Vietnam Scraps Bank Data-Sharing Rule After MoF–SBV Standoff

Vietnam's Ministry of Finance has pulled a proposal that would have required banks, e-wallet providers, payment intermediaries, and international card organizations to proactively share taxpayer account data with tax authorities — a sharp retreat driven by a direct institutional challenge from the State Bank of Vietnam. The withdrawal, confirmed in the latest draft submitted to the Ministry of Justice for appraisal, removes the most intrusive data obligation from the implementing decree for the 2025 Law on Tax Management (law number not confirmed at time of writing; readers should verify the official gazette citation once the promulgated text issues), which is expected to take effect 1 July 2026.

What the MoF Had Proposed#

The draft decree initially required credit institutions, foreign bank branches, payment intermediaries, online payment service providers, and international card organizations to supply tax authorities with users' payment account information on a proactive, ongoing basis. The proposed obligation went further: these entities would also have been required to cooperate with tax authorities in detecting "unusual transactions" related to tax compliance.

That second element — co-investigator status for payment operators — was especially consequential. It would have effectively made banks and e-wallet providers auxiliary arms of the tax enforcement apparatus, with legal exposure tied to their ability to flag transactions that tax authorities deemed suspicious.

Four Grounds the SBV Won On#

The SBV's objection was substantive rather than procedural, and it prevailed on all four points raised.

Banking secrecy conflict. Existing customer data confidentiality rules — established under the Law on Credit Institutions (passed in 2023, effective from mid-2024; cited throughout this article as the Law on Credit Institutions 2023) and related SBV-governed payment regulations — permit financial institutions to disclose customer information in only two circumstances: with the customer's consent, or in response to a formal request from a competent state authority. Automatic proactive disclosure to tax authorities satisfies neither condition.

No statutory basis. The 2025 Law on Tax Management — the new primary instrument this decree was written to implement — does not define responsibilities for credit institutions, payment service providers, or intermediaries to proactively supply tax information. A decree provision imposing such an obligation would sit above its own statutory parent. The SBV characterised this as a legislative gap that cannot be filled by implementing regulation alone.

Data architecture mismatch. Current payment regulations do not require service providers to collect information on the goods and services purchased in individual transactions. The data fields simply do not exist in the format tax reporting would require. An obligation to report transaction-level goods-and-services data would require payment operators to restructure data collection at the point of transaction — a change that flows from statute and primary regulation, not a decree.

Technical infeasibility. Vietnam's payment systems process millions of transactions daily. The proposal would have required banks to identify, within that volume, foreign service providers that have "not registered, declared, or paid taxes in Vietnam" — a determination that requires cross-referencing against tax authority records in real time. The SBV's position: operationally impossible at scale.

The SBV's successful challenge is itself worth noting. In inter-ministerial drafting processes, sectoral regulators often register objections that are partially accommodated. Here, the SBV's position on all four grounds was accepted in full — a signal of institutional weight when proposed obligations fall directly on its regulated entities.

What the Existing Framework Already Requires#

This withdrawal does not eliminate tax authority access to bank data. Under Decree 126/2020 and the 2019 Law on Tax Management — still operative for this purpose — banks must already provide account transaction records, balances, and transaction histories when formally requested by the head of a competent tax authority for inspection or audit purposes. Tax authorities are responsible for confidentiality of data obtained through this channel.

According to public remarks by Tax Deputy Director Dang Ngoc Minh, tax authorities already hold information on approximately 250 million bank accounts — around 200 million personal accounts and 50 million corporate accounts. The request-based model has not prevented large-scale data collection; it has required that collection to proceed through a defined legal gateway.

The operative distinction for payment operators is straightforward: you respond to formal requests with appropriate authorization. You do not file routine reports.

The Three-Way Tension This Episode Reveals#

The withdrawal reflects a real institutional conflict at the junction of three overlapping 2025–2026 reform tracks.

The MoF is pursuing a "cash flow analysis" model of tax administration — the approach familiar in OECD jurisdictions as real-time transaction monitoring for compliance purposes. The ministry's concern is that high-value digital transactions through e-commerce platforms, delivery services, and payment intermediaries are systematically underdeclared. The proposed proactive reporting obligation was one mechanism to address this.

The banking secrecy framework sits in direct tension with that objective. The Law on Credit Institutions 2023 and SBV-governed payment regulations maintain strict customer data confidentiality norms. Disclosure requires consent or legal compulsion — a standard that proactive reporting cannot meet without legislative change at the primary law level.

Vietnam's Personal Data Protection Law, effective 1 January 2026, adds a third layer of constraint. The PDPL imposes penalties of up to 5% of prior-year Vietnam revenue for data protection violations. A payment operator that disclosed customer data without adequate legal basis — even in response to a government proposal that was later withdrawn — would face direct exposure under this framework. The SBV's objection, read in this context, was also a form of protection for its regulated entities from PDPL liability.

Implications for VIFC-Zone Operators#

The VIFC's digital finance pillar explicitly targets payment technology companies, digital banking subsidiaries, and fintech payment infrastructure as priority entrants. For those firms, this episode has three practical dimensions.

Current obligations are request-based, not proactive. Payment operators, e-wallet providers, and digital banking services in Vietnam provide account data when formally requested by a competent tax authority with the appropriate authorization level. That standard survives the July 2026 decree intact. Firms calibrating their data governance architecture should build around the consent/request model — not a proactive-reporting model.

PDPL exposure is real and present. The PDPL's 5% revenue penalty for data protection violations is in force now. Any data-sharing arrangement — whether with tax authorities, within a corporate group, or with third-party analytics providers — requires a clearly documented legal basis. The MoF's withdrawn proposal is a useful illustration of what "inadequate legal basis" looks like: a framework that the SBV itself characterised as having no statutory grounding.

The MoF's stated direction has not changed. The 1 July decree will not implement proactive transaction monitoring, but the policy objective it was meant to serve has not been abandoned. The MoF's public position is that cash-flow-based tax administration is where the system is heading. The specific mechanism was rejected; the destination was not. VIFC-zone operators should treat systematic digital transaction reporting as a medium-term regulatory watch item, not a closed question.

The data governance picture in Vietnam is a patchwork of overlapping instruments — banking secrecy law, the PDPL, and tax administration requirements — each with its own enforcement authority and penalty regime. Clarity on which obligation applies in which circumstance, and which ministry owns the enforcement claim, is not yet settled. That complexity intersects with other regulatory layers VIFC-zone operators are navigating simultaneously.

See also: Circular 72: VIFC Forex and Inbound Capital — A Practical Guide | Circular 77: Online Banking Cybersecurity Requirements

What Comes Next#

The broader decree implementing the 2025 Law on Tax Management remains under Ministry of Justice appraisal and is expected to take effect 1 July 2026. The bank data-sharing provision has been removed, but the full text of remaining provisions — including any other data-related obligations — has not been publicly confirmed at the time of writing. Operators should review the final published decree text independently once it issues.

The more consequential question is whether the MoF pursues the proactive reporting objective through primary legislation in the next cycle of the Law on Tax Management or through a separate digital economy tax regulation. The SBV's objection was framed explicitly in terms of the 2025 law's failure to provide adequate statutory grounding. If the legislature closes that gap in the next amendment round, the institutional arguments that won this time may not be available.

Payment operators establishing in the VIFC zone should document their current data governance position against the existing request-based framework, build PDPL compliance into their data architecture from day one, and flag the cash-flow monitoring trajectory as a live compliance horizon item — because the MoF's direction is clear, even if the mechanism and timeline are not yet settled.

This article reflects the regulatory position as of 27 May 2026. It will be updated when the final implementing decree for the 2025 Law on Tax Management is published.