Innovation, Inclusion, and Interoperability - Vietnam’s Leap into Open Banking

Vietnam is one of Asia's most significant high-growth markets for open banking adoption. With a young, tech-savvy population, rapid digital adoption, and a vibrant fintech ecosystem, the country is uniquely positioned to leapfrog traditional banking models.

Vietnam's financial sector is ripe for mobile-first innovation. The country has roughly 49 financial institutions and an internet penetration rate approaching 80%, supported by a youthful, digitally proficient population. Given that nearly half of Vietnam's adults are unbanked or underbanked, tens of millions stand to gain from better access to credit, savings, and payments. Vietnam's open banking trajectory holds not only domestic significance but also global implications.

Open banking allows banks to securely share customer-permissioned data with third-party providers through standardized APIs.

For customers, this enables:

  • Better choice – Customers can compare various products and switch between them easily.
  • New services – Customers get access to a wide range of apps that aggregate accounts, track budgets, or offer faster loans.
  • Greater control – Customers get control over their data and decide who can access their data and for how long.

Banks benefit from:

  • New revenue streams and products - Banks can partner with FinTechs to create and offer new, personalized products and services, generating new income.
  • Enhanced customer loyalty - By providing a better, more convenient customer experience, banks can build stronger relationships and retain customers.
  • Operational efficiency - Open banking automates manual processes and reduces transaction costs, which improves overall business efficiency.
  • Improved security - The use of secure APIs and enhanced security protocols helps banks reduce fraud and stay compliant with regulations.

The new regulatory blueprint: What Circular 64 mandates

On December 31, 2024, the State Bank of Vietnam (SBV) issued Circular 64/2024/TT-NHNN, a landmark regulation that formally introduces Open Application Programming Interfaces (Open APIs) into Vietnam’s financial ecosystem. Coming into effect on March 1, 2025, this regulation sets out the technical, operational, and legal framework for banks and third-party providers to share financial data through standardized, secure APIs — with explicit customer consent at the heart of the process. It is a clear signal that Vietnam is ready to embrace innovation, aiming for greater financial inclusion, competition, and consumer empowerment.

By mandating Open API adoption, the SBV aims to:

  • Foster innovation and competition
  • Improve customer choice and service quality
  • Enhance financial inclusion
  • Support Vietnam’s broader digital transformation agenda

Let’s explore the circular’s provisions, its implementation roadmap, and its likely ripple effects across banks, fintechs, and everyday customers.

Who must comply? 

Of the different categories of banks in Vietnam, Circular 64 applies to the following:

  • Commercial banks (both state-owned and private)
  • Cooperative banks
  • Foreign bank branches operating in Vietnam

However, it does not apply to:

  • APIs handling state secret data
  • Internal system integrations
  • Connections with the electronic clearing system’s governing body

Core principles of the framework

Through Circular 64, the SBV aims to establish the following general principles across the financial ecosystem:

Legal compliance

  • All parties — banks, customers, and third parties — must comply with Vietnam’s laws on the protection, provision, and confidentiality of customer data.
  • This includes following the Law on Protection of Personal Data and Law on Cybersecurity, which strictly regulate how personal and financial information is collected, stored, and shared.
  • Importantly, data processing is only lawful when it directly serves the respective customer, unless other legal provisions apply. This ensures that customer information cannot be exploited for unrelated commercial purposes.

Purpose limitation

  • Data obtained through Open APIs must only be used for the purposes stated in the contract between the parties, and always in compliance with the law.
  • For example, if a customer consents to sharing transaction history for credit scoring, the third party cannot use that same data for unrelated marketing unless they secure new, separate consent.
  • This principle safeguards against function creep, where data is repurposed beyond the original agreed reason.

Accuracy

  • Customer data shared via Open APIs must be current, correct, and complete during its entire lifecycle of processing.
  • If errors or discrepancies arise (e.g., mismatched balances, incomplete transaction lists), the responsible parties must promptly correct them according to pre-agreed processes in their contracts.
  • This ensures that services relying on API data — such as payments, account aggregation, or loan approvals — remain reliable and trustworthy.

Specific requirements for Open APIs

As per the circular, the mandated basic Open APIs fall into these categories:

  • Rates and market data
    • Retrieval of interest rates
    • Retrieval of exchange rates
  • Customer data access
    • Consent and authorization management APIs (obtain, refresh, revoke access codes)
    • Account list retrieval
    • Account details retrieval
    • Transaction history retrieval
  • Payment and e-wallet operations
    • Payment initiation (initiate, confirm, retrieve status)
    • E-wallet cash-in (deposit, OTP confirmation, status tracking)
    • E-wallet cash-out

The circular also specifies the following technical standards:

  • Architecture – Secure, scalable, and interoperable design
  • Data exchange - REST being mandatory, and SOAP for the bank’s extended Open APIs
  • Data exchange formats – JSON being mandatory and XML for the bank’s extended Open APIs
  • Security – OAuth 2.0, OIDC, SAML v2.0, TLS 1.2+, JWE, JWS, PKCS #1, system security level 3 compliance
  • Information System Security - ISO27001:2013, TCVN11930:2017 - one of these two being mandatory

As per the circular, when it comes to contracts with third parties, every API connection must be governed by a contract covering:

  • Data security commitments
  • Purpose and scope of data use
  • Notification obligations for breaches
  • Service terms and fees
  • IT system security classification
  • Access rights, termination terms

New responsibilities for banks and fintechs

With the introduction of the new Open APIs/open banking initiative, banks and third parties are entrusted with a set of new responsibilities. Let’s look at some of them.

For banks

  • Build and maintain IT infrastructure for Open APIs
  • Provide consent dashboards for customers
  • Limit access duration to 180 days unless otherwise agreed
  • Keep access logs for 3 months and store them for 1 year
  • Supervise third-party access and prevent unauthorized requests
  • Report implementation progress to SBV
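One way a bank's API gateway could enforce the purpose limitation principle and the 180-day access limit on every data request, as an added example that is not taken from Circular 64 or from WSO2's products. The record fields, the reason strings, the `check_access` function and the sample consent are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CONSENT_DAYS = 180  # default access duration; a contract may agree otherwise

@dataclass(frozen=True)
class Consent:                              # hypothetical consent record
    customer_id: str
    tpp_id: str                             # third party the consent was issued to
    purposes: frozenset                     # purposes the customer agreed to
    granted_at: datetime
    expires_at: datetime                    # expiry recorded when consent was issued
    revoked_at: Optional[datetime] = None   # set when the customer withdraws consent
    agreed_max_days: Optional[int] = None   # only if a different duration was agreed

def check_access(consent, tpp_id, purpose, now):
    """Return (allowed, reason) for one API call made under `consent`."""
    if consent.tpp_id != tpp_id:
        return False, "consent_not_issued_to_this_tpp"
    if consent.revoked_at is not None and consent.revoked_at <= now:
        return False, "consent_revoked"
    days = MAX_CONSENT_DAYS if consent.agreed_max_days is None else consent.agreed_max_days
    # Enforce the cap even if the stored expiry was issued with a longer lifetime.
    hard_expiry = min(consent.expires_at, consent.granted_at + timedelta(days=days))
    if now >= hard_expiry:
        return False, "consent_expired"
    if purpose not in consent.purposes:
        # Reuse for a new purpose (e.g. marketing) needs new, separate consent.
        return False, "purpose_not_consented"
    return True, "ok"

# Constructed sample: consent for credit scoring, mis-issued with a 365-day expiry.
GRANTED = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE = Consent("cust-001", "tpp-credit-score", frozenset({"credit_scoring"}),
                 granted_at=GRANTED, expires_at=GRANTED + timedelta(days=365))

if __name__ == "__main__":
    day10 = GRANTED + timedelta(days=10)
    day181 = GRANTED + timedelta(days=181)
    print(check_access(SAMPLE, "tpp-credit-score", "credit_scoring", day10))
    print(check_access(SAMPLE, "tpp-credit-score", "marketing", day10))
    print(check_access(SAMPLE, "tpp-credit-score", "credit_scoring", day181))
```

Logging the returned reason for each denied call also gives the bank the access record it needs to supervise third-party requests.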

For third parties

  • Provide tools for customers to view and withdraw consent
  • Clearly communicate service terms and instructions
  • Have procedures for risk management, complaints, and dispute resolution
  • Notify banks of incidents or discrepancies promptly

The path forward: Implementation and strategic opportunities

Adhering to open banking is a structured progression with numerous well-defined milestones. The readiness of financial institutions and the duration required to meet these benchmarks will fluctuate based on their individual maturity levels.

Below is a summary of each milestone defined in Circular 64.


 

Vendors such as WSO2, with extensive experience in Open API and open banking initiatives, can provide significant value to Vietnamese banks. By leveraging WSO2's established expertise, knowledge, and toolset, they can expedite project execution and ensure adherence to the timelines and milestones set by the SBV.

Phased rollout to ensure readiness

The table below summarizes different types of APIs, their deadlines, and whether they require consent management.


 

WSO2 has already started working with Vietnamese Banks to deliver these APIs in a timely manner, with the appropriate balance of API management and consent management capabilities.

Strategic upside for banks and fintechs 

The State Bank of Vietnam’s Circular 64 on Open APIs/open banking is more than a compliance exercise — it’s a catalyst for structural transformation across the financial sector. Its impacts span banks, fintechs, customers, and Vietnam’s national development goals.

For banks and fintechs

  • Collaboration potential – With nearly 200 fintech companies now active in Vietnam, banks gain new opportunities to co-create solutions such as digital budgeting apps, faster loan approvals through alternative credit scoring, and embedded finance for e-commerce.
  • Efficiency and competitiveness – Standardized APIs reduce integration costs and remove the friction that has historically slowed bank–fintech partnerships. This levels the playing field, allowing both large state-owned banks and smaller joint-stock or cooperative banks to innovate more quickly.
  • Regional positioning – Adoption of open banking places Vietnamese banks and fintechs in step with ASEAN peers like Singapore and Thailand, opening doors to cross-border digital financial services.

For customers and financial inclusion

  • More control and transparency – With explicit consent dashboards required by Circular 64, Vietnamese customers gain tools to decide who can access their financial data, for how long, and for what purpose.
  • Better services in a digital-first economy – As Vietnam now has close to 80% internet penetration and one of the world’s fastest-growing smartphone user bases, customers will benefit from services like multi-bank account aggregation, product comparison tools, and customized offers.
  • Expanding access for the underserved – An estimated half of Vietnamese adults remain unbanked or underbanked. Open APIs pave the way for alternative data-driven credit assessments, enabling rural populations, gig workers, and SMEs to access loans and payment services previously out of reach.

National alignment

  • Supporting Vietnam’s cashless society vision – Circular 64 directly aligns with the government’s cashless payment roadmap under Decree 52/2024/ND-CP, helping to shift consumer behaviour from cash to digital.
  • Driving the digital economy strategy – By embedding open banking into the financial infrastructure, Vietnam strengthens its Industry 4.0 digital transformation agenda, enhancing competitiveness in e-commerce, fintech, and cross-border trade.
  • Global alignment – With this move, Vietnam joins the growing list of economies with formal open banking regulations, demonstrating to investors and international partners that the country is ready to operate by global standards while localizing solutions to its high-growth market.

Overcoming the hurdles: Risks and solutions

New initiatives, while promising significant advancements, inevitably introduce risks and challenges. As in other regions, implementing Open APIs and open banking in Vietnam will encounter its own set of them. Here’s a breakdown of the key challenges and how they can be mitigated, with a focus on leveraging expert partners like WSO2.

Risk: High implementation costs for smaller banks

Description: Many of Vietnam’s smaller joint-stock and cooperative banks lack the IT budgets and human resources to build and maintain Open API infrastructure that meets Circular 64’s requirements.

Mitigations:

  • Government and SBV support: Shared API hubs/sandboxes to reduce costs.
  • Consortium models: Banking alliances co-invest in API infrastructure.
  • Tiered deadlines: Phased milestones (start with basic APIs, later advanced services).
  • WSO2 expertise: Leveraging WSO2's pre-built, standardized open banking solution to reduce development time and cost.

Risk: Cybersecurity risks — trust depends on robust protection

Description: Vietnam has seen a rising number of cyber fraud and phishing cases in banking. With open banking, multiple players will handle sensitive data, raising the attack surface significantly.

Mitigations:

  • Mandatory security standards: Enforce SBV Level 3 info security with audits/penalties.
  • Incident response framework: National open banking SOC for monitoring and threat sharing.
  • Capacity building: Train banks/fintechs in secure API design, penetration testing, fraud monitoring.
  • WSO2 expertise: Utilizing WSO2's built-in security features like FAPI compliance, mTLS, and strong authentication to protect data exchange.

Risk: Readiness gaps — training and capacity building

Description: Not all Vietnamese banks or fintechs are familiar with ISO 20022 standards, OAuth2, or consent-management frameworks. This knowledge gap could delay deployment and reduce interoperability.

Mitigations:

  • Training programs: Workshops and certification on APIs, security, compliance.
  • Public–private collaboration: Partner with universities/fintech groups for curricula.
  • Knowledge exchange: Pilot projects with digital banks to share learnings.
  • WSO2 expertise: Leveraging WSO2's comprehensive training, documentation, and expert consultancy to bridge knowledge and skill gaps.

Risk: Low awareness — customer understanding of data rights

Description: Most Vietnamese customers are still unfamiliar with concepts like data consent, revocation, or third-party access. Without awareness, trust in open banking could falter, or worse, customers may fall prey to scams.

Mitigations:

  • Customer education campaigns: Nationwide initiatives to explain consent and risks.
  • Digital consent dashboards: Simple app interfaces for permission management.
  • Consumer protection hotlines: SBV-backed channels for reporting misuse.
  • Community outreach: Target rural/underserved regions via cooperatives & microfinance.
  • WSO2 expertise: The WSO2 platform includes a pre-built, user-friendly consent dashboard that gives customers a clear, visual way to manage and revoke data permissions.

Your partner in transformation

Vietnam’s Circular 64 marks a turning point for the nation’s financial sector — laying the foundation for open banking, data-driven innovation, and financial inclusion. While challenges remain around cost, security, readiness, and awareness, the opportunities are immense: stronger bank–fintech collaboration, better customer experiences, and alignment with global standards.

At WSO2, we’ve partnered with regulators, banks, and fintechs across Europe, the UK, the Middle East, and Asia-Pacific to design and implement secure, scalable open banking ecosystems. From building API management platforms to ensuring compliance with regional data protection laws, WSO2 brings proven expertise that can help Vietnamese institutions turn Circular 64 into a competitive advantage.

If you’d like to explore how your bank or fintech can prepare for Circular 64, reach out to WSO2 for guidance, implementation strategies, and technology solutions tailored to Vietnam’s market. Together, we can make open banking not just compliant, but transformative.


Glossary

SBV (State Bank of Vietnam)

Vietnam's central bank and a state-level administrative body. It is the sole issuer of Circular 64/2024/TT-NHNN, which legally mandates and regulates the deployment of Open APIs in the banking sector.

Circular 64/2024/TT-NHNN

A regulation issued by the State Bank of Vietnam mandating the adoption of standardized, secure Open APIs for financial data sharing, effective March 1, 2025.

Fintech

Companies that use technology to innovate and deliver financial services, often partnering with banks under open banking frameworks.

Third-Party Providers (TPPs)

Authorized non-bank organizations (such as fintechs) that access bank data via Open APIs to deliver financial services.

OAuth 2.0 / OIDC / SAML v2.0

Industry-standard security protocols used to authorize access, authenticate users, and ensure safe API transactions.

Open APIs 

A set of APIs provided by the banks for third parties to directly connect and process data for the purpose of providing services to customers.



 
