Vietnam: < REGULATORY SANDBOX FOR FINTECH COMPANIES IN BANKING SECTOR > – UPDATES ACCORDING TO DECREE 94/2025/ND-CP–
We published a newsletter regarding REGULATORY SANDBOX FOR FINTECH COMPANIES IN BANKING SECTOR in Vietnam. To view PDF version, please click the following link.
< REGULATORY SANDBOX FOR FINTECH COMPANIES IN BANKING SECTOR >
– UPDATES ACCORDING TO DECREE 94/2025/ND-CP–
16th July, 2025
One Asia Lawyers Vietnam Office
I. Introduction
On 29 April 2025, the Government of Vietnam issued Decree No. 94/2025/ND-CP (“Decree 94”), formally establishing a Regulatory Sandbox for fintech solutions in the banking sector. Effective from 1 July 2025, Decree 94 provides a legal framework for credit institutions, branches of foreign banks, and fintech companies to pilot innovative financial products and services under the supervision of the State Bank of Vietnam (the “SBV”). This move reflects the government’s commitment to fostering responsible innovation, financial inclusion, and regulatory clarity in a rapidly evolving digital finance landscape.
Previously, One Asia Lawyers Vietnam published a summary of the Draft Decree on 16 September 2024. In this article, we provide a timely update on key changes introduced in the Official Decree compared to the draft version. We also highlight notable opportunities for foreign companies, particularly those seeking entry or expansion in Vietnam’s fintech market, to leverage this sandbox regime as a strategic pathway to scale operations and engage regulators proactively.
II. Updates compared to our previous article
1. Approval criteria to participate in Regulatory Sandbox (Section II in our previous newsletter)
As outlined in Section II of our previous article, the certification regime remains unchanged under Decree 94. Eligible participants include credit institutions, branches of foreign banks, and fintech companies (“Fintech Companies”) that have been granted a Certificate of Registration for Participation in the Regulatory Sandbox by the State Bank of Vietnam (SBV) (“Participating Entities”)[1] .
However, a key update in the Official Decree is the removal of the limitation on the number of Participating Entities. Previously, participation was subject to SBV’s capacity and a capped number of approvals per period. By eliminating this quota, foreign investors now benefit from greater access and flexibility, reducing the risk of being excluded due to numerical constraints. This change reflects a more open, transparent, and investor-friendly regulatory environment, allowing foreign companies to better align sandbox participation with their market entry and product rollout strategies.
2. Fintech solutions covered under the Regulatory Sandbox (Section III in our previous newsletter)
As noted in Section III of our previous article, the Official Decree confirms the same three categories of eligible fintech solutions for the Regulatory Sandbox as the Draft Decree: (i) Credit scoring; (ii) Open application programming interfaces (“Open API”); and (iii) Peer-to-peer lending (“P2P Lending”).
3. Conditions for Fintech Companies (Section III in our previous newsletter)
a) To participate in credit scoring or open API, a fintech company must meet the following conditions:
(i) Corporate requirements: It must be a legal entity established and operating in Vietnam, and must not have undergone any procedures for company division, merger, dissolution, or bankruptcy.
(ii) Legal representative and president requirements: The legal representative and president must hold a bachelor’s degree in economics, business administration, law, or information technology, and have at least two years of practical experience as a manager or executive in financial or banking operations.
b) For fintech companies to engage in P2P lending, the following conditions must be met:
(i) Corporate requirements: The company must be incorporated and conducting business in Vietnam. It must not be a company with foreign investment capital. Not subject to company division, merger, dissolution, or bankruptcy proceedings.
(ii) Legal representative and president requirements: The legal representative and president of the company must be Vietnamese nationals, have no criminal record, not be owners or officers of financial services, banking, or cybersecurity businesses, hold a bachelor’s degree in economics, management, law, or information technology, and have at least two years of practical experience as a manager or executive in financial and banking operations.
(iii) Human Resources, Facilities, and Technology Requirements: Information technology systems and information storage systems must be located within Vietnam, operated securely and continuously, and have an independent backup system separate from the main system to prevent interruptions, even in the event of technical failures. Customer and related party data and information must be updated, stored, and shared on a digital platform with high security, ensuring transparency and disclosure among participants while preventing information leakage to unauthorized parties. Information technology systems must be tested and evaluated prior to operation, and technical staff with specialized knowledge in their respective fields must ensure the safe and continuous operation of the systems.
4. Conditions for Fintech Companies to obtain the Participation Certificate (Section IV in our previous newsletter)
With the official regulations stipulated in Decree 94, the conditions for Fintech Companies to obtain a Participation Certificate have been revised to place stronger emphasis on consumer protection and risk management.
a) For credit scoring and Open API[2]
While the Draft required only one condition (i) mentioned below, the Official Decree now requires applicants to meet five cumulative criteria, including:
(i) The solution contains technical and professional contents have not been specifically and clearly guided for implementation and application by current legal regulations;
(ii) The solution is an innovative solution that brings benefits and added value to service users in Vietnam, especially solutions that support and promote the goal of financial inclusion;
(iii) The solution has risk management frameworks to mitigate impacts on the banking system and banking – monetary – foreign exchange operations; plans to handle and mitigate risks during the Regulatory Sandbox; and plans to protect consumer rights;
(iv) The solution has been inspected and assessed in terms of operations and functions, effectiveness, and usefulness.
(v) The solution is a feasible solution that can be put into the market after completing the testing process.
The other conditions for the company and the legal representative remain the same in the Official Decree.
b) For P2P Lending[3]
In the Draft Decree, P2P Lending solution shall be considered for issuance of the Certificate of Participation when meeting the conditions from (i) to (v) mentioned above. However, the Official Decree states that P2P Lending only have to meet condition (i) and the following:
(vi) The solution has measures to determine and manage the maximum loan amount for each borrower in the peer-to-peer lending solution provided by itself, report and exploit real-time information about borrowers at the National Credit Information Center of Vietnam to ensure compliance with regulations on the maximum loan amount for each borrower in the peer-to-peer lending solution provided by itself and the maximum loan amount for each borrower in all peer-to-peer lending solutions testing in the Regulatory Sandbox;
(vii) Disbursement, repayment of loans, interest, and fees for transactions of customers in peer-to-peer lending solutions shall be conducted through their payment accounts at credit institutions, branches of foreign banks, or e-wallets provided by intermediary payment service providers;
(viii) The solution has measures to ensure that the contract term between the borrower and the lender using the peer-to-peer lending solution testing in the Regulatory Sandbox shall not exceed 2 years.
The other conditions for the company, the legal representative and the requirements for personnel, infrastructure, and technology for the digital platform remain the same in the Official Decree.
5. The application dossier for Fintech Companies to participate in the Regulatory Sandbox (Section V in our previous newsletter)
With the changes introduced in Decree 94, applying to join the Regulatory Sandbox is now more structured. Organizations interested in participating are required to submit a complete application dossier that includes details about their company structure and management, official approvals from leadership, a clear description of the solution they want to test, and a plan for how it will operate during the sandbox period. They must also provide background information on key personnel, along with essential business documents such as their license, company charter, and investment certificate if applicable.
However, it’s important to note that the specific content of each component may vary depending on the type of Participating Entity (e.g., credit institution, fintech company) and the type of solution (e.g., credit scoring, Open API, P2P lending). For example, credit institutions and fintech firms applying for credit scoring or Open API may use different application forms, while the personnel documentation requirements differ between credit scoring/Open API and P2P Lending solutions.
6. Duration of the Regulatory Sandbox and other provisions
As outlined in Section VI and VII of our previous articles, the core timeline of the Regulatory Sandbox remains unchanged in the Official Decree.
The testing period is still up to 2 years, depending on the solution and sector, starting from the issuance date of the Participation Certificate by the State Bank of Vietnam (SBV)[4]. The SBV may grant up to two extensions, with each extension not exceeding 1 year[5]. After the testing period ends, the SBV will determine next steps—such as licensing, revision, or termination—based on assessment reports, supervisory findings, and feedback from relevant ministries (if applicable)[6].
Unlike the Draft Decree, the Official Decree now requires that requests for extension must be submitted at least 90 days before the end of the testing period[7]. This 90-day deadline—previously applied only to final assessment reports—now also applies to extension requests, adding an important compliance timeline for participants to observe.
III. Opportunities for foreign direct investment companies (“FDI companies”)
In addition to creating opportunities for FDI companies to engage in Fintech services, Decree 94 also opens new channels for FDI companies to access alternative funding sources. While FDI companies are not permitted to operate P2P lending platforms, they may still participate as lenders and borrowers. With Decree 94 in effect, FDI companies seeking alternate funding sources can explore the Regulatory Sandbox for P2P lending, which is supervised by the SBV. This framework helps mitigate key risks such as data privacy breaches, credit risk, and consumer protection issues, risks commonly associated with unregulated P2P lending models operating solely under the general provisions of the Civil Code 2015, which often pose disadvantages to borrowers.
To protect users during the sandbox testing period, Decree 94 sets out seven key requirements for P2P lending platform operators, including:
- Issue and provide risk management advice to customers;
- Inform customers about the use of Fintech solutions during the testing
- process including the service fees, customers’ rights and obligations
- Ensure customer information confidentiality during and after the use of testing Fintech solutions;
- Issue regulations on customer information confidentiality in storage and transmission through security, encryption, anonymization, and data masking processes;
- Formulate and ensure compliance with internal procedures and risk control measures to prevent unauthorized access or use of personal data;
- Periodically assess risks;
- Establish mechanisms and channels to handle customer complaints.
These requirements emphasize the protection of sensitive personal financial data and ensure that platforms can effectively manage data privacy risks. By being under the supervision of the SBV, the Regulatory Sandbox provides a more secure and transparent environment for P2P lending. In the long term, this initiative is expected to support inclusive finance, especially in areas where small and medium- sized enterprises, including FDI companies, have limited access to affordable financial services.
Even with the new opportunities Decree 94 offers to FDI companies, certain limitations remain that FDI companies should carefully consider:
- P2P lending companies are prohibited from acting as a lender or borrower on their own platform
- They are not allowed to provide collateral or guarantees for customer transactions;
- They are barred from offering services to pawnshop businesses;
- Cross-border lending and involvement of offshore investors or borrowers are also prohibited.
These restrictions are designed to maintain platform neutrality, minimize conflicts of interest, and reduce regulatory and financial risk exposure.
IV. Conclusion
Decree 94/2025/ND-CP offers new opportunities for FDI companies to participate in Vietnam’s Fintech sector through the Regulatory Sandbox, particularly in credit scoring and data sharing via Open APIs. While FDI companies are not permitted to operate P2P lending platforms, they may still engage as lenders and borrowers under the SBV- supervised sandbox, providing a safer and more transparent alternative to unregulated models. This framework not only enhances legal certainty and data protection but also enables FDI companies to explore innovative funding channels and contribute to inclusive finance in Vietnam.
—–
[1] Article 3.2 Decree 94/2025/ND-CP
[2] Article 8 Decree 94/2025/ND-CP
[3] Article 11 Decree 94/2025/ND-CP
[4] Article 6.1 Decree 94/2025/ND-CP
[5] Article 20.3 Decree 94/2025/ND-CP
[6] Article 18 Decree 94/2025/ND-CP
[7] Article 20.1 Decree 94/2025/ND-CP
