Total interruption time of providing all payment services and online payment intermediary services shall not exceed 04 hours/year, interruption time of providing services shall not exceed 30 minutes/time...
The State Bank of Vietnam is drafting a Circular amending and supplementing a number of articles of Circular No. 15/2024/TT-NHNN dated June 28, 2024 of the Governor of the State Bank of Vietnam regulating the provision of non-cash payment services.
Article 19 of Circular No. 15/2024/TT-NHNN stipulates the responsibilities of payment service providers:
1. Notify and guide customers to use the payment services they provide; promptly respond to or handle questions and complaints from organizations and individuals using payment services within the scope of their obligations and powers.
2. Make payment transactions promptly, safely and accurately according to agreements with organizations and individuals using payment services; publicly post payment service fees.
3. Payment service providers are responsible for promptly correcting mistakes and errors in payment transactions in cases where the payment orders of organizations and individuals using payment services are not properly implemented; they are responsible for coordinating with relevant payment service providers to recover mistakenly transferred or over-transferred amounts when making payment transactions in accordance with the provisions of law.
4. Payment service providers must comply with the provisions of law on electronic transactions and on ensuring safety, security, and risk management in banking activities. Issue risk management mechanisms: identify risks, classify types of risks that occur for each type of service provided, secure and ensure the integrity and accuracy of data information related to transactions, have measures to assess, control, prevent risks, and comply with the provisions of law.
5. Payment service providers are obliged to notify and warn customers to recognize and avoid risks when using payment services and to comply with the content of the agreement signed with the payment service provider; to guide organizations and individuals using payment services on the obligation to self-secure account information, other identification factors and electronic means used in payment, to avoid being exploited, scammed and cheated.
6. Payment service providers must implement measures to identify customers; control, detect, and report large-value transactions, electronic money transfers, and suspicious transactions to competent state agencies in accordance with the provisions of the law on anti-money laundering and other relevant legal provisions.
7. Payment service providers must be responsible for compensating for damages caused by their own faults according to the provisions of law.
8. Payment service providers are responsible for applying measures and solutions to ensure that customer verification information is checked and matched correctly during payment transactions.
9. Payment service providers shall, based on the provisions of this Circular and relevant legal provisions, issue internal procedures for providing non-cash payment services at their units and be legally responsible for their units' internal procedures.
10. Perform other responsibilities as prescribed in this Circular and relevant legal provisions.
The State Bank said that the Law on Credit Institutions 2024 stipulates: Clause 5, Article 10 - Responsibilities of credit institutions and foreign bank branches in protecting customers' rights: "5. Publicly announce official transaction time. In case of stopping transactions at one or several transaction locations during official transaction time or stopping transactions by electronic means, at least 24 hours before the time of stopping transactions, credit institutions and foreign bank branches must post information about the suspension of transactions at the transaction location or on the electronic information page of the credit institution or foreign bank branch..."
Article 14. Data security and ensuring continuous operation: "Credit institutions and foreign bank branches must ensure information system security, data security and continuous operation in accordance with regulations of the Governor of the State Bank and other relevant legal provisions".
The Law on Network Information Security stipulates in Clause 1, Article 3: "1. Network information security is the protection of information and information systems on the network from unauthorized access, use, disclosure, interruption, modification or destruction to ensure the integrity, confidentiality and availability of information".
Circular 41/2024/TT-NHNN stipulates the supervision and implementation of supervision of important payment systems and payment intermediary service provision activities as prescribed in Clause 2, Article 17: "2. Payment intermediary service providers are responsible for providing information to the Supervisory Unit immediately upon detecting an incident that causes a disruption of more than 30 minutes in payment intermediary service provision activities...".
Circular 50/2024/TT-NHNN stipulates the safety and security of providing online services in the banking sector: Article 16 stipulates the responsibilities of the unit (credit institution, foreign bank branch, payment intermediary service provider) in ensuring continuous operation. Clause 2, Article 17 stipulates: The unit must inform customers about the terms of the agreement on providing and using Online Banking services, including at least: c) Commitment to the ability to ensure continuous operation of the Online Banking system, including at least: the time of service interruption at one time, the total time of service interruption in one year, except for cases of force majeure or system maintenance and upgrades notified by the unit.
Circular 09/2020/TT-NHNN dated October 21, 2020 regulating information system security in banking operations stipulates: Clause 4, Article 5: Level 3 information system is an information system that meets one of the following criteria: b) The information system serves the organization's daily internal operations and does not accept downtime for more than 4 working hours from the time of downtime; c) The information system serves customers requiring 24/7 operation and does not accept downtime without prior planning. Clause Article 49: Principles for ensuring continuous operation "1. The organization shall implement the following minimum requirements: a) Analyze the impact and assess the risks of interruption or downtime of the information system;…".
In addition, recently, the State Bank (Payment Department) has received feedback from people and customers when: (i) Some banks/intermediary payment organizations reported errors that prevented them from logging into the application or making transactions, especially during peak periods (holidays, Tet), causing customers to be upset and feel very inconvenient when they could not scan the QR code for payment, or there was network congestion, cash transactions were suspended even though the customer's account had been deducted but the recipient had not received the money; (ii) Some banks did not make an official announcement, or handled the problem slowly, or performed system maintenance and upgrades without prior notice.
According to the State Bank, the addition of regulations on maximum interruption time for online payment/payment intermediary services is necessary to protect customers' rights and enhance the responsibility of service providers on the basis of balancing technical requirements, implementation capabilities and customer benefits as a basis for supplementing strict measures and sanctions for handling violations.
Most countries set a maximum downtime of about 4 hours per year. Some EU countries have stricter requirements, for example, specifying a maximum downtime of 15 minutes per incident, requiring banks to have a backup plan and backup system to ensure service continuity, and requiring organizations to conduct regular checks and report on system status. Sanctions for violations: Violations of the maximum downtime will result in fines or revocation of operating licenses.
Some countries also have similar regulations such as: (i) Singapore stipulates a maximum downtime of 4 hours/year . Banks must conduct regular checks and report on the status of the system. Organizations must have a contingency plan and backup system to ensure continuity of service. (ii) China stipulates a maximum downtime of 4 hours/year. Organizations must conduct regular checks and report on the status of the system.
In the draft, the State Bank plans to add Clause 2a and Clause 2b to Article 19 of Circular No. 15/2024/TT-NHNN. as follows:
2a. Payment service providers and payment intermediary service providers are responsible for implementing measures to ensure the smooth and continuous provision of payment services and payment intermediary services. The total interruption time of all payment services and online payment intermediary services shall not exceed 04 hours/year, and the interruption time of service provision shall not exceed 30 minutes/time, except in cases of force majeure or system maintenance and upgrades that have been notified 03 days in advance.
2b. Payment service providers and payment intermediary service providers shall be responsible for reporting to the State Bank within 04 hours upon discovering an incident that causes a disruption of more than 30 minutes in the provision of payment services or payment intermediary services (including cases of force majeure or maintenance or system upgrades that have been notified 03 days in advance) according to Appendix 05 issued with this Circular. Within 03 working days from the date of completion of troubleshooting, payment service providers and payment intermediary service providers shall be responsible for submitting an incident report with full contents according to Appendix 05 issued with this Circular.
Specify the minimum information required to accompany a money transfer transaction
In addition, the State Bank also plans to supplement Clause 3a and Clause 3b, Article 19 of Circular No. 15/2024/TT-NHNN as follows:
3a. Payment service providers are responsible for checking and controlling legal and valid payment orders, ensuring that the payment account number and payment account name in the customer's payment account opening and usage agreement are correctly displayed when making payment transactions and are fully displayed on payment documents.
3b. When performing payment authorization services, money transfer services via payment accounts or without payment accounts, the payment service provider serving the payer is responsible for providing the payment service provider serving the beneficiary, upon request, with the minimum information related to the transaction, including:
a) Information about the payer, including: Name of the payer, payment account number of the payer or transaction reference number (when there is no payment account), Permanent registered address or identification number of the payer;
b) Information about the beneficiary, including: Name of the beneficiary, Payment account number of the beneficiary or transaction reference number (when there is no payment account).
The State Bank explained the addition of the content of Clause 3a with the reason: In reality, there have been a number of cases where banks have allowed customers to use aliases and nicknames instead of payment account numbers and names to create names similar to reputable brands to commit fraud and violate the law. In addition, the use of aliases and nicknames in payment transactions can lead to the risk of transferring money by mistake due to not fully displaying the account number and account name when making a payment order.
Previously, Article 8 and Article 11 of Circular No. 46/2014/TT-NHNN dated December 31, 2014 of the Governor of the State Bank guiding non-cash payment services had regulations on elements on payment documents. In the 2021 Multilateral Assessment Report of Vietnam, the Asia- Pacific Group on Money Laundering (APG) assessed Vietnam as "compliant" with recommendation criterion No. 16.5. If the regulations on information accompanying money transfer transactions are removed, it may affect Vietnam's compliance rating.
The clear regulation of the minimum information accompanying the money transfer transaction and the responsibility to provide the above information on the one hand meets the requirements of the APG Recommendation, and also creates a legal basis for payment service providers serving beneficiaries to request payment service providers to provide information about the remitter to serve the process of reviewing information of the parties participating in the transaction.
The above draft is being solicited for comments on the State Bank of Vietnam's Electronic Information Portal.
Wisdom
Source: https://baochinhphu.vn/thoi-gian-gian-doan-cung-ung-dich-vu-thanh-toan-truc-tuyen-khong-vuot-qua-30-phut-lan-102250715171759862.htm
Comment (0)