications for suspension of digital certificates, including applications for suspension of digital certificates following Appendix No. 04 enclosed herewith.
4. Settlement time limit and implementation results
...
...
...
b) Within 1 working day from the date of receipt of the information prescribed in Points b and c Clause 1 of this Article, the Department of Information Technology shall suspend digital certificates and provide written notification of the time and reasons for the suspension of digital certificates for subscriber management organizations.”
10. Amendments to Point d Clause 2, Clause 3, and Clause 4 Article 8 of Circular No. 28/2015/TT-NHNN (amended by Clause 9 Article 1 of Circular No. 10/2020/TT-NHNN):
“d) Digital certificates suspended under Point c Clause 1 Article 7 of this Circular and mentioned mistakes or incidents have been rectified.”
“3. Subscriber management organizations shall submit a set of applications for restoration of digital certificates according to Point b Clause 2 of this Article, including application for restoration of digital certificates following Appendix No. 05 enclosed herewith.
4. Settlement time limit and implementation results
a) Within 1 working day from the date of receipt of written requests according to Point a Clause 2 of this Article or valid applications for digital certificate restoration according to Point b Clause 2 of this Article, the Department of Information Technology shall restore digital certificates for subscribers. In case of invalid applications, the Department of Information Technology shall refuse to process applications and specify the reasons within 1 working day from the date of receipt of applications. Responses and processing results shall comply with Clause 3 Article 4a of this Circular;
b) Within 1 working day from the date of receipt of the information prescribed in Points c and d Clause 2 of this Article, the Department of Information Technology shall automatically restore digital certificates for subscribers.”
11. Amendments to Article 9 of Circular No. 28/2015/TT-NHNN (amended by Clause 10 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 9. Revocation and termination of digital certificate operations
...
...
...
2. Digital certificates of subscribers shall be revoked in the following cases:
a) Proceeding authorities, public security authorities, or the Ministry of Information and Communications of Vietnam request the revocation in writing;
b) Subscriber management organizations request the revocation of digital certificates;
c) Subscriber management organizations are subject to revocation of operational licenses, division, separation, merger, dissolution, or bankruptcy according to laws;
d) There are grounds to determine that subscribers violate regulations on management and use of secret keys and secret key storage devices;
dd) Digital certificates expire.
3. Subscriber management organizations shall submit 1 set of applications for revocation or termination of digital certificate operations, including an application for revocation or termination of digital certificate operations following Appendix No. 06 enclosed herewith.
4. Settlement time limit and implementation results
a) Within 1 working day from the date of receipt of the written requests according to Point a Clause 2 of this Article or valid applications for revocation or termination of digital certificate operations, the Department of Information Technology shall revoke or terminate digital certificate operations for subscribers. In case of invalid applications, the Department of Information Technology shall refuse to process such applications and specify the reasons within 1 working day from the date of receipt of the applications. Responses and application processing results shall comply with Clause 3 Article 4a of this Circular;
...
...
...
c) Within 1 working day from the date of receipt of the information prescribed in Point d Clause 2 of this Article, the Department of Information Technology shall revoke the digital certificates of subscribers and send notifications to subscribers according to Clause 3 Article 4a of this Circular.”
12. Amendments to Clause 2 Article 10 of Circular No. 28/2015/TT-NHNN (amended by Clause 11 Article 1 of Circular No. 10/2020/TT-NHNN):
“2. Subscribers shall generate pairs of keys before the expiry dates of the activation codes in digital certificate issuance notifications. In case activation codes are leaked or suspected to be leaked or fail to be activated before their expiry dates prescribed in digital certificate issuance notifications before subscribers manage to generate pairs of keys but wish to continue to use digital certificates, they shall carry out the procedure for changing activation codes of digital certificates following Article 10a of this Circular.”
13. Article 10a is added as follows:
“Article 10a. Changes to digital certificate activation codes
1. Subscriber management organizations shall send 1 set of applications for changing activation codes, including an application for changing digital certificate activation codes following Appendix No. 08 enclosed herewith.
2. Settlement time limit and implementation results
Within 3 working days from the receipt date of valid applications for changing digital certificate activation codes, the Department of Information Technology shall change the digital certificate activation codes for subscribers and send notifications of the grant of digital certificate activation codes to the emails and messages to subscribers' phone numbers. Regarding digital certificates for organizations, the Department of Information Technology shall send notifications of the grant of activation codes of digital certificates to the emails and messages to the phone numbers of the officials in charge of digital certificates of subscriber management organizations.
In case of invalid applications, the Department of Information Technology shall refuse to process such applications and specify the reasons within 2 working days from the date of receipt of the applications. Responses and application processing results shall comply with Clause 3 Article 4a of this Circular.
...
...
...
14. Amendments to Article 11 of Circular No. 28/2015/TT-NHNN (amended by Clause 12 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 11. Changes to pairs of keys of digital certificates
1. A subscriber is recommended to change the pair of keys of the digital certificate when:
The effective digital certificate of the subscriber has an unusable pair of keys because the key storage device has been broken, the pair of keys has been deleted from the device, or other reasons leading to errors when using the pair of keys.
2. Subscriber management organizations shall submit 1 set of applications for changing pairs of keys of digital certificates, including an application for changing pairs of keys of digital certificates following Appendix No. 07 enclosed herewith at least 10 working days before the expiry dates of the digital certificates.
3. Within 3 working days from the receipt date of valid applications for changing pairs of keys of digital certificates, the Department of Information Technology shall change the pairs of keys and send notifications of the change to the pairs of keys to the emails and messages to subscribers' phone numbers. Regarding digital certificates for organizations, the Department of Information Technology shall send notifications of the change to the pairs of keys to the emails and messages and activation codes of digital certificates to the emails and messages to the phone numbers of the officials in charge of digital certificates of subscriber management organizations.
In case of invalid applications, the Department of Information Technology shall refuse to process such applications and specify the reasons within 2 working days from the date of receipt of the applications. Responses and application processing results shall comply with Clause 3 Article 4a of this Circular.
When receiving the digital certificate activation codes, subscribers shall activate digital certificates to generate new pairs of keys before the expiry dates of the activation codes following the documents guiding the activation and renewal of digital certificates posted on the web portal of SBV.”
15. Amendments to Clauses 3, 4, 7, and 10 Article 13 of Circular No. 28/2015/TT-NHNN
...
...
...
4. Ensure safety and confidentiality throughout the process of allocating and transferring the activation information of digital certificates to subscribers. Adequately and accurately update and store the information of subscribers for digital certificate management. Comply with personal data protection laws when collecting, handling, and storing the information of subscribers and subscriber management organizations.”
“7. Ensure that electronic information channels receiving requests for digital signature authentication services are available 24/7.”
“10. Provide and update information on software, documents guiding the management and use of digital signatures and certificates, and digital signature authentication services.”
16. Amendments to Article 14 of Circular No. 28/2015/TT-NHNN (amended by Clause 13 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 14. Responsibilities of subscriber management organizations
1. Designate individuals or affiliated departments to take charge of the registration and management of lists of subscribers of organizations and management of documents, text, and reports related to digital certificates and digital signature authentication services. Provide written notifications for the Department of Information Technology of the initial individuals/departments in charge and in case of changes to the mentioned entities.
2. Register and take responsibility for the accuracy of information prescribed in documents, text, and reports related to digital certificates of subscribers under their management and submit it to the Department of Information Technology.
3. Manage, prepare statistics, and update lists of their subscribers. At least once per year, review and compare lists of digital certificates issued by SBV with the actual use needs and information at subscriber management organizations. Regarding digital certificates with inaccurate information, subscriber management organizations shall immediately carry out procedures for information revision and suspension, revocation, or termination of digital certificate operations.
4. Submit periodic reports as prescribed by this Circular.
...
...
...
6. Promptly notify the Department of Information Technology of the suspension or revocation of a digital certificate of a subscriber in the following cases:
a) The secret key of the subscriber is suspected to be leaked, leaked, stolen, or illegally used;
b) The secret key storage device of the subscriber is lost;
c) The subscriber changes his/her working position and does not require a digital certificate for work;
d) The subscriber temporarily leaves, quits, or retires from his/her job or passes away;
dd) The subscriber is subject to a branch or unit of a subscriber management organization whose bank code is terminated;
e) Other cases arising from the needs of the subscriber management organization.
7. Digital certificates issued to organizations shall be assigned to individuals for management and use. The handover shall be recorded in writing, stipulating the role and responsibility of individuals assigned to take charge of the management. The mentioned individuals shall carry out the roles and responsibilities of subscribers prescribed by this Circular.
8. Subscriber management organizations that are administrative units of SBV shall promptly revoke secret key storage devices of subscribers that are no longer in use to be reused for other subscribers.”
...
...
...
Article 15. Responsibilities of subscribers
1. Use digital certificates in compliance with the issued purposes.
2. Manage and use secret keys and secret key storage devices:
a) Use the correct type of secret key storage devices according to the guidelines of the Department of Information Technology;
b) Preserve and use keys for device access, secret keys, and other data in secret key storage devices safely and confidentially throughout the effective period or suspension period of digital certificates;
c) Do not share or lend out keys for device access and secret key storage devices. When quitting jobs, being transferred, or changing working positions, if working requirements do not require digital certificates, terminate the data in secret key storage devices and hand them over to subscriber management organizations;
d) Do not use tools, programs, software, or any other forms to interfere, adjust, or change the information of secret keys and data in secret key storage devices or deliberately damage secret key storage devices;
dd) Promptly notify their subscriber management organizations in case of detecting or suspecting that digital certificates or secret keys are no longer safe; secret key storage devices are lost, defective, or broken to the point of being unusable.
3. Comply with other regulations on digital certificate issuance, management, and use.”
...
...
...
“3. Signers shall take responsibility for the authenticity of the information digitally signed by them and shall only provide digital signatures on information systems when such systems notify the valid status of their digital certificates.”
19. Amendments to Article 17 of Circular No. 28/2015/TT-NHNN (amended by Clause 16 Article 1 of Circular No. 10/2020/TT-NHNN):
“Article 17. Regulation on reports
Subscriber management organizations shall submit periodic reports to SBV as follows:
1. Name of the report: Report on the review of the list of digital certificates of SBV.
2. Contents:
a) Statistics on digital certificates and usage status;
b) Comparison of the list of digital certificates issued by the Department of Information Technology with the actual use needs and information at subscriber management organizations and report on the list of digital certificates with inaccurate information.
3. Units of SBV, credit institutions, foreign bank branches, State Treasury agencies of Vietnam, Vietnam Deposit Insurance, and other organizations and agencies using digital signature authentication services of SBV shall comply with this regulation.
...
...
...
5. Reports shall be submitted and received in compliance with Clause 1 Article 4a of this Circular.
6. Reports shall be submitted annually, no later than December 20 of the reporting year.
7. Reporting data shall be finalized from December 15 of the year preceding the reporting period until the end of December 14 of the reporting period.
8. Subscriber management organizations shall submit reports on the review of lists of digital certificates of SBV following the report form prescribed in Appendix No. 09 enclosed herewith.”
Article 2. Replacement of phrases and forms of Circular No. 28/2015/TT-NHNN
1. “Cục Công nghệ tin học” (Information Technology Administration) is replaced with “Cục Công nghệ thông tin” (Department of Information Technology).
2. Forms No. 01, 02, 03, 04, 05, 06, 07, 08, and 09 enclosed with Circular No. 28/2015/TT-NHNN (replaced by Circular No. 10/2020/TT-NHNN) are replaced with Appendixes No. 01, 02, 03, 04, 05, 06, 07, 08, and 09 enclosed herewith.
Article 3. Implementation responsibilities
Directors of units of SBV, credit institutions, foreign bank branches, State Treasury agencies of Vietnam, Vietnam Deposit Insurance, National Payment Corporation of Vietnam, and asset management companies of Vietnamese credit institutions shall implement this Circular.
...
...
...
1. This Circular comes into force as of July 1, 2024.
2. This Circular annuls Circular No. 10/2020/TT-NHNN dated November 2, 2020 of the Governor of SBV on amendments to Circular No. 28/2015/TT-NHNN./.
PP. GOVERNOR
VICE GOVERNOR
Pham Tien Dung
Circular No. 16/2023/TT-NHNN dated December 15, 2023 on amendments to Circular No. 28/2015/TT-NHNN on management and use of digital signatures, digital certificates, and digital signature authentication services of the State Bank of Vietnam
Summary
Issuing body | State Bank of Vietnam |
Number | 16/2023/TT-NHNN |
Document type | Circular |
Signer | Phạm Tiến Dũng |
Date issued | 2023-12-15 |
Effective date | 2024-07-01 |
Field | Currency - Banking |
Status |