Open Banking is one of the requirements in the roadmap towards digital banking in the present and the future. It creates a joint ecosystem where banks, fintech, and other third parties connect and share data through application programming interfaces (“APIs”). Open APIs in the banking sector are APIs of banks that allow third parties to process data for their own use or to provide products and services to customers. To complete the legal framework for Open API, on 23 July 2024, the State Bank of Vietnam (“SBV”) published the draft circular regulating the implementation of Open API in the banking industry (“Draft Circular”) with the following highlights:
Principles for Open API Implementation
When implementing Open API, the parties comply with the regulations on confidentiality, information provision, and protection of personal data. Data during processing must be exploited and used for the right purpose in the agreement between a bank and a third party.
Furthermore, the Draft Circular requires banks to provide Open API services to third parties for data connection and processing. The provision of Open API must comply with the technical standards list and the Open API functions list as standardized in the Draft Circular. In addition to the list of Open API functions mentioned in the Draft Circular, banks may provide additional Open API functions based on actual needs.
Open API Service Disclosure
Under the Draft Circular, banks are required to publish Open API services on their electronic portal with minimum contents such as (i) a testing system to provide third parties for connecting and processing test data via Open API, (ii) documents for connecting and processing data for Open API testing system including the processing of connections, data processing flows and detailed information for each Open API function, and (iii) list of Open API functions as regulated in the Draft Circular.
Open API Implementation Roadmap
The Open API implementation by commercial banks in Vietnam will be divided into 3 phases in accordance with the Draft Circular as follows:
- Open API functions that allow querying information that banks must publish and disclose according to the law: Within 12 months from the effective date of the adopted circular.
- Open API functions that allow querying customer information with the customer’s consent: Within 18 months from the effective date of the adopted circular.
- Open API functions that allow initiating payment orders and money transfers: Within 24 months from the effective date of the adopted circular.
Conditions for Third Parties
Banks have the right to refuse or suspend cooperation with third parties that does not meet at least the following conditions:
- Have an information system that serves the purpose of connecting and processing third-party data, ensuring safety and cybersecurity that meets at least the equivalent level of the bank’s Open API system, but not lower than level 3 as prescribed in the Government’s decree on ensuring information system safety by level;
- Be a legally operating entity with a tax identification number still active in Vietnam; and
- Ensure personnel with experience for each position: information security, operations, development of information technology systems, and legal compliance in information technology.
Open API Service Contract
The Open API service contract template between the bank and the third party must contain at least content as follows:
- Commitment to the confidentiality of information;
- Commitment to use the data provided by the bank within the correct scope and purpose;
- The third party must notify the bank when detecting employees who violate information security regulations regarding the Open API services;
- Information about products and services;
- Information about service fees (if any);
- Termination clauses; and
- Clauses stating that the information system for connecting and processing data via Open API must reach level 3 or higher.
The Draft Circular is currently past the deadline for collecting feedback. It is expected to be finalized and approved in the last months of 2024.
