Thông tư 29/2011/TT-NHNN

CIRCULAR

DEFINING SAFETY, CONFIDENTIALITY OVER PROVISION FOR BANKING SERVICE ON THE INTERNET 

Pursuant to the Law on the State Bank of Vietnam No.46/2010/QH12 dated June 16, 2010;

Pursuant to the Law on Credit Institutions No.47/2010/QH12 dated June 16, 2010;

Pursuant to the Law on E-Transactions No.51/2005/QH11 dated November 29, 2005;

Pursuant to the Decree No.35/2007/ND-CP dated March 08, 2007 of the Government on E-transactions in the banking activities;

Pursuant to the Decree No.64/2001/ND-CP dated September 20, 2001 of the Government on payment activities via payment service providing organizations;

Pursuant to the Decree No.26/2007/ND-CP dated February 25, 2007 of the Government detailing the implementation of the Electronic Transaction Law on digital signatures and digital signature certification services;

Pursuant to the Decree No.96/2008/ND-CP dated August 26, 2008 of the Government defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

Pursuant to the Decree No.97/2008/ND-CP dated August 28, 2008 of the Government on the management, provision and use of internet services and electronic information on the internet;

The State Bank of Vietnam defines the safety, confidentiality over provision for banking service on the internet as follows:

Chapter 1.

GENERAL PROVISIONS

Article 1. Scope of governing and subjects of application

1. This circular specifies the requirements to ensure safety, confidentiality for the provision for banking services on the Internet.

This Circular applies to all credit institutions, branches of foreign banks providing for banking services on the Internet (hereinafter collectively referred to as the service providers) in Vietnam.

Article 2. Interpretation of terms

In this Circular, the following terms shall be construed as follows:

1. Banking services on the Internet (Internet Banking services) mean the banking services offered via the Internet, including:

a) Information on service providers and services of the providers.

b) Service to look up information such as looking up information of customers, accounts, balance inquiry, and other information.

c) Carrying out online financial transactions, such as account services, wire transfer, credit, and payment via account.

d) Other services as prescribed by the State Bank.

2. Internet Banking system: means a structured set of hardware equipment, software, databases, security and communications networks systems for the management and provision for banking services on the Internet.

3. Clients: mean the organizations, individuals related to use of Internet Banking services.

4. Two-factor authentication: means the authentication method requiring two different factors to prove the correctness of an identity. Two-factor authentication based on the information that the user knows, such as customer number, password, along with something that user has such as one-time password (OTP), random matrix, signs of biometrics, or other supportive devices to prove an identity.

5. Privileged account: means the account accessing into the information technology system to perform special works or access to sensitive data. Privilege accounts are often used for device configuration, system administration, operating system administration, database administration, or professional applications management (such as the root accounts, supervisors, system, and administrator).

Article 3. General principles for the provision of banking services on the Internet by the service providers

1. Assurance of confidentiality

a) Ensure confidentiality of information relating to accounts, deposits, assets, and customers’ transactions in accordance with the law regulations.

b) Customers’ passwords, encryption keys and other key encryptions must be encrypted during the transaction, on the transmission line and stored in the service providers.

2. Assurance of availability

a) Commit the continuous operational capability of the Internet Banking system openly, clearly and to be stated clearly in the service providing contracts with customers. This commitment must include at least a commitment of total time to suspend the system in a year, the time of service provision per day, the time to restore system after the trouble.

b) Meet sufficient resources of the information technology infrastructure and human resources to ensure the continuity in service provision of Internet Banking in accordance with commitment of the service providers to their customers.

c) Develop, promulgate and observe the processes of the Internet Banking system.

d) Use the tools monitoring, tracking the performance of the primary system and the backup system to ensure their continuous operation.

3. Assurance of the integrity

a) Ensure the integrity of information during the processing, storage and transfer between service providers and their customers.

b) The combination of security measures on the administration and technique in:

- Physical access;

- Logical access;

- The process of access, processing, transmission, dump, storage, recovery of data.

4. Client authentication and transaction authentication

a) Ensure authentication and identify customers when they access and use Internet Banking services.

b) Use two-factor authentication on the Internet Banking system as performing payment transactions and other important transactions such as the connection creation between accounts, payment registration to a third party, change of the transaction limit in a day, change of the account information related to personal data of customers (such as address of offices or home, telephone numbers, email addresses and other information to verify customers).

5. Consumer protection

a) Provide for sufficient information on the rights and obligations of the customers before signing the contracts to provide services with customers. In the service providing contract, it must specify that the service provider shall ensure the terms set out in this Article for the customer. The service providers must fully comply with the terms of their responsibilities stated in the service contracts signed with their customers.

b) In the service providing contract, the service provider must specify the security responsibilities of the personal information of customers when they use the Internet Banking service; specify clearly the method that the bank to collect and use customer’s information, commit not selling, disclosing or leaking such information.

c) Take measures to ensure safety and security in case the service providers distribute software to customers via the Internet.

d) To be responsible for checking, warning and implementing measures to prevent and combat fake websites of providing for Internet Banking service of the service provider; at the same time to notify the method to determine the real website to customers.

Chapter 2.

SPECIFIC PROVISION

Article 4. Policy on safety and confidentiality of the systems

Develop and promulgate regulations on safety and confidentiality for Internet Banking system in accordance with regulations on safety, confidentiality for information technology system of the State, banking sector and the regulations on safety and confidentiality of information technology of the units. Periodically at least once a year, the unit must review, modify and perfect these regulations to ensure the suitableness, fullness, and effect of the regulations.

Article 5. Human Resource Management

1. Selecting officials who have the morality, educational level, ability to meet the requirements of professional skill and technology when be assigned tasks related to Internet Banking system.

2. The tasks of system administration; development and maintenance of application software and the system operation must be assigned to each division, different individuals. Ensure the cross control and there is no person to have full rights on the system or can initiate, intervene in the transactions of the Internet Banking system. Having provision for responsibilities and clear decentralization for each group of division or individual listed above. Privileged account on the Internet Banking system must be designed to be accessible only when having key of at least two people and must be strictly controlled over all operations of this account.

3. Having specific, clear regulations, and full implementing the management and supervision of personnel of the third party as accessing to the Internet Banking system. The requirements for safety, security, and agreements need to be specified in contracts with third parties.

Article 6. Media Network

1. To take measures to separate the network partitions to ensure the control of system access.

2. To take measures to detect and prevent intrusion, spreading of malicious code to the system.

3. To develop and implement backup plans for key positions having a high impact level to the network system or that potentially cause cripple for the entire network system of the units when the incident occurs.

4. The wireless connection must used authentication measures to ensure safety.

5. To guarantee bandwidth requirements for Internet Banking services.

6. To update the system patches, update the configuration of network devices and security devices at least every six months. In case of system error detection, it must perform the immediate update.

7. The equipment of network, security, confidentiality, anti-virus software, analysis tools, network management installed in the unit’s network must have the copyright and clear source and origin.

Article 7. Hardware and software of system

1. It must have the server infrastructure and associated equipment for Internet Banking System (hereinafter referred to as Internet Banking server) of full capacity, achieving performance as required, ensuring the access processing speed to meet customers’ needs using the service.

2. Requirements for Internet Banking Server

a) To have high availability features, flexible backup mechanism to ensure continuous operation.

b) To be put in the place where is protected safely and supervised strictly.

c) To separate the logic or physic with the servers operating other professional skills.

3. Requirements for system software:

a) To be reviewed and updated the versions, error patch of system software as recommended by the supplier at least every six months.

b) To make a list of software permitted to install on Internet Banking server and periodically at least every three months to update, inspect, ensure the compliance with this list.

Article 8. Software of application

1. General requirements

a) The requirements for safety, security of operations must be determined before and organizing to implement into the entire cycle of software development from analysis and design stage to the stage of operation and maintenance.

b) The documents on safety and security of the software must be systemized and stored and used according to "confidential" regime.

c) Prior to deploying new applications, it must assess the risks of the deployment process for professional operations, relevant information technology systems and making and implementing plans to limit, overcome the risks.

d) It must be identified, made statistics of activities and abnormal transactions arising in the system.

2. Inspection of the application software test

a) Developing and approving plans and testing scenario for applications offering Internet Banking services, which clearly states the conditions of safety, security required to be met.

b) Detecting and eliminating errors, frauds that can occur when entering input data and security vulnerabilities in the process of inspecting the system test.

c) Writing down the errors and process to deal with errors, especially errors on safety and security in the reports on inspection of the test.

d) Inspection of the test of safety, security features must be taken on the popular browsers like Internet Explorer, Mozilla, Firefox, Google Chrome.

đ) Conducting the test on separate environment and not affecting the normal operation of business; preparing the reports of test results to submit to the competent authorities for approval before being put into use.

e) The use of data for the test process is required to take precaution measures for preventing to be benefited or confused.

3. Management and upgrading of versions

a) For each requirement to change software, it must analyze and assess the impact of changes to the existing systems as well as business and other relevant information technology systems of the units.

b) The software versions include the source program required to be centrally managed, stored, kept secret and have decentralization mechanisms for each member in the manipulation with the files.

c) Information of the versions, update time, the update person of versions must be saved.

d) Each upgraded version must be inspected the test of safety, security features and stability before the official deployment.

đ) The upgrade of version must be based on test results and must be approved by the competent authorities.

e) After the software versions are successfully tested, they must be managed closely; to avoid illegally modified and ready for deployment.

g) Along with the new software version, it must have clear instructions on the changed contents, software update, and other relevant information and must be approved by the competent authority prior to the deployment to customers.

4. Source program control

a) To check the source code, to remove the malicious code sections, the security vulnerabilities (back-door).

b) To appoint specifically individuals to manage the source program of the Internet Banking system.

c) The access to the source program must be approved by the competent authorities and to be monitored and logged.

d) The source program must be kept safely in at least two separate locations.

đ) In case the service provider purchases software from a third party without being handed over the source program, the service provider must require the third party to sign agreement not containing malicious code in the software application delivered to the service provider.

Article 9. Database safe

1. Only use the database management system having copyright and clear origin and has been tested through actual operations of similar domestic or abroad organizations.

2. Database management system used for Internet Banking system must meet the requirements of stable operation; processing, storage of much data volumes by business requirements; with mechanisms to protect and decentralize access to the database resources.

3. To review, update the patches, the error modifications of database management system at least once every six months or right after the supplier's recommendations.

4. To formulate plans of backup, reserve for database to ensure the Internet Banking system of continuous operation when the incident for the database occurs.

5. To decentralize and define strictly for each individual accessing to database. It must log for database access, manipulation for the database configuration.

6. To take measures to prevent attacks of database.

Article 10. Data Encryption

1. To select the encryption algorithm meeting the requirements to ensure the confidentiality and handling capabilities of the Internet Banking system.

2. The encryption algorithm being used must be periodically checked once a year, review the safety level and handle timely weaknesses if any.

3. Not to let an individual perform the entire process of creating the encryption key. The encryption key must be created, modified, distributed, and stored safely.

4. It must ensure to recover encrypted information when necessary.

5. It must have the strict rules on the recovery of encryption keys, including the key destruction and the key restoration.

Article 11. Management of diaries

1. Logging the following events for Internet Banking system:

a) The system access process.

b) The manipulations of system configuration.

c) The events of authentication.

d) The events of grant and revocation of the right to access system and to use service.

đ) Transaction processing.

e) The unusual accesses.

2. Logging customers’ transactions and monitoring financial transactions on the Internet Banking system.

3. The log of the Internet Banking system to be stored, protected safely, and accessible when needed. Time for saving log is at least 03 years.

4. To check the access logs to detect, prevent the abnormal, illegal accesses for at least once a month.

Article 12. Incident management

1. To formulate the incident management process, which must clearly define the responsibilities of related departments, details the steps taken, including notification to the customers and report to the State Bank.

2. The incident management process must be reviewed and updated problems and plans of handling for at least every six months.

3. To apply the technical solutions to detect and handle timely the attacks into the denied services such as use of firewall devices; equipment to detect and prevent intrusion; the specialized equipment warning strike, diverting of network traffic; filter the information packets as being attacked.

4. To request third parties to provide troubleshooting procedures for the services provided by third parties relating to Internet Banking system.

Article 13. Guidance for customer

1. To promulgate regulations in which clearly state the rights and obligations of customers and of the service providers for the provision and use of Internet Banking services.

2. To guide customers the contents of self-ensuring safety in the use of Internet Banking services such as:

a) Method to set a password and protect password.

b) Not sharing the storage equipment of passwords, digital signatures.

c) Not placing options of web browser to allow the user name and password archiving.

d) Escape from the Internet Banking system when not using.

đ) Be careful, limit to use public computers, wireless public network to access the Internet Banking system.

e) Method to access to applicable address of the Internet Banking service of the units.

g) Notice to the service providers of errors and incidents in the course of using the service.

h) Warning of the other risks.

Chapter 3.

REPORT

Article 14. General requirements

The service providers are responsible for submitting reports to the State Bank of Vietnam (Department of Information Technology) as prescribed in Article 15, Article 16 of this Circular.

Article 15. The types of report

1. Report on provision for Internet Banking services:

a) For the units that provided services before the effective date of this Circular: The units send the reports within 10 working days from the effective date of this Circular.

b) For the units that provide services after the effective date of this Circular: The units send the reports at least 10 days prior to the official provision of Internet Banking services.

2. Annual reports:

The service providers must submit annual reports before March 15 every year.

3. Irregular reports:

The service providers shall submit irregular reports when the unsafe incidents occur or affecting the operation of the Internet Banking system within 05 days from the time of the accident or of incident detection.

Article 16. Contents of report

1. Report on Internet Banking services includes the following:

a) Address of website to provide for services.

b) The products and services currently offered.

c) The official date of provision.

d) Unit providing for Internet Banking system products.

đ) The third parties hired or coordinating together with to set up and operate Internet Banking system; the activities related to Internet Banking system with the participation of third parties and forms of participation of third parties.

e) The documents include information technology infrastructure and communications, human resources, process of business technique, the plans for dealing with risk, and other related matters as prescribed in Chapter II of this Circular.

2. The annual report includes the following contents:

a) The products and services of Internet Banking being supplied.

b) The changes of the products, Internet Banking services since the last report.

c) The changes of the documents prescribed at Point e, Clause 1, Article 16 since the last report.

d) Number of customers using the Internet Banking services and customer growth rate compared to the same period of the last year.

đ) The problems have arisen in the period. Incidents are reported at risk group, the damage and remedial measures adopted.

e) Recommendations and proposals.

3. Irregular report includes the following contents:

a) Date and place where the incidents occur.

b) Preliminary description of the incidents, the status of the incidents when they occur.

c) The cause of the problem.

d) Assessment of risk, the impact toward Internet Banking system and other involved systems.

đ) The situation of the damage.

e) The measures that the unit was taken to overcome the problem; prevent and stop risks.

g) Recommendations and proposals.

Chapter 4.

IMPLEMENTATION PROVISIONS

Article 17. Effect

1. This Circular takes effect as from November 04, 2011.

2. The Circular No.09/2003/TT-NHNN dated 05/08/2003 of the State Bank Governor guiding the implementation of some provisions of Decree No.55/2001/ND-CP dated 23/08/2001 of the Government on management, provision and use of Internet and the Circular No.01/2008/TT-NHNN dated 10/03/2008 amending, supplementing the Circular No.09/2003/TT-NHNN shall be invalid since the effective date of this Circular.

3. In the course of implementation, if problems arise, concerned organizations and individuals should promptly reflect to the State Bank of Vietnam (Department of Information Technology at No.64 Nguyen Chi Thanh, Dong Da, Hanoi, Vietnam) for review and settlement.

Article 18. Responsibility for implementation

1. The Information Technology Department is responsible for monitoring and inspecting the implementation of this Circular of the service providers. Each year, through the reports of the units or performance of the site inspection to assess the compliance with provisions and ensure safety, security for Internet Banking system of the units; synthesizing and reporting to the Governor situation of safety, security of Internet Banking services of Vietnam's banking system.

2. Agency inspectors, bank supervisors are responsible for coordinating with the Department of Information Technology to inspect and supervise the implementation of this Circular and handling administrative violations for the violations under the provisions of law.

3. Chief of Office, Director of Information Technology and the heads of units of the Vietnam State Bank, Directors of State Bank-branches in provinces and cities directly under the Central Government, Chairmen of the Management Boards, Chairmen of the members’ Councils, general directors (directors) of credit institutions, branches of foreign banks providing for Internet Banking services shall implement this Circular./.