In September 2018, the Government issues Decree 117/2018 on protection of customers information in banking sectors replacing Decree 70/2000. Decree 117/2018 applies to confidentiality, storage and providing of information by credit institutions and foreign bank branches (collectively referred to as CI) relating to the deposit and asset of customers with the CI. The following points are notable:

·       Decree 117/2018 does not apply to, among other things, information, which is classified as State secrets and which is governed by State secrets regulations. Under the old Decision 151/2003 of the Ministry of Police, information regarding customer deposits with a CI is classified as “State secret” at secret level. It is not clear if this classification still remains valid since Decision 45/2007 of the State Bank, which is based on Decision 151/2003, does not list customer deposit information as a State secret. Decree 117/2018 does not clarify this uncertainty;

·       Customer information of a CI can only be provided without the customer’s consent if the requesting party has the right to request the CI to provide customer information under specific regulations of the law or resolution of the National Assembly. The reference to law and resolution of the National Assembly could mean that the Government or other Ministries cannot issue regulations which allow non-consensual disclosure of customer information of a CI. However, it is not clear how this provision will be enforced since Decree 117/2018 itself is not a law for the National Assembly;

·       A CI is not allowed to provide customer authentication information (secret code, biometrics data, access password and other customer authentication information) to any third party without consent of such customer or other form of agreement with such customer. It seems that if the customer agreed for the CI to provide its authentication information in a general terms and conditions, the CI might be allowed to disclose such information;

·       A third party can only request a CI to provide customer information pursuant to its right purpose, content, scope or regulated authority or upon the consent of the customer and such third party has to be responsible for such request. The third party must keep confidential customer information provided to it, use such information pursuant to the purpose upon which it requires the information to be provided and is not allowed to provide such information to other party without the consent of the customer, unless regulated by law; and

·       A request for customer information from a CI must have supporting documents unless such request relates to a criminal proceeding or national security.

This post is contributed in parts by Nguyen Hoang Duy, an associate at Venture North Law.