In mid-2019, the Vietnamese government approved the drafting of a Decree Regulating E-Identification and Authentication (“Draft Decree”), one of many efforts aimed at advancing the government’s plan to promote application and development of information technology. Since then, the Ministry of Information and Communication (MIC) has been accepting public comments and has been revising the Draft Decree, with the latest version dated April 29, 2021.
Expected to be promulgated in August 2021, the Decree will be the first to provide a comprehensive legal basis for managing, providing and using e-identification and authentication services in online transactions. Some notable contents are presented below.
Four Levels of E-Identification
Under the latest Draft Decree, different forms of e-identification are classified into four levels, increasing in security and reliability:
Generally, an individual may be identified by multiple e-identities, which are valid for use in different types of online transactions. However, since these transactions vary in the level of authentication they require, each e-identification is valid only in transactions that require the same or a lower level of authentication.
Since Level 3 and 4 e-identities are authenticated through some form of direct identification (such as the registrant’s appearance, a direct check of the citizen identification card, or an electronic connection with the citizen identification card), according to Article 5.2 of the Draft Decree, they are qualified to be used in online transactions that otherwise require a citizen identification document by law.
Once an individual has provided an e-identification that meets the authentication level set by the transacting organization, the latter may not demand further identifying information.
Regulations for E-Identification Service Providers
In general, the provision of e-identification and authentication services is carried out based on contractual agreements between the provider and the registrant and between the provider and the transacting organization, unless specified by any other law. The provider must meet general requirements for the storage and update of e-identities, provision and management of authentication tools, and suspension and retrieval of e-identities.
Since Level 3 and 4 e-identifications are more secure and more widely valid than those of Level 1 and 2, providers must satisfy several heightened conditions and requirements prescribed by law to obtain the license to provide Level 3 and 4 e-identification and authentication services. Meanwhile, providers of Level 1 and 2 e-identifications are not subject to any license; they must only comply with the general requirements listed above.
Conditions and requirements imposed by the Draft Decree to obtain the license for Level 3 and 4 provision include:
Among these requirements, the most notable is the deposit of VND 20 billion as a risk management and compensation mechanism in the event that the provider violates any rules leading to suspension of their license. According to the MIC, this proposed amount is estimated based on an average of 1 to 5 million accounts charged at VND 50,000 a year by each provider. The deposit would prevent risks during the dissolution or suspension of operation of the provider, and ensure the secure and reliable transfer of the e-identifications to another provider.