REGULATORY UPDATE: CONTROLLED SANDBOX MECHANISM IN THE BANKING SECTOR UNDER DECREE NO. 94/2025/ND-CP

On April 29, 2025, the Government promulgated Decree No. 94/2025/ND-CP on the Controlled Sandbox Mechanism in the Banking Sector, which will take effect from July 1, 2025.

This Decree serves as an important legal basis for institutionalizing the policy of promoting inclusive finance in conjunction with innovation, while ensuring effective risk control in the application of new financial technology (Fintech) solutions.

1. Scope of Regulation and Applicable Entities

The Decree governs the implementation of new products, services, and business models in the banking sector through the application of Fintech solutions. Three groups of Fintech solutions eligible for participation in the sandbox include:

• Credit scoring;

• Data sharing via Open Application Programming Interfaces (Open APIs);

• Peer-to-peer lending (P2P Lending).

Applicable entities include:
(i) Credit institutions and foreign bank branches;
(ii) Fintech companies;
(iii) Competent state authorities;
(iv) Customers and other relevant organizations and individuals.

2. Objectives and Principles of Implementation

The sandbox mechanism aims to:

• Enable the assessment of risks, costs, and benefits of Fintech solutions in a controlled environment;

• Promote innovation and modernization of the banking sector;

• Provide practical foundations for the formulation and improvement of legal policies.

The selection of participating entities must ensure transparency, fairness, objectivity, and openness. Participation in the sandbox does not grant official business rights until relevant governing regulations are formally issued. 

3. Duration, Scope, and Testing Environment

• Testing duration: Up to 02 years, with a maximum of 02 extensions, each not exceeding 01 year.

• Testing environment: Limited to the territory of the Socialist Republic of Vietnam.

• Testing scope: Determined by the Certificate issued by the State Bank of Vietnam (“SBV”), in accordance with the approved sandbox proposal.

Fintech companies participating in the sandbox must:

• Be legally established entities in Vietnam;

• Have a legal representative and General Director (Director) meeting professional qualifications and experience requirements;

• Possess qualified technological infrastructure and store data domestically;

• For P2P lending companies: have no foreign ownership, not provide loan guarantees, and not participate as borrowers.

Organizations applying for sandbox participation must submit an application dossier to the SBV in accordance with the Decree, including legal documents, a solution description, a testing plan, personnel profiles, and evidence of technological capacity.

The SBV shall appraise the application, coordinate with relevant ministries and agencies for opinions, and issue the Certificate of Participation in the Sandbox Mechanism within the statutory timeline, provided the dossier is valid. 

6. Supervision, Reporting, and Risk Management Mechanism

Participating organizations are required to:

• Submit quarterly reports, mid-term reports, and final reports;

• Provide ad hoc reports upon request or in the event of serious risks;

• Establish monitoring software as required by the SBV;

• Ensure customer protection, including complaint handling and compensation mechanisms.

The SBV has the authority to inspect, supervise, and require adjustments or suspension of sandbox activities in cases of violations or systemic risks.

7. Completion and Post-Sandbox Handling

Depending on implementation outcomes, organizations may:

• Be granted a Certificate of Sandbox Completion;

• Receive an extension of the testing period; or

• Be required to terminate testing and have the Certificate revoked due to violations, failure to meet conditions, or serious risk occurrences.

The Certificate of Sandbox Completion does not replace any business license and solely acknowledges the completion of testing under this Decree.

8. Responsibilities of Relevant Stakeholders

• Participating organizations: Strictly comply with the Decree, bear full legal responsibility for sandbox activities, and protect customer interests.

• Customers: Provide accurate information and fully understand the risks associated with Fintech solutions under testing.

• State Bank of Vietnam: Lead the receipt, appraisal, supervision of sandbox activities, and issuance of relevant decisions.

• Relevant ministries and agencies: Coordinate in reviewing applications, assessing risks, and proposing appropriate regulatory policies.

Decree No. 94/2025/ND-CP takes effect from July 1, 2025.