Circular 77/2025: Vietnam's Tighter Online Banking Security Rules and What VIFC Firms Must Do
The State Bank of Vietnam (SBV) issued Circular 77/2025/TT-NHNN on 31 December 2025, substantially tightening the security and authentication requirements for online banking services across Vietnam. The circular amends Circular 50/2024/TT-NHNN — the baseline framework that took effect on 1 January 2025 — and its core provisions have been active since 1 March 2026. For foreign bank branches, fintech firms, and payment providers operating within or entering the VIFC, Circular 77 represents the technology compliance layer that sits beneath the centre's foundational commercial and banking decrees.
Who is in scope
Circular 77 explicitly names credit institutions, foreign bank branches, intermediary payment service providers, mobile money service providers, and credit information companies. This scope directly captures every financial institution operating within the VIFC framework, including foreign bank branches authorised under Decree 329. The VIFC's foundational decrees set the commercial and forex framework but do not carve out technology compliance obligations — those flow from the SBV's general regulatory stream, and Circular 77 is now the binding standard.
For fintech firms in the Decree 94 sandbox or pursuing licences under Resolution 05, the circular's OWASP and biometric requirements effectively set a floor for any mobile or web banking interface.
What changed from Circular 50
Mobile Money brought into scope
Circular 77 adds Mobile Money service provision as a regulated activity. Providers must meet equivalent security standards to credit institutions — a meaningful extension given Mobile Money's mass-market profile and the populations it serves.
Biometric verification for new institutional clients
Organisations incorporated within the past 12 months, or newly establishing banking relationships, must authenticate using biometric matching or secure digital signatures. The SBV carved out exemptions for state agencies, other credit institutions, listed companies, Fortune Global 500 firms, and foreign indirect investors. This exemption structure may reduce onboarding friction for large international firms opening accounts within the VIFC, but it does not reduce the technical infrastructure obligations on the institutions serving them.
Stronger authentication on information changes
When any customer changes identification document details or authentication methods, the institution must apply biometric verification plus one additional factor — an OTP, security question, or digital signature. Biometric matching alone is no longer sufficient.
OWASP compliance as a rolling obligation
Online banking web applications must address the OWASP Top 10 vulnerabilities. Mobile applications must comply with OWASP Mobile Application Security standards. The critical detail: the applicable OWASP version must be from within the preceding six months. This is not a one-time certification. It creates a continuous technical maintenance obligation that requires institutions to track OWASP releases and update their security posture accordingly.
Corporate client transactions must implement separate creation and approval steps (maker/checker controls), with exemptions for micro-enterprises using simplified accounting.
Quarterly mobile app security assessments
Institutions must assess all permitted mobile banking application versions at minimum every three months to identify vulnerabilities. When a customer activates or reactivates Mobile Banking on a new device, only the latest version may be installed — downgrading is prohibited. Upon detection of high or critical severity vulnerabilities, institutions must immediately restrict transactions or deploy countermeasures.
Mandatory auto-suspension on compromised devices
Mobile Banking applications must automatically terminate and notify the user if the app detects active debuggers or emulators (including Android Debug Bridge), code injection or hooking attacks, application repackaging, or a rooted/jailbroken device with an unlocked bootloader. This is a hard technical requirement, not a recommended practice. Firms accustomed to lighter-touch mobile security approaches in other markets will need to integrate runtime application self-protection (RASP) capabilities or equivalent tooling.
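As an added illustration (not text from the circular, the SBV, or any vendor's SDK), the following Android client class maps the triggers named above to in-app checks and to the mandated notify-then-terminate response. It assumes API level 28 or later; the class name IntegrityGuard is hypothetical and EXPECTED_SIGNER_SHA256 is a placeholder for the app's own release signing-certificate digest; the emulator, root and hooking checks are heuristics that a production RASP layer would harden further.

```java
// Added illustration (not from the circular, the SBV or any vendor). Assumes Android API 28+;
// EXPECTED_SIGNER_SHA256 is a placeholder for the app's own release signing-cert digest.
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Debug;
import android.os.Process;
import android.provider.Settings;
import android.widget.Toast;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public final class IntegrityGuard {
    private static final String EXPECTED_SIGNER_SHA256 = "<release-signing-cert-sha256>"; // placeholder
    /** Names of the Circular 77 triggers that fired; empty means the environment looks clean. */
    public static List<String> findings(Activity a) throws Exception {
        List<String> hits = new ArrayList<>();
        // Debugger attached, or ADB debugging enabled on the device
        if (Debug.isDebuggerConnected()) hits.add("debugger");
        if (Settings.Global.getInt(a.getContentResolver(), Settings.Global.ADB_ENABLED, 0) == 1) hits.add("adb");
        // Emulator: build properties used by the stock emulator images (heuristic)
        if (Build.FINGERPRINT.startsWith("generic") || Build.HARDWARE.contains("goldfish")) hits.add("emulator");
        // Rooted device: su binary on a standard path (heuristic)
        for (String p : new String[]{"/system/bin/su", "/system/xbin/su", "/sbin/su"})
            if (new File(p).exists()) { hits.add("root"); break; }
        // Hooking / code injection: instrumentation libraries mapped into this process
        for (String line : Files.readAllLines(Paths.get("/proc/self/maps")))
            if (line.contains("frida") || line.contains("xposed")) { hits.add("hooking"); break; }
        // Repackaging: the installed APK must carry the expected release signing certificate
        byte[] cert = a.getPackageManager().getPackageInfo(a.getPackageName(),
                PackageManager.GET_SIGNING_CERTIFICATES).signingInfo.getApkContentsSigners()[0].toByteArray();
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert)) hex.append(String.format("%02x", b));
        if (!EXPECTED_SIGNER_SHA256.equalsIgnoreCase(hex.toString())) hits.add("repackaged");
        return hits;
    }

    /** The mandated response: notify the user, then terminate the application. */
    public static void enforce(Activity a) throws Exception {
        List<String> hits = findings(a);
        if (hits.isEmpty()) return;
        Toast.makeText(a, "Security check failed: " + hits, Toast.LENGTH_LONG).show();
        a.finishAffinity();
        Process.killProcess(Process.myPid());
    }
}
```

Call enforce() from the launch activity and again before sensitive screens, since a debugger or hook can attach after start-up; server-side attestation (for example, Play Integrity) is the usual complement because every on-device check can itself be tampered with.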
ISO 30107 Level 2 biometric verification
Biometric Presentation Attack Detection (PAD) solutions must meet ISO 30107 Level 2 or equivalent — the standard specifically designed to resist deepfake, photo, and video replay attacks. Certification must come from either a FIDO Alliance-recognised biometric laboratory or an International Accreditation Forum (IAF)-accredited body.
This requirement is technically demanding. Many legacy biometric systems deployed by international banks were not built to this standard, and certification processes typically take six to twelve months. Institutions that have not already begun procurement face a genuine timeline risk.
Credential storage restrictions
Saving access credentials is prohibited unless four conditions are met: alternative biometric verification is implemented, customer consent is obtained, at least one prior transaction via an alternate method has been completed, and the authentication window is capped at two minutes.
Compliance timeline
| Deadline | What it covers |
|---|---|
| 1 March 2026 (already active) | All general provisions of Circular 77 |
| 1 July 2026 | Institutions serving both individual and corporate clients |
| 1 October 2026 | Institutions serving corporate clients only |
| 31 December 2026 | Mobile Money automatic debit transactions may continue under existing terms |
The staggered timeline gives corporate-focused VIFC participants — wholesale banks, treasury operations — until October 2026. But treating this as a distant deadline would be a mistake. Procuring an ISO 30107 Level 2-compliant biometric system, obtaining certification from a recognised laboratory, and integrating it into existing authentication flows is a process that typically consumes the better part of a year.
Why this matters for VIFC entrants
The VIFC's licensing and membership framework establishes what firms can do within the centre. Circular 77 establishes how their technology must work. The two are not optional alternatives — they are cumulative obligations.
Three aspects of the circular create particular adaptation burdens for international firms:
The rolling OWASP requirement means compliance is never finished. A firm that certifies against the April 2026 OWASP Top 10 must recertify against any updated release within six months. This is more demanding than most equivalent regimes in competing financial centres, where OWASP compliance is typically assessed against a fixed version at the time of licensing.
The device integrity mandate goes further than most Asian financial centres require. While Singapore's MAS and Hong Kong's HKMA recommend runtime protection for mobile banking apps, Vietnam's requirement is prescriptive: specific detection triggers (debuggers, emulators, jailbreaking, code injection) are named in the regulation, and auto-suspension is mandatory. Firms cannot satisfy this through policy alone — it requires technical implementation.
The ISO 30107 Level 2 biometric standard reflects the SBV's focus on countering increasingly sophisticated identity fraud. The requirement for certification by FIDO Alliance or IAF-accredited laboratories narrows the field of acceptable vendors and adds lead time that firms must factor into their market-entry planning.
Penalties and enforcement context
Circular 77 does not itself set penalties — those flow from the SBV's administrative sanctions framework and Vietnam's evolving data protection and cybersecurity legislation. Non-compliance with Circular 77's technical standards would constitute a regulatory breach under these frameworks.
What comes next
The general provisions of Circular 77 are already in force. The immediate question for VIFC-bound institutions is whether their existing technology stacks can meet the ISO 30107, OWASP, and device integrity requirements within the remaining compliance windows — 1 July 2026 for dual-service providers, 1 October 2026 for corporate-only institutions.
Firms in the early stages of VIFC entry planning should treat Circular 77 compliance as a workstream that runs in parallel with licensing, not sequentially after it. The biometric certification timeline alone — six to twelve months from vendor selection to accredited certification — means that institutions starting now are already working to tight margins.
The SBV has signalled through the pace and prescriptiveness of these amendments that online banking security is not an area where it intends to grant transitional leniency. Firms that build to Circular 77's standards from the outset will avoid the remediation costs that come with retrofitting a compliant system after launch.
This article reflects Circular 77/2025/TT-NHNN as in force on 25 April 2026. We will update it as implementation guidance or further amendments are issued.