A+ A-

2021/20 “Regulating Digital Credit Scoring in Vietnam” by Nicolas Lainez

About 70 percent of Vietnamese citizens have limited or no access to financial services. Here social distancing markers are placed at the ATM counters amidst concern of COVID-19 coronavirus inside a shopping mall in Hanoi on August 14, 2020. Photo: Manan VATSYAYANA, AFP.


  • About 70 percent of Vietnamese citizens are un(der)banked and have limited or no access to financial services.
  • Their lack of credit histories severely limits their access to credit markets as lenders cannot assess their creditworthiness.
  • Fintech startups provide digital credit scoring services to lenders in Vietnam to assess credit risk of the un(der)banked. Risk assessment is based on alternative data collected from users’ smartphones and processed through machine learning algorithms.
  • Digital credit scoring provides more consistent, efficient, accurate and timely credit scores than traditional scoring based on economic data, especially credit repayment history.
  • Digital credit scoring though raises concerns about unfair discrimination against the underbanked in credit access, the loss of privacy and ability to make choices and personal data protection.
  • This technology is deployed in Vietnam in a legal vacuum. A legal framework is proposed that aims to balance normative trade-offs between innovation and public protection.

* Nicolas Lainez is Visiting Fellow with the Regional Economic Studies Programme at ISEAS – Yusof Ishak Institute.His research is located in the field of economic anthropology, covering credit and household debt, formal and informal finance, migration and trafficking, family and care economies. He is currently working on Financialisation and credit and consumer lending growth in Vietnam.


Big data and artificial intelligence (AI) are transforming the credit industry worldwide. This process is clearly visible in Vietnam, an emerging lower-middle-income economy where credit markets are undergoing rapid liberalization and transformation. Lenders increasingly assess borrowers’ creditworthiness – defined as the likelihood and willingness to repay their loans – using ’digital credit scoring’. This technology combines big data and machine learning algorithms to generate scorecards about loan applicants’ risk profile. It promises efficiency, accuracy and speed in predicting credit risk. With 70 million unbanked and underbanked citizens short on credit history and access to banking services, digital credit scoring emerges as a magic tool to foster financial inclusion in Vietnam. However, it also raises public concern about opacity, unfair discrimination, and privacy threats, especially in the more developed markets.[1]

Regulation is critical to foster innovation while safeguarding public interest. The problem is that Vietnam lags in having regulations covering digital credit scoring. As a result, the lending industry deploys it at scale without a proper regulatory framework. This article addresses this issue from a legal perspective. After describing the pros and cons of digital credit scoring in Vietnam, it suggests novel ways to regulate it. The goal is to provide oversight over this technology and make the process from data collection to credit decisions transparent, accessible and fair. This study’s assumption is that adequate regulation is vital to delivering big data and machine learning’s promise in the financial services market, while ensuring fairness and privacy protection. The legal proposal aims to amend and complement credit and data privacy legislation in Vietnam.


The financial industry is driven by information. In particular, lenders need accurate and up-to-date data on borrowers to determine loan pricing and terms. This is to decrease exposure to bad debt and maximize profit. However, lenders have imperfect information on their customers. Data can be difficult to obtain in countries where financial exclusion prevails and citizens are not sufficiently served by financial institutions. Financial exclusion is high in Southeast Asia. In Vietnam, 70 percent of 98 million Vietnamese are un(der)banked and therefore lack access to formal financial services.[2] Lenders and credit scoring firms assume that many of these individuals seek loans and have the ability to repay them.

To achieve financial inclusion, credit scoring startups take an ’all data is credit data’ approach. They take advantage of the recent introduction of digital technologies and services, new electronic payment systems, and smart devices to collect alternative data. They capitalise on high mobile phone and internet penetration rates in Southeast Asian. In Vietnam, the internet penetration rate reaches 52 percent and smartphone ownership reaches 72 and 53 percent in urban and rural areas, respectively, in 2016.[3] In 2017, 132 million mobile devices were in circulation.[4] Credit scoring firms glean alternative data from borrowers’ mobile devices, which they feed to machine learning algorithms for generating detailed and intimate knowledge about their behaviour and risk profile. These are derived from telco and mobile data, social network data, browser data, e-commerce, and financial transaction data.

Credit scoring startups make an argument for efficiency by comparing their scorecards with traditional scoring based on economic data and simple statistical tools. Their marketing presents the latter as a system of “archaic credit data and scoring technologies of the 70s”.[5] In Vietnam, the Credit Information Center (CIC) under the State Bank is the official public credit registry. It collects, processes and stores credit data, analyses, monitors and limits credit risk, scores and rates credit institutions and borrowers, and provides credit reports and other financial services. It gleans credit data from 670,000 companies and 30.8 million individuals with existing credit history.[6] The CIC operates alongside the Vietnam Credit Information Joint Stock Company (PCB), a smaller private credit registry created by 11 banks in 2007. The CIC and PCB provide essential services to the financial community, but use traditional credit data and scoring methods that limit their reach and scope. The CIC, for instance, takes several days to deliver individual reports and lacks a national credit database system with a unique profile for every citizen.

Credit scoring startups put forward efficiency, accuracy and speed to set themselves apart from credit registries and promote their sophisticated technology. Their predictions offer higher accuracy than traditional scoring because they leverage a much larger number of data points relevant to risk behaviour and analyse them with AI. They also increase speed to provide ’real-time credit decision’, as stated in CredoLab’s privacy policy.[7] Banks and consumer lending companies also seek to provide a ’fast and easy’ credit experience. Kalidas Ghose, CEO of FE Credit, the leading consumer lender in Vietnam and a subsidiary of VPBank, promotes the power of big data to foster financial inclusion and credit growth in Vietnam. At first, FE Credit developed an “enhanced process for instant application in 1 click” that takes less than two days: an SMS is sent to the customer, a “fair price” is calculated based on a “highly reliable score”, the customer applies for a loan on “1 click”, the sales team calls back in less than 30 min, an appointment is made in less than 24 hours to close the deal, and the loan is disbursed within 12 hours. This system leverages telco data provided by Viettel (63.6 million users), Mobifone (20.5 million) and Vinaphone (34.6 million) to assess risk.[8]

As if two days were not fast enough, FE Credit then developed $NAP, an automated lending platform that digitises the loan application process and shortens the time for approval and disbursement to 15 minutes.[9] $NAP reduces customer recruitment cost and lowers the risk of losing them due to cumbersome procedures. According to Ghose, a “strong risk management process”, based on “extensive usage of big data analytics”, has resulted in “an ability to take on higher exposure with better customers, delivering them top-up loans earlier in their lifecycle, and expansion of target base by using alternate behavioral data in partnership with telcos, e-commerce and utility companies” (ibid.). In Ghose’s opinion, new technological practices “have helped us to serve our customer faster, easier, deliver the right product to them, at the right time and right place. And as a result, we can now increase our revenues while reducing risk as well as operations cost” (ibid.). According to FE Credit, $NAP has succeeded in attracting customers – “2 million application downloads, 540,000 application registrations, and 200,000 successful disbursals.[10] $NAP will most likely set the path for a ’fast and easy credit’ experience in Vietnam. Big data and machine learning algorithms are critical to achieving this goal. They deliver accurate predictions at a glance and cut down bureaucracy and human discretion that prevail in traditional credit scoring and human decision, as the narrative goes. They make possible the next frontier of consumer lending: the automation of lending.


Digital credit scoring promises to foster financial inclusion and make customised credit products available to the un(der)banked. But can machine learning algorithms and big data live up to their promise of distributional fairness and privacy protection?

There are conflicting public perceptions of big data and AI. A common assumption is that this technology is truthful, objective and neutral. This positive view gives AI authority over humans to take on heavy responsibilities and make vital decisions. Meanwhile, the general public worries that algorithmic governance may be biased and discriminate against vulnerable groups, including the poor, women and racial, ethnic, religious and sexual minorities.[11] The hidden nature of machine learning algorithms exacerbates these anxieties. Algorithms are popularly described as ’black boxes’ because they run autonomously, especially unsupervised learning. The reason is because they operate sometimes without disclosing even to their programmers how they calculate and what datasets or combinations of datasets they use to predict the most accurate outcomes. For risk assessment, borrowers fail to understand how algorithms make predictions based on data from call and SMS logs and social media networks A widespread fear is that ’opaque’ algorithms will standardise past prejudices and biases into discriminatory rules that will reinforce inequality. If these fears are founded, they ignore an important consideration, which is that the danger of discrimination lies not in algorithms but in humans who classify and rank other humans permanently, and design, programme, and train algorithms to perform certain operations and reach determined outcomes.

Another area where digital credit scoring raises anxieties is consumer autonomy and privacy. Autonomy refers to consumers’ ability to make choices and decisions free from outside influence. Consumer lending markets use credit pricing and customisation to discipline behaviour as well. Loan prices and conditions result from the sorting and slotting of people in “market categories” based on their economic performance.[12] In the US, these market categories are linked to credit scores that determine credit access, pricing and conditions. However, they also determine one’s ’life chances’ because credit scores measure creditworthiness and trustworthiness. A favourable credit score is required to purchase a home, a car, a cellphone on contract with no security deposit, seek higher education, start a new business, and secure a job with a good employer. Conversely, bad scores hamper one’s life chances. Credit scores thus make and undo fates.

In Vietnam, it is too early to observe behaviour change and nudging among consumers based on digital credit scoring, as it at an early stage of deployment. Yet, banks and lending companies increasingly use this technology to assess creditworthiness and make traditional and digital credit widely accessible to borrowers. They also take the initiative to educate people about credit scoring and to advise on how to adjust behaviour to improve scores and chances of obtaining loans.[13] The media pay some attention to digital credit scoring. For instance, there has been a news clip where Vietnamese students are advised on how they are to behave to secure loans and fund their studies and consumption in the US.[14] The journalist shares “the reasons why one should accumulate credit points and how one learns to build credit effectively and safely while living in the US”. These materials reveal the emergence of digital credit scoring and its normative power for guiding behaviour in Vietnam.

A last issue of growing concern is cybersecurity or the fraudulent use of data for profit. In Vietnam, new wealth fuels cybercrime. With rapid economic and digital growth and a growing and impressive number of internet users (66 percent out of 98 million inhabitants) and social media users (60 percent), Vietnam is an “El Dorado for cyber-offenders”.[15] Cyberattacks and data breaches are common. In 2019, the Government Information Security Commission reported 332,029 access attacks (using improper means to access a user’s account or network) and 21,141 authentication attacks (using fake credentials to gain access to resources from a user).[16] These data are just the tip of the iceberg in a country where cybercrime remains largely underreported.[17] The media regularly report data breaches. In 2019, the Maritime Commercial Joint Stock Bank (MSB) suffered a leak of personal data. A list of two million account holders’ names, ID, phone numbers, addresses, birthdates, gender, emails, and occupations was posted in a website trading stolen data. It is unclear if the data were leaked by an employee from the bank or by a hacker who attacked the bank’s database.[18] In 2018, the police dismantled a group of 12 cybercriminals who broke into the server of an unspecified bank to access the accounts of customers who had not subscribed to online banking services. After fraudulently subscribing to these services, they impersonated bank officers and called customers to ask for an OTP to disburse a loan. They use OTPs to log into the accounts of 560 customers to steal VND43 billion (US$1.8 million).[19]


Big data and AI make big promises but pose big challenges as well. These challenges require regulation, oversight and safeguards. However, in its current state, Vietnamese law is ill-equipped to regulate big data and AI, including digital credit scoring. This technology calls for revising credit law, especially matters related to creditworthiness assessment. In Vietnam, credit law is scattered across several instruments. The 2010 Law on Credit Institutions is the general framework, but it addresses creditworthiness tangentially. Other rules appear in circular 39/2016/TT on lending transactions of credit institutions, circular 43/2016/TT on stipulating consumer lending by financial companies, and circular 02/2013/TT on conditions of debt restructuring. The regulations on creditworthiness require creditors and regulators to continually assess and categorise debtors and loans in risk categories. Since these regulations were designed before the advent of AI, they contain gaps and inadequacies.

First, lenders are required to assess borrowers’ creditworthiness using traditional, financial and (non-)credit data (“qualitative and quantitative, business and administration situation”), which they collect from borrowers and the CIC. This framework is inadequate to regulate the gleaning and processing of alternative data by credit scoring startups.

Second, credit law does not ban discrimination against vulnerable borrowers through sensitive characteristics like race, religion, national origin, sex, marital status, and so forth. Vietnam does not have any specific law about discrimination – except the articles 16 in the Constitution and 12 in the law on gender equality. If credit scoring firms collect alternative data comprising sensitive characteristics and use them to assess risk, they may (in)advertently (re)produce unfair discrimination.

Third, credit regulation requires credit institutions to provide borrowers with a reason for rejecting loan applications. However, the law does not grant borrowers the right to correct credit data, appeal human or automated decisions, and request explanations on how decisions are made, and suggestions on how to improve their credit record and scoring to avoid future improper rejections.[20]

On the whole, legal provisions on creditworthiness assessment leave lenders unaccountable for their decisions and adds an extra layer of opacity to credit scoring and decision-making, thereby putting borrowers at a disadvantage.

The goal for industry players from the fintech and finance sectors, for the regulator and for society is to negotiate normative trade-offs between efficiency and fairness, innovation and public interests that are to be represented in the amended regulation.[21]

The regulator could issue a decree that would update credit law. It could limit what data is collected, how it is used, under what circumstances it can be transferred, stored and sold, and whether and how it should be shared with the CIC.

The decree could also ensure that consumers are given the possibility to oversee the entire scoring process and have the right to explanation in case of rejection, appeal for rejection, and correction of credit data to improve their chances of approval in the future.

The decree could also detail safeguards and procedures on how to open the scoring system for inspection by a public regulatory body – for instance the State Bank of Vietnam. The decree could also address the issue of bias and discrimination against vulnerable groups by banning the use of sensitive characteristics.

The regulator could design this decree and negotiate optimal compromises between efficiency and fairness with industry players and civil society organisations.

Another area of concern raised by big data and AI is privacy. Laws on personal data protection are comprehensive but scattered in many statutes and decrees. The reference legislation is Law 86/2015/QH13 on Cyber-Information Security (CIS). Other relevant regulations can be found in Law 67/2006/QH11 on Information Technology (IT).[22] The CIS and IT require data collecting companies to obtain consent from data owners prior to gleaning personal data. For the CIS, consent requirement shall include the “scope and purpose of collection and use of such information” (art 17a). According to the IT, companies must “inform those people of the form, scope, place and purpose of collecting, processing and using their personal information” (art 21.2a). Data owners have the right to “update, alter or cancel their personal information collected or stored” by companies and to stop these companies from “providing such personal information to a third party” (CIS, art 18.1). It also requests data collectors to “delete the stored personal information when they have accomplished their use purposes or the storage time has expired” (CIS, art 18.3). Art 22 of the CIS stresses that data owners have a right to “inspect, correct or cancel such information” (see also art 22 of the IT).

All-in-all, the law provides data owners a comprehensive s​et of rights and protections against companies that collect personal data. It also promotes transparency and accountability. However, it does not delimit what data companies can collect to protect privacy.

This gap is problematic given the severe implications big data and AI have in people’s lives. Legal scholars call for minimising data collection, meaning banning the collection and “processing of certain types of personal data – such as relationship, health and social media data – that are considered intrinsic to a consumer’s identity and autonomy”.[23] This suggestion raises a challenging question: How does one determine what data are intrinsic and therefore non-commodifiable for preserving privacy and intrinsic identities?[24]

This thorny question requires extensive political, societal and legal debate, negotiation, and compromise. The Vietnamese government could address it by launching a consultation with industry players, international bodies, data protection organisations, and civil society associations to determine what personal data should or should not be collected and commodified for credit scoring purposes.

The goal would be to find a compromise between efficiency in risk assessment and credit decision-making while preserving the data owner’s privacy and intrinsic identities. The results of this consultation could be made enforceable by issuing a decree that amends privacy regulations including CIS and IT. Meanwhile, the authorities should ensure that credit scoring firms and local and international lenders operating in Vietnam follow the law on personal data protection to respect privacy.


It is important to follow the deployment and study the impact of digital credit scoring in Vietnam. This technology stirs mixed feelings: excitation over prospects for greater efficiency and potential for fostering inclusion, and concern about discrimination and privacy threats. It is too early for a comprehensive evaluation of the pros and cons of digital credit scoring in Vietnam, as this technology is being deployed as we speak. Nevertheless, regulation is vital to support fintech innovation and positive socioeconomic change.

Given that digital credit scoring thrives in legal limbo in Vietnam, the regulator should address new challenges posed by big data and AI and reflect on normative trade-offs without further ado. Implementing legal safeguards and human oversight to support efficiency and accuracy while preserving public interest and privacy is an imperative. The authorities will also have to make sure that domestic and foreign credit scoring firms and lenders comply with proposed changes in regulation.

ISEAS Perspective 2021/20, 26 February 2021.


[1] Nikita Aggarwal, “The Norms of Algorithmic Credit Scoring,” SSRN Electronic Journal, 2020, https://doi.org/10.2139/ssrn.3569083; Citron Danielle and Franck Pasquale, “The Scored Society: Due Process for Automated Predictions,” Washington Law Review 89, no. 1 (2014): 1–34.

[2] World Bank, The Little Data Book on Financial Inclusion 2018 (Washington DC: World Bank, 2018), 160.

[3] Hai Yen Nguyen, “Fintech in Vietnam and Its Regulatory Approach,” in Regulating FinTech in Asia, ed. Mark Fenwick, Steven Van Uytsel, and Bi Ying, Perspectives in Law, Business and Innovation (Singapore: Springer, 2020), 121.

[4] CSIRO, “Vietnam Today: First Report of the Vietnam’s Future Digital Economy Project” (Hanoi: Commonwealth Scientific and Industrial Research Organisation, 2018), 3.

[5] https://www.trustingsocial.com/about-us (accessed 20 November 2020)

[6] https://cic.org.vn (accessed 20 November 2020)

[7] https://www.credolab.com/privacy-policies/english (accessed 20 November 2020).

[8] Kalidas Ghose, “Financial Inclusion- Leveraging the Mobile Device: The FE Credit Experience” (Hanoi: FE Credit, 2018), https://www.mmaglobal.com/files/speaker_presentations/5._kalidas_ghose_-_fe_credit_.pdf (accessed 20 November 2020).

[9] Saigon Times, “FE Credit Reshapes Vietnam’s Consumer Finance Industry with Its Disruptive ’$nap’ Digital Lending Platform,” Saigon Times, January 11, 2019, https://english.thesaigontimes.vn/65498/fe-credit-reshapes-vietnam’s…nce-industry-with-its-disruptive-$nap-digital-lending-platform.html (accessed 20 November 2020).

[10] https://snap.fecredit.com.vn/en (accessed 20 November 2020)

[11] see, i.e., Safiya Umoja Noble, Algorithms of Oppression: How Search Engines Reinforce Racism (New York: New York University Press, 2018).

[12] Marion Fourcade and Kieran Healy, “Classification Situations: Life-Chances in the Neoliberal Era,” Accounting, Organizations and Society 38, no. 8 (November 2013): 561-572.

[13] FE Credit, “Điểm Tín Dụng Xấu Là Gì? Làm Gì Khi Điểm Tín Dụng Xấu? (Phần I) [What Is a Bad Credit Score? What to Do When a Bad Credit Score? (Part I)],” May 23, 2016, https://fecredit.com.vn/taichinh/diem-tin-dung-xau-la-gi-lam-gi-khi-diem-tin-dung-xau-phan (accessed 20 November 2020).

[14] Anh Duong, “Credit Score (Điểm Tín Dụng) – Yếu Tố Quan Trọng Trong Cuộc Sống Của Du Học Sinh Tại Mỹ [Credit Score: An Important Factor in the Life of International Students in the US],” San Sang Du Hoc, June 28, 2018, https://sansangduhoc.vn/tin-tuc/credit-score-diem-tin-dung-yeu-to-quan-trong-trong-cuoc-song-cua-du-hoc-sinh-tai-my.html (accessed 20 November 2020).

[15] Tech Collective, “Vietnam Suffers the Most Southeast Asia Offline Cyber Attacks Q2 2019,” KrAsia, August 9, 2019, https://kr-asia.com/vietnam-suffers-the-most-southeast-asia-offline-cyber-attacks-q2-2019 (accessed 20 November 2020).

[16] Vietnam Security Summit, “Cyber Security in the AI and Big Data Era: Event Brochure” (Vietnam Security Summit, November 10, 2020), https://securitysummit.vn/docs/2020/Brochure_Vietnam_Security_Summit.pdf (accessed 20 November 2020).

[17] Hai Thanh Luong et al., “Understanding Cybercrimes in Vietnam: From Leading-Point Provisions to Legislative System and Law Enforcement,” International Journal of Cyber Criminology 13, no. 2 (2019): 294.

[18] Lam Bao, “Two Million Account Details from Major Vietnamese Bank Leaked Online,” November 22, 2019, https://e.vnexpress.net/news/news/two-million-account-details-from-major-vietnamese-bank-leaked-online-4016176.html (accessed 20 November 2020).

[19] VNS, “Sophisticated Cyber Crime on the Rise in Việt Nam,” Viet Nam News, August 14, 2018, https://vietnamnews.vn/society/463726/sophisticated-cyber-crime-on-the-rise-in-viet-nam.html (accessed 20 November 2020).

[20] A good credit scoring will differentiate the different grades of credit risk a borrower has and inevitably there will be high risk borrowers that lenders would not want to accept given the high cost of credit that would impact lenders financial performance.

[21] A more comprehensive analysis would require exploring the legal safeguards implemented in more developed markets. See Aggarwal, “The Norms of Algorithmic Credit Scoring” for a brilliant study of the UK case, and Danielle, Citron and Franck Pasquale, “The Scored Society: Due Process for Automated Predictions.” Washington Law Review 89, no. 1 (2014): 1–34 for a study of the U.S. case.

[22] For a description of other laws, see Ha Quyen Hoang Nguyen, “Protecting Personal Data on Cyberspace: Enterprise’s Obligations under the Laws of Vietnam,” December 2, 2019, https://www.inhousecommunity.com/article/protecting-personal-data-cyberspace-enterprises-obligations-laws-vietnam/ (accessed 20 November 2020).

[23] Aggarwal, “The Norms of Algorithmic Credit Scoring,” 17.

[24] For a similar discussion, see also World Bank, CGAP, “Data Protection and Privacy for Alternative Data” (Washington, D.C: World Bank, CGAP, 2018), 13–14.

ISEAS Perspective is published electronically by: ISEAS – Yusof Ishak Institute   30 Heng Mui Keng Terrace Singapore 119614 Main Tel: (65) 6778 0955 Main Fax: (65) 6778 1735   Get Involved with ISEAS. Please click here: /supportISEAS – Yusof Ishak Institute accepts no responsibility for facts presented and views expressed.   Responsibility rests exclusively with the individual author or authors. No part of this publication may be reproduced in any form without permission.   © Copyright is held by the author or authors of each article.Editorial Chairman: Choi Shing Kwok   Editorial Advisor: Tan Chin Tiong   Managing Editor: Ooi Kee Beng   Editors: William Choong, Malcolm Cook, Lee Poh Onn, and Ng Kah Meng   Comments are welcome and may be sent to the author(s).

Download PDF Version