SBV proposes bimonthly mobile banking security verification
From January 1 next year, banks would be required to conduct security assessments of the mobile banking applications used by their customers every two months, in order to detect technical flaws and the risk of cybercriminal interference, according to a draft circular drawn up by the State Bank of Vietnam to revise Circular 50 of 2024.
Customers use the Mobile Money service of Viettel. Photo courtesy of Viettel

The State Bank of Vietnam (SBV) has released a draft circular revising Circular 50/2024/TT-NHNN on safety and security for the provision of online banking services. Once approved, the new regulation would apply to credit institutions, foreign bank branches, payment intermediary service providers, mobile money providers, and credit information companies.

As per the draft, the SBV proposes revising Article 7.3.c to require banks and institutions to conduct assessments to identify technical vulnerabilities and weaknesses, and to evaluate their capacity to prevent and respond to emerging security risks.

For online banking applications developed via web platforms, the SBV requires banks and institutions to ensure defenses against the top ten common security vulnerabilities listed by the Open Worldwide Application Security Project (OWASP). Mobile banking applications must at least meet confidentiality requirements under OWASP’s mobile application security standards.

Notably, the draft adds Clause 1a below Clause 1 of Article 8, on version control for mobile banking applications. Service providers would have to periodically assess, at least once every two months, all application versions installed and used by their customers, in order to detect security flaws and evaluate the risk of cybercriminal interference.

Institutions would also have to prevent customers from using software versions that are more than two generations older than the latest version connected to the online banking system.

If a customer activates the application on a new device or reactivates the application, the latest version must be used and technical measures must be implemented to prevent downgrading to earlier versions.

When a security flaw is detected, banks and institutions would have to immediately block transactions and take corrective action, including releasing updated versions.

In addition, the SBV proposes revising Article 8.4 to enhance the capability to prevent unauthorized interference with mobile banking applications installed on customers’ devices.

Accordingly, such applications must automatically exit or deactivate if they detect active debugging tools, emulators or virtual machines, code-injection software that monitors application activity or captures data logs, or if the device has been rooted or jailbroken.

The draft also removes Article 11.8 concerning the use of unsecured e-signatures, and revises Clause 9 to provide clearly that authentication by secured e-signature refers to the use of digital signatures or foreign e-signatures legally recognized in Vietnam under the current regulations on e-signatures. (VLLF)
