- The Vietnamese government is encouraging financial technology or fintech to promote a cashless society and extensive financial inclusion in the country.
- The fintech market is subject to multiple regulations issued by the State Bank of Vietnam for finance matters and the Ministry of Public Security (MPS) for data privacy and cybersecurity matters. The Steering Committee on Financial Technology is the centralized State authority for fintech management.
- Existing regulations neither provide a definition of fintech nor a single comprehensive instrument regulating fintech activities. The government is developing projects and drafting rules to regulate this largely unregulated industry.
- Government plans to promote modern technologies such as e-KYC, Open API, big data, artificial intelligence, blockchain and cloud computing, which supports local fintech development.
- To ensure that fintech promotes financial inclusion and a cashless society, the Vietnamese government needs to design a regulatory framework that is well-balanced to support innovation and ensure consumer protection and financial stability.
* Dang Linh Chi is a Special Counsel based in Baker McKenzie’s Hanoi office and Pham Mai Nhu Thuy is a Legal Assistant, also based in Baker McKenzie’s Hanoi office. 
Financial technology, or fintech, has transformed financial services and introduced ample opportunities for economic development. Vietnam’s share of regional fintech investment rose from only 0.4% in 2018 to 36% in 2019, placing it second only to Singapore (51%) in the ASEAN region. Despite this achievement, the financial areas transformed by fintech in the country are quite limited, with 98% of the funding being concentrated in the payment sector and 1% in blockchain. Also, Vietnam is still considered as having limited range of fintech activities, with fintech in the payment industry accounting for 31%, P2P lending for 17%, and blockchain/crypto for 13% of the market. One of the main factors hindering fintech growth and development is the under-developed regulatory framework where most regulations revolve around fintech activities in the payment industry.
Generally speaking, the fintech regulatory landscape in Vietnam is still at an early stage of development. Traditionally, the government had been quite conservative in terms of currency control. However, to promote financial inclusion and a cashless society via fintech, the government has been willing to allow more relaxed regulations to create more space for innovation. At the same time, the legal framework has also been designed to ensure consumer data privacy and cybersecurity.
This paper discusses the current fintech regulatory development in the country, from fintech development policy, key fintech regulators, regulations on specific forms of fintech and fintech-enabling technologies. It also discusses personal data protection and data localisation requirement, which are important issues relevant to fintech companies and fintech-enabling technology developers. The key challenge for the local government is to design a regulatory framework that is well-balanced and that allows innovation while ensuring consumer protection as well as financial stability.
FINTECH DEVELOPMENT FOR FINANCIAL INCLUSION
Currently, Vietnam has a large proportion of individuals and small- and medium-sized enterprises which remain unbanked or underbanked. For example, only 30% of adults (15 years and above) have accounts with financial institutions in 2018. Also, the rate of cash transactions is high, i.e., 80 % as at 31 December 2019. Meanwhile, the population’s access to information technology and telecommunications (ITC) services is quite impressive, with mobile phone connection at 150%, internet penetration at 70%, and 3G&4G registration at 45% in 2019.
In that context, to promote greater financial inclusion, the government has set the following targets by 2025:
- non-cash payment transactions will increase at the annual rate of 20-25%,
- at least 80% of adults will have accounts opened at banks or other authorised organisations,
- at least 25-50% of adults will have deposit at credit institutions;
- at least 250,000 small- and medium-sized enterprises will have debt balance at credit institutions;
- at least 70% of adults will have credit history information in the credit information system of the SBV.
Fintech development is considered an important strategy to achieve the above targets. More specifically, fintech is included in the government’s plan for regulatory improvement, expansion of financial supply chain channels, diversification of basic financial services, enhancement of the financial infrastructure, and protection of financial consumers. For example, fintech companies are encouraged to actively participate in the financial service supply chain and partner with credit institutions, especially micro-finance organizations and programs.
That is to say that for fintech investors, Vietnam remains largely an untapped market offering an attractive customer base as well as policy incentives. However, such an untapped market poses great challenges for the government in its ambition to use fintech to achieve financial inclusion goals.
As fintech involves both elements of finance and technology, the industry is subject to multiple regulations issued by a number of key regulators. The country’s central bank, the State Bank of Vietnam (SBV), regulates finance-related matters, while the Ministry of Public Security (MPS) oversees data privacy and cybersecurity-related matters. Both the SBV and the MPS are specialised governmental agencies that can directly issue regulations (i.e., in the form of circulars). They can also propose draft regulations to be approved and issued either as decrees (which are of higher order of application than circulars) by the government or as laws (which are of higher order of application than decrees) by the National Assembly. For example, intermediary payment service (IPS), which is the dominant form of fintech activity in Vietnam, is subject to regulations on the establishment and operation of IPS providers, and regulations on anti-money laundering/KYC (Know-Your-Customer). Both are basically designed by the SBV. At the same time, IPS providers that participate in the collection, exploitation, analysis, and/or processing of personal information are also subject to the regulations on personal data protection and cybersecurity. These are basically designed by the MPS.
Among the regulators, the Steering Committee on Financial Technology, which was established by the SBV in March 2017, is the designated centralised state authority for implementing State management of fintech. The Department of Payment under the SBV is the standing unit responsible for implementing tasks assigned by the Committee. The Committee is positioned to, among other functions, develop and complete the fintech ecosystem (including a regulatory framework), and create opportunities for fintech companies following the policy and strategy of the government. So far, the Committee has set targets to research fintech in five services: e-payment, e-KYC, P2P lending, Open API and blockchain application. Also, it has established direct dialogue channels with fintech firms to facilitate active problem solving.
REGULATION ON CERTAIN FINTECHS
At present, Vietnamese laws provide neither a definition of fintech nor a single comprehensive instrument for regulating fintech activities. Current regulations mostly evolve around fintech in the payment industry. That said, the government has been developing projects and draft regulations to regulate thus far unregulated fintech forms.
Intermediary payment service providers
Fintech in the form of IPS is governed by the Decree 101 on non-cash payment and Circular 39 on IPS. IPS includes financial switching service, electronic clearing service, payment gateway service, support service for money collection and payment, support service for electronic money transfer, and e-wallet service.
IPS providers must be locally established enterprises that have obtained a license to provide IPS (“IPS License”) from the SBV. Basically, in order to obtain an IPS License, the applicant must satisfy conditions such as those on the charter capital (i.e., VND 50 billion, approx. USD 2,145,000), service provision plan (which includes processes such as those on technical processes, payment guarantee mechanism and internal control), personnel (e.g., the qualifications of the legal representative and key managerial positions) and technical infrastructure (e.g., those for security of information technology system). After being issued an IPS License, an IPS provider must provide services in accordance with its IPS License and relevant laws. One key operational requirement is that the IPS service provider must implement anti-money laundering measures (e.g., KYC/e-KYC and transaction reporting) in accordance with the laws on anti-money laundering.
Currently, the government is drafting a decree that will replace the Decree 101 on non-cash payment. This is expected to provide more details on IPS, allow outsourcing of certain functions to agents, and release or remove certain licensing requirements to facilitate market access to fintech investors.
Mobile money service providers
In March 2021, the Prime Minister issued Decision 316 on a pilot programme for mobile money service, allowing the use of telecommunications accounts to make payment for goods and services of small value (i.e., the total transaction value limit of VND 10 million (approx., USD 434) per month per mobile money account). The pilot programme will operate for two years from the time the first enterprise is approved to pilot the mobile money service. The result of the pilot programme will be used by regulators to design specific regulations.
Enterprises eligible to apply for the pilot programme must either be (i) a qualified enterprise that has a license to provide e-wallet IPS and a license to establish a ground public telecommunication network using radio frequency bands, or (ii) a subsidiary that is allowed to use telecommunications infrastructure, network and data by its parent company which has a license to establish a ground public telecommunication network using radio frequency bands.
P2P lending service providers
For the lending industry, the SBV is currently working on a pilot programme for P2P lending as part of the Plan on Promoting Sharing Economy. So far, the SBV has confirmed that P2P lending is currently unregulated by Vietnamese laws. There are some P2P lending platforms operated by companies who have registered for the business lines of financial consultancy and financial brokerage. Also, the policy considers P2P lending as a civil transaction rather than a business activity.
REGULATORY SANDBOX FOR UNREGULATED AND UNDER-REGULATED FINTECH
Apart from specific regulations, the government is making efforts to develop a regulatory sandbox as a catch-all instrument for all forms of fintech. This sandbox is currently included in many master plans such as the Strategy for developing information technologies in the banking sector, the Scheme for promoting a sharing economy and the Strategy for national financial inclusion.
In early June 2020, the government issued a draft decree providing for a fintech regulatory sandbox (the “Draft Sandbox Decree”) in the banking sector. Generally, the Decree provides for the sandbox’s purpose, conditions and application procedures, test run requirements and extension/exit scheme, and the obligations of related parties.
More specifically, under the Draft Sandbox Decree, a fintech regulatory sandbox in the banking sector is defined as a legal mechanism established by the government that allows credit institutions, fintech solutions providers, and other innovative organizations to directly test fintech products and services in a closely-controlled environment supervised by relevant State bodies. Fintech areas that can be test run include payment, credit, P2P lending, KYC supports, Open API, solutions applying innovative technologies (e.g., blockchain), and other services supporting banking activities (e.g., credit scoring, savings, fundraising).
In the Draft Sandbox Decree, fintech organisations are organizations that are (i) not banks, (ii) established in Vietnam in accordance with the Law on Enterprises, and (iii) directly providing some banking-related services based on fintech solutions and/or fintech solutions supporting the activities of credit institutions. Fintech organisations must obtain a certificate of registration to participate in the sandbox by submitting a dossier to the Department of Payment of the SBV, which is the standing unit of the Fintech Steering Committee. The SBV will issue the certificate upon approval by the government.
The Draft Sandbox Decree also assigns the SBV with the responsibility to provide further detailed guidance for the implementation of the draft decree. However, it appears that the government’s current focus is on developing a regulatory sandbox for fintech in the banking sector, which will be managed by the SBV. Seeing that fintech could disrupt financial services other than banking activities (e.g., insurance with insur-tech), it is expected that there will be more regulatory development for Vietnam to welcome fintech investors from more diverse financial subsectors.
REGULATIONS ON AND SUPPORT FOR FINTECH ENABLING TECHNOLOGY
Fintech development is enabled by technologies such as e-KYC (electronic Know-Your-Customer), cloud computing, API, IoT (Internet-of-Things), big data, artificial intelligence, and blockchain. Development of such technologies is central to the SBV’s plan on banking digitalisation. SBV has set the goal of issuing a regulatory framework by 2025 for the application of key 4.0 technologies. These technologies include, among others, e-KYC, Open API, big data, artificial intelligence, blockchain, and cloud computing.
The e-KYC is now further enabled by the National Database of Citizen, which was put into operation in late February 2021. It allows the collection and use of basic information on all Vietnamese citizens, which is standardised, digitalised, stored, and managed by an information technology infrastructure that supports State management and transactions of agencies, organisations and individuals.
For cloud computing, banks are allowed to outsource information technology/cloud computing services to third-party service providers upon satisfaction of certain requirements. These cover obligations of the service user, criteria for selecting the service provider and the compulsory contents of the service contract. The SBV expects the number of local banks using cloud computing to reach 60% by 2025 and 100% by 2030. However, currently, local cloud service providers account for only 20% of the market, and the majority are offshore entities. With possible data localisation requirements being imposed on data-based service providers, partnerships with offshore cloud service providers to facilitate widespread use of cloud computing will be challenging.
Aside from the above regulatory initiatives, the Ministry of Science and Technology is also implementing Plan 844 to promote innovative start-ups that have the ability to grow rapidly via exploitation of intellectual property assets, technology, and new business models. The incentives include, among others, support for expenses regarding infrastructure, capital, training and marketing.
PERSONAL DATA PROTECTION AND DATA LOCALIZATION
Fintech companies and fintech-enabling technology developers involved in data-related activities may be subject to regulations on data privacy, data protection, and data security/cybersecurity.
On the issue of data privacy, Vietnam does not have a single comprehensive law that addresses individual and organisational privacy rights. Instead, relevant provisions are contained in various legal instruments such as the Civil Code, the Law on Information Technology, the Law on Protection of Consumers’ Rights, the Penal Code, and the Law on Cyber Information Security. That said, a recent development is the Draft Decree on Personal Data Protection (the “Draft PDPD”), issued by the government in February 2021. Notable proposals under the Draft PDPD include a broad definition of personal data, restrictions on processing of sensitive personal data and cross-border transfer of personal data (which includes data localisation in certain cases). Under the Draft PDPD, the PDPD will take effect on 1 December 2021 with no grace period available.
Regarding data localisation, under the Law on Cybersecurity, both local and offshore enterprises providing services on the telecom network, the Internet, and value-added services on cyberspace (herein referred to as “Cyberspace Service Providers”) which are involved in the collection, exploitation, analysis, and/or processing of personal information, data about users’ relationship and/or data generated by users in Vietnam, are required to store those data in Vietnam for a period specified by the government. Offshore entities will be required to open a branch or a representative office in Vietnam. That said, the data localisation requirement has not been implemented due to lack of details and guidance. Cyberspace Service Provider is yet to be more specifically defined, and it is uncertain whether data must be stored exclusively in Vietnam (i.e., no cross-border transfer) or whether only a copy of the data must be stored in Vietnam.
The data localisation requirement as proposed in the Law on Cybersecurity  and the Draft PDPD has generated heated debates in the private sector. A key concern raised is that the requirement of storing data in Vietnam will increase costs and reduce efficiency for businesses, especially for multinational companies. Another key concern is that companies located in Vietnam may become easy targets of cyberattacks, which may increase exposure to significant data loss, and with the risk of the attackers gaining access to a huge amount of information stored in Vietnam. In addition, the data localisation requirement is regarded by certain market participants to be potentially violating Vietnam’s international commitments under Article 14.11 and Article 14.13 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (or the CPTPP).
Digital payment and e-commerce activities are booming in Vietnam amidst the COVID-19 pandemic. These are driven by an increased demand for low-value transactions at low costs as well as the government’s policy to promote financial inclusion and a cashless society. The fintech industry is expected to grow further in the country. Investors, especially foreign ones, should stay updated with regulatory developments in the industry, especially possible restrictions regarding data privacy and cybersecurity. For fintech to enhance financial inclusion and promote a cashless society, the Vietnamese government will need to design a regulatory framework that is well-balanced and that allows innovation while ensuring consumer protection as well as financial stability.
ISEAS Perspective 2021/75, 7 June 2021
 Dang Linh Chi is a special counsel based in Baker McKenzie’s Hanoi office. Linh Chi focuses her expertise heavily towards the corporate, and banking and financial services sectors. She has substantial experience in and regularly advises on a broad range of banking and finance regulatory matters, capital market transactions, insurance, securities and funds. With fintech as part of her specialised expertise, Linh Chi frequently advises fintech companies, bank card organisations, and providers of payment services and intermediary payment services on their products and operation in Vietnam. Her capabilities also extend to advising domestic and international banks and financial institutions on their investment products. Over the past years, she has been actively participating as a contributor to legal reform efforts and as legal advisor on banking and financial services issues to business and professional associations. Pham Mai Nhu Thuy is a legal assistant based in Baker McKenzie’s Hanoi office. Thuy primarily focuses on banking and financial services, finance and projects, and corporate sectors. She helps the team in preparing regulatory advice, transactional documents and due diligence works for clients in several industries, including fintech.
 UOB, PwC and SFA, FinTech in ASEAN – From Start-up to Scale-up, 2019, p. 7 and 9.
 Fintechnews Singapore, Vietnam Fintech Report 2020, 2020, https://fintechnews.sg/wp-content/uploads/2020/11/Vietnam-Fintech-Report-2020.pdf
 World Bank (2018). The Little Data Book on Financial Inclusion 2018. Washington DC.
 Tapchitaichinh.vn, ““Thanh toán không dùng tiền mặt tại Việt Nam: Thực trạng và giải pháp”“, [Noncash-payment in Vietnam: Current situation and solutions] November 2020, https://tapchitaichinh.vn/ngan-hang/thanh-toan-khong-dung-tien-mat-tai-viet-nam-thuc-trang-va-giai-phap-329639.html#:~:text=Theo%20T%E1%BA%ADp%20%C4%91o%C3%A0n%20D%E1%BB%AF%20li%E1%BB%87u,l%C3%A0%20giao%20d%E1%BB%8Bch%20r%C3%BAt%20ti%E1%BB%81n.
 Vnetwork, ““Các số liệu thống kê Internet Việt Nam 2019”“, [Statistics on Internet in Vietnam] November 2019, https://vnetwork.vn/news/cac-so-lieu-thong-ke-internet-viet-nam-2019.
 Decision No. 149/QD-TTg dated 22 January 2020 of the Prime Minister on approving the Strategy for a national financial inclusion towards 2025, with a vision towards 2030 (the “Decision 149”).
 Decision No. 328/QD-NHNN dated 16 March 2017 of the State Bank of Vietnam on the establishment of Fintech Steering Committee and the supporting units from the Fintech Steering Committee of the State Bank of Vietnam (the “Decision 328”).
 The State Bank of Vietnam, “Hợp tác Ngân hàng – Fintech – Góp phần thúc đẩy phổ cập tài chính” [Bank and fintech partnership – contributing to the promotion of financial inclusion] August 2019, https://www.sbv.gov.vn/webcenter/portal/m/links/cm255?dDocName=SBV400234.
 Decree No. 101/2012/ND-CP dated 22 November 2012 of the Government on non-cash payment, as amended by Decree No. 80/2016/ND-CP and Decree No. 16/2019/ND-CP (the “Decree 101”).
 Circular No. 39/2014/TT-NHNN dated 11 December 2014 of the State Bank of Vietnam on guiding the intermediary payment service, as amended by Circular No. 20/2016/TT-NHNN, Circular No. 30/2016/TT-NHNN, and Circular No. 23/2019/TT-NHNN (the “Circular 39”).
 Decision No. 316/QD-TTg dated 9 March 2021 of the Prime Minister on Approving the implementation of piloting the use of telecommunications account for payment of small value goods and services (the “Decision 316”).
 Decision No. 999/QD-TTg dated 12 August 2019 of the Prime Minister on approving the Plan on Sharing Economy (the “Decision 999”).
 Official Letter No. 5228/NHNN-CSTT dated 8 July 2019 of the State Bank of Vietnam to credit institutions and branches of foreign banks regarding peer to peer lending (the “Official Letter 5228”).
 The State Bank of Vietnam, “Ý kiến của NHNN về lĩnh vực cho vay ngang hàng tại thời gian gần đây”, [Opinions of the State Bank of Vietnam on peer-to-peer lending in recent period], December 2018, https://www.sbv.gov.vn/webcenter/portal/vi/menu/trangchu/ttsk/ttsk_chitiet?centerWidth=80%25&dDocName=SBV355385&leftWidth=20%25&rightWidth=0%25&showFooter=false&showHeader=false&_adf.ctrl-state=3u8h33nbo_14&_afrLoop=6460897095115211#%40%3F_afrLoop%3D6460897095115211%26centerWidth%3D80%2525%26dDocName%3DSBV355385%26leftWidth%3D20%2525%26rightWidth%3D0%2525%26showFooter%3Dfalse%26showHeader%3Dfalse%26_adf.ctrl-state%3Da9bxu47t5_4.
 Decision No. 2655/QD-NHNN dated 26 December 2019 on approving the Strategy for developing information technologies in the banking sector by 2025, with a vision towards 2030 (the “Decision 2655”).
 Decision No. 999/QD-TTg dated 12 August 2019 of the Prime Minister on approving the Scheme for promoting a sharing economy (the “Decision 999”).
 Decision No. 149/QD-TTg dated 22 January 2020 of the Prime Minister on approving the Strategy for a national financial inclusion towards 2025, with a vision towards 2030 (the “Decision 149”).
 Decision No. 2655/QD-NHNN dated 26 December 2019 on the Strategy for developing information technologies in the banking sector by 2015, with a vision toward 2030 (the “Decision 2655”).
 VNExpress, “Khai trương hệ thống cơ sở dữ liệu quốc gia về dân cư” [Commencement of the national database on citizen], 25 February 2021, https://vnexpress.net/khai-truong-he-thong-co-so-du-lieu-quoc-gia-ve-dan-cu-4239980.html
 Circular No. 18/2018/TT-NHNN dated 21 August 2018 of the State Bank of Vietnam on the security of the information system in banking activities (the “Circular 18”).
 Opengovasia, “Vietnam launches digital transformation campaign”, June 2020, link https://www.opengovasia.com/vietnam-launches-digital-transformation-campaign/.
 Decision No. 844/QD-TTg dated 18 May 2016 of the Government on approving the plan of “Supportive policy for national innovative start-up ecosystem to 2025”, as amended by Decision No. 188/QD-TTg (the “Decision 844”).
 Law on Cybersecurity No. 24/2018/QH14 adopted on 12 June 2018 by the National Assembly (the “Law on Cybersecurity”).
 Under the CPTPP: Article 14.11: “each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person”; Article 14.13: “no Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory”.
|ISEAS Perspective is published electronically by: ISEAS – Yusof Ishak Institute 30 Heng Mui Keng Terrace Singapore 119614 Main Tel: (65) 6778 0955 Main Fax: (65) 6778 1735 Get Involved with ISEAS. Please click here: /support||ISEAS – Yusof Ishak Institute accepts no responsibility for facts presented and views expressed. Responsibility rests exclusively with the individual author or authors. No part of this publication may be reproduced in any form without permission. |
© Copyright is held by the author or authors of each article.
|Editorial Chairman: Choi Shing Kwok |
Editorial Advisor: Tan Chin Tiong
Managing Editor: Ooi Kee Beng
Editors: William Choong, Malcolm Cook, Lee Poh Onn, and Ng Kah Meng
Comments are welcome and may be sent to the author(s).