Thông tư 10/2020/TT-NHNN

CIRCULAR

AMENDMENTS TO CIRCULAR NO. 28/2015/TT-NHNN DATED DECEMBER 18, 2015 OF THE GOVERNOR OF THE STATE BANK OF VIETNAM ON MANAGEMENT AND USE OF DIGITAL SIGNATURE, DIGITAL CERTIFICATE AND DIGITAL SIGNATURE CERTIFYING SERVICE OF STATE BANK

Pursuant to the Law on State Bank of Vietnam dated June 16, 2010;

Pursuant to Law on Credit Institutions dated June 16, 2010 and Law on amendments to a number of Articles of the Law on Credit Institutions dated November 20, 2017;

Pursuant to Law on Information Technology dated June 29, 2006;

Pursuant to the Law on E-Transactions dated November 29, 2005;

Pursuant to Decree No. 130/2018/ND-CP dated September 27, 2018 of Government on elaborating to implementation of Law on E-Transactions regarding digital signatures and digital signature authentication services;

Pursuant to Decree No. 16/2017/ND-CP dated February 17, 2017 of the Government on functions, tasks, powers, and organizational structure of the State Bank of Vietnam;

At request of Director General of Department of Information and Technology,

Governor of State Bank of Vietnam promulgates Circular on amendments to Circular No. 28/2015/TT-NHNN dated December 18, 2015 of the Governor of the State Bank of Vietnam on management and use of digital signature, digital certificate and digital signature certifying service of State bank (hereinafter referred to as “Circular No. 28/2015/TT-NHNN”).

Article 1. Amendments to Circular No. 28/2015/TT-NHNN

1. Amend Article 1 as follow:

 “This Circular prescribes management and use of digital signature, digital certificate and digital signature certifying service of State Bank of Viet Nam (hereinafter referred to as “State Bank”)."

2. Amend Clause 1 Article 2 as follows:

“Entities affiliated to State Bank; credit institution and branches of foreign banks; State Treasury; Deposit Insurance of Vietnam.”

3. Add Clauses 11, 12, 13, 14, and 15 to Article 3 as follows:

“11. “activation code” refers to information consisting of reference number and verification code used for certification during activation of digital certificates.

12. “activation of digital certificates” refers to the process of generating digital certificate keys consisting of private keys and public keys and storing in secret key storage devices.

13. “competent individuals” refer to heads of State Bank, heads of entities affiliated to State Bank or authorized legal representatives of agencies and organizations prescribed under Article 2 of this Circular.

14. “public service system” refer to website providing public service online of State Bank.

15. “digital certificate operations” refer to operations on information systems in which subscribers may use digital certificates to sign or verify.  A digital certificate may be used for signing and verifying in one or multiple operations on one or multiple information systems. Information systems utilizing digital certificates of State Bank include:

a) Public service systems;

b) Interbanking electronic payment systems;

c) State Bank report systems;

d) Bidding systems and open market operation systems consisting of following operations:

- Bidding and open market;

- Issuance, payment, extension and cancellation of special bonds;

- Refinancing.

dd) Reporting systems of Deposit Insurance of Vietnam;

e) Other systems decided by Governor of State Bank.”

4. Add Clause 4a as follows:

“Article 4a. Methods of sending and receiving documents, text and reports related to digital signature certifying services and processing results

1. Subscriber managing organizations shall send documents, text and reports related to digital certificate and digital signature certifying services to State Bank (via Department of Information Technology) via any of following means:

a) Online via public service systems;

b) Written document and submitted directly at Single-window department or via the postal service; State Bank (Department of Information Technology) shall only receive and process physical copy in following cases:

- Public service systems are unable to operate due to accidents;

- Subscriber managing organizations have not been issued with digital certificates with public services, have expired digital certificates or subscribers have broken secret key storage devices.

2. Subscriber managing organizations have the rights to send master registers, electronic copies scanned from master registers (in PDF format), copies issued from master registers, certified true copies or copies and master registers for comparison of documents, text and reports related to digital certificates and digital signature certifying services of State Bank which are digitally signed by subscriber managing operations utilizing digital certificates of CA-NHNN.

3. Department of Information Technology shall send results on processing and reasons for rejection to subscriber managing organizations electronically via public service systems. In case public service systems encounter accidents, result notice shall be sent to: (i) subscriber managing organizations via postal service or (ii) e-mail of subscribers and individuals or entities in charge of managing digital certificates of subscriber managing organizations.”

5. Add Article 4b as follows:

“Article 4b. Secret key storage devices of subscribers

1. Department of Information Technology is responsible for guiding models and technical specification of secret key storage devices of subscribers conforming to digital signature certifying systems of State Bank and technology development.

2. Department of Information Technology shall provide secret key storage devices to administrative entities affiliated to State Bank. Other subscriber managing organizations shall furnish secret key storage devices according to guidelines of Department of Information Technology.

3. Submission and receipt of secret key storage devices between Department of information Technology and administrative entities affiliated to State Bank shall be made in person or via postal service.”

6. Amend Article 5 as follow:

Article 5. Issuance of digital certificates

1. Upon requested for issuance of digital certificates or additional operations, managing organizations shall submit 1 application consisting of:

a) Issuance or addition of digital certificate operations for competent individuals;

- Written application for issuance and addition of digital certificate operations according to Annex I attached to this Circular.

- Written application and request for additional digital certificate operations for individuals according to Annex 2 attached to this Circular.

- Written documents proving legal representation of competent individuals of agencies and organizations namely:

+ Enterprise registration certificates, cooperative registration certificates or equivalent documents for enterprises, credit institutions or branches of foreign banks;

+ Decisions on assignment of applicants for issuance or addition of certificate operations (for regulatory authorities).

b) Issuance or addition of digital certificates for individuals authorized by competent individuals;

- Written application for issuance and addition of digital operations according to Annex I attached to this Circular;

- Written application for issuance and addition of digital operations for individuals according to Annex 2 attached to this Circular;

- Written authorization of competent individuals permitting authorized persons to represent organizations signing documents, text, reports and trades on information system corresponding to operations of digital certificates requested for issuance. Authorized person must not authorize other individuals for implementation;

- Documents verifying titles of applicants for issuance and addition of digital certificate operations.

c) Issuance and addition of digital certificate operations for organizations:

- Written application for issuance and addition of digital operations for organizations according to Annex 2a attached to this Circular;

- Decision on establishment or decision prescribing functions, tasks, powers and organizational structure, enterprise registration certificates, cooperative registration certificates or equivalent documents.

2. In case digital certificates that have been issued and valid are requested for addition of digital certificate operations by subscriber managing operations, Department of Information Technology shall add existent operations for current digital certificates of subscribers.

3. Deadline and results

Within 5 working days from the date on which applications for issuance of digital certificates are received, Department of Information Technology shall examine the applications, issue digital certificates or add digital certificate operations for subscribers, send notice on issuance of digital certificates and activation code to e-mail address and send text messages to phone number of subscribers. For digital certificates for organizations, Department of Information and Technology shall send notice on issuance of digital certificates and activation code to e-mail address and text messages to mobile number of officials in charge of digital certificates of subscriber managing organizations according to Clause 1 Article 14 of this Circular.

In case of inadequate applications, Department of Information Technology shall reject and specify the reason. Feedback and application processing results shall conform to Clause 3 Article 4a of this Circular.

4. Activation code of digital certificates shall be valid for up to 30 days from the date on which digital certificates are issued. Regarding new digital certificates, subscribers must activate digital certificates before the activation code expires. Instructions on activating and extending digital certificates of State Bank are uploaded on websites of State Bank. Regarding digital certificates added with operations, subscribers are not required to activate digital certificates.

5. Effective period of digital certificates of subscribers shall be decided by subscriber managing organizations but no more than 5 years from the date on which digital certificates are activated.”

7. Amend Article 6 as follow:

“Article 6. Extension and revision of digital certificates

1. Digital certificates applied for extension or revision must be valid.

2. Validity of digital certificates:

a) Extended digital certificates shall become valid from the date on which application for extension is successfully implemented but for no longer than 5 years;

b) Revision of digital certificates does not alter valid period of digital certificates.

3. Cases in which extension or revision of digital certificates is required:

a) Subscriber managing organizations shall request extension of digital certificates of subscribers at least 10 days before expiry day;

b) Subscriber managing organization shall request revision of digital certificates of subscribers within 5 working days from the date on which any of following changes occurs:

- Subscribers change titles or positions;

- Subscribers change ID cards/Citizen ID cards;

- Subscribers change address, emails or phone numbers.

4. Subscriber managing organizations shall send 1 application for extension or revision of digital certificates consisting of written application for extension or revision of digital certificates according to Annex No. 3 attached to this Circular.

5. Deadline and results

Within 5 working days from the date on which applications for extension or revision of digital certificates are received, Department of Information Technology shall examine applications, extend or revise digital certificates. In case of inadequate applications, Department of Information Technology shall reject and specify the reason. Feedback and application processing results shall conform to Clause 3 Article 4a of this Circular.

After receiving notice on approving digital certificate extension, subscribers shall extend digital certificates according to instructions on extension and revision of digital certificates uploaded on websites of State Bank.”

8. Amend Article 7 as follow:

Article 7. Suspension of digital certificates

1. Digital certificates of subscribers shall be suspended if:

a) Subscriber managing organizations submit written request for suspension of digital certificates to Department of Information and Technology; or

b) At request of proceeding agencies, police authorities or Ministry of Information and Communications; or

c) Department of Information and Technology detects any error or incident that may affects benefits of subscribers or safety, security of systems providing digital signature certifying services.

2. Period of suspension of digital certificates prescribed in Point a Clause 1 of this Article shall conform to request of subscriber managing organizations. Period of suspension of digital certificates prescribed in Point b Clause 1 of this Article shall conform to request of proceeding authorities, police authorities or Ministry of Information and Communications. Period of suspension of digital certificates prescribed in Point c Clause 1 of this Article shall last until said error or incident has been rectified.

3. Subscriber managing organizations shall send 1 application for suspension of digital certificates consisting of written application for suspension of digital certificates according to Annex No. 4 attached to this Circular.

4. Deadline and results

a) Within 3 working days from the date on which applications for suspension of digital certificates are received according to Point a Clause 1 of this Article, Department of Information Technology shall examine applications, suspend digital certificates and inform subscriber managing organizations with the results.  In case of inadequate applications, Department of Information Technology shall reject and specify the reason. Feedback and application processing results shall conform to Clause 3 Article 4a of this Circular;

b) Within 3 working days from the date on which information specified under Points b and c Clause 1 of this Article is received, Department of Information Technology shall examine applications and inform subscriber managing organizations in writing about suspension period and reasons.”

9. Amend Point d Clause 2; Clause 3, Clause 4 of Article 8 as follow:

“d) Digital certificates suspended according to Point c Clause 1 Article 7 of this Circular and said error or incident has been rectified.”

“3. Subscriber managing organizations shall send 1 application for recovery of digital certificates consisting of written application for recovery of digital certificates according to Annex No. 5 attached to this Circular.

4. Deadline and results

a) Within 3 working days from the date on which application for recovery of digital certificates according to Points a, b Clause 2 of this Article, Department of Information and Technology shall examine application and recover digital certificates. In case of inadequate applications, Department of Information Technology shall reject and specify the reason. Feedback and application processing results shall conform to Clause 3 Article 4a of this Circular;

b) Within 3 working days from the date on which information specified under Points c and d Clause 2 of this Article, Department of Information and Technology shall recover digital certificates for subscribers.”

10. Amend Article 9 as follow:

“Article 9. Revocation of digital certificates

1. Subscriber managing organizations may request to revoke digital certificates or annul some digital certificate operations of subscribers. In case of revocation of digital certificates, all digital certificate operations of subscribers shall be revoked.

2. Digital certificates shall be revoked in any of following cases:

a) At request of proceeding agencies, police authorities or Ministry of Information and Communications; or

b) At request of subscriber managing organizations; or

c) Subscriber managing organization decides to revoke operation permit, perform partial or full division, acquire, dissolve or go bankrupt as per the law; or

d) Subscribers are identified to have violated regulations on management and use of secret keys and storage devices thereof on a well-grounded basis; or

dd) Expired digital certificates.

3. Subscriber managing organizations shall send 1 application for revocation of digital certificates consisting of written application for revocation, annulment of digital certificate operations according to Annex No. 6 attached to this Circular.

4. Deadline and results

a) Within 1 working day from the date on which application for revocation of digital certificates according to Points a, b Clause 2 of this Article, Department of Information and Technology shall examine application, revoke or annul digital certificate operations. In case of inadequate applications, Department of Information Technology shall reject and specify the reason. Feedback and application processing results shall conform to Clause 3 Article 4a of this Circular;

b) Within 1 working day from the date on which information specified under Points c, d and dd Clause 2 of this Article, Department of Information and Technology shall revoke digital certificates of subscribers.”

11. Amend Clause 2 Article 10 as follows:

“2. Subscribers must generate pairs of keys before the expiry date of activation code under notice on provision of digital certificates. In case activation codes are exposed or suspected to be exposed fail to be activated before the expiry date on notice on provision of digital certificates before the subscribers manage to generate pairs of keys but wish to continue to use digital certificates, subscriber managing organizations shall send application for changing activation codes according to Annex 8 under this Circular.”

12. Amend Clause 2 and Clause 3 of Article 11 as follows:

“2. Subscriber managing organizations shall send 1 application for changing key pairs consisting of written application for changing key pairs according to Annex No. 7 attached to this Circular.

3. Within 5 working days from the date on which the applications are received, Department of Information and Technology shall examine, change pairs of keys and send notice on new key pairs and activation code to email addresses and text to mobile numbers of subscribers. For digital certificates for organizations, Department of Information and Technology shall send notice on new key pairs and activation codes to e-mail address and text messages to mobile number of officials in charge of digital certificates of subscriber managing organizations according to Clause 1 Article 14 of this Circular.

In case of inadequate applications, Department of Information Technology shall reject and specify the reason. Feedback and application processing results shall conform to Clause 3 Article 4a of this Circular.

After receiving activation code, subscribers shall activate digital certificates to generate new key pairs before expiry date of activation code according to instructions on activation and extension of digital certificates uploaded on websites of State Bank."

13. Amend Article 14 as follow:

“Article 14. Responsibilities of subscriber managing organizations

1. Appointing individuals or entities in charge of registration and management of documents and reports related to digital certificates, lists of subscribers of organizations; informing Department of Information Technology initially and in case of any change to personnel or entities in charge.

2. Registering and being fully responsible for accuracy of information in documents and reports related to digital certificates of subscribers under management of organizations sent to Department of Information and Technology.

3. Managing, listing and updating list of subscribers in organizations. At least once every 6 months, reviewing and comparing list of digital certificates provided by State Bank with use practical demand and information at subscriber managing organizations. Digital certificates that do not match information, subscriber managing organizations must immediately adopt procedures for changing information, suspending, revoking or annulling digital certificate operations.

4. Periodically and irregularly reporting as specified in this Circular.

5. Guiding, examining and enabling subscribers under management of organizations to use digital certificates and secret keys as stated in this Circular.

6. Promptly informing Department of Information Technology in suspending or revoking digital certificates of subscribers in following cases:

- Secret keys of subscribers are exposed, suspected to be exposed, stolen or illicitly used; or

- Secret key storage devices of subscribers are lost; or

- Subscribers change to different positions that do not require digital certificates to operate; or

- Subscribers temporarily leave positions, resign, retire or decease; or

- Subscribers are affiliated to branches/entities of subscriber managing organizations which have had their banking codes cancelled; or

- Other cases deriving from demands of subscriber managing organizations.

7. Digital certificates granted to organizations must be assigned to individuals for management and use. Assignment must be kept records which specify roles and responsibilities of individuals assigned for management. Individuals assigned for management must perform roles and responsibilities of subscribers specified under this Circular.

8. Subscriber managing organizations which are administrative entities affiliated to State Bank shall promptly recall all secret key storage devices of subscribers which no longer utilize the devices for other subscribers.”

14. Amend Clause 2 Article 15 as follows:

“2. Managing and using codes for accessing devices and data in secret key storage devices safely and secretly throughout effective period and suspension period of their digital certificates; not sharing or lending codes for accessing devices and data in secret key storage devices of digital certificates.  In case of resigning, reassigning or working in positions that do not require digital certificates, transfer secret key storage devices to subscriber managing organizations.”

15. Add Clause 3 to Article 16 as follows:

“3. Signers are responsible for credibility of information subject to their digital signature and shall only issue digital signature on systems when the systems inform validity of the digital certificates.”

16. Amend Article 17 as follows:

“Article 17. Reporting regime

Subscriber managing organizations are responsible for submitting reports to State Bank as follows:

1. Periodic reports:

a) Name of the report: report on reconciliation of the State Bank digital certificate list;

b) Report contents:

- List of certificates  and use status;

- Compare list of digital certificates provided by Department of Information Technology with practical use demands and information in subscriber managing organizations and report list of unmatched digital certificates.

c) Implementing entities: Entities affiliated to State Bank, credit institutions, branches of foreign banks, State Treasury, Deposit Insurance of Vietnam, National Payment Corporation of Vietnam, Vietnam Asset Management Company for credit institutions and other agencies, organizations utilizing State Bank digital signature certifying services;

d) Recipient of reports: Department of Information Technology – State Bank;

dd) Methods of submission and receipt of reports:

- Submission and receipt of reports shall conform to Clause 3 Article 4a of this Circular;

- Subscriber managing organizations shall send reports on digital certificate reconciliation via public service systems using report outline under Annex 9 attached to this Circular.

e) Submission frequency and deadline of reports: on a 6-month basis, on June 20 and December 20 of reporting year at the latest;

g) Conclusion date of report figures:

- Figure conclusion period for reports on the first 06 months shall start from December 15 of the year preceding reporting period to June 15 of reporting period;

- Figure conclusion period for reports on the last 06 months shall start from June 15 to December 14 inclusively of reporting period.

2. Report irregularly at request of State Bank digital signature certifying service providers.”

Article 2.

1. Replace the phrase “Cục Công nghệ tin học” (Information Technology Department) to “Cục Công nghệ thông tin” (Department of Information Technology).

2. Replace Forms 1, 2, 3, 4, 5, 6, 7, 8, and 9 attached to Circular No. 28/2015/TT-NHNN with Annexes 1, 2, 3, 4, 5, 6, 7, 8, and 9 respectively attached to this Circular.

3. Add Annex 2a attached to this Circular.

Article 3. Implementation responsibilities

Heads of entities affiliated to State Bank, credit institutions, branches of foreign banks, State Treasury, Deposit Insurance of Vietnam, National Payment Corporation of Vietnam and Vietnam Asset Management Company for credit institutions are responsible for implementation of this Circular.

Article 4. Implementation clause

1. This Circular comes into force from January 1, 2021.

2. This Circular annuls Clause 6 Article 1 and Clause 4 Article 2 of Circular No. 14/2019/TT-NHNN dated August 30, 2019 on amendments to Circulars regulating periodic reporting regimes of State Bank./.