Necessary measures to protect customers’ confidentiality
Recently, under the Government’s direction and guidance, the Banking sector has made continuous efforts and closely coordinated with related ministries and State agencies in the digital transformation endeavor, achieving significant results in key areas: raising awareness, improving legal framework, upgrading infrastructure, applying technology in data utilization, and developing digital banking models as well as ensuring security and safety, etc.
However, besides the convenience and benefits that online banking products and services bring, the banking sector also faces risks and challenges related to security and confidentiality, particularly the threat of cyber-attacks, the use of high technology for fraud, and the criminal appropriation of people's money and bank accounts, with increasingly sophisticated tactics.
In implementing the Banking Sector's Plan for the implementation of Project 06 (Decision No. 06/QD-TTg by the Prime Minister: Approving the Project on Developing Applications of Population Data, Electronic Identification and Authentication for National Digital Transformation in the period 2022-2025, with a vision to 2030) and the Coordination Plan with the Ministry of Public Security to carry out the tasks of Project 06, aiming to apply population data, citizen identification card, and electronic identification accounts for activities in the banking sector, contributing to digital transformation and enhancing the effectiveness in combating various types of crime, the SBV issued Decision No. 2345/QD-NHNN dated December 18, 2023, on implementing security and confidentiality solutions in online payments and bank card payments (Decision 2345), replacing Decision 630/QD-NHNN dated March 31, 2017.
Accordingly, from July 1, 2024, financial institutions and payment intermediaries should take measures to minimize risks in online transactions for individual customers, in addition to multi-factor authentication solutions as stipulated in Decision 630/QD-NHNN, as follows: (i) Biometric authentication (through citizen identification card’s chip-based data, VNeID) for transactions valued over 10 million VND or when the total daily transaction value exceeds 20 million VND; when changing devices in conducting Mobile Banking transactions; (ii) Notifications to customers when there are sign-ins to Internet Banking/Mobile Banking applications on different devices; storage of information about devices performing customers' online transactions and authentication logs for at least three months.
According to the SBV, Decision 2345 aims to ensure that online banking transactions are carried out by the actual account holders, in order to protect bank customers, reduce fraud and asset appropriation crimes against customers, and prevent the renting, borrowing, or selling of payment accounts and e-wallets for illegal purposes.
The essence of the solutions stipulated in Decision No. 2345 is to verify that the account holder's information matches the information on the citizen identification card issued by the Ministry of Public Security or the information in the national population database, therefore eliminating counterfeit, unauthorized, and illegal accounts. This allows credit institutions to identify and verify customers accurately during payment transactions.
Regarding the technology solutions stipulated in Decision 2345, from July 1, 2024, all banks and payment intermediaries would apply a common policy for individual customers when conducting transactions over 10 million VND or total transactions in one day exceeding 20 million VND, which involves checking the biometric signs (face) of the person conducting the transaction against the face of the account holder verified with the national population database or the chip-based citizen identification card issued by the Ministry of Public Security. Additionally, before individual customers perform their first transaction using the Mobile Banking application or before transacting on a device different from the one used for the last Mobile Banking transaction, customers must re-authenticate their biometric identifiers.
According to SBV statistics, about 70% of individual customer payment transactions in Vietnam are valued under 1 million VND, transactions over 10 million VND account for only about 11% of the total transactions, and the number of people with daily transactions over 20 million VND is less than 1%. Therefore, biometric authentication does not significantly impact user payment transactions.
By the end of 2023, the Ministry of Public Security had issued over 84.7 million chip-based citizen identification cards and 70.2 million VNeID accounts, ensuring "accurate, complete, clean, and live" data. This is an important data input source for the banking sector to accurately identify and verify customers.
Banks actively assist customers
So far, banks have provided specific guidance for customers on registering biometric authentication. The common installation steps on banking applications include: taking photos of both sides of the chip-based citizen identification card, reading information on the citizen identification card using NFC as instructed, and taking a facial photo to complete the setup.
To set up biometrics, customers need to prepare their chip-based citizen identification card and access the "Biometric Setup" feature on the latest version of the bank’s application to follow the setup instructions.
Step 1: Select the "Biometric Setup" feature on the bank's mobile application.
Step 2: Select the functions and enter the minimum limit requiring biometric authentication. In practice, customers can choose a specific limit under 10 million VND to ensure greater security for their accounts.
Step 3: Take photos of both sides of the chip-based citizen identification card.
Step 4: Read the information on the citizen identification card as instructed.
Step 5: Take a facial photo to complete the setup.
Additionally, customers can directly visit the bank’s transaction counters where their accounts were opened for guidance on setting up biometrics.
After completing the biometric setup, starting from July 1, for transactions requiring authentication according to the regulations, customers will need to perform three steps for biometric authentication on the bank's mobile application.
Step 1: Enter transaction information as usual (amount, recipient’s information, receiving bank, etc.)
Step 2: For transactions exceeding the limits set by the SBV, the application will activate the phone’s camera to authenticate the customer's facial image.
Step 3: Enter the Smart/SMS OTP to complete the transaction.
Many customers have reported difficulties at the “reading information” step on the citizen identification card due to the different positions of the NFC (Near Field Communication) reader on each device or the lack of NFC integration on older devices. Some customers also do not have a chip-based citizen identification card for setup.
Some people encountered difficulties when scanning the NFC chip of the citizen identification card during registration on banking apps, primarily affecting users of newer iPhone models. Some customers have pointed out that Apple Inc. places the NFC chip at the top of the phone, so holding the top of the phone close to the chip on the citizen identification card will ensure successful readings.
According to technology experts, a solution is to enable "Airplane Mode" on the iPhone to disable unnecessary signals, then activate NFC on the phone and position the top of the phone close to the chip on the citizen identification card to guarantee success.
To support customers in overcoming biometric authentication issues for online banking transactions on their phones and ensuring a safe and convenient transaction experience, experts have proposed several solutions:
1. Restart the banking application: This simple step can resolve temporary issues affecting biometric authentication functionality.
2. Ensure adequate lighting and positioning: The surrounding light should be bright enough for the camera to clearly capture the customer's face or fingerprint. Place the phone in a well-lit area with the face/finger centered in the frame, avoiding mirrors or obstructing objects.
3. Clean the phone: Dirt and dust on the camera or fingerprint sensor can hinder recognition. Use a soft, dry cloth to gently clean the phone.
4. Update the banking application: Updating to the latest version of the banking app ensures optimized security features and minimizes errors. Customers can update the app through the App Store or Google Play.
5. Restart the phone: Restarting the phone is a simple but effective step to resolve many technical issues, including those related to biometric authentication.
6. Contact the bank's customer support: If customers have tried all the above solutions but still cannot complete the transaction, they can contact the bank’s customer support for additional advice and assistance.
According to the SBV, customers who do not have a chip-based citizen identification card (but have a valid citizen identification card or ID card as per legal regulations), foreign customers, and customers using phones without NFC support only need to register their biometric information once at the bank's counter in order to perform online transactions over 10 million VND. After that, they can perform transactions via the Mobile Banking/Internet Banking application without visiting the counter.
In the future, when the Ministry of Public Security provides electronic identification and authentication services, banks will integrate Mobile Banking/Internet Banking applications with the electronic identification and authentication system to allow customers to register biometric information through the electronic identification account issued by the Ministry of Public Security.
Some Notes for Customers
Amid the complex developments in cybercrime, in addition to the information security measures that banks are taking (such as those under Decision 2345), citizens should also enhance their awareness of online safety and strictly adhere to the guidelines for the safe use of electronic banking services.
To avoid the risk of losing funds from their accounts, customers should note the following: For online transaction service passwords, set difficult-to-guess passwords, ensure safety rules are followed, change passwords regularly, and do not use password-saving features for automatic login. Do not provide online banking usernames, passwords, or authentication codes (OTP) over the phone, email, social networks, or websites to anyone, including bank employees.
In the case of a breach or suspected breach of username/password, customers should promptly notify the bank for timely assistance.
In the event of card loss, lock the card on the electronic banking application or notify the bank as soon as possible to avoid the risk of losing funds from the card.
Customers should also:
- Limit the use of public computers and public wireless networks when accessing electronic banking systems.
- Type the web address of electronic banking sites directly instead of choosing available links, and only log in at the bank's official website.
- Only install applications from official stores like Google Play and the App Store.
When installing applications on devices, check the application developer's information and carefully review the app’s permissions. Regularly update the device's operating system to receive the latest security patches from the manufacturer. Shop and pay online at reputable, licensed websites with clear contact information. Proactively safeguard personal information and account details. Regularly monitor and update security warnings from banks and mass media regarding online payment security.
Research and International Cooperation Department (translation)