In brief
The Ministry of Finance has released a draft circular on electronic transactions in the securities market, intended to replace Circular 134/2017/TT-BTC and Circular 73/2020/TT-BTC ("Draft Circular"). This Draft Circular expands the framework to cover a broader range of online securities services and introduces more flexible and digitized processes for foreign investors, including through global broker arrangements, in relation to account opening, operation and closure. It also introduces detailed requirements on authentication, data protection and system security, and establishes a new regime governing API-based service provision and third-party interaction. These developments are expected to support evolving market practices, including enhanced cross-border participation and growing interest in global broker models, while strengthening market infrastructure and supporting Vietnam's prospective market upgrade.
This Draft Circular is expected to be issued in 2026.
Key takeaways
1. Enhanced framework for foreign investors and cross-border connectivity
- The Draft Circular introduces more flexible and digitized processes for foreign investors, particularly non-resident investors, in relation to account opening, operation and closure.
- Non-resident foreign investors conducting indirect investment activities in Vietnam may authorize global brokers or another service provider having a contractual relationship with such investors to open, use and close securities trading accounts and securities depository accounts by electronic means with the service provider.
- The service provider must conduct KYC on the foreign investors and the authorized organizations in accordance with AML laws.
- In addition, the Draft Circular supports greater adoption of straight-through processing (STP) between securities companies and custodian banks, reducing manual intervention and improving operational efficiency. These changes are expected to facilitate cross-border participation while maintaining regulatory oversight and system integrity.
2. Risk-based authentication framework for fund transfers
The Draft Circular introduces a tiered authentication approach for withdrawals and outward transfers based on transaction value.
- For transactions below VND 10 million, service providers may apply a range of authentication methods, including OTP, biometrics, device-based authentication, FIDO, digital signatures or multi-channel authentication.
- For transactions of VND 10 million or above, biometric authentication is mandatory, with verification against national ID (chip-based ID card) or the VNeID system.
This represents a notable shift towards strong customer authentication, aimed at enhancing transaction security, reducing fraud risks and protecting investor assets.
3. Formal recognition of eKYC and electronic account lifecycle
- The Draft Circular introduces a comprehensive framework for electronic identification (eKYC), digital onboarding and electronic contracts, covering the full lifecycle of account opening and customer verification in an online environment.
- Account opening and closure via electronic means must be authenticated using prescribed methods (including biometric authentication), and the underlying agreement between the service provider and customer must be executed using digital signatures. For ongoing transactions, authentication must be performed at least for the first transaction in each login session, and service providers are required to implement technical measures to ensure that authentication and transaction execution are conducted on the same device.
- These provisions strengthen the legal and operational basis for fully digital account lifecycles, reflecting the increasing prevalence of remote onboarding while enhancing security and integrity of customer interactions.
4. Introduction of API regulatory framework
- For the first time, the Draft Circular establishes a detailed framework governing API connectivity between securities companies and third parties.
- While enabling integration with fintech ecosystems, the Draft Circular makes clear that securities companies retain ultimate responsibility for system safety and financial risks arising from API-based services. This is intended to mitigate risks associated with intermediary platforms and external technology providers.
5. Enhanced requirements on IT infrastructure and cybersecurity
The Draft Circular significantly strengthens requirements on technology infrastructure, system integrity and data security, including:
- Use of licensed IT systems with clear origin, traceability and lifecycle management controls.
- Compliance requirements for outsourced data centers under Vietnamese law, together with safeguards against unauthorized access and data misuse.
- Implementation of robust technical and operational controls, including system segregation, encryption, access management, monitoring and measures to control access to and interaction with customer data storage devices to prevent data leakage.
These measures underscore the regulator's growing focus on data protection, cybersecurity and operational resilience, particularly in light of increasing system complexity and evolving cyber threats in the securities market. They are also likely to require securities companies with less developed technology platforms to undertake system upgrades to meet increasingly stringent standards for online trading.
6. Transaction limit controls to be regulated under the Vietnam Stock Exchange's regulations
- The Vietnam Stock Exchange is required to issue operational rules to (i) regulate system connectivity between members and the trading system, and (ii) provide for measures to impose limits on transaction volumes at a given time, where necessary, to ensure system stability and alignment with trading infrastructure capacity.
- The Vietnam Securities Depository and Clearing Corporation (VSDC) is also required to establish operational rules governing system connectivity between members and its electronic communication gateways, in compliance with applicable laws.
This development reflects a more proactive approach to system risk management and market stability, particularly in the context of increasing trading volumes and system complexity.