Decree No. 94/2025/ND-CP dated April 29, 2025 on regulatory sandbox in banking sector

THE NATIONAL ASSEMBLY OF VIETNAM --------	SOCIALIST REPUBLIC OF VIETNAM Independence – Freedom – Happiness ---------------
No: 94/2025/ND-CP	Hanoi, April 29, 2025

DECREE

ON REGULATORY SANDBOX IN BANKING SECTOR

Pursuant to Law on Government Organization dated February 18, 2025;

Pursuant to Law on the State Bank of Vietnam dated June 16, 2010;

Pursuant to Law on Credit Institutions dated January 18, 2024;

At the request of the Governor of the State Bank of Vietnam (SBV);

The Government promulgates a Decree on regulatory sandbox in banking sector.

Chapter I

GENERAL PROVISIONS

Article 1. Scope

1. This Decree provides regulations on the regulatory sandbox in banking sector (hereinafter referred to as “Regulatory Sandbox”) for the implementation of new products, services, business models through the application of technology solutions (hereinafter referred to as “Financial technology solutions”).

2. Financial technology solutions (hereinafter referred to as “Fintech solutions”) in the Regulatory Sandbox include:

a) Credit scoring;

b) Data sharing via Open APIs;

c) Peer-to-peer (peer-to-peer) lending

Article 2. Regulated entities

1. Credit institutions, branches of foreign banks stipulated in Law on Credit Institutions (not applicable to Point c, Clause 2, Article 1 of this Decree).

2.  Financial technology companies.

3. Competent authorities.

4. Customers and other organizations and individuals related to the Regulatory Sandbox.

Article 3. Interpretation of terms

In this Decree, the terms below are construed as follows:

1. Financial technology company (hereinafter referred to as "Fintech company”) refers to an organization which is not a credit institution or a branch of a foreign bank licensed or legally registered to operate in Vietnam; independently provides Fintech solutions or cooperates with credit institutions, branches of foreign banks to provides Fintech solutions.

2. Participant in the Regulatory Sandbox refers to a credit institution, a foreign bank branch, or a Fintech company which has been issued with a Certificate of Participation in the Regulatory Sandbox by the SBV.

3. Peer-to-peer lending solution refers to an information technology application solution provided by a peer-to-peer lending company to connect borrowers and lenders, provide assistance for contract conclusion via a digital platform. The currency used in peer-to-peer lending solution is VND.

4. Peer-to-peer lending company refers to a Fintech company which provides the peer-to-peer lending solutions to customers.

5. Open Application Programming Interface - Open API refers to a standardized set of APIs which may be used by computer systems of credit institutions, branches of foreign banks, Fintech companies, and other third parties to send service requests to systems of credit institutions and branches of foreign banks sharing that Open API.

6. Credit scoring refers to a solution applicable to information technology systems of credit institutions, branches of foreign banks, and Fintech companies to score the creditworthiness of an individual or organization supporting the credit approval by credit institutions and branches of foreign banks.

7. Customer refers to an individual or organization which has a contractual relationship with a participant in the Regulatory Sandbox and directly use a Fintech solution provided by such participant.

8. Customers using peer-to-peer lending solutions provided by peer-to-peer lending companies include: Lenders that are juridical entities (including credit institutions, branches of foreign banks), established in accordance with the laws of Vietnam, or individuals hold Vietnamese nationality; Borrowers that are juridical entities (including credit institutions, branches of foreign banks), established in accordance with the laws of Vietnam, or individuals hold Vietnamese nationality.

Article 4. Objectives of the Regulatory Sandbox

1. Promote innovation and modernization in banking sector in order to realize the goal of financial inclusion for the people and enterprises in a transparent, convenient, safe, efficient, and cost-effective manner.

2. Establish a testing environment to assess risks, costs, and benefits of Fintech solutions; assist the development of Fintech solutions to meet requirements of market, legal frameworks, and management regulations.

3.  Mitigate customer risks in Fintech solutions provided by participants in the Regulatory Sandbox.

4. Results of implementing Fintech solution during the Regulatory Sandbox shall be used as a basis for competent authorities to research, develop, and enhance relevant legal frameworks and regulations if necessary.

Article 5. Rules for approving participants for the Regulatory Sandbox

To ensure fairness, objectivity, transparency, and openness, participants in the Regulatory Sandbox  shall be approved as follows:

1. The approval process of participants in the Regulatory Sandbox  must ensures the transparency regarding criteria and conditions, procedures for assessment and selection.

2. Participation in the Regulatory Sandbox does not mean that participants shall meet relevant business and investment conditions stipulated in future regulations.

3. Credit institutions, branches of foreign banks, and Fintech companies which do not apply to participate in the Regulatory Sandbox, or have not been approved to participate in the Regulatory Sandbox shall operate and comply with the current regulations on enterprises, investments, and other relevant laws.

Article 6. Time, space, and scope of the Regulatory Sandbox

1. The maximum testing period of Fintech solutions testing in the Regulatory Sandbox is 02 years, depending on each solution and specific field, calculated from the issuance of the Certificate of Participation in the Regulatory Sandbox by the SBV.  This period may be extended as stipulated in Article  20 of this Decree.

The validity period of the Certificate of Participation in Regulatory Sandbox shall not exceed the validity period (if any) of the establishment license or enterprise registration certificate of the participant.

2. Space:

The Fintech solutions testing in the Regulatory Sandbox shall be implemented within the territory of Vietnam; the cross-border implementation is not allowed.

3. Scope:

a) Participants shall only provide Fintech solutions within the scope specified in the Certificate of Participation in the Regulatory Sandbox;

b) Depending on Fintech solutions and specific proposals of participants in their application, and opinions of the ministries, the SBV shall decide on the scope of Fintech solutions specified in the Certificate of Participation in the Regulatory Sandbox.

c) Peer-to-peer lending companies shall only provide peer-to-peer lending solutions within the scope specified in their Certificate of Participation in the Regulatory Sandbox issued by the SBV as prescribed in this Decree. Peer-to-peer lending companies participating in the Regulatory Sandbox shall not conduct other business activities which are not mentioned in the Certificate of Participation in the Regulatory Sandbox, provide self-insurance measures for customer loans, engage in activities as customer, or provide peer-to-peer lending solutions to pawnshop companies.

Article 7. Rules of preparation and submission of applications for participation in Regulatory Sandbox, testing method adjustment, termination of testing process, testing period extension, and issuance of Certificate of Testing Completion

1. Applications must be prepared in Vietnamese. In cases where documents are issued, authorized, or certified by foreign authorities, organizations, or agencies, they must be legalized in accordance with Vietnamese law (except for the case of exemption from consular legalization in accordance with laws on consular legalization) and translated into Vietnamese.

2. Copies of documents must be certified true copies, copies issued from the original, or copies accompanied by the original for verification as required by law. In cases of online submission, procedures must comply with regulations on electronic administrative procedures.

3. Curricula vitae must be authenticated with a signature in accordance with regulations.

4. Applications shall be submitted by post or in person to the single-window department of the SBV or on the national web portal.

5. Applicants for the issuance of Certificate of Participation in the Regulatory Sandbox, testing method adjustment, termination of testing process, testing period extension, and issuance of Certificate of Testing Completion shall bear legal responsibility for the accuracy of the information provided.

Chapter II

REGISTRATION AND ISSUANCE OF CERTIFICATES OF PARTICIPATION IN THE REGULATORY SANDBOX

Section 1. FOR FINTECH SOLUTIONS STIPULATED IN POINTS A AND B, CLAUSE 2 OF ARTICLE 1

Article 8. Eligibility for participating in the Regulatory Sandbox

1. Credit institutions which are not under special control in accordance with Law on Credit Institutions, branches of foreign banks shall be eligible to participate in the Regulatory Sandbox if the Fintech solution meets the following criteria:

a) Its technical and professional contents have not been specifically and clearly guided for implementation and application by current legal regulations;

b) It is an innovative solution that brings benefits and added value to service users in Vietnam, especially solutions that support and promote the goal of financial inclusion;

c) It has risk management frameworks to mitigate impacts on the banking system and banking - monetary - foreign exchange operations; plans to handle and mitigate risks during the Regulatory Sandbox; and plans to protect consumer rights;

d) It has been inspected and assessed in terms of operations and functions, effectiveness, and usefulness.

dd) It is a feasible solution that can be put into the market after completing the testing process.

2. A Fintech company shall be considered for issuance of a Certificate of Participation in the Regulatory Sandbox when it meets the criteria specified in Clause 1 of this Article and the following conditions:

a) It is a juridical person which is established and operates in Vietnam; is not subject to any full division, partial division, consolidation, merger, conversion, dissolution, or bankruptcy in accordance with regulations.

b) The legal representative, Director General (or Director) must hold a bachelor’s degree in one of the fields of economics, business administration, laws,  or information technology; has at least 02 years of experience working as a manager, an executive of an organization in the financial and banking; and is not a prohibited person as prescribed by laws.

3. Participants shall be responsible for maintaining all requirements during their participation in the Regulatory Sandbox.

Article 9. Application for participating in the Regulatory Sandbox

1. Application for the issuance of Certificate of Participation in the Regulatory Sandbox shall be made using Form No. 01 in Appendix I attached hereto if the applicant is a credit institution or foreign bank branch; and Form No. 02 in Appendix I attached hereto if the applicant is a Fintech company.

2. Description of organizational structure and management for the implementation of Fintech solutions for testing.

3. Resolutions of Board of Members, Board of Directors, General Meeting of Shareholders; documents of authorized representative in accordance with the Charter on approval of project description of Fintech solutions testing in the Regulatory Sandbox.

4. Project description of the Fintech solution testing in the Regulatory Sandbox must include a demonstration of the Fintech solution; potential customers; and the compliance with all criteria specified in Clause 1, Article 8 and guided by Appendix II attached hereto.

5. A regulatory sandbox plan includes: Time, space, and scope of testing; estimated budget; resources; rules of exchange and reporting to the SBV during the testing process; termination of testing to complete obligations within a maximum period of 6 months after the issuance of decision on termination.

6. Personnel documents include: Curriculum vitaes (within the last 6 months before submitting the application), copies of documents proving the professional qualifications and capacities of legal representatives, Director-General (Director), Deputy Director-General (Deputy Director), and core officials implementing Fintech solutions.

7. Copies of documents proving that the applicant is established and operates legally, including: Establishment license or equivalents; Charter; investment certificate of foreign investor (if any).

Article 10. Procedures for participating in the Regulatory Sandbox

1. In cases where the application is sent by post or in person to the single-window department of the SBV, the applicant shall submit 02 sets of application and 06 and 06 CD discs (or 06 USB) storing scanned copies of the application for the issuance of certificate of participation in the Regulatory Sandbox stipulated in Article 9 of this Decree.

2. Within 05 working days from the date on which the application is received, the SBV shall issue a written confirmation of having received an adequate and legitimate application; if the application is inadequate and illegitimate, the SBV shall request the applicant to supplement the application.  The time for supplementing the application shall not be included in the processing time of the application.

Within 05 working days from the date on which the applicant receives a written request to supplement the application, if the applicant fails to re-submit the application or the re-submitted application is still inadequate and illegitimate, the SBV shall issue a written notice and return the application to the applicant

3. Within 90 working days from the date on which the written confirmation is sent, the SBV shall cooperate with relevant ministries to appraise the application, including on-site inspection if necessary.

On the basis of the adequate application, the SBV shall send a written request to collect opinions from relevant ministries. Within 15 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

In cases where an on-site inspection is required, the SBV shall send a written request to relevant ministries to appoint officials to participate in the inspectorate. Relevant ministries, within 05 working days from the date on which the written request is received, shall appoint officials to participate in the on-site inspectorate. The on-site inspection must be notified to the applicant at least 3 working days before the inspection.

In cases where the application requires explanation, the SBV shall issue a written request for explanation to the applicant. The applicant is allowed to provide explanations and supplementary documents only once.

If the applicant fails to provide explanations within 30 working days from the date on which the applicant receives a written request, the SBV shall issue a written notice and return the application to the applicant. The time for providing explanations shall not be included in the processing time of the application.

From the date on which the explanation is provided, the SBV shall send a written request to collect opinions from relevant ministries. Within 10 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

4. After the appraising period stipulated in Clause 3 of this Article, the SBV shall issue a Certificate of Participation for the eligible applicant specified in Article 8 of this Decree.  In case of refusal, a written response shall be provided by the SBV.

5. Within 90 days from the date of receiving the Certificate of Participation, the organization shall implement Fintech solutions within the scope of the Certificate of Participation.

Section 2. FOR peer-to-peer LENDING SOLUTIONS

Article 11. Eligibility for participation in the Regulatory Sandbox

1. The peer-to-peer lending solution shall be considered for issuance of the Certificate of Participation when such solution meets the criteria specified in Clause 1, Article 8 of this Decree and following criteria:

a) It has measures to determine and manage the maximum loan amount for each borrower in the peer-to-peer lending solution provided by itself, report and exploit real-time information about borrowers at the National Credit Information Center of Vietnam to ensure compliance with regulations on the maximum loan amount for each borrower in the peer-to-peer lending solution provided by itself and the maximum loan amount for each borrower in all peer-to-peer lending solutions testing in the Regulatory Sandbox;

b) Disbursement, repayment of loans, interest, and fees for transactions of customers in peer-to-peer lending solutions shall be conducted through their payment accounts at credit institutions, branches of foreign banks, or e-wallets provided by intermediary payment service providers;

c) It has measures to ensure that the contract term between the borrower and the lender using the peer-to-peer lending solution testing in the Regulatory Sandbox shall not exceed 2 years.

2. A Fintech company providing peer-to-peer lending solutions shall be considered for issuance of a Certificate of Participation in the Regulatory Sandbox when it meets the criteria specified in Clause 1 of this Article and the following conditions:

a) It is a juridical person which is established and operates in Vietnam; is not a foreign-invested enterprise; and is not subject to any full division, partial division, consolidation, merger, conversion, dissolution, or bankruptcy in accordance with regulations.

b) The legal representative, General Director (Director) is Vietnamese national; has no criminal record; is not subject to administrative violations in the fields of finance, banking, and cybersecurity; is not concurrently an owner or manager of any financial service provider, bank, pawnshop, or multi-level business enterprise; is not a tontine holder; or is not a member of Board of Directors, Board of Members, Supervisory Board, General Director (Director), Deputy General Director (Deputy Director), or any equivalent position of a credit institution, foreign bank branch, or intermediary payment service provider;

c) The legal representative, Director General (or Director) must hold a bachelor’s degree in one of the fields of economics, business administration, laws,  or information technology; has at least 02 years of experience working as a manager, an executive of an organization in the financial and banking; and is not a prohibited person as prescribed by laws.

d) It must meet the requirements for personnel, infrastructure, and technology for the digital platform serving peer-to-peer lending solution provision as follows:

The information technology system and information storage system must be located within the territory of Vietnam, operate safely and continuously, and have an independent backup technical system to prevent interruptions in case of incidents, especially technical and technological issues.

Data, information of all customers and related parties must be updated, stored, and shared in a highly secure digital platform, ensuring information transparency and disclosure among related parties and information confidentiality of related parties to unrelated parties.

The information technology system must be tested and assessed before operation.

Technical employees must meet the professional qualifications, ensuring the safe and continuous operation of the system.

3. Participants in the Regulatory Sandbox shall be responsible for maintaining all conditions mentioned above during their participation in the Regulatory Sandbox.

Article 12. Application for participating in the Regulatory Sandbox

An application for participating in the Regulatory Sandbox of a Fintech company includes:

1. Application form made using Form No. 03 in Appendix I enclosed herewith.

2. Description of organizational structure and management for the implementation of peer-to-peer lending solutions for participating in the Regulatory Sandbox.

3. Resolutions of Board of Members, Board of Directors, General Meeting of Shareholders; documents of authorized representative in accordance with the Charter on approval of description of peer-to-peer lending solutions for participating in the Regulatory Sandbox.

4. Descriptions of peer-to-peer lending solutions for participating in the Regulatory Sandbox shall be guided in Appendix III attached herewith.

5. A regulatory sandbox plan includes: Time, space, and scope of testing; estimated budget; resources; rules of exchange and reporting to the SBV during the testing process; termination of testing to complete obligations with customers and related parties after the issuance of decision for termination.

6. Personnel documents include: Curriculum vitaes, criminal records (issued within 6 months before submitting the application), copies of documents proving the professional qualifications and capacities of legal representatives, General Director (Director); written confirmation from authorized representative of the entity where the legal representative or General Director (Director) has worked, or copies of documents proving the position and working experience.

7. Copies of documents proving that the Fintech Company is established and operates legally, including: Establishment license or equivalents, Charter.

Article 13. Procedures for participating in the Regulatory Sandbox

1. In cases where the application is sent by post or in person to the single-window department of the SBV, the applicant shall submit 02 sets of application and 06 and 06 CD discs (or 06 USB) storing scanned copies of the application for the issuance of Certificate of Participation in the Regulatory Sandbox stipulated in Article 12 of this Decree.

2. Within 05 working days from the date on which the application is received, the SBV shall issue a written confirmation of having received an adequate and legitimate application; if the application is inadequate and illegitimate, the SBV shall request the applicant to supplement the application.  The time for supplementing the application shall not be included in the processing time of the application.

Within 05 working days from the date on which the applicant receives a written request to supplement the application,

3. Within 90 working days from the date on which the written confirmation is sent, the SBV shall cooperate with relevant ministries to appraise the application, including on-site inspection if necessary.

On the basis of the adequate application, the SBV shall send a written request to collect opinions from relevant ministries. Within 15 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

In cases where an on-site inspection is required, the SBV shall send a written request to relevant ministries to appoint officials to participate in the inspectorate. Relevant ministries, within 05 working days from the date on which the written request is received, shall appoint officials to participate in the on-site inspectorate. The on-site inspection must be notified to the applicant at least 3 working days before the inspection.

In cases where the application requires explanation, the SBV shall issue a written request for explanation to the applicant. The applicant is allowed to provide explanations and supplementary documents only once.

If the applicant fails to provide explanations within 30 working days from the date on which the applicant receives a written request, the SBV shall issue a written notice and return the application to the applicant. The time for providing explanations and complete the application shall not be included in the processing time of the application.

From the date on which the explanation is provided, the SBV shall send a written request to collect opinions from relevant ministries. Within 10 working days from the date of receiving a written request, the  relevant ministry shall send a written response to the SBV.

4. After the appraising period stipulated in Clause 3 of this Article, the SBV shall issue a Certificate of Participation in the Regulatory Sandbox for the eligible applicant specified in Article 8 and Article 11 of this Decree.  In case of refusal, a written response shall be provided by the SBV.

5. Within 90 days from the date of receiving the Certificate of Participation, the organization shall implement the peer-to-peer solutions within the scope of the Certificate of Participation.

Chapter III

SUPERVISION OF TESTING PROCESS AND END OF TESTING PERIOD

Article 14. Supervision and inspection on testing process

1. The SBV shall supervise and inspect participants in the Regulatory Sandbox through following activities:

a) Supervision of the testing process of participants in the Regulatory Sandbox, including:

Collecting documents, information, data from  reports, information provided by participants specified in Article 15 of this Decree; documents, information, data collected through on-site inspections; information provided by other competent authorities; information provided by organizations, individuals related to the Regulatory Sandbox; other sources of information at the request of the SBV to serve the supervision work. 

Assessing the accuracy of documents, information, and data; in cases where any document, information, or data is detected to be inadequate, incorrect, or inappropriate, request the participant to promptly provide explanation and resend the accurate information.

Consolidating and analyzing documents, information, and data which have been collected, assessed, and inspected.

b) Assessing testing activities of participants in the Regulatory Sandbox and Fintech solutions testing in the Regulatory Sandbox.

The SBV shall assess the testing activities of the participants in the Regulatory Sandbox and the Fintech solutions testing in the Regulatory Sandbox based on the documents, information, data collected as prescribed in Point a, Clause 1 of this Article;

c) Warning and recommendation

In case of detecting potential risks during the testing process, the SBV shall send written warnings and recommendations to the participants in the Regulatory Sandbox.

2. The SBV shall cooperate with competent authorities to conduct on-site inspections of participants in the Regulatory Sandbox as requested by competent authorities or upon detection of risks which are required additional collection of documents, information, and data.

In cases where an on-site inspection is required, the SBV shall send a written request to relevant ministries to appoint officials to participate in the inspectorate. Relevant ministries, within 05 working days from the date on which the written request is received, shall appoint officials to participate in the on-site inspectorate. The on-site inspection must be notified to the participant at least 3 working days before the inspection.

Article 15. Regimes of reporting and information provision

1. The SBV has the right to request participants in the Regulatory Sandbox to provide information related to the testing process periodically and unexpectedly.  On the basis of the assessment of necessity, the SBV has the right to request participants in the Regulatory Sandbox to develop monitoring software and tools serving the reporting and information provision.

2. Participants in the Regulatory Sandbox shall periodically report and unexpectedly provide information about the testing process, risks occurred, and results of implementing the testing for the SBV as prescribed.  Participants in the Regulatory Sandbox shall develop monitoring software and tools as required by the SBV and establish corresponding reporting indicators according to the specific characteristics of Fintech solutions testing in the Regulatory Sandbox as prescribed in this Decree..

3. Reports shall be presented in electronic form. E-reports shall be presented as electronic data files or digital messages transmitted over network or via data carriers, include e-signature of the legal representative of the reporting organization, and comply with sign, transmission code, and file structure as stipulated by the SBV. E-reports shall be sent to the SBV

a) via email system

b) via the reporting information system of the SBV (hereinafter referred to as “reporting information system”);

c) through monitoring software and tools developed by participants in the Regulatory Sandbox as requested by the SBV.

4. Participants in the Regulatory Sandbox are responsible for reporting quarterly on the operational indicators of Fintech solutions testing in the Regulatory Sandbox according to Appendix IV attached hereto through the reporting information system. The quarterly reporting period is from the first day of the first month of the quarter to the last day of the last month of the quarter; quarterly reports must be submitted no later than the 15th day of the first month of the following quarter.

5. Within 15 days from the implementation of the second half of the testing period specified in the Certificate of Participation in the Regulatory Sandbox or written approval for the extension of testing period, participants in the Regulatory Sandbox shall send a report on preliminary assessment of results of implementing the Fintech solutions testing in the Regulatory Sandbox in accordance with Appendix V attached hereto through the reporting information system.

6. Participants in the Regulatory Sandbox shall, at least 90 days before the end of the testing period, shall send their reports on the assessment of testing results in accordance with Appendix V attached hereto through the reporting information system. In case where any participant in the Regulatory Sandbox wishes to amend its testing solutions, terminate its testing process, extend its testing period, or be issued with a Certificate of Testing Completion, such participant shall submit a report on the assessment of testing results in accordance with regulations on procedures for amendments to testing solutions, termination of testing process, testing period extension, or issuance of Certificates of Testing Completion.

7. Participants in the Regulatory Sandbox shall send a report including information on the time of detecting the risk or incident and a brief description of the risk or incident to the SBV via the email address tt@sbv.gov.vn within 24 hours from the time of detecting any disruption in operations or serious risk; and send a written report in accordance with Appendix VI attached  hereto within 3 working days after completing the risk management measures and incident resolution measures through the reporting information system to the SBV.

8. In case of changing the legal representative or the General Director (Director), the participant in the Regulatory Sandbox which is a Fintech company shall, within 30 days from the date of change, send a report to the SBV and provide documents proving that the legal representative or the General Director (Director) meets requirements for participating in the Regulatory Sandbox stipulated in point b, Clause 2, Article 8 for the solutions specified in Points a and b, Clause 2, Article 1 of this Decree; and Clause 2, Article 11 for the peer-to-peer lending solutions.

9. Peer-to-peer lending companies shall report on credit information of customers (including borrowers and lenders) to the National Credit Information Center of Vietnam as decided by the Governor of the SBV. The National Credit Information Center of Vietnam may use credit information collected from peer-to-peer lending solutions in the Regulatory Sandbox to develop a national credit information database and serve the management requirements of the SBV and the risk management of credit institutions, foreign bank branches, peer-to-peer lending companies, and other organizations as decided by the Governor of the SBV.

Article 16. Customer protection

To protect rights and interests of customers during the testing period, participants in the Regulatory Sandbox shall:

1. Issue and provide risk management advice to customers when proving Fintech solutions during the testing period.

2. Inform customers about the use of Fintech solutions during the testing process; ensure accurate an adequate information about the testing solutions, service fees, customers' rights and obligations for each type of solution.

3. Ensure customer information confidentiality during and after the use of testing Fintech solutions, except for cases where there is a request from competent authorities as prescribed by law.

4. Issue regulations on customer information confidentiality in storage and transmission through security, encryption, anonymization, and data masking processes. In cases where organizations collect, use, transfer customer information, they must obtain the consent from the customer and only collect, transfer information to third parties with the permission of the customer or at the request of the competent authority. There must be technical measures for customers to confirm their consent to provide information to third parties.

5. Formulate and ensure compliance with internal procedures and risk control measures to prevent unauthorized access or use of personal data, fraud, and theft of customer personal information.

6. Periodically assess risks; implement risk prevention measures during the testing process; and promptly inform customers about changes in the risk level of Fintech solutions in the Regulatory Sandbox.

7. Establish mechanisms and channels to handle customer complaints. In cases of disputes or complaints, participants in the Regulatory Sandbox shall:

a) Receive and take measures to handle all requests for review and complaints in writing, via hotline, online platforms, or emails within 5 working days from the date on which the request for review or complaint is received;

b) Pay damages to customers according to agreements and legal provisions.

Article 17. Adjustment of testing methods

1. Where there is any adjustment for a Fintech solution testing in the Regulatory Sandbox, participants in the Regulatory Sandbox shall follow the procedures to request the adjustment for such testing solution and may only apply the adjustment after obtaining approval from the SBV.

2. Procedures:

Applicant shall submit an application for adjustment of testing methods made using Form No. 05 in Appendix I attached here to and a Description of adjusted testing methods.

The SBV shall, within 30 working days from the date of receiving an application for adjustment of testing methods, appraise the testing process.

If necessary, the SBV shall send a written request to collect opinions from relevant ministries. Within 10 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

In cases where the application requires explanation, the SBV shall issue a written request for explanation to the applicant. Each applicant is allowed to provide explanations and supplementary documents only once. If the applicant fails to provide explanations or provide supplementary documents within 07 working days from the date on which the written request is issued, the SBV shall issue a written notice and return the application to the applicant. The time for providing explanations shall not be included in the processing time of the application.

Based on the Description of adjusted testing methods, on-site supervision, and feedbacks from relevant ministries (if any), the SBV shall decide on adjustments of testing solutions; in case of refusal, a written response shall be provided.

Article 18. End of testing period

The SBV shall, on the basis of reports on assessment results of participants in the Regulatory Sandbox and supervision process, feedbacks, and opinions of relevant ministries (if any), develop further methods for resolution after the testing period, including: terminating the testing period and revoking Certificates of Participation in the Regulatory Sandbox; extending the testing period; or issuing Certificates of Testing Completion.

Article 19. Termination of testing process and revocation of Certificates of Participation in the Regulatory Sandbox

1. The SBV shall consider for decision on termination and revocation of Certificates of Participation in the Regulatory Sandbox if:

a) The testing period specified in the Certificate of Participation expires or the extended testing period specified in Article 20 of this Decree expires and does not fall under any case of issuing Certificate of Testing Completion stipulated in Article 21 of this Decree;

b) The participant submits an application for termination of testing process made using Form No. 07 in Appendix I attached herewith to the SBV;

c) The participant which has dissolved or gone bankrupt according to regulations submits an application for termination of testing process made using Form No. 07 in Appendix I attached herewith to the SBV;

d) The participant fails to implement the testing within 90 days from the date in which the Certificate of Participation is issued, except in cases of force majeure events;

dd) There are severe risks arising during supervision and inspection processes as assessed by the relevant competent authorities, with the potential to cause significant risks, actual damages to customers or market instability in the financial sector; technical incidents that cannot be rectified, violations against relevant regulations when there are court judgments, enforcement decisions, administrative penalty decisions in effect;

e) The participant fails to rectify damages caused by violations against regulations on requirements and criteria for participating in the Regulatory Sandbox stipulated in Articles 8 and 11 of this Decree within 15 days from the date on which the SBV issues a written notice and send it to the participant.

g) The participant commits any violation against regulations on the Certificate of Participation during the testing process;

h) The peer-to-peer company fails to implement maximum debt management measures for a borrowing party in the peer-to-peer lending solution.

2. Procedures:

a) In cases stipulated in point a, clause 1 of this Article, the SBV shall decide to terminate the testing process and revoke the Certificate of Participation upon the completion of the testing period.

b) In cases stipulated in point b Clause 1 of this Article:

The participant shall submit an application for termination of testing process made using Form No. 07 in Appendix I attached herewith; a report on testing result assessment in accordance with Appendix V attached herewith; and a testing report to the SBV;

Within 30 working days , the SBV shall verify and assess the entire testing process.

If necessary, the SBV shall send a written request to collect opinions from relevant ministries. Within 10 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

In cases where the application requires explanation, the SBV shall issue a written request for explanation to the applicant. The applicant is allowed to provide explanations and supplementary documents only once. If the applicant fails to provide explanations, supplementary documents within 07 working days from the date of receiving a written request, the SBV shall issue a decision on termination of testing and revoke the Certificate of Participation.

In cases where the applicant submits explanations, supplementary documents, the SBV shall, on the basis of the supervision and opinions collected from relevant ministries, decide the termination of testing process and revoke the Certificate of Participation. The time for providing explanations or supplementary documents shall not be included in the processing time of the application.

c) In cases stipulated in point b Clause 1 of this Article:

Within 7 working days from from the date of approving the Decision on dissolution of the enterprise in accordance with Law on Enterprises or from the date of receiving the Declaration of bankruptcy made by the court in accordance with bankruptcy laws, the participant in the Regulatory Sandbox shall submit an application for the termination of testing process made using Form No. 07 in Appendix I attached hereto to the SBV.

The SBV shall, within 10 working days from the date of receiving the application for termination of testing process from the participant, decide to terminate the testing process and revoke the Certificate of Participation.

d) Within 07 working days after the cases mentioned in points d, dd, c, g, and h Clause 1 of this Article, the SBV shall send a termination notice to the participant in the Regulatory Sandbox. Within 15 working days from the date of receiving the notice from the SBV, the participant in the Regulatory Sandbox shall submit a written explanation.

In cases where the participant in the Regulatory Sandbox fails to submit a written explanation or submits an inadequate explanation, within 05 working days, the SBV shall decide to terminate the testing process and revoke the Certificate of participation.

In cases where the participant in the Regulatory Sandbox submit a written explanation, within 30 working days, the SBV shall assess the testing process. If necessary, the SBV shall send a written request to collect opinions from relevant ministries. Within 10 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

In cases where the applicant submits explanations, supplementary documents, the SBV shall, on the basis of the supervision and opinions collected from relevant ministries (if any), decide to terminate the testing process and revoke the Certificate of Participation or provide a written response to continue the testing process.

3. After receiving a decision on termination of testing process from SBV, the participant shall:

a) Immediately implement the plan to terminate the testing process;

b) Timely inform customers about the termination of testing process at least 30 days before the official termination specified in points a and b, Clause 1 of this Article, inform customers about the termination of testing process as soon as the SBV issues a decision on termination of testing process in the case of  termination specified in points c, d, dd, e, g, h, Clause 1 of this Article;

c) Stop introducing and providing Fintech solutions for new customers; publish information about the termination of testing process on its website.

d) Ensure customer rights and have a mechanism for handling complaints and compensating customers in cases where customers suffer losses due to the termination of testing process.

dd) In cases where the participant terminate the testing process of solutions specified in points a and b, Clause 2, Article 1 of this Decree, such participant shall be responsible for resolving rights and responsibilities for customers and related parties within 06 months from the date of issuance of decision on termination of testing process. Peer-to-peer lending companies which terminate the testing process of peer-to-peer lending solutions shall be responsible for resolving rights and responsibilities for customers and related parties after the issuance of decision on termination of testing process.

e) Send a written report to SBV on the results of resolving the rights and obligations of customers after terminating the testing process within 5 days from the date of completing the resolution of customers' rights and obligations.

4. The termination from participating in the Regulatory Sandbox does not mean that the participant fails to meet business and investment conditions stipulated in regulations at the time of termination. Participants are responsible for reviewing and complying with applicable regulations on business operations, investment, and other relevant laws.

Article 20. Extension of testing period

1. Participants may extend the testing period following the procedures for extending the testing period at least 90 days before the end of the testing period.

2. Procedures:

The participant submits an application for the extension of  testing period made using Form No. 09 in Appendix I attached herewith; a report on testing result assessment in accordance with Appendix V attached herewith; and a testing report to the SBV;

The SBV shall, within 45 working days from the date of receiving an application for extension for testing methods, appraise the overall testing process.

If necessary, the SBV shall send a written request to collect opinions from relevant ministries. Within 15 working days from the date of receiving a written request, the relevant ministry shall send a written response to the SBV.

In cases where the application requires explanation, the SBV shall issue a written request for explanation to the applicant. Each applicant is allowed to provide explanations and supplementary documents only once. If the applicant fails to provide explanations or supplementary documents within 07 working days from the date on which the written request is issued, the SBV shall issue a written notice and return the application to the applicant. The time for providing explanations or supplementary documents shall not be included in the processing time of the application.

Based on the report on testing results (including the utility of the solution), on-site supervision, and feedbacks from relevant ministries (if any), the SBV shall decide on extension of testing period; in case of refusal, a written response shall be provided.

3. Each testing period may be extended no more than 2 times, with each extension not exceeding 1 year.

Article 21. Certificate of Testing Completion

1. The Certificate of Testing Completion shall be issued to a participant in Regulatory Sandbox by the SBV:

a) In cases where regulations on Fintech solutions have been completed and come into forces, participants in the Regulatory Sandbox shall be issued with a Certificate of Testing Completion by the SBV and conform to regulations applicable on the date of testing completion;

b) In cases where the implementation of any Fintech solution by participants in the Regulatory Sandbox is assessed as not violating the applicable regulations and such Fintech solution is  not a conditional business activity, the participants in the Regulatory Sandbox shall be issued with a Certificate of Testing Completion by the SBV and deploy it to the market in accordance with regulations applicable on the date of testing completion.

2. Procedures:

The participant submits an application for the issuance of  Certificate of Testing Completion made using Form No. 11 in Appendix I attached herewith and a report on testing result assessment in accordance with Appendix V attached herewith to the SBV;

Within 30 working days , the SBV shall verify and assess the entire testing process. If necessary, the SBV shall send a written request to collect opinions from relevant ministries. Within 10 working days from the date of receiving a written request, each relevant ministry shall send a written response to the SBV.

Based on the report on testing results (including the utility of the solution), on-site supervision, and feedbacks from relevant ministries (if any), the SBV shall issue a Certificate of Testing Completion; in case of refusal, a written response shall be provided.

3. The Certificate of Testing Completion of Fintech solutions in the Regulatory Sandbox is only valid within the scope of this Decree and does not certify the eligibility for investment and business conditions.

Chapter IV

RESPONSIBILITIES OF RELATED PARTIES

Article 22. Responsibilities of participants

1. Take legal liability for the accuracy, truthfulness, and adequacy of the information provided in their applications for participating in the Regulatory Sandbox; take legal liability for the operation and implementation of Fintech solutions during testing period. Comply with this Decree, relevant regulations, and other contents specified in the Certificate of participation in the Regulatory Sandbox during testing period.

2. Report in accordance with this Decree and at request of competent authorities.

3. Provide accurate and adequate information to customers and other relevant organizations and individuals of the Regulatory Sandbox. Comply with laws on advertising and communication.

4. Take legal liability for providing inaccurate or inadequate information to customers, except for the case it can be proven that all measures have been taken to verify the accuracy, adequacy and truthfulness of information.

5. Proactively supervise and assess risks regularly during the testing period; regularly review to detect signs of suspected violations against laws and promptly report them to competent authorities.  Cooperate with the SBV and other competent authorities during the testing process as required.

6. Issue internal procedures and regulations, including: Procedures for implementation and decentralization, authorization, responsibilities of individuals and departments developing and implementing testing to ensure supervising and controlling responsibilities of relevant individuals and departments; Incident handling procedures; Regulations on risk management and internal controls; Regulations on information storage, customer information confidentiality, and personal information leakage prevention mechanisms; Regulations on responsibilities of participants in the Regulatory Sandbox in handling of complaints and disputes between parties related to providing Fintech solutions; Regulations on risk prevention, inspection, and supervision of information technology systems, information storage systems, insurance of safe and continuous operation, formulation of plans and solutions to timely response and address incidents.

7. Carry out responsibilities as agreed with customers and other relevant participants in the Regulatory Sandbox specified in this Decree and related laws.

8. A peer-to-peer lending company shall have additional responsibilities as follows:

a) Take measures to prevent members of the Board of Directors, Executive Board, and employees from participating as customers or guarantors for customers; committing fraudulent or forging or asset misappropriation acts;

b) Take measures to inspect, cross-check, update, and verify customer information and date; take measures to prevent counterfeiting, interference, manipulation, and distortion of information and data;

c) Provide adequate information about contracts, loans, rights, responsibilities, and legitimate interests of customers and related parties, interest rates, and relevant fees to customers before entering into any loan agreement; the provision of adequate information must be confirmed by the customer using peer-to-peer lending solution;

d)  Provide contracts between the lender and the borrower, between the peer-to-peer lending company and the customer, relevant parties complying with applicable regulations.

dd) Take measures to manage the maximum loan amount of each borrower in the peer-to-peer lending solution; extract information from the database of the National Credit Information Center of Vietnam to ensure that at the time of entering into a contract, the borrower does not violate the regulations on the maximum loan amount for a borrower in any and all peer-to-peer lending solutions testing in the Regulatory Sandbox stipulated in point e, Clause 1, Article 24 of this Decree.  In cases where the peer-to-peer lending company participating in the Regulatory Sandbox fails to fulfill these responsibilities, SBV shall consider terminating the testing process or not issuing a Certificate of testing completion for the peer-to-peer lending company.

e) Publish information about the peer-to-peer lending company on its official website. The peer-to-peer lending company must have annual financial reports audited independently and published on its official website;

g) Store documents on the establishment of the peer-to-peer lending company; internal regulations; business processes; contracts between the company, customers, and relevant parties; contracts between borrowers and lenders; data, information of customers, and  relevant parties as per laws. The information and data must be stored securely and confidentially; backed up regularly; ensuring the completeness and integrity of information and data to facilitate inspections, reconciliations, handling of complaints and disputes, and information provision upon request from competent authorities.

Article 23. Responsibilities of customers

1. Provide accurate and adequate information at the request of participants in the Regulatory Sandbox.

2. Be aware of the risks that may arise when using Fintech solutions during the testing process; take responsibility for any risks and losses that may occur during the testing process.

3. Cooperate with participants in the Regulatory Sandbox in handling the rights and responsibilities at the end of the testing process.

4. In addition to the responsibilities specified in Clauses 1, 2, and 3, customers using peer-to-peer lending solutions must also:

a) Borrowers must provide accurate and adequate information about loan purposes, commit to use the loan for legal purposes, ensuring the repayment capacity as agreed in contracts. Borrowers must ensure compliance with regulations on maximum loan amounts stipulated in Point b, Clause 1, Article 24 of this Decree in one or all peer-to-peer lending solutions in the Regulatory Sandbox. In case of violation, borrowers must take measures of debt reduction and may not borrow through the peer-to-peer lending solution in the Regulatory Sandbox until they ensure compliance with regulations on maximum loan amounts stipulated in Point b, Clause 1, Article 24 of this Decree.

b) Lenders must ensure the legitimacy of lending funds and prevent relending;

c) Take measures to ensure that the contract term between the borrower and the lender using the peer-to-peer lending solution within the Regulatory Sandbox shall not exceed 2 years.

Article 24. Implementation

1. The SBV shall

a) On the basis of accurate applications for participating in the Regulatory Sandbox, the SBV shall take charge and cooperate with relevant ministries to appraise applications; assess the compliance with the criteria and requirements specified in this Decree; and issue a Certificate of participation for each specific case.

b) Receive and handle testing solutions; terminate testing processes and revoke Certificates of Participation; extend testing periods; and  issue Certificates of Testing Completion.

c) Monitor implementation, provide guidance, and address any issues arising during testing process; issue warnings upon risk detection for participants in the Regulatory Sandbox.

d) Publish the following information on its website: the number of applications for participating in the Regulatory Sandbox for each solution which are under review and assessment; the number of participants in the Regulatory Sandbox;  information about participants in the Regulatory Sandbox including names, Fintech solutions under testing process, time, space, and scope of test; list of participants issued with Certificates of Testing Completion; list of participants having their certificates revoked.

dd) Take charge of inspection and supervision of testing process of participants in the Regulatory Sandbox;

e) Have the maximum loan amount of each borrower in one or all peer-to-peer lending solutions in the Regulatory Sandbox decided by the Governor of the State Bank.

g) Provide guidance to peer-to-peer lending companies to connect,  report, and verify customer credit information with the National Credit Information Center of Vietnam.

h) Annually consolidate and report to the Prime Minister on the results of implementing this Decree; submit recommendations or proposals for developing management policies for the next stage.

2. Ministry of Science and Technology shall

a) Provide written feedback on applications for issuing Certificates for the participation in the Regulatory Sandbox stipulated in Clause 3 of Article 10, Clause 3 of Article 13 of this Decree, assessing compliance with regulations on standards and technical regulations on electronic transactions for Fintech solutions in the Regulatory Sandbox;

b) Have other responsibilities specified in Clause 4 of this Article.

3. Ministry of Public Security shall

a) Provide written feedback on applications for issuing Certificates for the participation in the Regulatory Sandbox stipulated in Clause 3 of Article 10, Clause 3 of Article 13 of this Decree, assessing compliance with regulations on cyberinformation security, security of information systems by classification for information systems of  Fintech solutions in the Regulatory Sandbox;

b) Have other responsibilities specified in Clause 4 of this Article.

4.  Relevant ministries and authorities within their respective functions and tasks shall coordinate with the SBV in:

a) Providing written feedback on compliance with requirements and criteria for applications for participation in the Regulatory Sandbox; issuing Certificates for participation in the Regulatory Sandbox, Certificates of testing completion, decisions on adjustments of testing solutions, decisions on the termination of testing solutions, and decisions on the revocation of Certificate for participation in the Regulatory Sandbox at the request of the SBV;

b) Inspecting, managing, supervising, and providing guidance, handling of issues arising during the testing process;

c) Consolidating and assessing results of implementation; providing recommendations and proposals for appropriate policies.

Chapter V

IMPLEMENTATION CLAUSES

Article 25. Effect

This Decree shall come into forces from July 01, 2025.

Article 26. Responsibility for implementation

Ministers, heads of ministerial agencies, heads of government agencies, Presidents of People's Committees of centrally-affiliated provinces and cities, relevant organizations and individuals shall be responsible for implementing this Decree.