The State Bank of Vietnam (SBV) will tighten Online Banking security requirements starting March 1, 2026. What are the key new regulations? Below are the major changes introduced under Circular No. 77/2025/TT-NHNN.
1. Mobile Money services are subject to bank-level security requirements
Accordingly, Article 1 of Circular No. 77/2025/TT-NHNN expands the scope and subjects of application of Circular No. 50/2024/TT-NHNN to include the provision of Mobile Money services.
As a result, Mobile Money service providers are required to apply security measures equivalent to those applicable to credit institutions under Circular No. 77/2025/TT-NHNN.
Recently, the Government officially issued Decree No. 368/2025/ND-CP on Mobile Money services, which provides specific and clear regulations governing this type of service.
2. Additional verification requirements for changes to customers’ identification information
Under Article 3 of Circular No. 77/2025/TT-NHNN, where customers change their information, biometric matching verification must be applied in combination with one of the following authentication methods:
One-time password (OTP);
Authentication via voice calls, Zalo or similar platforms, USSD quick message codes, or specialized software applications;
Secure electronic signature authentication.
Changes to customer information include changes to:
Personal identification documents (including citizen identity cards, identity cards, electronic identity cards, and passports);
Information used to register and use transaction authentication methods (at a minimum including phone numbers, email addresses, or electronic signatures).
3. Requirement to install the latest Mobile Banking version when changing devices
A notable new provision effective from March 1, 2026 is the tightening of control over Mobile Banking application versions, as stipulated in Article 5 of Circular No. 77/2025/TT-NHNN.
Specifically, at least once every three months, credit institutions are required to assess the safety and security of application versions permitted for installation and use, in order to promptly detect vulnerabilities and risks of cybercriminal interference.
Where customers activate Mobile Banking on a new mobile device or reactivate the application, they must install and use the latest or most recent version to ensure security. In particular, downgrading to older versions is not permitted.
4. Mobile Banking applications must automatically suspend operation in three cases
Along with stricter version management to prevent malware attacks, Clause 2 Article 5 of Circular No. 77/2025/TT-NHNN requires Mobile Banking applications to automatically disconnect or immediately cease operation if the mobile device is detected to be in any of the following cases:
The device has been jailbroken (for iOS), rooted (for Android), or has had its bootloader protection mechanism unlocked. Such actions are commonly taken to install unofficial applications or circumvent licensing restrictions;
The device has been injected with malicious code to monitor or record operation history, or has been modified or repackaged;
The device has debugging tools attached or is running applications on emulators, virtual machines, or simulated devices.
5. Additional cases permitting password storage in Mobile Banking applications
Clause 5 Article 8 of Circular No. 50/2024/TT-NHNN has been amended and supplemented by Article 5 of Circular No. 77/2025/TT-NHNN as follows:
The function allowing storage of access secret keys is not permitted, except where the authentication method specified in Clause 6 Article 11 of this Circular is applied.
Accordingly, Mobile Banking applications are not permitted to store passwords, except where customers are authenticated through fingerprint, iris, or Face ID matching with information stored on the device. Such authentication must satisfy the following conditions:
Activation is allowed only after obtaining customer consent and after the customer has successfully completed at least one transaction using another authentication method.
The maximum authentication time is two minutes.
6. Biometric spoofing detection solutions must meet ISO 30107 standards
Another major change effective from March 1, 2026 is stipulated in Clause 1 Article 7 of Circular No. 77/2025/TT-NHNN, which introduces new requirements for biometric Presentation Attack Detection (PAD) solutions, particularly in light of increasingly sophisticated fraud schemes such as AI-generated deepfakes.
Accordingly, such solutions must not only be certified by biometric organizations or laboratories recognized by the FIDO Alliance, but may also be certified by accredited certification bodies confirming compliance with international ISO standards, meeting ISO 30107 Level 2 or equivalent.
Certification bodies must be accredited by an accreditation authority that is a participant in the multilateral mutual recognition arrangement of the International Accreditation Forum.
The above summarizes the key new provisions of Circular No. 77/2025/TT-NHNN, effective from March 1, 2026, regarding Online Banking security.
As the global economy transitions towards a knowledge-based model, science, technology and innovation have become decisive engines of national growth. In Vietnam, the 2025 Law on Science, Technology and Innovation is widely viewed as a strategic institutional framework for improving national competitiveness while raising the country’s position in global value chains.
The State Bank of Vietnam has issued Circular No. 55/2025/TT-NHNN prescribing the licensing of non-bank credit institutions. Below are the major changes of Circular No. 55/2025/TT-NHNN to clarify the applicable regulations as of 09 February 2026.
The State Bank of Vietnam has issued a Circular amending and supplementing regulations on required reserves applicable to credit institutions and foreign bank branches. Below are the major changes introduced by Circular No. 23/2025/TT-NHNN regarding banks’ required reserves.
In the course of operation, commercial banks must comply with various regulations on the number and establishment of transaction offices. Under current law, how many transaction offices may a commercial bank establish? The article below provides detailed information.
The State Bank of Vietnam has promulgated a document providing guidance on the listing of stocks on foreign securities markets by credit institutions, which takes effect from January 29, 2026. Below are the major changes of Circular No. 47/2025/TT-NHNN.
To list stocks on foreign securities markets, joint-stock credit institutions must obtain approval from the State Bank of Vietnam. Below are the procedures for obtaining approval for listing stocks on foreign securities markets, in accordance with Circular No. 47/2025/TT-NHNN, which takes effect on January 29, 2026.
The establishment of the International Financial Center necessitates an appropriate judicial institution capable of resolving cross-border investment and business disputes. In this context, the Law on Specialized Court at the International Financial Center was enacted as a key legal foundation for the application of a professional adjudicatory mechanism, thereby enhancing Vietnam’s profile and competitiveness in the international arena.
English
RSS
