MONTHLY LEGAL UPDATE – 11/2020: LEGAL UPDATE RELATING TO FINANCE AND CREDIT
1. LEGAL DOCUMENTS ARE EFFECTIVE FROM 01/11/2020
v Name of legal document: Circular No. 09/2020/TT-NHNN issued on 21/10/2020 by the Governor of the State Bank on information system security in banking operations (referred to as the “Circular No. 08/2020/TT-NHNN).v Effective date: 01/01/2021.The content should be noted: Regulation on classification of other information systems which were not regulated in Decree No. 85/2016/ND-CP dated July 01, 2016 of the Government in information system in baking operations.
Specifically, Clause 1, 2, 3, 4, 5, 6 and 7 of Article 5 Circular No. 09/2020/TT-NHNN stipulates: “Article 5. Classification of information systems
1.
For information systems that provide online services to customers, the
institution shall conduct the classification according to the provisions of
Decree No. 85/2016/ND-CP dated July 1, 2016 of the Government on the security
of information systems by classification. For other information systems, it
shall be classified according to the provisions of Clauses 2, 3, 4, 5, 6, 7 of
this Article.
2.
Information system level 1 is an information system that serves internal
activities of the institution and only processes public information.
3.
An information system of level 2 is an information system that has one of the
following criteria:
a)
Information systems serving internal activities of the institution, processing
private information, personal information of users, information restricted to
access according to regulations of the institution but do not processing secret
state information;
b)
The customer service information system does not require 24/7 operation;
c)
Information infrastructure system serving the operation of a number of sections
of the institution or the microfinance institution, the grassroots people's
credit fund.
4. An information system level 3 is an information system that has one
of the following criteria:
a) An information system that processes confidential state information
at Confidential level;
b) An information system serving daily internal operations of the institution
and refusing to stop operating for more than 4 working hours from the time of
shutdown;
c) An information system serving customers that require 24/7 operation
and do not accept to stop operation without prior planning;
d) Payment systems of third party that the institution use for payment
outside the institution's system;
dd) The shared information infrastructure system serving the operation
of the institution and the banking sector.
5. An information system of level 4 is an information system that has
one of the following criteria:
a) An information system that processes confidential state information
at the top confidential level;
b) An information system serving customers that processes and stores
data of 10 million customers or more;
c) The national information system in the banking sector, requires 24/7
operation and does not accept to stop operation without prior plan;
d) An Important payment system in the banking sector in accordance with
regulations of the State Bank;
dd) A shared information infrastructure system for banking sector
operations, requiring 24/7 operation and refusing to stop operation without
prior plan.
6. An information system of level 5 is an information system that has
one of the following criteria:
a) An information system that process confidential state information at
the Absolute Secret level;
b) A national information system in the banking sector serving the
interconnection of Vietnam's activities with the international;
c) A national information infrastructure system in the banking sector
serving the interconnection of Vietnam's activities with the international.
7. In the case of an information system consisting of many component
systems, each of which corresponds to a different level, the information system
level is defined as the highest level in the of the constituent systems.”
v Name of legal document: Circular No. 10/2020/TT-NHNN issued on 02/11/2020 by the State Bank of amendment and addition to a number of articles of the Circular No. 28/2015/TT-NHNN dated December 18, 2015 of the Governor of the State Bank of Vietnam regulating the management and use of digital signature, digital certificate and authentication service of digital signature of the State Bank (referred to as the “Circular No. 10/2020TT-NHNN”).v Effective date: 01/01/2021.Some contents should be noted:
·
Firstly, amending and supplementing
regulations on granting digital certificates.
Specifically, Clause 6 Article 1 Circular
No. 10/2020TT-NHNN stipulates: “Article
1. Amending and supplementing a number of articles of Circular 28/2015/TT-NHNN
...
6. Article 5 (Circular No. 28/2015/TT-NHNN) is amended and supplemented
as follows:
“Article 5. Grant digital certificates
1. When in need of granted digital certificate or supplement profession
of digital certificate, the subscriber-managing organization shall send 01
(one) set of dossier, including:
a) To grant digital certificate and supplement profession of digital
certificate to individuals who are competent:
- An application form for granting digital certificate or
supplementation profession of digital certificate according to Appendix 01
enclosed herewith (Circular No. 28/2015/TT-NHNN);
- An application form for granting digital certificate or
supplementation profession of digital certificate for individuals according to
Appendix 02 (Circular No. 28/2015/TT-NHNN) enclosed herewith;
- Documents proving the legal representative status of a competent
person of an agency or organization as follows:
+ Enterprise registration certificate or certificate of cooperative
registration or documents of equivalent value for enterprises, credit
institutions, foreign bank branches;
+ Appointment decision of the person applying for granting digital
certificate and supplementing profession of digital certificate (for state
agencies).
b) To grant digital certificate and supplement profession of digital
certificate to individuals who are authorized by a person:
- An application form for granting digital certificate or
supplementation profession of digital certificate according to Appendix 01
enclosed herewith (Circular No. 28/2015/TT-NHNN);
- An application form for granting digital certificate or
supplementation profession of digital certificate for individuals according to
Appendix 02 enclosed herewith (Circular No. 28/2015/TT-NHNN);
- Authorization document of the authorized person allowing the
authorized person to represent the organization to sign and approve documents,
documents, reports, transactions on the information system corresponding to the
profession of the digital certificate applied for granting. Authorized person
is not allowed to authorize another person to perform;
- Document certifying the title of the person applying for granting
profession of digital and supplementing profession of digital certificate.
c) To grant digital certificate and supplement profession of digital
certificate to organizations:
- An application form for the granting digital certificate or supplementation
of digital certificate to the organization according to Appendix 02a issued
with this Circular (Circular No. 28/2015/TT-NHNN);
- Establishment decision or decision specifying functions, duties,
powers, organizational structure or certificate of business registration or
certificate of registration of the cooperative or papers of equivalent value.
2. In case a digital certificate has been granted and is still valid
and is requested by the subscriber-managing organization to supplement the
digital certificate profession, the Information Technology Department shall
supplement the profession to the existing subscriber's digital certificate.
3. Time limit for settlement and implementation results
Within 05 working days from the day on which the application for
digital certificate is received, the Department of Information Technology shall
inspect the application, issue digital certificates or supplement digital
certificate profession to subscribers, send digital certificate granting notice
and digital certificate activation code to the email address and text message
to subscribers' mobile phone number. For digital certificates for
organizations, the Information Technology Department shall send notices of
digital certificate granting and digital certificate activation code to the
email address and text message to the mobile phone number of the focal officer
in charge about digital certificate of the subscriber management organization
according to the provisions of Clause 1, Article 14 of this Circular (Circular
No. 28/2015/TT-NHNN).
In case the dossier is invalid, the Information Technology Department
shall refuse to process the dossier and state the reason. Feedback and dossier
processing results comply with Clause 3 Article 4a of this Circular (Circular
No. 28/2015/TT-NHNN).
4. The digital certificate activation code is valid for up to 30 days
from the date the digital certificate is issued. For newly issued digital
certificates, subscribers must activate their digital certificates before the
expiration of the activation code. Guidance documents on activation and renewal
of digital certificates of the State Bank are posted on the State Bank's web
portal. For digital certificates with additional profession added, subscribers
are not required to activate digital certificates.
5. The validity period of a subscriber's digital certificate is
proposed by the subscriber-management organization but must not exceed 05 years
from the date of activation of the digital certificate.””
·
Secondly, amending and supplementing
regulations on extension and change of information about digital certificates.
Specifically, Clause 7 Article 1 of
Circular No. 10/2020/TT-NHNN stipulates: ““Article
1. Amending and supplementing a number of articles of Circular 28/2015/TT-NHNN
...
7. Article 6 (Circular No. 28/2015 / TT-NHNN) is amended and
supplemented as follows:
"Article 6. Renewal and change of digital certificate information
content
1. Digital certificates requested for information renewal or change
must be valid.
2. Effective period of digital certificates:
a) Digital certificates, after being renewed, will be valid from the
time of successful renewal but not exceeding 5 years;
b) Changing the contents of information of a digital certificate does
not change the validity period of a digital certificate.
3. In case of extension or change of information of digital
certificates:
a) The subscriber-management organization requests the extension of the
subscriber's digital certificate at least 10 days before the expiration of the
digital certificate's validity;
b) The subscriber-management organization requests to change the
content of information about the subscriber's digital certificate within 05
working days from the date of the following changes:
- Subscriber changes title, position or working department;
- Subscriber changes information of Identity Card/Citizen's Identity;
- Subscriber changes address information, email, phone.
4. The subscriber-management organization sends 01 (one) set of dossier
to request the renewal or change of digital certificate information, including
the request for renewal or change of digital certificate information content
according to Appendix 03. issued together with this Circular (Circular No.
28/2015/TT-NHNN).
5. Time limit for settlement and implementation results
Within 05 working days from the date of receipt of the dossier for the extension or change of digital certificate content, the Information Technology Department shall inspect the dossier, renew or change the content of digital certificate for subscription. In case the dossier is invalid, the Information Technology Department shall refuse to process the dossier and state the reason. Feedback and dossier processing results comply with Clause 3 Article 4a of this Circular (Circular No. 28/2015/TT-NHNN).
Receive the notice of approval for digital certificate extension, subscriber shall renew digital certificate according to the instruction manual on activation and renewal of digital certificate posted on the Portal of the State Bank.””
