Technical Update - Legal Update July 2023

On 22 June 2023, the State Bank of Vietnam (“SBV”) issued Circular 05/2023/TT-NHNN amending it’s Circular 30/2015/TT-NHNN dated 25 December 2015 on the issuance of license, organization and operation of non-bank credit institutions (“Circular 05”). Circular 05 will take effect on 06 August 2023 with the following notable contents:

• Amending provisions on the order and procedures for issuance of license for establishment and operation of non-bank credit institutions (“License”), in which:

i. The application dossier for the License shall be submitted directly or via postal service to the One-door Division of the SBV (headquarter); and

ii. The SBV will issue a written letter confirming its receipt of the complete and valid application dossier or requesting for supplementation of the submitted application dossier within 10 (ten) working days from its receipt of the application dossier, instead of 30 (thirty) days as prescribed in Circular 30/2015/TT-NHNN.

• Amending and restating the conditions for the License applied to the owner and founding members which are foreign credit institutions, of which the notable conditions are as follows:

i. Having profits for 3 (three) consecutive fiscal years preceding the year in which the application dossier for the License is submitted, and up to the time of submission of supplemental documents to the application dossier for the License;

ii. Having total assets of more than USD10 (ten) billion at the end of the year preceding the year in which the application dossier for the License is submitted;

iii. Not having committed any serious violations against the regulations on banking operations and other laws of the home country in 5 (five) consecutive years preceding the year in which the application dossier for the License is submitted and up to the date of submission of supplemental documents to the application dossier for the License;

iv. Having experience in international operations, being rated stable or higher by international credit rating agencies; and

v. Not being a strategic shareholder, owner or founding member of another credit institution established and operating in Vietnam, etc.

• Adding provisions on the issuance of the License applied to the owner which is a Vietnamese commercial bank subject to the approved compulsory transfer plan, in particular:

i. An owner which is a Vietnamese commercial bank subject to the compulsory transfer establishing a non-bank credit institution in order to implement the approved compulsory transfer plan shall comply with the following provisions:

a. Not being a strategic shareholder, founding shareholder, owner, or founding member of another credit institution established and operating in Vietnam;

b. Not using funds raised or borrowed from other entities, individuals to contribute capital;

c. Fully fulfilling tax and social insurance obligations under prevailing regulations up to the time of submission of the application dossier for the License; and

d. Having a minimum charter capital equal to the total legal capital requirements applicable for commercial banks and non-banking credit institutions as prescribed by law.

ii. The documents relating to the owner which is a Vietnamese commercial bank subject to the compulsory transfer plan for issuance of the License for limited liability non-bank credit institution are as follows:

a. Written authorization(s) of the Vietnamese commercial bank to its representative of capital contribution in the non-bank credit institution;

b. Written confirmation(s) of the tax authority and social insurance authority on the institution’s fulfillment of tax and social insurance obligations; and

c. Curriculum vitae, Criminal record of the legal representative and the authorized representative representing the capital contribution of a Vietnamese commercial bank in a non-bank credit institution.

In the last few months, the Government issued 2 significant regulations on cybersecurity and personal data protection which are (i) Decree 53/2022/ND-CP providing guidance on the implementation of the Law on Cybersecurity (“Decree 53”) and (ii) Decree 13/2023/ND-CP on personal data protection (“Decree 13”).

To ensure the enforcement of the abovementioned regulations on cybersecurity and personal data protection, on 31 May 2023, the Ministry of Public Security (“MPS”) circulated a 3rd version of the draft decree on cybersecurity administrative sanctions (“Draft CASD”) for public consultation. The Draft CASD features an updated list of non-compliances with the cybersecurity and data privacy regulations and also replaces certain regulations covered under the existing Decree 15/2020/ND-CP and Decree 14/2022/ND-CP on administrative sanctions against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions.

Some of the key highlights from the Draft CASD are as follows:

• The Draft CASD will not only apply to entities providing services in Vietnam related to telecommunications, internet, and content services in cyberspace, information technology, cybersecurity, cyberinformation security, but also, to all domestic and foreign individuals and organizations that are involved in processing of personal data in Vietnam and/or of Vietnamese citizens. The entities covered by this broad scope of application of Draft CASD should take steps to ensure they comply with Decree 53 and Decree 13 to avoid any censure once the regulation is officially issued.
• The regulatory time limit for the application of sanctions to normal administrative violations is one (1) year; while the time limit for administrative violations in relation to production, exportation, importation and trading of products and cybersecurity services is two (2) years.
• In brief, Draft CASD governs administrative sanctions in relation to the five (5) main areas: (i) information security; (ii) personal data protection; (iii) cyberattack prevention; (iv) implementation of cybersecurity protection activities; (v) prevention and protection acts against using cyberspace, information technology and electronic means to violate the law on social order and safety.
• Overview of penalties:

− The Draft CASD introduces three (3) classes of penalties with monetary fines being the principal form of penalties. The fines can be applied in addition to, or in lieu of further sanctions or corrective actions.

− The additional sanctions will depend on the nature and severity of the violation and can take the form of suspension of operations or business licenses, confiscation of violating exhibits and expulsion from Vietnam.

− The remedial actions include removal or modification of offending programs or software or products or equipment or it associated information or features, deletion or destruction of offending data, removal or rectification of distorted data, revocation of subscriber information or public apology.

− The Draft CASD will give the Vietnamese supervisory authorities the power to impose sanctions on persons and entities who violate either or both the cybersecurity and the data protection regulations based on its assessment of the severity of the violation.

− Internally committing an infringement, failure to comply with the supervisory authority’s request for remedial action, or lack of collaboration with the authorities can increase the penalties.

− For aggravated violations such as processing personal data for marketing and advertising activities without the data subject’s consent, sale and purchase of personal data and failure to file the impact assessment report with the authorities could attract fines of up to 5% of an organization’s revenue for the preceding financial year or profits in Vietnam in addition to any other remedial measures or sanctions.

− Relevant authorities who have the power to impose administrative sanctions for violations will depend on the nature and severity of the violation include competent officials of the People's Public Security, People's Committees at all levels, Inspectors of the Ministries, Border Guards, and Vietnam Coast Guard, which the Director of the Department of Cybersecurity and High-Tech Crime Prevention (A05) being the regulator with the highest authority.

• As the regulations on personal data protection came into force on 1 July 2023, we expect that this decree on cybersecurity administrative sanctions will be issued in the coming months. This will mean that there will be uptick in enforcement action in the personal data space. Notably, a violation that is liable for punishment can be detected through inspection activities conducted by the relevant authorities or by customers or potential customers who escalate their dissatisfaction to the authorities or through a review of the mandatory filing of an organization’s processing activities or cross border transfer activities. As such, all businesses should in the coming weeks become familiar with their statutory obligations to be able to demonstrate compliance and avoid penalties.