VCN - The growing risk from criminals who use high technology and operate like "ghosts" threatens the digital transformation taking place in the banking sector. It is therefore necessary to invest in awareness, people and resources, and to strengthen coordination between the parties, in order to protect these achievements from criminal acts in cyberspace.
Security risks and information safety always go hand in hand in the digital transformation process of the banking industry. Photo: Huu Linh
The risk is getting higher
Major General Nguyen Van Giang, Deputy Director of the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security, said that in 2021 many cases related to crimes using technology were detected, with total losses of hundreds of billions of Vietnamese dong.
In addition, inspections detected and handled many lapses in information security and safety, and banks' documents and data were leaked, mainly information related to borrowers.
Regarding the cause, Major General Nguyen Van Giang said that while criminals are constantly improving their capabilities and using more sophisticated tricks, bank customers still lack self-protection skills in cyberspace: they are careless, are easily deceived, access fake websites and provide information to the perpetrators, leading to property damage.
In addition, some bank employees pursue targets for increasing the number of customers without complying with regulations on customer identification and money laundering. As a result, bank accounts and credit cards proliferate, are difficult to control, and risk being used for illegal activities such as money laundering and terrorist financing. The security of banks' customer information still has loopholes, and customer information is being bought and sold illegally.
In addition, coordination between the police, the State Bank and commercial banks when a case related to payment activities arises is still slow and relies mainly on administrative procedures. It has not been applied publicly, and no end-to-end process has been built that covers receiving information, processing information, blocking accounts, verifying, investigating and handling the perpetrators.
The legal provisions on anti-money laundering, on blocking payment accounts under the Criminal Procedure Code, and on exchanging and providing information still have loopholes and omissions, are inconsistent with reality, and are difficult to apply to preserve property for the victim.
“When developing these laws, we only focus on the subject who is the legal owner of the payment account, the person who commits the crime, without considering situations such as the user of the payment account made by others to commit a crime, there is an offense but the accused has not been identified, the payment account does not exist, i.e. it was opened with a false identity document, the current account holder is not the one to be accused,” said Major General Nguyen Van Giang.
Meanwhile, Phan Trong Quan, Head of the Penetration Testing and Evaluation Department at VNPT Cyber Immunity, spoke from the perspective of an enterprise that provides information security assessment, penetration testing and monitoring solutions for the banking and financial sector. He said that Circular 09/2020/TT-NHNN stipulates very clearly the requirements for ensuring information security, penetration testing and incident monitoring; however, some banks apply it only in theory. Specifically, under Circular 09 banks must periodically evaluate their systems, but some banks only conduct internal audits and use automatic scanning tools to perform the assessments. According to Quan, automatic scanning tools cannot detect all vulnerabilities related to banking operations. In addition, there are some errors, such as a new system under test being connected to real data.
Supplement regulations, strengthen preventive measures
Experts say that digital transformation and electronic payments are an inevitable trend. However, given the increased risk of crime using technology and the problems above, the coordination and prevention work of the relevant units must also change. Major General Nguyen Van Giang said that, in addition to raising awareness among officials, bank employees and customers, it is necessary to strengthen the capacity of people and resources through training. In particular, it is necessary to invest in building a network security monitoring and operations system to monitor and promptly prevent intrusions and network attacks, to deploy a system to prevent targeted attacks, and to maintain regular assessment of weaknesses and security holes in the information technology systems of banks and the financial system.
Major General Nguyen Van Giang also suggested studying, amending and supplementing legal provisions on anti-money laundering such as Decree 102/2012/ND-CP on non-cash payments, Circular 23/2014/TT-NHNN guiding the opening and use of payment accounts, and Circular 19/2016/TT-NHNN regulating bank card activities, especially the regulations on delaying transactions, blocking payment accounts and refusing card payments, so that they are easy to deploy and retain assets for the State, banks and people.
For banks, Robert Trong Tran, Deputy General Director of Cybersecurity and Technology Risk Services at Ernst & Young Vietnam Co., Ltd., recommends that meetings on the bank's digital transformation strategy include the information security department. In addition, when presenting to the Board of Directors, officers in charge of information security need to explain the bank's information security issues and the damage that vulnerabilities can cause.
“They need to thoroughly understand the banking operations and convert technical language into business language so that the board of directors can easily understand the role and influence of information security,” Robert Trong Tran said.
Regarding banks' reluctance to share information about information security incidents, Vu Quoc Khanh, Vice Chairman of the Vietnam Information Security Association, said that banks can participate in the national incident response network and implement incident reporting regulations.
"When participating in this network, banks will be assured of security and the amount of information will only be released to the necessary level, enough to warn other units to take preventive measures," Khanh said.
By Nguyen Hien/ Huu Tuc