THE STATE BANK
SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
Hanoi, July 31, 2006
PROMULGATING THE REGULATION ON RISK MANAGEMENT PRINCIPLES FOR E-BANKING ACTIVITIES
THE GOVERNOR OF THE STATE BANK
Pursuant to the 1997 Law on the State Bank of Vietnam and the 2003 Law Amending and Supplementing a Number of Articles of the Law on the State Bank of Vietnam;
Pursuant to the 1997 Law on Credit Institutions and the 2004 Law Amending and Supplementing a Number of Articles of the Law on Credit Institutions;
Pursuant to the 2005 Law on Electronic Transactions;
Pursuant to the Government's Decree No. 52/2003/ND-CP of May 19, 2003, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;
At the proposal of the director of the Department of Banks and Non-Bank Credit Institutions,
Article 1.- To promulgate together with this Decision the Regulation on risk management principles for e-banking activities.
Article 2.- This Decision shall take effect 15 days after its publication in "CONG BAO."
Article 3.- The director of the Office, the director of the Department of Banks and Non-Bank Credit Institutions, heads of concerned units under the State Bank of Vietnam, directors of State Bank branches in provinces and centrally run cities, and chairmen of the Management Boards and general directors (directors) of credit institutions shall have to implement this Decision.
FOR THE STATE BANK GOVERNOR
Dang Thanh Binh
ON RISK MANAGEMENT PRINCIPLES FOR E-BANKING ACTIVITIES
(Promulgated together with the State Bank Governor's Decision No. 35/2006/QD-NHNN of July 31, 2006)
Article 1.- Scope of regulation and subjects of application
1. This Regulation establishes risk management principles for e-banking activities.
2. Credit institutions and foreign bank branches in Vietnam (hereinafter collectively referred to as credit institutions) which are engaged in e-banking activities shall have to adhere to the risk management principles laid down in this Regulation.
Article 2.- Purpose
Risk management principles for e-banking activities shall serve as the basis for credit institutions to formulate their internal rules on risk management for e-banking.
Article 3.- Interpretation of terms
In this Decision, the terms below shall be construed as follows:
1. E-banking activities means banking activities conducted via electronic distribution channels.
2. Electronic distribution channel means a system of electronic equipment and automated processes to handle transactions, which is used by credit institutions for communication with customers and provision of banking products and services to customers.
3. E-banking risk means potential occurrence of losses in e-banking activities.
4. Customers mean organizations and individuals having transactions with credit institutions.
4. Third parties means professional organizations hired by or cooperating with credit institutions to provide technical services in support of e-banking activities.
Article 4.- Scope of e-banking activities
Credit institutions may conduct e-banking activities within the scope of their activities defined in their establishment and operation licenses and in compliance with their charters.
Article 5.- General principles
1. Credit institutions shall take responsibility for ensuring safe and sound e-banking activities; protecting legitimate rights and interests of credit institutions and customers as well as interests of the State and society in accordance with the provisions of law.
2. In order to effectively manage risks associated with e-banking activities, credit institutions should:
a/ Identify risks that may arise from current or planned e-banking activities;
b/ Analyze and identify impacts and consequences that may arise from the occurrence of risks;
c/ Categorize risks; decide on orientations and measures to prevent risks, paying special attention to the management of network security and the protection of information; determine the maximum acceptable loss in case of occurrence of losses; refrain from carrying out types of e-banking activities which require risk prevention measures beyond their capability;
d/ Regularly assess and supervise the results and effectiveness of risk management work; audit and update risk management processes.
RISK MANAGEMENT PRINCIPLES FOR E-BANKING ACTIVITIES
Section 1. MANAGEMENT OF RISKS WITHIN CREDIT INSTITUTIONS
Article 6.- Making of plans on e-banking activities
Before starting e-banking activities, a credit institution should make a plan thereon with the following basic contents:
1. Grounds for deciding to conduct e-banking activities, such as market demand; the credit institution's development strategy and its capabilities in terms of capital, technology, technique, business management, risk control and human resources.
2. Specific objectives set by the credit institution for e-banking activities.
3. Risks that may occur in e-banking activities and relevant risk management measures.
4. Plan on regular assessments, at least on a yearly basis, of the effectiveness of e-banking activities according to such fundamental criteria as income and cost of e-banking activities; number of customers frequently using e-banking services and products; total number of e-banking transactions already conducted and average cost per transaction; other criteria suitable to the practical activities of the credit institution.
Article 7.- Risk management policies
1. Determining the maximum level of risk acceptable to the credit institution;
2. Defining specific duties of each section or board involved in e-banking activities;
3. Regulations on regular reporting and irregular reporting when an incident occurs;
4. Adopting measures to manage each particular type of risks that may occur in the course of provision of e-banking products and services; at the same time requesting third parties to apply similar measures;
5. Studying and assessing the degree of risks and the risk control capability, testing new products before marketing them.
Article 8.- Assignment of duties and powers
Credit institutions shall clearly define the scope of duties and powers of each section and employee involved in an e-banking process:
1. Reviewing, revising and supplementing (if necessary) the regime of delegation of powers and duties currently applied at the credit institution to ensure its compatibility with the characteristics and requirements of e-banking activities.
2. Defining the scope of duties between employees entering data and those checking data.
3. Defining the scope of duties between the section establishing and the section administrating the e-banking system.
4. Regularly supervising the compliance with the requirement on delegation of duties and powers in e-banking activities.
Article 9.- Data protection
1. Credit institutions shall adopt appropriate measures to ensure safety, completeness, integrity and accuracy of stored data on all e-banking transactions on the following principles:
a/ All data and databases on e-banking transactions shall be stored, with particular attention paid to the opening or closing of customers' accounts; transactions related to financial results; change of access authority and scope, and the permitted transaction limit of each individual within the credit institution and of each customer.
b/ Regulations on the grant, registration and confidentiality of access rights of each employee of the credit institution and each customer in e-banking activities shall be promulgated.
c/ Any addition, deletion or change of the database of an organization, individual or system must be effected by a sole competent person. Information on the time of deletion or change of a database and on the persons who have effected such deletion or change shall be stored to facilitate inspection and control work.
2. Credit institutions shall have to formulate data safety control processes in e-banking activities.
a/ Applying necessary technical and technological measures to prevent illegal accesses to applications and databases of e-banking activities;
b/ Regularly reviewing and testing the effectiveness of data safety management measures so as to make timely adjustments when necessary.
3. Credit institutions shall apply necessary measures to ensure the confidentiality of e-banking information. Every specific measure should be commensurate with the materiality of information being transmitted and/or stored in databases.
a/ Only duly authorized persons may have access to confidential data of credit institutions;
b/ All confidential information of credit institutions must be securely stored and protected against all risks of illegal modification, access or leakage during transmission over internal or public networks;
c/ When having the right to access confidential information of a credit institution, third parties must meet all standards and comply with the inspection and control regime required by the credit institution;
d/ Credit institutions must take technical measures to log every access to confidential information and ensure that access logs are resistant to tampering.
Article 10.- Internal supervision, control and audit
1. Credit institutions shall formulate and adapt their internal supervision, control and audit processes in accordance with the characteristics of e-banking activities.
2. The e-banking systems shall be regularly inspected and assessed and regularly or unexpectedly internally controlled and audited in order to detect and prevent illegal or unauthorized access.
3. It is necessary to take into consideration the issue of copyright to software and applications used in the e-banking system.
4. Data related to every e-banking transaction must be fully stored to facilitate credit institutions' internal supervision, control and audit work. The duration of archive of electronic transaction documents shall comply with the provisions of law on archive.
Section 2. MANAGEMENT OF RISKS IN TRANSACTIONS WITH CUSTOMERS
Article 11.- Principles of transactions
1. To keep confidential and ensure the integrity and accuracy of information, data and databases of transaction figures in e-banking activities.
2. To classify transactions; important transactions shall be inspected and supervised by authorized persons in each section and be supervised and monitored by functional sections within a credit institution.
3. To ensure that accurate information is provided to customers to help them have a correct understanding and assessment of the actual capability and status of the credit institution as well as of their interests and obligations before they enter into transactions with credit institutions.
Article 12.- Principles on relationships with customers
1. Credit institutions shall have to promulgate specific regulations on the order and procedures for establishing relations, receiving and processing e-banking transactions with customers.
2. To ensure the verification of customer's identity, access right, accounts, permitted scope and limit of transactions.
3. To establish and clearly announce the obligations, responsibilities and powers of customers seeking to initiate transactions; to ensure the prevention of customers' denial or repudiation of transactions.
4. When signing contracts on provision of e-banking services to customers and/or when customers use for the first time e-banking services, banks shall have to inform customers of risks that customers may face when using these services and provide them with explicit and full explanations thereon.
5. To prevent and detect in time any tampering with and modification of accounting and financial information and data as well as commitments related to credit institutions' and customers' interests and obligations.
Section 3. MANAGEMENT OF RISKS RELATED TO THIRD PARTIES
Article 13.- Assessment of third parties
In case of hiring or cooperating with a third party to provide technical services in support of e-banking activities, a credit institution shall:
1. Prudently and adequately assess potential risks; make a contingency plan to deal with disruptions in the provision of services by third parties.
2. Thoroughly evaluate the technical competence and financial capability of their counterparts. Counterparties must have full financial capability, reputation and potential to bear legal and financial liabilities associated with services provided by themselves.
3. To take into consideration security and confidentiality issues when third-party employees are permitted to access the e-banking system.
4. To clearly define duties, powers and obligations of parties in the hiring or cooperation contract; to ensure that the credit institution has the right to regularly and irregularly supervise and oversee the provision of technical support services by third parties and have the right to request third parties to conduct independent audit when necessary.
5. To regularly assess difficulties, incidents and potential problems in the relationships with third parties in e-banking activities so as to work out appropriate risk management measures.
Article 14.- Data
In case the third party is responsible for managing the data processing and storage system, the credit institution should ensure that:
1. It is clearly stipulated in the contract signed with the third party that the credit institution has the right to access necessary data;
2. All data stored by the third party shall meet confidentiality standards and requirements set by the credit institution.
Section 4. MANAGEMENT OF RISKS UPON OCCURRENCE OF INCIDENTS
Article 15.- Prevention of incidents
1. To build a data storage system and step by step build a standby system for dealing with e-banking transactions.
2. To conduct regular and unexpected supervisions to assess the e-banking system's operational continuity; existing resources and future scalability on the basis of taking into consideration market elements related to e-commerce and the projected rate of customer acceptance of e-banking services and products.
3. To develop incident response plans in order to control, contain and minimize problems arising from by unexpected events occurring inside and outside the system and during and after working hours to the e-banking systems, which may affect the provision of e-banking services.
4. To develop processes of controlling incidents, identify persons responsible for receiving and processing information on incidents occurring in e-banking activities. To pre-determine members of incident response teams to promptly deal with serious incidents when they occur. Credit institutions may reach agreement with third parties on the mobilization of the latter's personnel to join incident response teams to deal with serious incidents.
5. To issue regulatory documents clearly defining the responsibilities of credit institutions and third parties when incidents occur. These documents shall be fully supplied to third parties right at the time of signing of contracts. In case such a document has some contents related to customers' interests and responsibilities when incidents occur, these contents shall be made known to customers when customers sign contracts on the use of e-banking services or when customers use such services for the first time.
Article 16.- Incident control and response
In case incidents occur in the e-banking system, credit institutions should apply the following measures:
1. To deploy incident response measures according to incident response processes and plans already developed.
2. To locate incidents and their causes due to technical failures or human factors. To determine the affected area and identify customers' groups likely to be affected.
3. To take timely measures to disseminate and explain to the public, customers and related subjects on incidents occurring in the e-banking system.
4. To collect and preserve legal evidences to facilitate the investigation into and handling of incidents in the e-banking system and apply measures to handle law-violating organizations and individuals.
5. To quickly respond to incidents and settle disputes related thereto and pay damages falling within the scope of their responsibility so as to prevent reputation risks for credit institutions.
Article 17.- Internal rules of credit institutions
1. Depending on the nature and characteristics of electronic distribution channels related to e-banking activities, credit institutions shall have to issue internal rules on management of risks in e-banking activities in accordance with current laws and the principles laid down in this Regulation.
2. Within 6 months after the effective date of this Decision, credit institutions which have carried out e-banking activities shall have to formulate and send their internal rules on management of risks in e-banking activities to the State Bank of Vietnam (the State Bank Inspectorate, the Department of Banks and Non-Bank Credit Institutions, the Department of Banking Informatic Technology and State Bank branches of the provinces or centrally run cities where joint-stock credit institutions are headquartered) to facilitate the latter's inspection and supervision work.
3. In case credit institutions make amendments to their internal rules, they shall have to notify them to the State Bank of Vietnam (the State Bank Inspectorate, the Department of Banks and Non-Bank Credit Institutions, the Department of Banking Informatic Technology and State Bank branches of the provinces or centrally run cities where joint-stock credit institutions are headquartered).
Article 18.- Reporting
1. No later than January 20 and July 20 every year, credit institutions shall send reports on e-banking activities and assessment of the results of control and handling of risks in e-banking activities in the first six months and the whole year to the State Bank of Vietnam (the State Bank Inspectorate, the Departments of Banks and Non-Bank Credit Institutions, the Department of Banking Informatic Technology and State Bank branches of the provinces or centrally run cities where joint-stock credit institutions are headquartered).
2. A report shall contain the following details:
a/ E-banking products and/or services currently provided;
b/ Third parties involved in e-banking activities on a hiring or cooperation basis; e-banking activities with the participation of third parties and forms of participation;
c/ Number of customers using e-banking services and the rate of increase in the number of customers compared with the same period of the previous year;
d/ Turnover of e-banking activities;
e/ Incidents having occurred in the period, reported according to the four categories of risks defined in Chapter II of this Regulation, inflicted damage and applied response measures.
Article 19.- Responsibilities of State Bank units
1. The State Bank Inspectorate:
a/ To inspect and supervise according to its competence credit institutions' adherence to the risk management principles for e-banking activities.
b/ To handle according to its competence and propose the State Bank Governor to handle violations of this Regulation and other provisions of law.
2. State Bank branches of provinces and centrally run cities:
To inspect and supervise local joint-stock credit institutions' adherence to the risk management principles for e-banking activities and handle violations according to their competence.
3. The Department of Banks and Non-Bank Credit Institutions:
a/ To study and submit to the State Bank Governor for consideration amendments and supplements to the provisions of this Regulation on management of risks in e-banking activities.
b/ To coordinate with the State Bank Governor in supervising credit institutions' adherence to the risk management principles for e-banking activities.
4. The Department of Banking Informatic Technology:
To coordinate with the State Bank Inspectorate in supervising credit institutions' adherence to the risk management principles for e-banking activities.