In light of the rapid and increasingly complex development of
Vietnam's financial technology
(Fintech) sector, the need for a
structured legal Sandbox to ensure transparency, security, and
foster innovation has become more imperative than ever. Nearly four
years after the Government of Vietnam issued Resolution No.
100/NQ-CP on September 6, 2021, approving the development of a
decree on a regulatory Sandbox for Fintech operations in the
banking sector, the Government officially promulgated Decree No.
94/2025/ND-CP (Decree 94) on April 29,
2025. This decree establishes a regulatory Sandbox for Fintech
solutions and will take effect on July 1, 2025.
Decree 94 marks a significant milestone in Vietnam's Fintech
regulatory landscape by providing a controlled testing environment
for credit institutions and foreign bank branches
(Credit Institutions), and eligible
Fintech companies to pilot new business models, including
peer-to-peer lending (P2P Lending), open
application programming interfaces (Open
API), and credit scoring solutions. The sandbox
(Sandbox) is also designed to mitigate
potential risks to customers using these Fintech solutions during
testing. The outcomes of Sandbox participation will serve as a
practical basis for relevant authorities to develop, adjust, and
complete the regulatory framework where necessary.
This Legal Update outlines the key provisions of Decree 94.
1. Scope of Application
Decree 94 establishes a regulatory Sandbox for three categories of
Fintech solutions applicable to the banking sector, namely:
(i) Credit Scoring:
(a) Credit scoring refers to a technology-driven solution
implemented by Credit Institutions or Fintech companies to assess
the creditworthiness of individuals or organisations.
(b) This solution is intended to support the credit assessment and
approval processes of Credit Institutions.
(ii) Data Sharing via Open API:
(a) An Open API is a standardised set of APIs that enable two
software components to communicate with one another. These APIs may
be utilised by the computer systems of Credit Institutions, Fintech
companies, and other third parties.
(b) Such APIs are used to transmit service requests to the systems
of Credit Institutions that provide access to the Open API.
(iii) P2P Lending Solution:
(a) The P2P Lending Solution is an information technology-based
platform provided by a Fintech company (P2P Lending
Companies) to facilitate information exchange and
support the formation of lending agreements between borrowers and
lenders through a digital interface.
(b) The currency utilised in P2P Lending transactions must be
Vietnamese dong (VND).
2. Subjects and Scope of Participation in the
Sandbox
Decree 94 stipulates that Credit Institutions and Fintech companies
are eligible to participate in the regulatory Sandbox upon being
granted a Certificate of Participation in the Sandbox by the State
Bank of Vietnam (SBV).
With respect to the scope of participation in the Sandbox
framework for each type of eligible entity:
(i) Credit Institutions may only participate in Credit Scoring and
Open API, and are not permitted to engage in P2P Lending
Solutions.
(ii) Fintech companies are permitted to participate in all three
Fintech solutions. Under Decree 94, a Fintech company is defined as
an organisation other than a Credit Institution, which is lawfully
established or registered to operate in the territory of Vietnam. A
Fintech company may provide Fintech solutions independently or in
cooperation with Credit Institutions to offer such solutions to the
market.
3. Duration, Geographical Limits, and Scope of the
Sandbox
(i) Duration of the Sandbox: Fintech solutions may
be licensed and tested within the Sandbox for a maximum period of
two years, depending on the nature of the solution and its
respective sector, commencing from the date on which the
Certificate of Participation in the Sandbox (Certificate) is issued
by the SBV. Participating entities may apply for up to two
extensions, with each extension not exceeding one additional
year.
(ii) Geographical limits of the Sandbox: The
implementation of the Sandbox for Fintech solutions is restricted
within the territory of Vietnam and shall not be conducted on a
cross-border basis.
(iii) Scope of the Sandbox: Entities
participating in the Sandbox may only provide Fintech solutions
within the scope expressly specified in their respective granted
Certificates.
4. Conditions for Participation in the
Sandbox
4.1. General Conditions
Entities participating in the Sandbox are required to maintain full
compliance with all applicable conditions throughout the Sandbox
period. Specifically:
(i) For Credit Institutions: Credit
Institutions not subject to special control (i.e., those not placed
under the direct supervision of the SBV) may be considered for the
issuance of a Certificate of Participation in the Sandbox if the
proposed Fintech solution satisfies the following criteria:
(a) The solution features technical and operational elements that
are not yet specifically governed under the existing legal
framework;
(b) The solution demonstrates innovation and delivers tangible
value to users, particularly in advancing financial inclusion in
Vietnam;
(c) The solution includes a risk management framework, mitigation
plans for risks arising during the Sandbox, and mechanisms for
consumer protection;
(d) The solution has undergone comprehensive assessment with
respect to its functions, features, and practical utility;
and
(e) The solution is commercially viable and capable of market
rollout upon completion of the Sandbox.
(ii) For Fintech companies: A Fintech company
may be considered for participation in the Sandbox where its
proposed solution meets the criteria above, and the company fulfils
the following conditions:
(a) It must be a legal entity duly established and lawfully
operating in the territory of Vietnam;
(b) It must not be undergoing dissolution, bankruptcy, division,
separation, merger, or conversion; and
(c) The legal representative, the General Director/Director must
satisfy the following conditions: (I) hold a university degree or
higher in economics, business administration, law, or information
technology; (II) possess at least two years of managerial or
executive experience in the finance or banking sector; and (III)
not fall under any statutory prohibitions applicable to management
positions.
4.2. Additional Conditions for Providers of P2P Lending
Solution
In addition to the general eligibility requirements outlined above,
Fintech entities intending to operate a P2P Lending Solution within
the Sandbox must comply with the following conditions at the time
of registration and throughout the Sandbox period:
(i) The enterprise must be legally incorporated and operating
within Vietnam, and must not be a foreign-invested enterprise.
While the Law on Investment 2020 no longer uses the concept of
"foreign-invested enterprise", this law defines
"foreign-invested economic organisation" as an economic
organisation in which foreign investors hold equity or are
members/shareholders.
(ii) The legal representative, the General Director/Director
must satisfy the following requirements:
(a) be Vietnamese citizens with no criminal record and no history
of administrative sanctions in finance, banking, or cybersecurity;
and
(b) not concurrently serving as owners or managers of any other
entity providing financial services, banking services, pawn
services, intermediary payment services, multi-level marketing
businesses, or informal lending collectives (referred to in
Vietnamese as "hụi, họ, biêu,
phường").
5. Procedure for Issuance of the Certificate of
Participation in the Sandbox
(i) Eligible entities seeking to participate in the Sandbox must
register with the SBV to obtain a Certificate by submitting an
application dossier in accordance with the requirements set out in
Decree 94. The SBV shall coordinate with relevant ministries to
conduct an appraisal of the application, which may include on-site
inspection.
(ii) Licensed participants are only permitted to provide Fintech
solutions strictly within the scope approved under their respective
Certificates.
(iii) Each Certificate shall be valid for a period of up to two
years. Participants may apply for an extension no later than 90
days prior to the expiry date, subject to a maximum of two
extensions, with each extension not exceeding one year.
(iv) The SBV may terminate the Sandbox participation and revoke
the granted Certificate in certain circumstances, including,
without limitation, to:
(a) Within 90 days from the date of issuance of the Certificate, a
licensed participant fails to commence Sandbox activities, unless
delayed due to force majeure.
(b) Severe risks are identified during supervision and inspection,
assessed by relevant authorities as posing significant threats to
customers or financial stability, along with unresolvable technical
failures or legal violations subject to enforceable judgments or
administrative penalties.
(v) Upon the issuance and entry into force of formal legal
provisions governing the relevant Fintech solution, or where the
SBV determines that the Fintech solution is not a conditional
business line, the SBV may issue a Certificate of Completion of the
Sandbox, thereby allowing the Participant to officially roll out
the solution in accordance with the prevailing legal framework at
the time of completion.
6. Obligations of Organisations Participating in the
Sandbox
6.1. General Obligations
Organisations participating in the Fintech Sandbox shall assume the
following key legal responsibilities:
(i) Comprehensive legal liability: Be fully
liable under the law for the accuracy, completeness, and veracity
of the application dossier; be responsible for all operational
activities and the implementation of the Sandbox programme. Full
compliance with Decree 94, other applicable laws, and the terms of
the Certificate of Participation in the Sandbox is required.
(ii) Reporting obligations: Submit both
periodic and ad hoc reports as required by relevant State
authorities.
(iii) Information transparency: Provide clear,
accurate, and complete information to customers and relevant
stakeholders; comply with applicable regulations on advertising and
public communications.
(iv) Liability for misinformation: Be held
accountable for the provision of false or incomplete information,
except where it can be demonstrated that all legally prescribed
verification measures were duly applied.
(v) Supervision and cooperation: Conduct
regular self-monitoring and risk assessments; promptly detect and
report any signs of legal non-compliance; cooperate closely with
the State Bank of Vietnam and other relevant authorities during the
Sandbox period.
(vi) Issuance of internal regulations: Develop
and implement comprehensive internal policies and procedures
covering operational management, internal control, incident
response, data security, and dispute resolution, to ensure
operational integrity, transparency, and resilience throughout the
Sandbox participation.
(vii) Performance of contractual obligations:
Fulfil all obligations arising under agreements with customers and
other relevant organisations and individuals, in accordance with
applicable law.
6.2. Additional Obligations of P2P Lending
Companies
In addition to the general obligations set out in Section 6.1
above, P2P Lending Companies must comply with the following
specific requirements:
(i) Prevention of conflicts of interest and internal
fraud: Implement appropriate measures to prohibit members
of the Board of Management, executive management, or employees from
engaging in lending transactions or providing loan guarantees;
concurrently, ensure internal controls are in place to prevent
fraud or misappropriation of customer assets.
(ii) Customer data verification and protection:
Apply procedures to authenticate, update, and reconcile customer
data; and implement safeguards to prevent forgery or unauthorised
alteration of customer information.
(iii) Pre-contractual disclosure obligations:
Provide customers with full and transparent information regarding
loan terms, agreements, interest rates, applicable fees, and
respective rights and obligations of the parties, and obtain
customer confirmation prior to contract execution.
(iv) Contractual compliance: Ensure that all
contractual arrangements between lenders, borrowers, the P2P
Lending Company, and any relevant third parties are consistent with
the prevailing laws of Vietnam.
(v) Management of borrower credit limits:
Establish and apply borrowing limits for individual borrowers,
utilising credit data obtained from the Vietnam National Credit
Information Centre (CIC) to ensure compliance with maximum
thresholds as prescribed. Breach of this obligation may result in
termination of Sandbox participation or non-issuance of the
Certificate of Completion.
(vi) Transparent disclosure obligations:
Publicly disclose the company's essential corporate information
on its official website. Annual financial statements must be
independently audited and published in accordance with applicable
regulations.
(vii) Data retention and security: Maintain
complete and accurate records, contracts, and customer data in
compliance with Vietnamese law, and ensure data security, system
backup, and availability of such information to relevant
authorities upon request.
Observation & Conclusion
The promulgation of Decree 94 marks a significant turning point in
the Government's Fintech regulatory policy, clearly reflecting
its orientation toward fostering innovation within a controlled
legal framework. Nevertheless, several issues remain with respect
to Decree 94, including:
- Limited scope of the Sandbox: The Sandbox currently applies to only three solutions within the banking sector, while other prominent Fintech areas, such as blockchain technology and digital banking, are still under governmental discussion.
- Need for more cross-sectoral integration: The Sandbox mechanism is presently limited to banking services, omitting other sectors where Fintech is also being actively applied, such as securities and insurance.
- Unclear eligibility criteria: The conditions for participating in the Sandbox remain largely qualitative, with general references to "innovation" or "positive impact," but without clear guidance for consistent assessment or implementation.
Notwithstanding, Decree 94 is still expected to lay the groundwork for the sustainable development of the Fintech sector in Vietnam. In the meantime, Fintech companies should proactively invest in technological capabilities, governance, and compliance readiness to fully leverage Sandbox opportunities and prepare for eventual entry into the official market.
Click here to download: Legal Update (EN) - Regulatory Sandbox for Fintech Solutions - June 2025.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
