With Vietnam’s controversial new Law on Cybersecurity set to take effect on January 1, 2019, the protection of personal information has become a very hot topic for Vietnamese and foreign companies and organizations. In the banking sector, where customer information is particularly sensitive, confidentiality has always been a matter of crucial importance.
In September, the government of Vietnam issued Decree No. 117/2018/ND-CP on confidentiality and dis- closure of customer information of credit institutions and branches of foreign banks (Decree 117). Decree 117 took effect on November 1, 2018, replacing Decree No. 70/2000/ND-CP of 2000 on confidentiality, storage, and disclosure of information related to customer deposits (Decree 70). Below are some notable points of Decree 117.
Governing Scope .
Decree 117 applies broadly to the confidentiality and disclosure of customer information of credit institutions and branches of foreign banks in Vietnam. However, some information is excluded from its purview, including customer information that is (i) classified as state secrets, (ii) provided to the State Bank of Vietnam, or (iii) used for anti-money laundering or anti-terrorism purposes.
Definition of Customer Information
This is the first time that customer information of a credit institution or a branch of a foreign bank has been formally defined under Vietnamese legislation. Under Article 3 of Decree 117, such customer information is defined as information that is provided by the customer, or arises in the course of a customer requesting or a credit institution/bank providing banking products and services, comprising:
(1) Personally identifiable information that contributes to identifying customers, whether individuals or organizations.
As in other Vietnamese data privacy regulations, “personally identifiable information” is defined very broadly, and the phrase “other relevant information” is problematic in that it seems to allow almost any information about the customer to be considered “personally identifiable information.”
(2) Information on accounts, deposits, deposited assets, transactions, securing parties, and other relevant information. (Most of these terms are further defined/clarified in the same article.)
Requests from State Authorities
Competent state authorities—which have been expanded under Decree 117 to include state audit agencies, customs authorities, and tax authorities, among others— can request the disclosure of customer information from credit institutions and branches of foreign banks in order to perform their assigned functions and tasks, provided they comply with the following conditions:
Although Decree 117 requires the authorities to maintain the confidentiality of the customer information they receive, enforcement will be a challenge in practice. By expanding the range of state authorities having the right to request customer information, without any corresponding requirements to improve oversight or secrecy, there is a greater risk of customer information being disclosed, intentionally or unintentionally.
Requests from Non-State Entities
Under Article 11, credit institutions and branches of foreign banks may only disclose customer information to other non-state organizations or individuals in one of the following circumstances:
(1) At the request of an entity specifically authorized to make such request in accordance with codes, laws, and resolutions issued by the National Assembly; or
(2) Upon receiving the customer’s consent in writing or in another form as agreed with the customer.
In a notable change from Decree 70, Decree 117 does not allow credit institutions, without the prior consent of their customers, to share customer information with each other. Although this is in line with Vietnam’s general rules on data privacy, it may cause difficulties for credit institutions, as the exchange of customer information within the banking system is vital for evaluating and mitigating insolvency risks.
Decree 117 specifies the form for requesting disclosure of customer information, which applies to requests made by both state authorities and non-state entities, as well as the procedure and deadlines for financial institutions to carry out the information disclosure (10 working days for simple and readily available information, or 25 working days for complicated and not readily available information), except as otherwise regulated by the relevant laws.
The new decree does not address whether financial institutions may provide access to, disclose, or transfer customer information to third parties located outside of Vietnam. These issues are covered by other legislation, such as the Law on Cybersecurity.
Decree 117 aims to reduce the number of fraudulent transactions and mitigate the risk of outside parties appropriating the personal information and assets of banking customers. While these are worthy goals, the effectiveness and enforcement of Decree 117 remain to be seen.