Mobile banking must meet new security standards from March 1, 2026.

The State Bank of Vietnam (SBV) has officially issued Circular No. 77/2025/TT-NHNN amending and supplementing several articles of Circular 50/2024/TT-NHNN. This new legal document sets stricter requirements for credit institutions in managing their mobile banking systems, aiming to combat increasingly sophisticated forms of cybercrime.

The application's security is assessed periodically, every three months.

According to new regulations effective from March 1, 2026, banks and credit institutions are required to conduct security and safety assessments of all versions of their mobile banking applications at least every three months. This activity aims to review, detect, and promptly fix security vulnerabilities that could be exploited by criminals.

Notably, when customers activate the application on a new device or reactivate the service, credit institutions are only allowed to provide the latest version or the most recent version that fully meets security standards. This regulation also requires institutions to implement technical solutions to completely prevent users from downgrading the application to lower versions, which pose many security risks.

Trading is temporarily suspended upon detection of a critical vulnerability.

Circular 77/2025/TT-NHNN clearly stipulates the procedures for handling security risks upon detection. If a vulnerability is assessed as high or serious, the credit institution must immediately implement control measures, including restricting or suspending transactions. This helps prevent system attacks and the misappropriation of customer assets while awaiting remediation and a new version update.

Furthermore, the Mobile Banking application must be equipped with a feature to automatically detect unauthorized interference. The application will automatically stop or exit the system if it detects that the customer's device shows signs of being rooted, jailbroken, having its bootloader unlocked, running in an emulator environment, or has been injected with malware or debuggers.

Upgrading Deepfake anti-counterfeiting standards.

In response to the surge in AI-powered fraud, the State Bank of Vietnam requires that biometric presentation attack detection (PAD) solutions meet the international standard ISO 30107 level 2 or equivalent.

These solutions need to be recognized by leading reputable organizations such as the FIDO Alliance. Adopting the ISO 30107 Level 2 standard will enhance the ability to identify deepfake image and video attacks, thereby ensuring the highest level of authenticity for every digital banking transaction for Vietnamese users in the future.