Vietnam’s banking sector is on the brink of a major technological shake-up, as sweeping new cybersecurity regulations are set to take effect on March 1, 2026. The changes, introduced under Circular 77/2025/TT-NHNN by the State Bank of Vietnam, are designed to bolster the security of mobile banking applications in an era where digital transactions have become not just widespread, but essential for daily life.
According to Tri Thức - Znews, these new rules arrive amid a sharp rise in sophisticated cybercrimes, including the use of AI-driven Deepfake technology and the exploitation of fake corporate accounts. The State Bank’s move is a direct response to the growing threat of online fraud and the urgent need to protect customer assets in Vietnam’s rapidly expanding digital economy.
So, what exactly is changing for the millions of Vietnamese who rely on their smartphones for banking? For starters, banks and payment service providers are now required to conduct security evaluations of their mobile banking app versions at least once every three months. This regular assessment, as outlined in Article 5 of Circular 77/2025, is meant to root out vulnerabilities before cybercriminals can exploit them. The aim is clear: keep one step ahead of hackers who are constantly searching for cracks in the system.
But the regulations don’t stop at periodic reviews. From March 1, 2026, customers activating a banking app on a new device—or reactivating their account—will only be allowed to use either the latest version or the most recent version that meets stringent security standards. Downgrading to older, less secure versions is strictly prohibited. According to CafeF, banks must also implement technical measures to prevent any attempts to revert to outdated app versions, closing off a common avenue for cyberattacks.
Perhaps the most striking feature of the new regulations is the way they address device security. The State Bank now mandates that mobile banking apps must automatically log out or stop functioning—and notify the user—if the app detects any signs of tampering or insecurity. These warning signs fall into three main categories: if the device has been rooted, jailbroken, or had its bootloader unlocked; if the app has been tampered with, such as through code injection or repackaging; or if the app is running in an emulated or debug environment, including when Android Debug Bridge is enabled.
This move is expected to have a significant impact on users of imported Android smartphones, particularly those brought in from China. As CafeF reports, many of these devices require users to unlock the bootloader to install international software and services, a process that will now render them incompatible with Vietnamese banking apps. For these users, the new rules could mean a sudden and inconvenient loss of access to online financial services.
But the regulations aren’t just about locking out risky devices. They also require banks to be proactive when vulnerabilities are discovered. If a security flaw is rated as high or severe, banks must immediately block transactions or take other steps to prevent criminals from exploiting the weakness. At the same time, they are required to update their apps to fix the issue as quickly as possible. This rapid response protocol is designed to prevent fraud and asset theft before they can occur—a necessary step, given the speed at which cyber threats can evolve.
The State Bank’s focus on security extends even to biometric authentication. To counter the threat of AI-powered Deepfake attacks, which can mimic a user’s face or voice, the new rules require that all biometric spoof detection systems meet the international ISO 30107 Level 2 standard or an equivalent benchmark. These systems must also be recognized by reputable organizations such as the FIDO Alliance, ensuring that only the most robust solutions are used to verify customer identities.
For the broader banking sector, these changes represent a standardization and tightening of security practices that, until now, were applied unevenly across institutions. Some major banks and e-wallet providers had already begun disabling their apps on rooted or jailbroken devices, but the new regulations will make such measures universal and enforceable across all banks and payment intermediaries.
According to Tri Thức - Znews, the timeline for implementing these measures is clear and ambitious. While the core requirements take effect in March, additional regulations governing online payments for both individual and organizational customers will be rolled out in July and October 2026, respectively. This phased approach is intended to give banks and their customers time to adapt, but the message from regulators is unmistakable: the era of lax security in mobile banking is over.
Of course, not everyone is happy about the changes. Users who favor customizing their smartphones—whether to add new features, install international firmware, or simply tinker—now face a stark choice: keep their modified devices, or retain access to essential banking services. This has sparked some frustration, especially among tech-savvy consumers who see the restrictions as heavy-handed. Yet, as the State Bank and security experts argue, the risks posed by device tampering and outdated software are simply too great to ignore in today’s digital landscape.
On the other hand, many customers and industry observers have welcomed the new rules as a necessary step in the fight against online fraud. With digital banking now a cornerstone of Vietnam’s economy, and with cybercriminals growing ever more inventive, the need for robust, standardized security measures has never been more urgent. As one observer put it, “It’s a trade-off between convenience and security—but with so much at stake, the priority has to be protecting people’s money.”
The State Bank’s regulations also reflect a broader global trend, as countries around the world grapple with the challenges of securing digital financial services. From Europe’s General Data Protection Regulation (GDPR) to the United States’ increasing scrutiny of fintech security, regulators everywhere are tightening the screws on banks and tech companies alike.
For Vietnam, the hope is that these new measures will not only shield customers from the growing menace of cybercrime, but also build public trust in digital banking as a safe, reliable way to manage money in the modern age. It’s a bold step—one that’s sure to spark debate, but that ultimately signals Vietnam’s determination to lead in both innovation and security.
The coming months will show how banks, customers, and the tech industry adapt to this new reality. One thing is certain: after March 1, 2026, the rules of the game for mobile banking in Vietnam will never be quite the same.
