One Infrastructure for Circular 64, AI Law 134, and Decree 13
- Adin Mathitharan
- Lead Marketing Officer/Regional Marketing Manager, WSO2
WFIS Global Vietnam ran two days of panels across digital transformation, AI strategy, cybersecurity, and retail banking. The AI thread ran through almost everything: autonomous customer journeys, explainability in AI decisions, enterprise governance, and predictive analytics. Vietnamese banks are clearly investing.
One question didn't come up: how do you govern AI systems in regulated production, when two overlapping legal frameworks and full State Bank of Vietnam (SBV) oversight both apply to the same systems?
That gap matters because the market has already moved. For example, Sacombank launched its Open API platform in March 2026, connecting corporate clients directly into ERP and treasury workflows they already use. Circular 64's implementation clock started in March 2025. Both the compliance timeline and the AI governance mandate running alongside it are real. The conversation that did not happen at WFIS is the one that determines which banks are operationally ready when the deadlines arrive.
Circular 64 is more than a compliance timeline
Circular 64 defines a three-phase open banking rollout with a full compliance deadline of March 2027. Most banks are reading it as a schedule. Each phase is also a distinct commercial window.
Phase 1 enables market data APIs and the fintech partnerships that run on them. Phase 2 introduces consent-based data access, the foundation for personalised credit, embedded finance, and data-driven product offers that need a richer customer view than a closed stack can provide. Phase 3 adds payment initiation and Banking as a Service, opening the revenue model that comes with embedding bank services inside third-party platforms.
Banks that treat each phase as an audit pass exit 2027 with compliant infrastructure and no commercial edge. Treating each phase as a market entry point produces something different: a new customer acquisition model on the back of the same regulatory work. ICICI Bank's iLens platform uses 150+ API integrations to deliver instant loan decisions, cutting a paperwork-heavy process down to a fully digital one. The compliance work was the foundation. The commercial result came from what each bank built on it.
AI governance is banking's next compliance challenge
Vietnam's AI Law No. 134/2025, effective March 1, 2026, sets specific requirements for AI in financial services: transparency about AI capabilities, mandatory disclosure of human oversight mechanisms, prohibition on AI used to deceive or manipulate, and full audit trails for AI-driven decisions. The financial sector has an 18-month grace period to September 2027
Vietnamese banks are running AI pilots at scale. The risk is not ambition. Gartner warns that over 40% of agentic AI projects will be cancelled by 2027 due to inadequate risk controls. The reason most fail is rarely the AI. It is the enterprise infrastructure that was not ready for production.
The governance challenge is not a model problem. When an AI agent accesses customer data to generate a recommendation or initiate a payment, it needs an auditable identity, realtime verification that the customer's consent covers that specific action, and a log that satisfies the SBV and a compliance officer. Traditional identity and access management was built for human users and service accounts. AI agents are neither.
One infrastructure; three regulatory obligations
Circular 64, Vietnam's AI Law, and Decree 13 each impose obligations on the same underlying systems.
The three regulations overlap more than most banks realize. Circular 64 requires consent management, API governance, and an identity layer for secure data sharing. Vietnam's AI Law needs those same systems queryable in real time, so every AI action can be traced to a specific consent record. Decree 13 then adds data privacy obligations: what data the bank holds, why it holds it, and whether the customer's consent covered that use. Build the consent and identity infrastructure once, at sufficient scope, and it satisfies all three.
Treating these as three separate compliance programmes means building three audit systems and three consent frameworks that will eventually need to be reconciled. One infrastructure decision built correctly means building it once. The consent platform, API management layer, and identity stack required for Circular 64 are the same components required for AI agent governance and Decree 13 compliance.
How banks can build once for open banking and AI
The encouraging news is that banks do not need to build separate governance platforms for Open Banking and AI. The same architectural foundations, including identity, consent, API governance, and policy enforcement, can support both regulatory requirements when designed as a unified platform.
WSO2 has worked with financial institutions across Europe, Australia, the Middle East, and Asia to build secure open banking platforms. The same architectural principles naturally extend to AI governance, enabling banks to manage APIs, identities, consent, and AI agents through a single governance model instead of separate technology stacks.
Three architecture decisions banks should make now
Banks still in Phase 1 or entering Phase 2 have flexibility. By Phase 3, the core architectural choices are fixed.
Is your consent platform a compliance record or a customer asset?
A consent system built to pass an audit records that permission was given. A consent platform built as customer infrastructure records what was permitted and what was declined, then makes that useful: which products suit this customer, what credit limit their shared data supports, and whether the bank has consent to let an AI agent act on their behalf. A minimum-spec build cannot answer those questions. The build difference between the two approaches is not large. The commercial difference, compounded over years of decisions the platform either can or cannot support, is.
Is your API layer designed for regulatory inspection or ecosystem consumption?
Circular 64's intent is a level playing field for the fintech ecosystem, not a bilateral arrangement with one or two named partners. Banks that test against real third-party consumption during Phase 1 arrive at Phase 2 with infrastructure that works under load. The ones that optimize for the audit in isolation tend to find the gaps when the ecosystem shows up.
Will open banking governance and AI governance be built as one platform or two?
Banks that build AI governance as an extension of their open banking architecture will avoid duplicate identity, consent, and audit systems. Those that treat them as independent initiatives risk creating disconnected governance models that become difficult to reconcile over time.
Platforms designed around a unified governance architecture allow banks to manage APIs, identities, consent, and AI agents as part of a single control plane rather than separate technology stacks. WSO2 follows this approach, helping financial institutions extend the same foundation built for Open Banking to support AI governance.
The foundation determines the future
Every session at WFIS touched AI. None addressed how that AI gets governed in regulated production: kept within its permitted scope, and backed by audit trails a regulator will actually accept.
Circular 64 comes with a deadline and a commercial opportunity attached. Vietnam's AI Law adds a governance mandate on the same systems. Decree 13 adds data accountability on top of both. The infrastructure that satisfies all three is the same infrastructure, which means the architecture decisions made in Phase 1 and Phase 2 are the ones that determine whether a bank is compliant, or compliant and ahead.
Circular 64, the AI Law, and Decree 13 all land on the same architecture decisions. If you're weighing those decisions now, talk to one of our experts about what a unified governance platform would look like for your bank.