Legal framework for open API data sharing system development in the banking sector

The Vietnamese banking sector has proactively embraced, researched, and implemented Industry 4.0 technological innovations in its digital transformation journey. In 2016, the State Bank of Vietnam (SBV) developed and submitted to the Prime Minister for approval the Banking Sector Development Strategy until 2020, with a vision toward 2030. The SBV has also taken the initiative to research and establish a conducive legal framework for digital transformation implementation. One of the breakthrough technologies of Industry 4.0 is Open Application Programming Interface (Open API) data sharing connectivity. This technology has been researched and implemented by numerous Vietnamese banks for payment operations, electronic customer identification, and the provision of innovative financial products and services. 

Open Banking – Open API represents a novel domain, both technically and legally, in Vietnam and globally. Implementation challenges extend beyond technological aspects to encompass changes in perception and legal frameworks. The banking sector has initiated Open API implementation, enabling partners to connect, share, and exchange data. However, current Open API development occurs independently at individual banks. Each bank employs different API standards and security protocols, resulting in market fragmentation. This creates difficulties for Fintech companies collaborating with banks, which must invest substantial resources, time, and costs to adapt their software to each bank’s Open API standards. Currently, the banking sector lacks common standards for information technology systems, data storage, security, and connectivity, as well as a legal corridor and regulatory guidance on technical standards and an Open API implementation roadmap.

On this basis, the State Bank of Vietnam has published a draft Circular on Open API Implementation Regulations in the banking sector to establish clear legal grounds, particularly for secure customer data connectivity and processing.

1. General Regulations on Open API Service Provision

Credit institutions are responsible for implementing Open API services for third parties to facilitate connectivity and data processing in accordance with the Circular’s provisions. The provision of Open API functions must strictly comply with technical standards specified in Article 6 of the Circular. 

To ensure transparency, credit institutions must publicly disclose information about Open API services on their official web portals, including the following essential contents: 

  • Testing Environment (Sandbox): Provision of systems enabling third parties to perform test data connectivity and processing through Open API. 
  • Integration Technical Documentation: Comprehensive documentation including connection process guidelines, data processing flow diagrams, and detailed technical specifications for each provided Open API function. 

2. Key bank responsibilities in Open API service provision

In the context of modern banking technology development, Open API service implementation requires credit institutions to meet strict infrastructure and cybersecurity requirements. According to the Draft Circular, banks must build comprehensive IT infrastructure capable of meeting connection and data processing needs. Notably, information systems serving Open API services must achieve minimum level 3 security and network safety standards as per Government regulations, while complying with State Bank regulations on information security in banking operations. 

Partner selection is subject to stringent standards. Credit institutions may only collaborate with entities meeting three basic conditions. First, partners must have information systems ensuring safety and network security equivalent to the bank’s Open API system level, not lower than level 3. Second, partners must be tax-registered entities legally operating in Vietnam. Finally, partners must have experienced personnel in information security, operations, IT system development, and IT legal compliance. 

Customer rights protection is a top priority in Open API implementation. Credit institutions must provide tools allowing customers to query which of their data has been authorized for third-party processing and to revoke third-party data processing permissions. Notably, customer data processing time is limited to 180 days from authorization to ensure information security and confidentiality.

3. Essential contents in Open API service provision contracts

Developing an Open API service provision contract requires detailed and strict legal considerations. Information security clauses and data usage scope are core contract elements. Parties must commit to strict compliance with security regulations while ensuring data usage within agreed parameters. 

Another crucial contract aspect concerns risk management and incident handling provisions. Contracts must include detailed clauses on information security breach notification procedures. Additionally, information system security level requirements must be clearly specified to ensure system stability and security during operations. 

Regarding commercial aspects, contracts must clearly specify service product information and fee structures. This includes detailed descriptions of provided services, service usage conditions, and fee calculation and collection methods (if any). 

Finally, contracts must include clear termination clauses, specifically defining termination cases and conditions, as well as parties’ responsibilities during cooperation termination. 

Developing a legal framework for Open API in Vietnam’s banking sector represents a significant step in the financial system’s digital transformation. Through detailed regulations on technical requirements, participant responsibilities, and security provisions, this legal framework creates a solid foundation for Vietnam’s open banking ecosystem development. 

The focus on information security, customer rights, and system safety requirements demonstrates a strong commitment to building a secure and reliable digital banking environment. With this legal framework, credit institutions and technology partners can confidently develop innovative products and services while ensuring compliance with industry regulations and standards. 

Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data and contact our team of lawyers in Vietnam via email info@apolatlegal.com.