Regulations on applying multi-factor authentication in digital payment

According to Department of Payment of the State Bank of Vietnam, in the first quarter of 2019, online payment of Interbank systems processed 37 million transactions valued at 21 quadrillion VND which represents an increase in transactions from Q1 2018 by 23% and in the value of transactions by 17%. According to a PwC consumer survey in 2018 of 27 countries and territories, Vietnam is the fastest-growing market for mobile payments. The growth of online payments in Vietnam is accompanied by a corresponding rise in data security risks, as observed globally too. Payments data are particularly sensitive and data security must be prioritized for account data, personal information, and transaction data. To do so, multi-factor authentication must be applied to ensure access by only authenticated users to increase the level of security of e-wallet accounts, banking accounts,...

Developed economies have issued many standards and regulations to recommend and enforce the use of multi-factor authentication by banks and financial institutions to minimize the cybersecurity risks at login.

In the European Union, Directive (EU) 215/2366 of the European Parliament and of the Council of 25 November 2015, requires Member States to ensure that a payment service provider applies strong customer authentication where payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

In Asia Pacific, specifically in Singapore, the Technology Risk Management Guidelines issued by the Monetary Authority of Singapore in 2013 requires financial institutions should implement two-factor authentication at login for all types of online financial systems and transaction-signing. Financial institutions are to secure the customer authentication process and to protect the integrity of customer account data and transaction details as well as enhance confidence in online systems by combating cyber-attacks targeted at financial institutions and their customers. The Technology Risk Management Guidelines in 2019 further builds on that by requiring multi-factor authentication to be deployed at login for online financial services to secure the customer authentication process. In Hong Kong, the Securities and Futures Commission issued Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading on October 27, 2017 which requires a licensed or registered person to implement two-factor authentication for login to clients' internet trading accounts.

In Vietnam, according to Decision No. 630/QD-NHNN promulgation of the plan for application of security measures to online payment and card payment, taking effect from January 01, 2019: online payment transactions valued above VND 5,000,000 must be authenticated by two-factor authentication. Based on regulatory trends in developed countries and across the world, two-factor authentication will increasingly be required.

It can be observed that in developed countries, multi-factor authentication is required to be applied to the login stage of an internet banking app or to make online payments through an e-commerce account, while in Vietnam, this secured login requirement is only required for the payment stage for transactions type B onwards (above VND 5,000,000). However, Vietnam is making an effort to develop regulations to shape a payment system that is smart, convenient and suitable and supports financial industry digitization and protects the information and property of the user and the payment provider.

The leading banks in the world have applied multi-factor authentication to increase the security of data and boost customers’ confidence and trust in them. In Vietnam, a number of banks have taken the lead to create security programs with multi-factor authentication to comply with Decision No. 630/QD-NHNN, e.g. Techcombank and MB Bank.

In short, based on the regulations on authentication in Vietnam and globally, we can expect banking and payments security to grow in importance, in particular, login authentication. We recommend banks and financial institutions that have not adopted suitable authentication security solutions to consider planning for and implementing secured two-factor authentication before it’s too late.

References:

1. Directive (EU) 215/2366 of the European Parliament and of the Council of 25 November 2015
2. Technology Risk Management Guidelines of the Monetary Authority of Singapore
3. Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading
4. Decision No. 630/QD-NHNN promulgation of the plan for application of security measures to online payment and card payment