With Vietnam’s controversial new Law on Cybersecurity set to take effect on January 1, 2019, the protection of personal information has become a very hot topic for Vietnamese and foreign companies and organizations. In the banking sector, where customer information is particularly sensitive, confidentiality has always been a matter of crucial importance.
In September, the government of Vietnam issued Decree No. 117/2018/ND-CP on confidentiality and disclosure of customer information of credit institutions and branches of foreign banks (Decree 117). Decree 117 took effect on November 1, 2018, replacing Decree No. 70/2000/ND-CP of 2000 on confidentiality, storage, and disclosure of information related to customer deposits (Decree 70). Below are some notable points of Decree 117.
Governing Scope
Decree 117 applies broadly to the confidentiality and disclosure of customer information of credit institutions and branches of foreign banks in Vietnam. However, some information is excluded from its purview, including customer information that is (i) classified as state secrets, (ii) provided to the State Bank of Vietnam, or (iii) used for anti-money laundering or anti-terrorism purposes.
Definition of Customer Information
This is the first time that customer information of a credit institution or a branch of a foreign bank has been formally defined under Vietnamese legislation. Under Article 3 of Decree 117, such customer information is defined as information that is provided by the customer, or arises in the course of a customer requesting or a credit institution/bank providing banking products and services, comprising:
(1) Personally identifiable information that contributes to identifying customers, whether individuals or organizations.
- For individuals: Full name; specimen signature; electronic signature; date of birth; nationality; occupation; permanent residence, current residence, or place of residence abroad (for foreigners); telephone number; email address; ID card or passport number, date of issuance, and place of issuance; and other relevant information.
- For organizations: Full name; abbreviated name; establishment license or decision; enterprise registration certificate or equivalent document; address of head office; telephone number; fax number; email address; personally identifiable information (as described above) of the legal representative of the organization; and other relevant information.
As in other Vietnamese data privacy regulations, “personally identifiable information” is defined very broadly, and the phrase “other relevant information” is problematic in that it seems to allow almost any information about the customer to be considered “personally identifiable information.”
(2) Information on accounts, deposits, deposited assets, transactions, securing parties, and other relevant information. (Most of these terms are further defined/clarified in the same article.)
Requests from State Authorities
Competent state authorities—which have been expanded under Decree 117 to include state audit agencies, customs authorities, and tax authorities, among others—can request the disclosure of customer information from credit institutions and branches of foreign banks in order to perform their assigned functions and tasks, provided they comply with the following conditions:
- Their request for customer information is in line with the purposes, contents, scope, and jurisdiction stipulated by law or as agreed by the customer, and they must bear responsibility for their requests.
- They have supporting documents to prove the reasons for and objectives of such request, issued by the appropriate-level authority, and in conformity with relevant law, unless such request relates to a criminal proceeding or national security.
- After obtaining the customer information, they must keep it confidential, use it in line with the purpose stated when requesting the information, and not disclose it to any third party without consent of the customer, except where permitted by law.
Although Decree 117 requires the authorities to maintain the confidentiality of the customer information they receive, enforcement will be a challenge in practice. By expanding the range of state authorities having the right to request customer information, without any corresponding requirements to improve oversight or secrecy, there is a greater risk of customer information being disclosed, intentionally or unintentionally.
Requests from Non-State Entities
Under Article 11, credit institutions and branches of foreign banks may only disclose customer information to other non-state organizations or individuals in one of the following circumstances:
(1) At the request of an entity specifically authorized to make such request in accordance with codes, laws, and resolutions issued by the National Assembly; or
(2) Upon receiving the customer’s consent in writing or in another form as agreed with the customer.
In a notable change from Decree 70, Decree 117 does not allow credit institutions, without the prior consent of their customers, to share customer information with each other. Although this is in line with Vietnam’s general rules on data privacy, it may cause difficulties for credit institutions, as the exchange of customer information within the banking system is vital for evaluating and mitigating insolvency risks.
Decree 117 specifies the form for requesting disclosure of customer information, which applies to requests made by both state authorities and non-state entities, as well as the procedure and deadlines for financial institutions to carry out the information disclosure (10 working days for simple and readily available information, or 25 working days for complicated and not readily available information), except as otherwise regulated by the relevant laws.
The new decree does not address whether financial institutions may provide access to, disclose, or transfer customer information to third parties located outside of Vietnam. These issues are covered by other legislation, such as the Law on Cybersecurity.
Decree 117 aims to reduce the number of fraudulent transactions and mitigate the risk of outside parties appropriating the personal information and assets of banking customers. While these are worthy goals, the effectiveness and enforcement of Decree 117 remain to be seen.