From the beginning of March 2026, digital banking applications will have to automatically exit or stop operating when they detect signs of fraud, illegal intervention or information security risks. This is a new requirement in Circular No. 77/2025/TT-NHNN of the State Bank of Vietnam, which amends and supplements Circular No. 50/2024/TT-NHNN on safety and security in providing online services in the banking industry.
Tighter control of installed Mobile Banking application versions
A noteworthy point in Article 5 of Circular 77/2025 is the requirement to strictly control the installed versions of the Mobile Banking application. Under the regulation, service providers must assess, periodically and at least once every 3 months, the safety and security of the software versions that customers have installed and are using. The assessment aims to identify security vulnerabilities and the possibility of tampering by cybercriminals.
When customers activate the Mobile Banking application on a new device or reactivate it, service providers are only allowed to install and use the latest or most recent version to fully meet safety and security requirements. At the same time, providers must have technical solutions to prevent downgrading to older versions, which would pose a risk of vulnerabilities being exploited.
When a security vulnerability assessed as high or serious is detected, credit institutions must apply control measures, not allow transactions to be carried out, or apply the necessary measures to prevent the vulnerability from being abused to attack the network, carry out fraudulent transactions, or misappropriate assets. Remediation, handling, and updating to new versions must be implemented immediately, within the prescribed time limit.
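One way a server could enforce the version rules described above, as an added example that is not taken from the Circular or from any bank's code. The names `parse_version` and `VersionGate`, the reason strings, the sample version numbers, and the reading of "latest" as exactly the newest release are assumptions.

```python
def parse_version(text):
    """Parse '5.12' or '5.12.0' into (5, 12, 0) so versions compare numerically."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


class VersionGate:
    """Server-side check run on activation and before each transaction.

    Assumption: the reported version reaches the server through a channel the
    bank already trusts (the client's own claim is not proof on its own).
    """

    def __init__(self, latest, blocked=()):
        self.latest = parse_version(latest)
        # Versions assessed as having a high or serious vulnerability.
        self.blocked = {parse_version(b) for b in blocked}
        # device_id -> highest version that device has been seen running.
        self.high_water = {}

    def check(self, device_id, version, action):
        """Return (allowed, reason); action is 'activate' or 'transact'."""
        try:
            v = parse_version(version)
        except ValueError:
            return False, "malformed_version"
        if v > self.latest:
            return False, "unknown_version"      # never released by the bank
        if v in self.blocked:
            return False, "vulnerable_version"   # no transactions until updated
        if v < self.high_water.get(device_id, v):
            return False, "downgrade"            # older than this device ran before
        if action == "activate" and v != self.latest:
            return False, "activation_requires_latest"
        self.high_water[device_id] = v
        return True, "ok"


if __name__ == "__main__":
    gate = VersionGate("5.12.0", blocked=["5.10.0"])   # constructed sample values
    for call in [("dev-A", "5.11.0", "activate"), ("dev-A", "5.12", "activate"),
                 ("dev-A", "5.11.0", "transact"), ("dev-C", "5.10.0", "transact")]:
        print(call, "->", gate.check(*call))
```

Versions are compared as integer tuples because a plain string comparison would rank "5.9.10" above "5.11.0" and let that downgrade through.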
Applications must automatically stop when illegal interference is detected
Circular 77/2025 also clearly stipulates the implementation of technical solutions to prevent, combat and detect illegal interference in the Mobile Banking application installed on customers' mobile devices.
Accordingly, the Mobile Banking application is required to automatically exit or stop operating, and clearly notify customers of the reason if one of three serious risk signs is detected.
First, the application detects that a debugger is attached or that it is in an environment where a debugger is operating; that it is running in a simulated environment, a virtual machine, or a simulated device; or that it is operating in a mode that allows a computer to communicate directly with the Android device through the Android Debug Bridge.
Second, external code is embedded in the application software at runtime, with behaviors such as monitoring executed functions or recording logs of data transmitted through functions and APIs; or the application has been interfered with and repackaged.
Third, the customer's device has had its security system unlocked, such as root on Android or jailbreak on iOS, or has had its protection mechanism unlocked (bootloader unlock).