Vietnam Proposes Regulatory Sandbox for Banking Sector: Draft Decree Guidelines

Posted by Written by Melissa Cyrill Reading Time: 5 minutes

A new Vietnam Draft Decree proposes a Regulatory Sandbox in the banking sector focused on three solutions, provided either by credit institutions or fintech companies – credit scoring, open application programming interface (API), and P2P lending.

It is an effort on the part of the government to regulate technology-based applications in an increasingly digitized banking and financial sector, prevent risks such as money laundering and terrorist financial, and ensure that fintech and non-banking financial companies can engage in fair competition with financial institutions.

On March 4, 2024, the State Bank of Vietnam (SBV) issued a Draft Decree on establishing a Regulatory Sandbox in the banking sector. The Law on Credit Institutions No. 32/2024/QH15, dated January 18, 2024, provides a legal basis for the issuance of this Draft Decree.

The Draft Decree has been submitted by the SBV to the Government.

Scope of application

The Draft Decree states that participation in the Regulatory Sandbox will be open to entities classified as either a credit institution under the Law on Credit Institutions or a fintech company.

Solutions must operate exclusively within Vietnam, as cross-border supply is not permitted. Each solution’s activities are restricted to their approved scope by the SBV, with no changes to customer numbers or transaction limits permitted during the Regulatory Sandbox term.

The Draft Decree outlines three fintech solutions to be included in the Regulatory Sandbox: credit scoring, open API, and P2P lending.

The draft decree has gone through seven revisions since 2023, per media reports. The latest version excludes five other solutions present in the previous version, namely payment services, credits, client identification support services, solutions utilizing innovative technologies like blockchain, and additional banking supporting services such as savings and capital mobilization. The central bank made this decision due to limited sources of implementation.

Requirements for eligible entities

According to the Draft Decree, eligible entities must obtain a Registration Certificate to participate in the Regulatory Sandbox. Eligible entities are mandated to launch their solutions within 90 days of receiving the Registration Certificate from the SBV.

To qualify for this certificate, solutions offered by eligible entities must meet the following conditions:

  • The solution’s technical and business aspects must not be clearly regulated under current regulations for implementation and application.
  • The solution must demonstrate innovation, providing benefits and added value to users in Vietnam, particularly promoting financial awareness.
  • The solution must incorporate a risk management framework that minimizes negative impacts on the banking system and financial/foreign exchange operations, along with a feasible plan for addressing and mitigating risks during the testing period.
  • The solution must undergo a comprehensive review by eligible entities regarding its operation, functionality, usefulness, and practicality.
  • The solution must be viable for market deployment following completion of the Regulatory Sandbox.

Additionally, fintech companies must meet specific conditions:

  • For P2P lending companies, they cannot engage in pawnshop businesses, and their management teams must not include individuals holding positions in financial institutions, foreign bank branches, or intermediary payment service providers. Legal representatives and general directors of P2P lending companies must hold a bachelor’s degree or higher in economics, business administration, law, or information technology, with at least two years of managerial experience in banking and finance.
  • Other fintech companies must be legally incorporated and operating within Vietnam, without undergoing certain organizational changes or being subject to special controls as defined by the Law on Credit Institutions. Similarly, legal representatives and general directors must hold relevant qualifications and managerial experience.

Reporting requirements

Eligible entities enrolled in the Regulatory Sandbox are mandated to furnish the SBV with regular and ad hoc reports throughout the program’s duration. They are entrusted with delivering timely updates and ad hoc information pertaining to the Regulatory Sandbox, emerging risks, and program outcomes to the SBV. Furthermore, these entities bear the responsibility of devising reporting standards tailored to the specialized nature of their solutions.

Quarterly reports detailing the operational performance of the solutions must be furnished by eligible entities, with a deadline no later than the 12th day of the subsequent quarter. Moreover, these entities must generate preliminary evaluation reports on the implementation outcomes of the solutions, either after six months or one year (depending on the approved duration for each solution) from the issuance date of the Registration Certificate. These reports should encompass various aspects including solution deployment, operational status, market acceptance levels, technical challenges, security measures, fraud risks, anti-money laundering risks, terrorist financing risks, and risks associated with financing weapons of mass destruction.

Eligible entities are obligated to promptly notify the SBV via email at within 24 hours of any incidents causing disruptions or serious risks. A written report must subsequently be submitted within three working days after resolving the incident.

Customer protection obligations

To ensure the protection of customers’ legal rights and interests while utilizing the Solutions, Eligible Entities must fulfil the following obligations:

  • Provide customers with risk advisory guidelines when using the solution during the Regulatory Sandbox period.
  • Inform customers of the solution’s usage under the Regulatory Sandbox and furnish accurate, comprehensive, and transparent information regarding the solution, including service fees, customer rights, and obligations for each solution.
  • Safeguard the safety and confidentiality of customer information both during and after the solution’s usage, unless compelled to provide such information by competent state agencies as per the law.
  • Enforce regulations to safeguard customer information during its storage and transmission, employing security mechanisms such as encryption, anonymization, and data concealment. If collecting, using, or transferring customer information, Eligible Entities must (a) inform customers of the purpose of information usage beforehand, (b) utilize the information solely for the stated purpose, and (c) ensure the accuracy and sufficiency of data collection. Transfer of customer information to third parties is permissible only after obtaining customer consent, using technical measures to verify such consent.
  • Establish and enforce internal regulations and risk control measures to prevent unauthorized access, use of personal data, fraud, and personal information theft.
  • Conduct regular risk assessments, implement preventive risk measures during the Regulatory Sandbox period, and promptly inform customers of any changes in the risk level of the solution.
  • Establish a dedicated customer complaints department to address claims or complaints from customers.

Proposed testing period

The Regulatory Sandbox shall operate for a maximum of two years, beginning from the issuance of the Registration Certificate. The duration may vary based on factors such as the complexity and innovation of the solution, determined at the SBV’s discretion. Upon completion of the Regulatory Sandbox:

  • Eligible entities may request an extension if the official legal framework for the solution has not been established. This request, accompanied by a report on the Sandbox’s results, must be submitted to the SBV at least 90 days before the Sandbox’s expiry. Extensions are limited to a maximum of two times, each not exceeding one year.
  • Eligible entities shall receive a Completion Certificate under two circumstances:
    (a) If the official legal framework for the solution is promulgated and, in effect, they can operate in compliance with current regulations.
    (b) If the solution’s implementation is evaluated as not violating existing regulations, they can officially deploy the solution to the market.

About Us

Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Asia, including ASEAN, China, and India. For editorial matters, contact us here and for a complimentary subscription to our products, please click here. For assistance with investments into Vietnam, please contact us at or visit us at

Dezan Shira & Associates assists foreign investors throughout Asia from offices across the world, including in Hanoi, Ho Chi Minh City, and Da Nang. We also maintain offices or have alliance partners assisting foreign investors in China, Hong Kong SAR, Dubai (UAE), Indonesia, Singapore, Philippines, Malaysia, Thailand, Bangladesh, Italy, Germany, the United States, and Australia.