Assoc. Prof. Dr. Bui Huu Toan
Banking Academy of Vietnam
Interface of Techcombank Mobile Internet Banking. Photo: VNA
The Fourth Industrial Revolution has unfolded at a remarkable speed, driving substantial changes in the banking sector, especially in distribution channels and traditional products and services. One of the most prominent developments is the expansion of e-banking services. Digital technology has helped banks diversify their services, increase revenue streams and improve operational efficiency while delivering greater convenience to customers. However, this trend has also posed certain management challenges, including risks related to information security, data breaches, and infringements of privacy in the financial sector.
The adoption of information security standards in the banking sector has become increasingly important as cyber risks grow more complex. Globally, banks apply a range of widely recognized information-security standards to strengthen protection against cyber threats. The ISO/IEC 27000 series, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides a broad framework for information security management, with ISO/IEC 27001 specifying the certifiable requirements for an information security management system. The Cybersecurity Framework (NIST CSF), first released as version 1.0 in 2014 by the United States’ National Institute of Standards and Technology and since revised as version 1.1 (2018) and version 2.0 (2024), helps entities strengthen security and resilience against cyberattacks. For payment card activities, the PCI DSS standard, issued by the Payment Card Industry Security Standards Council, sets strict requirements for protecting cardholder data. In financial messaging, SWIFT has introduced the Customer Security Controls Framework (CSCF) under its Customer Security Programme, comprising mandatory and advisory controls for system protection, access management, and incident detection and response, against which participants must attest annually. Several jurisdictions also maintain their own rules, such as the United States’ Regulation E on electronic fund transfers and the European Union’s General Data Protection Regulation (GDPR) governing personal data protection.
Vietnam’s legal framework regulating data confidentiality and privacy in e-banking
In Vietnam, data protection and privacy are addressed across a wide range of legal documents. The 2013 Constitution establishes the fundamental principles on privacy and personal data protection, stating in Article 21 that “everyone has the right of inviolability of private life, personal secrets and family secrets; and has the right to protect his/her honor and reputation; the security of information about private life, personal secrets and family secrets shall be guaranteed by law.” These rights are reinforced in Article 38 of the 2015 Civil Code, which provides that private life, personal secrets and family secrets are inviolable and protected by law; the collection, storage, use and disclosure of such information require the consent of the relevant individual or family members, unless otherwise provided by law.
Complementing these provisions, the 2023 Law on Protection of Consumer Rights entitles consumers to the protection of their lives, health, honor, reputation, assets, personal information, and other lawful rights and interests when engaging in transactions and using goods and services[2]. The 2015 Law on Cyberinformation Security further stipulates that individuals must protect their own personal information and comply with legal requirements when providing such information online[3]. Together, these documents affirm not only the rights of consumers but also the responsibilities of individuals in safeguarding their personal data.
With respect to e-banking, the State Bank of Vietnam (SBV), as authorized by the Government, has issued several regulations forming the legal basis for ensuring confidentiality and security in digital banking services. Circular 35/2016/TT-NHNN on the safety and security of Internet banking services, amended by Circular 35/2018/TT-NHNN, requires credit institutions to secure their Internet banking applications[4], inform customers of necessary technical requirements such as compatible mobile devices[5], and provide guidance on safe use practices, such as avoiding the use of jailbroken devices when installing Internet banking or OTP-generating applications[6].
The 2024 Law on Credit Institutions further reinforces confidentiality obligations, requiring credit institutions and foreign bank branches to protect customer information, whether provided by customers or generated during the process of asking for or receiving banking services[7]. This demonstrates that Vietnam’s law recognizes the obligation to protect customer information even prior to the establishment of a formal banking relationship. Government Decree 117/2018/ND-CP on confidentiality and provision of customer information by credit institutions elaborates on these obligations, stipulating that customer information must be kept confidential throughout its collection, management, use and storage, and that the duty of confidentiality is not time-limited. Disclosure of customer information is permitted only in accordance with law.
In addition, Government Decree 13/2023/ND-CP on personal data protection grants data subjects the rights to know how their personal data are processed, to refuse the processing, and to request authorities to delete, grant access to, and restrict the processing of, their personal data, unless otherwise provided by law[8]. To further strengthen protection in the digital banking environment, the SBV issued Circular 50/2024/TT-NHNN on safety and security for online banking services, including Internet banking, mobile banking, online payment, and intermediary payment services, applicable to credit institutions, foreign bank branches, payment intermediaries and credit information companies.
Overall, Vietnam’s legal framework places strong emphasis on protecting customer information in e-banking transactions, requiring both institutions and users to uphold responsibilities in ensuring data confidentiality and privacy across digital platforms. However, the legal framework for data protection and privacy in e-banking still faces limitations.
First, the legal system lacks consistency and synchronization. For example, the 2010 Law on the State Bank of Vietnam and the 2024 Law on Credit Institutions require credit institutions to provide operational information to the SBV and allow them to receive from the SBV information on customers with credit relations, but neither law provides detailed or consistent rules on data processing and management, including data collection, digitization, quality assurance, or storage. These laws are also silent on the use of advanced technologies in data processing. Decree 117/2018/ND-CP does not clearly address customer consent or the mechanisms by which information is shared between customers and credit institutions, leading to inconsistency and difficulties in the use of data within the relevant databases.
Additionally, Vietnam so far has no unified regulations on data standards or data sharing among credit institutions, so inter-institution data connections are built ad hoc and without a common security baseline. Rapid technological development has also outpaced legislative updates. As a result, banks remain hesitant to launch new digital products for fear of legal risks and the absence of an adequate regulatory corridor.
Second, significant gaps remain in the legal framework for cross-border data management. The 2025 Law on Personal Data Protection (effective as of January 1, 2026) introduces detailed provisions on cross-border transfer of personal data, marking significant progress in strengthening the national legal framework for data protection. The Law defines technical concepts such as data de-identification; establishes the requirement to assess the impact of cross-border transfer of data; and specifies conditions, principles and responsibilities for entities engaged in data transfer, along with state authority for licensing and oversight.
However, the feasibility and effectiveness of these provisions still depend on the enactment of forthcoming implementing regulations, including clearer technical standards, detailed procedures, and transparent legal mechanisms for managing the economic value of personal data. Uniform guidance on sanctions is also necessary to ensure effective enforcement.
Third, considerable challenges persist in addressing violations of privacy and data security. Enforcement of the 2025 Law on Personal Data Protection is hindered by jurisdictional constraints, as many violations, particularly those occurring on social media, originate from anonymous or overseas accounts. Sanctions, though strengthened, remain less stringent than international benchmarks. Although the Law introduces heavier administrative penalties, including fines of up to 5 percent of the violating entity’s revenue in the preceding fiscal year for certain serious violations and penalties amounting to 10 times the illicit gains for data-trading offenses, these levels are still significantly lower than international standards such as the GDPR, which imposes fines of up to EUR 20 million or 4 percent of global annual turnover in the preceding fiscal year, whichever is higher, for the most serious breaches. This reduces the overall deterrent effect on large technology companies.
Solutions to improve the legal framework and ensure effective implementation
Improving the legal framework
The Government, regulatory bodies (including the authority specialized in personal data protection), and commercial banks should prioritize completing subordinate legislation and internal regulations to implement the 2025 Law on Personal Data Protection. This work must ensure consistency and harmonization with other specialized laws, such as the Law on Cybersecurity and the Law on Cyberinformation Security, to eliminate overlaps and legal gaps in the digital era.
At the same time, it is required to promptly issue detailed regulations on administrative and civil sanctions referred to in the 2025 Law on Personal Data Protection, particularly those specifying methods for calculating fines based on revenue or illicit gains for violating entities. A specialized regulatory framework is also needed for managing data on cross-border payment transactions in order to effectively control risks related to money laundering, tax evasion and other cybercrimes.
Banks themselves must also establish clear security policies, including staff responsibilities for processing sensitive information, data protection, and risk management. These policies must be widely disseminated to all staff members to enhance security awareness. Banks should additionally maintain rapid response procedures to handle security incidents and ensure specialized teams are ready to respond to emergencies. Periodic security audits and assessments remain essential to identify vulnerabilities and promptly adjust security policies. At the same time, banks should align with international standards such as ISO/IEC 27001 so that their information protection is both lawful and effective.
Strengthening oversight and management by the SBV
The SBV plays a critical role in conducting periodical inspections and assessments of information security practices at credit institutions to detect vulnerabilities and require remediation. Regular inspections help banks enhance their ability to prevent risks, update security measures in response to emerging threats, and improve their cybersecurity incident response plans.
To perform this role effectively, the SBV should issue security standards specific to credit institutions; develop a periodic risk-assessment system and inspection schedule; engage independent experts to conduct authorized attack simulations (penetration testing and red-team exercises) to identify vulnerabilities; review the source code of banking applications to detect weaknesses; require banks to update security policies, data processing procedures, and access control mechanisms in line with new standards; and provide training in security protocols and methods for identifying information security risks.
Inspection results should be thoroughly analyzed and reported to identify shortcomings and corresponding corrective measures. Based on these assessments, banks must upgrade their technological systems, improve internal security policies, and invest in modern security solutions to guarantee the resilience and safety of the banking system.
[1] The Vietnamese version of this article is published in Tạp chí Nghiên cứu Lập pháp, available at: https://lapphap.vn/Pages/TinTuc/212081/Bao-mat-du-lieu-va-quyen-rieng-tu-trong-dich-vu-ngan-hang-dien-tu--Goc-nhin-phap-ly-va-thuc-trang-tai-Viet-Nam.html.
[2] Article 4 of the 2023 Law on Protection of Consumer Rights.
[3] Article 16 of the 2015 Law on Cyberinformation Security.
[4] Articles 7 and 8 of Circular 35/2016/TT-NHNN.
[5] Article 17 of Circular 35/2016/TT-NHNN.
[6] Article 18 of Circular 35/2016/TT-NHNN.
[7] Articles 13, 14 and 140 of the 2024 Law on Credit Institutions.
[8] Articles 3 and 9 of Government Decree 13/2023/ND-CP.
