CIRCULAR NO 352016TT NHNN DATED DECEMBER 29, 2016, ON SAFETY AND CONFIDENTIALITY OVER PROVISION OF BANKING SERVICES ON THE INTERNET

THE STATE BANK OF VIETNAM
SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

No. 35/2016/TT-NHNN
Hanoi, December 29, 2016

CIRCULAR
ON SAFETY AND CONFIDENTIALITY OVER PROVISION OF BANKING SERVICES ON THE INTERNET

Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;
Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated June 16, 2010;
Pursuant to the Law on E-Transactions No. 51/2005/QH11 dated November 29, 2005;
Pursuant to the Law No. 86/2015/QH13 dated November 19, 2015 on cyber information security;
Pursuant to the Decree No. 35/2007/ND-CP dated March 08, 2007 of the Government on e-transactions in banking activities;
Pursuant to the Decree No. 156/2013/ND-CP dated November 11, 2013 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the request of the Director of Information Technology Management,
The Governor of the State Bank promulgates a Circular on safety and confidentiality over the provision of banking services on the Internet.

Chapter I
GENERAL PROVISIONS

Article Scope and regulated entities
This Circular deals with the requirements for ensuring safety and confidentiality over the provision of banking services on the Internet.
This Circular applies to all credit institutions, branches of foreign banks, and providers of payment intermediary services (hereinafter referred to as the service providers) in Vietnam.

Article Interpretation of terms
For the purposes of this Circular, the following terms shall be construed as follows:
Banking services on the Internet (Internet Banking) mean the banking services and payment intermediary services offered via the Internet.
Internet Banking system means a structured set of hardware equipment, software, databases, security and communications network systems used to produce, transmit, collect, process, store and exchange digital information for the purposes of management and provision of Internet Banking services.
Clients mean the organizations and individuals using Internet Banking services.
One-time Password (OTP) is a password that is valid for only one login session or transaction and for a certain period of time, often used as the second factor in two-factor authentication to authenticate users accessing the application or conducting Internet Banking transactions.
Two-factor authentication means the authentication method requiring two factors to prove the correctness of an identity. Two-factor authentication is based on something the user knows (PIN, password, etc.) along with something the user has (smart card, security token, mobile phone, etc.) or a biometric sign to prove an identity.
End-to-end encryption means the mechanism whereby information is encrypted at the source point before it is sent and is decrypted only after it is received at the destination point of the information exchange between applications or devices in the system, to limit the risk of information exposure on the transmission line.

Article General principles for safety and confidentiality of the information technology system serving Internet Banking services
The Internet Banking system is ranked as an important information technology system and shall comply with regulations of the State Bank on safety and confidentiality of information technology systems in banking operations.
Ensure confidentiality of clients' information and the integrity of client transaction data; all financial transactions of clients shall be authenticated with at least two factors.
Ensure the availability of the Internet Banking system to provide services continuously.
Carry out annual inspection and assessment of security and confidentiality.
Determine risks, prevention measures, and deal with the risks in the provision of Internet Banking services.
The information technology infrastructure (hereinafter referred to as IT infrastructure) providing Internet Banking services shall have copyright and clear origin; in a case where the producer no longer provides support, or the service provider is unable to upgrade to new versions, it must have a plan for upgrading or replacement according to notices of the producer.

Chapter II
SPECIFIC PROVISIONS

Section IT infrastructure of the Internet Banking system

Article Network system, communications, and security and confidentiality
Each service provider must establish a network system, communications, and security and confidentiality at least meeting the following requirements:
The network system is divided into zones, at least containing: Internet connection zone, demilitarized zone (DMZ), user zone, management zone, server zone.
Computers in service of providing information on the Internet shall be placed in the DMZ. Hosting and data processing servers shall be placed in the server zone.
Measures in terms of security and confidentiality for the Internet Banking system, at least containing: firewall; anti-virus; prevention of denial-of-service attacks; application layer firewall and intrusion prevention system.
Sensitive data shall not be stored in the Internet connection zone and the DMZ.
Any outside connection with the Internet Banking system shall go through the DMZ for the purpose of controlling security and confidentiality.
Establish policies to minimize services and gateways to the Internet Banking system.
Conduct at least quarterly inspection of the security policy; assess access rights and any connections, equipment or software installed illegally on the network system.
Do not establish a connection from the wireless network to the operational environment of the Internet Banking system.
Restrict remote connection to the work of system administrators. In a case where remote connection to the server is required, the service provider must use encrypted communication protocols and must not store passwords in utility software.
The connection from the Internet to the intranet system for the purpose of system management must comply with the following rules:
a) It is approved by a competent person after considering connection purposes and methods;
b) Encrypted communication protocols shall be used;
c) Security software shall be installed on connecting devices;
d) Two-factor authentication shall be used when logging in to the system.
10. The Internet connection lines must ensure availability and connect to at least two service providers.
11. Measures for safety and confidentiality between zones are adopted: a firewall or intrusion prevention devices are required between different zones.

Article Server system and system software
Requirements for servers:
a) Monthly average efficiency reaches up to 80% of its design capacity;
b) It has high availability: the Internet Banking system must have a backup server on site;
c) The server shall be separated, logically or physically, from the servers operating other business functions.
The service provider must make a list of the software to be installed on the server. Biannually, the list shall be updated and its adherence inspected.

Article Database management system
The database management system must have an access protection and authorization mechanism for database resources.
The Internet Banking system must have a backup database at the Disaster Recovery Center. The backup database must be updated within at least one hour compared to the official database.
The database shall be copied daily. Copies shall be managed and stored safely.
The service provider must take measures for supervising and logging database access and manipulations related to database access.

Article Internet Banking application
The requirements for safety and security must be determined in advance and built into the application development process: analysis, design, testing, official operation and maintenance.
The documents on safety and security of the software must be systematized, stored and used under the "confidential" regime.
The service provider must control the software source code with at least the following requirements:
a) Check the source code to remove malicious code sections and security vulnerabilities (backdoors);
b) Appoint specific individuals to manage the source code of the Internet Banking application;
c) Access to the source code must be approved by competent persons and be monitored and logged;
d) The source code must be kept safely in at least two separate locations;
dd) In case the service provider purchases software from a third party without being handed the source program, the service provider must require the third party to sign an agreement that the software application delivered to the service provider contains no malicious code.
The service provider shall test and ensure that the Internet Banking application satisfies at least the following requirements:
a) Developing and approving plans and testing scenarios for the Internet Banking application, which clearly state the safety and security conditions required to be met;
b) Detecting and eliminating errors and frauds that can occur when entering input data;
c) Assessing and scanning for technical vulnerabilities; assessing the capacity to prevent attacks: Injection (SQL, XPath, LDAP, etc.), Cross-site Scripting (XSS), Cross-site Request Forgery (XSRF), Brute-Force;
d) Recording errors and the process for dealing with them, especially safety and security errors, in the test inspection reports;
dd) Testing safety and security features on the popular browsers (web applications) and software versions of mobile equipment (mobile applications); inspecting and notifying users to run the application on a browser or software version which has undergone safety testing;
e) The use of data in the testing process requires precautionary measures to prevent it from being exploited or confused.
Prior to launching new applications, the service provider must assess the risks of the launch process for business operations and relevant information technology systems, and make and implement plans to limit and overcome the risks.
Service providers managing changes and upgrades of application versions must meet the following requirements:
a) For each requirement to change the application, it must analyze and assess the impact of the changes on the existing systems as well as other relevant information technology systems of the service provider;
b) The software versions, including the source code, must be centrally managed, stored and kept secret, with decentralized access mechanisms for each member manipulating the files;
c) Information on the versions, the update time and the updating person of each version must be saved;
d) Each upgraded version must be tested for safety and security features, risks and stability before official launch;
dd) The upgrade of a version must be based on test results and must be approved by competent persons;
e) After application versions are successfully tested, they must be closely managed to avoid illegal modification and to be ready for launch;
g) Along with the new software version, there must be clear instructions on the changed contents, the software update and other relevant information, approved by competent persons prior to the launch of the new version to clients.
Compulsory functions of the application:
a) All data transmitted on the Internet shall use end-to-end encryption;
b) The integrity of transaction data shall be ensured; all illegal changes shall be promptly discovered during the processing of transactions and data storage;
c) Have a mechanism to control transaction sessions and access time of websites and applications. In a case where a user performs no operation within a certain time prescribed by the service provider, but not exceeding five minutes, the system shall automatically disconnect the session or apply other protective measures;
d) Have a concealing function for the display of passwords used to log in to the system;
dd) With regard to a client being an organization, the application is designed in a manner to ensure that the transaction will be conducted in two steps, creating and approving the transaction, conducted by at least two different persons.

Article Mobile application
The Internet Banking application on mobile equipment provided by the supplier shall be consistent with the regulations in Article of this Circular and the following requirements:
The supplier must clearly state the link on the website or in the application store enabling clients to download and install the Internet Banking application on mobile equipment.
The application must be protected to hinder reverse engineering.
The application must authenticate users upon their accesses. If incorrect passwords are entered consecutively more than a certain number of times prescribed by the service provider, but not exceeding five times in a row, the application shall be automatically and temporarily locked to prevent the user from continuing to use Internet Banking.

Section TRANSACTION AUTHENTICATION OF INTERNET BANKING

Article Authentication of clients accessing Internet Banking services
A client accessing Internet Banking services must be authenticated with at least a user name and password complying with the following requirements:
a) The user name must be at least characters long; all the same characters, or characters in the order of the alphabet or numerals, are not allowed;
b) The password must be at least characters long, including letters and numerals, and containing uppercase and lowercase letters or special symbols. The maximum validity period of the password is 12 months.
The application shall have a feature that requires a client to change his/her password immediately at the first login, and locks out the account in a case where a client enters an incorrect password consecutively more than a certain number of times prescribed by the service provider, but not exceeding five times in a row. The account will be unlocked only when such client requests to unlock it at a service provider's transaction counter.

Article 10. Requirements for measures for transaction authentication
A service provider must assess the level of risk of transactions according to each type of client, type of transaction and transaction limit so as to provide appropriate measures for transaction authentication at clients' option. Transaction limits shall not exceed the limits prescribed by the Governor of the State Bank in each period.
Requirements for OTP authentication by SMS or email:
a) OTP sent to clients must be accompanied by a warning of the OTP's purpose;
b) OTP shall be valid within minutes.
Requirements for authentication using OTP matrix cards:
a) An OTP matrix card shall be used within year from the date of registration;
b) OTP shall be valid within minutes.
Requirements for OTP authentication generated by an application installed on mobile equipment:
a) The service provider must clearly state the link on the website or application store enabling clients to download and install the OTP generator software;
b) The OTP generator software, before its operation, shall be activated by the password provided by the service provider. An activation password will be used for solely one piece of mobile equipment;
c) Access to the OTP generator software shall be controlled. In a case where five incorrect passwords are entered consecutively, the application shall be automatically locked to prevent the client from continuing to use it;
d) OTP shall be valid within minutes.
Requirements for OTP authentication generated by a token (OTP token): OTP shall be valid within minutes.
Requirements for authentication by digital signatures: The service provider shall use digital signatures and digital signature authentication from a digital signature authentication provider operating in accordance with the law on digital signatures and digital signature authentication.
Requirements for biometric authentication: biometric identification signs are the unique signs associated with a client and cannot be forged.

Section OPERATION MANAGEMENT

Article 11. Management of personnel in charge of management and operation of the Internet Banking system
The service provider shall assign personnel in charge of supervising system operation, and discovering and dealing with technical incidents and network attacks.
The service provider shall assign personnel in charge of receiving information and supporting clients, and promptly contacting clients upon detection of unusual transactions.
Personnel in charge of management, supervision and operation of the Internet Banking system must participate in annual training courses updating their security and confidentiality knowledge.
The issuance and authentication of administrative accounts of the Internet Banking system must be monitored by a division independent from the division in charge of issuing accounts.

Article 12. Management of the operating environment of the Internet Banking system
The service provider shall not install or store application development software or source code in the operating environment.
Computers of personnel in charge of management and operation shall be placed in the management zone, installed with anti-virus software, and configured with a policy that the screen will be automatically locked after a specified period of inactivity prescribed by the service provider, but not exceeding minutes.
The service provider must establish a policy that computers of personnel in charge of management, supervision and operation shall be prohibited from accessing the Internet.

Article 13. Management of technical vulnerabilities and weaknesses
The service provider shall manage vulnerabilities and weaknesses of the Internet Banking system in terms of at least the following:
Adopt measures for preventing, combating and detecting changes to the website and the Internet Banking application.
Establish mechanisms for discovering, preventing and combating intrusions or attacks on the Internet Banking system.
Cooperate with regulatory agencies and information technology partners in promptly learning of incidents and cases of unsafety and insecurity so as to implement prompt preventive measures.
Review and inspect the update of patches of the system software, database management system and application at least quarterly.
Assess security and confidentiality of the Internet Banking system at least annually.
Implement attack-testing drills to assess the security level of the system.

Article 14. System of management and supervision of the Internet Banking system
The service provider must establish a system of supervision of the Internet Banking system.
The service provider must formulate criteria and software to determine unusual transactions according to time, geographic location, transaction frequency, transaction amount, number of incorrect login attempts exceeding the prescribed number, and other unusual signs.
The service provider must arrange a control room separate from the common working area to perform tasks of management and supervision of the Internet Banking system, satisfying the following requirements:
a) Any personnel member entering or leaving the control room must be approved by a competent person;
b) Access to the system to carry out management, operation and maintenance shall be conducted through equipment placed in the control room. Remote access or direct access on the equipment must be approved by a competent person;
c) Any outside access to equipment placed in the control room must apply two-factor authentication measures.

Article 15. Management of confidentiality incidents
The service provider must establish measures for recording, monitoring and dealing with confidentiality incidents.
Quarterly, the service provider shall assess incidents, find their causes and proactively implement appropriate measures to prevent recurrence.

Article 16. Assurance of continuous operation
The service provider shall formulate a disaster prevention system, procedures and scenarios to ensure the continuous operation of the Internet Banking system as prescribed by the State Bank on assurance of safety and confidentiality of information technology systems in banking operations. In addition, the service provider must:
Analyze and determine circumstances likely to cause insecurity and disruption of Internet Banking system operation.
Determine and assess the level of risk and the likelihood of occurrence of each circumstance at least biannually.
Make a list of circumstances by level of risk and likelihood in descending order: high, medium, acceptable and low.
Formulate a plan (procedures or scenarios) for dealing with circumstances of high and medium levels of risk and likelihood as prescribed in Clause hereof.
Determine the maximum downtime to restore the system and restore the database in the plan for each circumstance.
Raise relevant personnel's awareness of the handling plans so that they understand their tasks in actual circumstances.
Arrange personnel, financial and technical resources to hold drills of the plans for handling circumstances with a high level of risk and likelihood at least biannually.
Make plans and hold drills to ensure the continuous operation of business, store related documents and assess the drill results.

Section PROTECTION OF CLIENTS' INTERESTS

Article 17. Information about Internet Banking services
The service provider must provide a client with information about Internet Banking services before he/she/it registers to use the services, at least containing:
a) Method of providing services: on the Internet, via mobile equipment or telecommunications; method of accessing Internet Banking services corresponding to each type of equipment: on the Internet, mobile equipment, or telecommunications equipment;
b) Transaction limits and transaction authentication measures;
c) Necessary equipment conditions for using the services: OTP generator, mobile phone number, email, digital certificate, mobile equipment with the software installed;
d) Risks in connection with using Internet Banking services.
The service provider must provide the client with a contract for Internet Banking services, at least containing:
a) Rights and obligations of the client when using Internet Banking services;
b) Responsibility of the service provider for confidentiality of the client's personal information; method of collecting and using the client's information; commitment not to sell or disclose the client's information;
c) Commitment to ensure the continuous operation of the Internet Banking system;
d) Other contents in terms of Internet Banking services (if any).

Article 18. Guidance for clients using Internet Banking services
The service provider shall formulate procedures and manuals on the installation and use of the software, applications and equipment for conducting Internet Banking transactions, and provide clients with guidance on using such procedures and manuals.
The service provider shall instruct each client to adopt measures for ensuring safety and confidentiality when using Internet Banking services, at least containing the following:
a) Protecting passwords and OTPs and not sharing equipment storing such information;
b) Method of establishing a password, and changing the password of the username at least once a year or upon its exposure or suspected exposure;
c) Not using public computers for accessing and conducting Internet Banking transactions;
d) Not saving the username and password in web browsers;
dd) Logging out of the Internet Banking application when not using it;
e) Identifying and taking action against phishing or fake websites;
g) Requesting the installation or use of anti-virus software on personal equipment used for Internet Banking transactions;
h) Selecting authentication measures with safety and confidentiality levels in conformity with the client's needs in terms of transaction limits;
i) Warning of risks in connection with using Internet Banking services;
k) Not using unlocked mobile equipment to download and use the Internet Banking application or the OTP generator software;
l) Promptly notifying the service provider of any unusual transaction;
m) Immediately notifying the service provider in the following cases: loss, misplacement or damage of the OTP generator, the phone number at which SMS is received, or the storage device of the private key generating digital signatures; upon being defrauded or suspecting fraud; upon being attacked or suspecting an attack by hackers.
3. The service provider must provide the client with information about the contact point for receiving information, the hotline, and guidelines on procedures and methods of cooperation in dealing with mistakes and incidents during use of the service.

Article 19. Protecting clients' information
The service provider must adopt measures for ensuring the safety and confidentiality of clients' database, at least containing the following:
Sensitive data of clients, upon storage or transmission on the Internet, must be encrypted or hidden.
Establish access rights according to the functions and tasks of personnel in charge of accessing clients' database, and adopt monitoring measures for each access.
Implement measures for managing access to equipment and devices that store clients' information to prevent the risk of exposure of clients' information.

Chapter III
IMPLEMENTATION

Article 20. Reporting
Providers of Internet Banking services shall send reports in writing to the Information Technology Administration affiliated to the State Bank of Vietnam as follows:
Report on provision of Internet Banking services:
a) Time limit for submission: at least 10 days prior to the official provision of Internet Banking services;
b) Contents of the report: (i) Website address or application store; (ii) The products and services currently offered; (iii) The official date of provision; (iv) Unit providing products for the Internet Banking system; (v) The third parties hired or coordinating to set up and operate the Internet Banking system; the activities related to the Internet Banking system with the participation of third parties and the forms of their participation; (vi) Authentication measures applicable to each type of client, each type of transaction and transaction limit; (vii) Other documents on information technology infrastructure and communications, human resources, business technical processes, plans for dealing with risk, and other related matters as prescribed in Chapter II of this Circular.
2. Irregular reports:
a) The service providers shall submit irregular reports when unsafe incidents occur or affect the operation of the Internet Banking system, within 05 days from the time of the accident or of incident detection, in particular: (i) Time and place of occurrence of the incident; (ii) Preliminary description of the incident and its status when it occurred; (iii) The cause of the problem; (iv) Assessment of risk and the impact on the Internet Banking system and other involved systems; (v) The situation of the damage; (vi) The measures taken to eliminate the problem and to prevent and stop risks; (vii) Recommendations and proposals.
b) Other cases of irregular reports at the request of the State Bank.
Annual reports: The time limit and contents of annual reports shall be consistent with regulations of the State Bank on statistical reports applicable to credit institutions and branches of foreign banks.

Article 21. Responsibilities of affiliates of the State Bank
The Information Technology Administration shall:
a) Monitor and consolidate the reports on the implementation of safety and confidentiality of information technology systems providing Internet Banking services as prescribed in Article 20 hereof and send them to the Governor of the State Bank;
b) Take charge and cooperate with relevant affiliates of the State Bank in dealing with difficulties arising during the implementation of this Circular.
Agency inspectors and bank supervisors are responsible for coordinating with the Department of Information Technology to inspect and supervise the implementation of this Circular and to handle administrative violations under the provisions of law.

Article 22. Entry into force
This Circular comes into force from July 1, 2017 and replaces Circular No. 29/2011/TT-NHNN dated September 21, 2011 of the State Bank of Vietnam on assurance of safety and confidentiality in the provision of banking services on the Internet.

Article 23. Implementation
The Chief of Office, the Director of Information Technology and the heads of units of the State Bank of Vietnam, Directors of State Bank branches in provinces and cities directly under the Central Government, Chairmen of the Management Boards, Chairmen of the Members' Councils, general directors (directors) of credit institutions and branches of foreign banks providing Internet Banking services, and providers of payment intermediary services shall implement this Circular./.

P.P. GOVERNOR
DEPUTY GOVERNOR
Nguyen Kim Anh

This translation is made by LawSoft and is for reference purposes only. Its copyright is owned by LawSoft and protected under Clause 2, Article 14 of the Law on Intellectual Property. Your comments are always welcome.
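An added example (not part of the Circular or of LawSoft's translation) that implements the client-authentication article above as checkable code: the user-name and password rules, the forced password change at first login and after 12 months, lockout after at most five consecutive failures with unlock only at the transaction counter, and the five-minute session idle limit from the application article. The minimum user-name and password lengths are elided on this page, so MIN_USERNAME_LEN and MIN_PASSWORD_LEN are assumed placeholders, and the account name in demo() is constructed.

```python
"""Added example, not the Circular's or LawSoft's text: a credential-policy module
encoding the client-authentication rules (user-name and password checks, forced
change at first login, 12-month password age, lockout after at most five consecutive
failures) and the five-minute session idle limit. Length minimums are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_USERNAME_LEN = 6                    # assumed placeholder (length elided on the page)
MIN_PASSWORD_LEN = 8                    # assumed placeholder (length elided on the page)
MAX_PASSWORD_AGE = timedelta(days=365)  # "maximum validity period ... 12 months", taken as 365 days
MAX_FAILED_LOGINS = 5                   # provider may set fewer, never more than five
MAX_IDLE = timedelta(minutes=5)         # session timeout "not exceeding five minutes"

def _is_sequential(s: str) -> bool:
    """True when each character is one step after the previous, e.g. 'abcdef' or '123456'."""
    return all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))

def check_username(name: str) -> list:
    """Return the rule violations for a user name; an empty list means acceptable."""
    problems = []
    if len(name) < MIN_USERNAME_LEN:
        problems.append("too short")
    if len(set(name)) == 1:
        problems.append("all characters identical")
    if len(name) > 1 and name.isalnum() and _is_sequential(name.lower()):
        problems.append("alphabetical or numeric sequence")
    return problems

def check_password(pw: str) -> list:
    """Letters and numerals are required, plus either mixed case or a special symbol."""
    problems = []
    if len(pw) < MIN_PASSWORD_LEN:
        problems.append("too short")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain both letters and numerals")
    mixed_case = any(c.isupper() for c in pw) and any(c.islower() for c in pw)
    if not (mixed_case or any(not c.isalnum() for c in pw)):
        problems.append("needs upper and lower case, or a special symbol")
    return problems

@dataclass
class Account:
    username: str
    password_set_at: datetime
    initial_password: bool = True   # provider-issued; must be changed at first login
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_pw: str, now: datetime) -> list:
        """Apply the policy; on success record the change time and clear the first-login flag."""
        problems = check_password(new_pw)
        if not problems:
            self.password_set_at, self.initial_password = now, False
        return problems

    def must_change_password(self, now: datetime) -> bool:
        """Forced at first login and once the password is older than 12 months."""
        return self.initial_password or now - self.password_set_at > MAX_PASSWORD_AGE

    def record_login_attempt(self, success: bool) -> bool:
        """Count consecutive failures and lock at MAX_FAILED_LOGINS; returns the locked
        state. A locked account stays locked until unlock_at_counter() is called, which
        models the client's request at the provider's transaction counter."""
        if self.locked:
            return True
        self.failed_attempts = 0 if success else self.failed_attempts + 1
        self.locked = self.failed_attempts >= MAX_FAILED_LOGINS
        return self.locked

    def unlock_at_counter(self) -> None:
        self.locked, self.failed_attempts = False, 0

def session_expired(last_activity: datetime, now: datetime) -> bool:
    """The system must end a session idle beyond the provider's limit (at most 5 minutes)."""
    return now - last_activity > MAX_IDLE

def demo() -> dict:
    """Walk one constructed account through the rules; returns the observed outcomes."""
    acct = Account("nguyen01", password_set_at=datetime(2017, 7, 1))  # constructed sample
    out = {"change_at_first_login": acct.must_change_password(datetime(2017, 7, 1))}
    acct.set_password("Abc12345", datetime(2017, 7, 1))
    out["change_after_13_months"] = acct.must_change_password(datetime(2018, 8, 1))
    out["locked_after_4"] = [acct.record_login_attempt(False) for _ in range(4)][-1]
    out["locked_after_5"] = acct.record_login_attempt(False)
    out["idle_6_min_expired"] = session_expired(datetime(2017, 7, 1, 10, 0),
                                                datetime(2017, 7, 1, 10, 6))
    return out
```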

Posted: 23/02/2017, 22:33
