Vietnam's Retail Banking Is 95% Digital. Its VIFC Institutional Stack Is Not.
The SBV's journal maps five gaps blocking international investor digital banking at the VIFC — eKYC, open API, multi-currency products, AML risk, and talent.
Vietnam's banks processed more than 95% of all retail banking transactions digitally in 2025, according to the Vietnam Banking Association — a figure the association says places Vietnam among the highest in Southeast Asia for consumer digital finance. The VIFC, meanwhile, cannot yet offer an international investor a fully digital path from onboarding to profit repatriation. That contradiction sits at the centre of an analysis published in mid-2026 by the State Bank of Vietnam's official journal, and it is the most direct acknowledgement from within the SBV's own publication ecosystem that the VIFC's digital banking infrastructure has a structural problem.
The article, written by ThS. Võ Hoàng Nhi of the Banking Academy's Phu Yen branch and published on tapchinganhang.gov.vn, is not a regulatory announcement. It carries no binding force. But the SBV does not platform analysis it finds inconvenient — what the journal publishes is, at minimum, what the regulator is willing to have discussed in its name. For banks building VIFC subsidiaries and international investors evaluating market entry, that distinction matters less than the substance of what it says.
The Eight-Step Problem#
The paper maps the investment journey an international investor must complete to operate at the VIFC: market research, KYB/eKYC, account opening, capital transfer, multi-currency payments, asset custody, tax reporting, and profit repatriation. Eight sequential steps, each touching multiple institutions simultaneously — the SBV, commercial banks, capital market intermediaries, and tax authorities — with no single digital interface connecting them.
In Singapore, Hong Kong, Dubai, and Abu Dhabi, IFC operators have built or mandated single-window portals that standardise this journey. The SBV journal cites the HKMA's Open API framework, now in Phase III/IV, as covering functions well beyond retail banking, allowing institutional clients to connect custody, payments, and compliance reporting through a single authenticated channel. According to the journal, the MAS regulatory sandbox has generated a comparable set of institutional-grade cross-border services. The VIFC has neither.
That gap is not primarily a technology problem. It is a legal and regulatory architecture problem — and the SBV journal identifies five specific dimensions.
Five Bottlenecks, Named Explicitly#
Cross-border eKYC/KYB. Vietnam's identity verification framework was built for domestic retail customers. There is no legal basis for banks to accept foreign digital identity credentials for institutional onboarding — no cross-border mutual recognition arrangement, no regulatory standard for what a foreign corporate KYB process must look like, and no shared database that VIFC banks can query to verify international counterparties. Every international investor arriving at a VIFC bank today faces a manual, paper-intensive process that adds weeks to onboarding and cannot scale.
Data connectivity. Banks, fintechs, capital market operators, and regulators maintain separate, unsynchronised data systems. An international investor executing a transaction at the VIFC touches all of them — but they do not talk to each other in real time. Tax reporting requires data from the bank; the bank requires confirmation from the securities depository; the regulator requires confirmation from both. Each handoff is manual. The result is compliance friction that compounds across every transaction.
Specialised product gaps. Multi-currency accounts, digital FX execution, automated compliance reporting, and cross-border cash flow management tools — the product set that institutional investors in Singapore or Hong Kong treat as table stakes — are not yet available at scale from VIFC banks. The FX architecture under Circular 72's dual-track system provides the regulatory foundation for multi-currency accounts, but banks have not yet built the products on top of it.
API security, AML, and data protection risks. Opening the ecosystem to institutional participants and third-party service providers creates new attack surfaces. The journal identifies API security, anti-money laundering controls at system entry points, and personal data protection as risks that must be designed in from the start — not bolted on after the fact. Vietnam's personal data protection decree (specific instrument to be confirmed) governs personal data; the AML framework under existing SBV circulars was written for domestic retail, not cross-border institutional flows.
Talent. Banks building VIFC subsidiaries need people who understand institutional finance, Vietnamese regulatory requirements, international compliance standards, and the API architecture that connects them. That combination is rare globally and nearly absent in Vietnam's current labour market. The VIFC's own talent incentives address compensation but not the supply of people who have this specific cross-disciplinary profile.
The Decree 94 Hook#
The journal identifies Decree No. 94/2025/ND-CP — the fintech sandbox regulation covered in our earlier analysis of P2P lending limits — as the most directly relevant existing mechanism for solving the connectivity problem. The open API provisions in Decree 94 create a legal basis for fintechs and banks to share data through standardised interfaces. But the analysis is clear that Decree 94 alone is insufficient.
For the VIFC institutional use case, open API requires four things Decree 94 does not yet provide: cross-border data-sharing guidelines (covering what data can leave Vietnam, in what form, and under what conditions); security standards for third-party API integrations; liability rules establishing who bears the risk when an API connection fails or is compromised; and alignment with Vietnam's personal data protection decree (specific instrument to be confirmed). Until those four elements exist, the sandbox framework cannot be extended to institutional cross-border applications without exposing participating banks to unquantified legal risk.
The article calls for the SBV to publish a dedicated open banking technical standard covering API architecture, transaction data formats, customer identity protocols, security specifications, and third-party risk management. Whether that standard will emerge as an amendment to the Decree 94 sandbox framework or as a standalone SBV circular is not settled — the journal does not specify, and the SBV has issued no draft.
A Three-Phase Roadmap#
The proposed roadmap moves in three stages.
Short-term: Resolve the core legal barriers — establish the cross-border eKYC/KYB framework, publish the open banking API standard, and clarify data-sharing rules under Vietnam's personal data protection decree. This is the precondition for everything else. Without legal certainty on identity verification and data, banks cannot build compliant institutional products regardless of their technology capability.
Medium-term: Deploy RegTech for automated risk control. Once the API standard and data-sharing rules exist, compliance automation becomes possible — automated AML screening at API entry points, real-time regulatory reporting, and machine-readable audit trails that replace the current manual reconciliation process. The journal cites Singapore and Hong Kong's RegTech deployment as the model.
Long-term: Achieve full alignment with global cross-border payment standards, specifically the G20 cross-border payments roadmap coordinated through the BIS and FSB. This is the horizon at which the VIFC would be interoperable with other major IFCs — the point at which a fund in Singapore could move capital to the VIFC with the same digital friction as moving it to Hong Kong.
The roadmap also recommends a single-window digital service portal for international investors at the VIFC, standardising service information, fee schedules, processing times, and compliance requirements across all participating institutions. No institution has been named to build or operate this portal.
What This Means for Banks Entering the VIFC#
The SBV journal's analysis, read alongside the wave of domestic bank VIFC subsidiary approvals in 2026, reframes what VIFC entry actually costs. The charter capital requirement is the visible threshold. The digital infrastructure investment — API architecture, cross-border KYB capability, RegTech partnerships, multi-currency product builds — is the less visible but potentially larger cost.
TPBank's VIFC subsidiary strategy has already positioned around fintech platform capability rather than conventional branch banking. That positioning now looks like a response to exactly the infrastructure gap the SBV journal describes. Banks that treat their VIFC subsidiary as a conventional lending operation, without the API and KYB infrastructure to serve institutional international clients, will find the product set they can offer is limited precisely where international investor demand is highest.
For fintech and RegTech firms, the journal identifies an explicit B2B opportunity. The VIFC does not need another consumer-facing payments app. It needs infrastructure-layer vendors — cross-border identity verification, institutional KYB, regulatory reporting automation — with experience deploying in MAS or HKMA-regulated environments. The journal's call for an open banking API standard is, in effect, a procurement signal for that category of vendor.
What Comes Next#
Three things to watch. First, whether the SBV issues a formal open banking technical standard for the VIFC, and whether it comes through a Decree 94 amendment or a standalone circular — that choice will determine which institutions can participate in VIFC institutional banking infrastructure and on what terms. Second, whether any VIFC bank announces a formal RegTech partnership explicitly targeting the cross-border KYB and compliance automation gaps the journal identifies. Third, whether the single-window investor portal concept gets picked up by the VIFC Executive Council — constituted under Decree 92 — as a near-term operational priority.
The journal analysis is a diagnosis, not a prescription with a delivery date. Nothing in it commits the SBV to a timeline. But a regulator's house journal naming five specific infrastructure gaps, proposing a three-phase fix, and comparing the outcome to Singapore, Hong Kong, Dubai, and Abu Dhabi is not an academic exercise. It is the SBV mapping what it intends to build — and signalling to the market what it expects banks and fintechs to build alongside it.
SBV's Draft AI Circular: Six Compliance Layers Banks Must Build by September 2027
The SBV's draft AI circular imposes six compliance layers on banks under Law 134/2025/QH15, with a September 2027 deadline for existing systems.
UOB Breaks Ground in VIFC Zone as Rating Barrier Stalls Bigger Rivals
UOB raises charter capital to VND 10 trillion and breaks ground on a VIFC-zone HQ in July — while JPMorgan and MUFG are blocked by Decree 329's rating barrier.
LPBank Becomes the Eighth Bank to Approve a VIFC Subsidiary — and the First to Name Digital Assets
LPBank's 28 April AGM unanimously approved a VIFC subsidiary — the eighth in 2026 — and the first to explicitly cite digital asset management as a target service.