1. LEGAL DOCUMENTS ARE EFFECTIVE FROM 01/11/2020
1.1. Circular No. 09/2020/TT-NHNN on information system security in banking operations
-
Name of legal document: Circular No. 09/2020/TT-NHNN issued on 21/10/2020 by the Governor of the State Bank on information system security in banking operations (referred to as the “Circular No. 08/2020/TT-NHNN).
-
Effective date: 01/01/2021.
The content should be noted: Regulation on classification of other information systems which were not regulated in Decree No. 85/2016/ND-CP dated July 01, 2016 of the Government in information system in baking operations.
Specifically, Clause 1, 2, 3, 4, 5, 6 and 7 of Article 5 Circular No. 09/2020/TT-NHNN stipulates: “Article 5. Classification of information systems
1. For information systems that provide online services to customers, the institution shall conduct the classification according to the provisions of Decree No. 85/2016/ND-CP dated July 1, 2016 of the Government on the security of information systems by classification. For other information systems, it shall be classified according to the provisions of Clauses 2, 3, 4, 5, 6, 7 of this Article.
2. Information system level 1 is an information system that serves internal activities of the institution and only processes public information.
3. An information system of level 2 is an information system that has one of the following criteria:
a) Information systems serving internal activities of the institution, processing private information, personal information of users, information restricted to access according to regulations of the institution but do not processing secret state information;
b) The customer service information system does not require 24/7 operation;
c) Information infrastructure system serving the operation of a number of sections of the institution or the microfinance institution, the grassroots people’s credit fund.
4. An information system level 3 is an information system that has one of the following criteria:
a) An information system that processes confidential state information at Confidential level;
b) An information system serving daily internal operations of the institution and refusing to stop operating for more than 4 working hours from the time of shutdown;
c) An information system serving customers that require 24/7 operation and do not accept to stop operation without prior planning;
d) Payment systems of third party that the institution use for payment outside the institution’s system;
dd) The shared information infrastructure system serving the operation of the institution and the banking sector.
5. An information system of level 4 is an information system that has one of the following criteria:
a) An information system that processes confidential state information at the top confidential level;
b) An information system serving customers that processes and stores data of 10 million customers or more;
c) The national information system in the banking sector, requires 24/7 operation and does not accept to stop operation without prior plan;
d) An Important payment system in the banking sector in accordance with regulations of the State Bank;
dd) A shared information infrastructure system for banking sector operations, requiring 24/7 operation and refusing to stop operation without prior plan.
6. An information system of level 5 is an information system that has one of the following criteria:
a) An information system that process confidential state information at the Absolute Secret level;
b) A national information system in the banking sector serving the interconnection of Vietnam’s activities with the international;
c) A national information infrastructure system in the banking sector serving the interconnection of Vietnam’s activities with the international.
7. In the case of an information system consisting of many component systems, each of which corresponds to a different level, the information system level is defined as the highest level in the of the constituent systems.”
1.2. Circular No. 10/2020/TT-NHNN amendment and addition to a number of articles of the Circular No. 28/2015/TT-NHNN dated December 18, 2015 of the Governor of the State Bank of Vietnam regulating the management and use of digital signature, digital certificate and authentication service of digital signature of the State Bank
-
Name of legal document: Circular No. 10/2020/TT-NHNN issued on 02/11/2020 by the State Bank of amendment and addition to a number of articles of the Circular No. 28/2015/TT-NHNN dated December 18, 2015 of the Governor of the State Bank of Vietnam regulating the management and use of digital signature, digital certificate and authentication service of digital signature of the State Bank (referred to as the “Circular No. 10/2020TT-NHNN”).
-
Effective date: 01/01/2021.
Some contents should be noted:
-
Firstly, amending and supplementing regulations on granting digital certificates.
Specifically, Clause 6 Article 1 Circular No. 10/2020TT-NHNN stipulates: “Article 1. Amending and supplementing a number of articles of Circular 28/2015/TT-NHNN
…
6. Article 5 (Circular No. 28/2015/TT-NHNN) is amended and supplemented as follows:
“Article 5. Grant digital certificates
1. When in need of granted digital certificate or supplement profession of digital certificate, the subscriber-managing organization shall send 01 (one) set of dossier, including:
a) To grant digital certificate and supplement profession of digital certificate to individuals who are competent:
– An application form for granting digital certificate or supplementation profession of digital certificate according to Appendix 01 enclosed herewith (Circular No. 28/2015/TT-NHNN);
– An application form for granting digital certificate or supplementation profession of digital certificate for individuals according to Appendix 02 (Circular No. 28/2015/TT-NHNN) enclosed herewith;
– Documents proving the legal representative status of a competent person of an agency or organization as follows:
+ Enterprise registration certificate or certificate of cooperative registration or documents of equivalent value for enterprises, credit institutions, foreign bank branches;
+ Appointment decision of the person applying for granting digital certificate and supplementing profession of digital certificate (for state agencies).
b) To grant digital certificate and supplement profession of digital certificate to individuals who are authorized by a person:
– An application form for granting digital certificate or supplementation profession of digital certificate according to Appendix 01 enclosed herewith (Circular No. 28/2015/TT-NHNN);
– An application form for granting digital certificate or supplementation profession of digital certificate for individuals according to Appendix 02 enclosed herewith (Circular No. 28/2015/TT-NHNN);
– Authorization document of the authorized person allowing the authorized person to represent the organization to sign and approve documents, documents, reports, transactions on the information system corresponding to the profession of the digital certificate applied for granting. Authorized person is not allowed to authorize another person to perform;
– Document certifying the title of the person applying for granting profession of digital and supplementing profession of digital certificate.
c) To grant digital certificate and supplement profession of digital certificate to organizations:
– An application form for the granting digital certificate or supplementation of digital certificate to the organization according to Appendix 02a issued with this Circular (Circular No. 28/2015/TT-NHNN);
– Establishment decision or decision specifying functions, duties, powers, organizational structure or certificate of business registration or certificate of registration of the cooperative or papers of equivalent value.
2. In case a digital certificate has been granted and is still valid and is requested by the subscriber-managing organization to supplement the digital certificate profession, the Information Technology Department shall supplement the profession to the existing subscriber’s digital certificate.
3. Time limit for settlement and implementation results
Within 05 working days from the day on which the application for digital certificate is received, the Department of Information Technology shall inspect the application, issue digital certificates or supplement digital certificate profession to subscribers, send digital certificate granting notice and digital certificate activation code to the email address and text message to subscribers’ mobile phone number. For digital certificates for organizations, the Information Technology Department shall send notices of digital certificate granting and digital certificate activation code to the email address and text message to the mobile phone number of the focal officer in charge about digital certificate of the subscriber management organization according to the provisions of Clause 1, Article 14 of this Circular (Circular No. 28/2015/TT-NHNN).
In case the dossier is invalid, the Information Technology Department shall refuse to process the dossier and state the reason. Feedback and dossier processing results comply with Clause 3 Article 4a of this Circular (Circular No. 28/2015/TT-NHNN).
4. The digital certificate activation code is valid for up to 30 days from the date the digital certificate is issued. For newly issued digital certificates, subscribers must activate their digital certificates before the expiration of the activation code. Guidance documents on activation and renewal of digital certificates of the State Bank are posted on the State Bank’s web portal. For digital certificates with additional profession added, subscribers are not required to activate digital certificates.
5. The validity period of a subscriber’s digital certificate is proposed by the subscriber-management organization but must not exceed 05 years from the date of activation of the digital certificate.””
-
Secondly, amending and supplementing regulations on extension and change of information about digital certificates.
Specifically, Clause 7 Article 1 of Circular No. 10/2020/TT-NHNN stipulates: ““Article 1. Amending and supplementing a number of articles of Circular 28/2015/TT-NHNN
…
7. Article 6 (Circular No. 28/2015 / TT-NHNN) is amended and supplemented as follows:
“Article 6. Renewal and change of digital certificate information content
1. Digital certificates requested for information renewal or change must be valid.
2. Effective period of digital certificates:
a) Digital certificates, after being renewed, will be valid from the time of successful renewal but not exceeding 5 years;
b) Changing the contents of information of a digital certificate does not change the validity period of a digital certificate.
3. In case of extension or change of information of digital certificates:
a) The subscriber-management organization requests the extension of the subscriber’s digital certificate at least 10 days before the expiration of the digital certificate’s validity;
b) The subscriber-management organization requests to change the content of information about the subscriber’s digital certificate within 05 working days from the date of the following changes:
– Subscriber changes title, position or working department;
– Subscriber changes information of Identity Card/Citizen’s Identity;
– Subscriber changes address information, email, phone.
4. The subscriber-management organization sends 01 (one) set of dossier to request the renewal or change of digital certificate information, including the request for renewal or change of digital certificate information content according to Appendix 03. issued together with this Circular (Circular No. 28/2015/TT-NHNN).
5. Time limit for settlement and implementation results
Within 05 working days from the date of receipt of the dossier for the extension or change of digital certificate content, the Information Technology Department shall inspect the dossier, renew or change the content of digital certificate for subscription. In case the dossier is invalid, the Information Technology Department shall refuse to process the dossier and state the reason. Feedback and dossier processing results comply with Clause 3 Article 4a of this Circular (Circular No. 28/2015/TT-NHNN).
Receive the notice of approval for digital certificate extension, subscriber shall renew digital certificate according to the instruction manual on activation and renewal of digital certificate posted on the Portal of the State Bank.””