Vietnam Fintech Regulations: What Foreign Companies Should Know

The two principal regulators of Vietnamese fintech are the State Bank of Vietnam (SBV), with authority over banking, payments, and credit activities, and the Ministry of Finance (MOF), with authority over securities, insurance, and certain capital-markets activities. The Ministry of Information and Communications (MIC) regulates the underlying digital infrastructure and personal-data protection, with overlapping authority over fintech that handles personal data.

Two structural features matter. First, Vietnamese financial-services regulation is licence-based, not activity-based: a company is authorised to do a specific list of regulated activities under a specific licence, and other activities are not authorised regardless of how the company describes them. The implication is that fintech business models that span multiple regulated activities (payments + lending + investment products) typically require multiple licences, often held by separate entities.

Second, the regulatory pipeline matters. Vietnamese fintech regulation has been actively updated since 2020 with new decrees on payment intermediaries, e-wallets, peer-to-peer lending, crypto-related activities, and data protection. Several legislative developments are pending in 2026, including a long-awaited fintech-specific decree consolidating sandbox arrangements and clarifying treatment of digital-only banks. Companies entering the market should plan for regulatory change rather than assume the current state is fixed.

Payment intermediary services — broadly, services that facilitate payment between a payer and payee without the intermediary holding a banking licence — are governed primarily by Decree 101/2012/ND-CP and Decree 80/2016/ND-CP, with subsequent amendments and SBV circulars. The decrees identify several payment-intermediary categories, of which the commercially significant are payment gateway services, electronic payment-support services, and e-wallet services.

An e-wallet licence is the most commonly sought fintech licence in Vietnam. Licensing requires a Vietnamese-incorporated entity (a foreign-invested LLC or JSC) with minimum charter capital of VND 50 billion (approximately USD 2 million) fully contributed, qualified key personnel (with specified financial-services experience), an approved technology system that meets SBV's information-security standards, and a partnership with a licensed Vietnamese commercial bank for the underlying settlement and customer-fund safekeeping.

Operational rules for e-wallets are restrictive. Customer balances are capped (currently VND 100 million per individual e-wallet for general use), monthly transaction volumes are capped, and customer funds must be held in a segregated account at the partner bank — not on the wallet operator's balance sheet. KYC requirements have tightened progressively, with full identity verification (eKYC) now standard for all but the smallest accounts.

The licensing process takes 6-9 months from a complete application; the build-up to a complete application (entity establishment, charter capital contribution, technology readiness, partner-bank arrangement, key-personnel appointments) typically takes another 6-9 months. Foreign fintechs entering by acquisition of a licensed e-wallet are common, in part because the alternative is an 18-month timeline to operations.

Lending in Vietnam is a regulated activity that requires either a full banking licence or a consumer-finance company licence. The two pathways have very different capital, governance, and operational implications.

A full commercial-banking licence allows full-spectrum lending and deposit-taking but requires charter capital of VND 3,000 billion (approximately USD 120 million), extensive governance and risk-management infrastructure, and SBV approval that has historically been granted to foreign applicants only sparingly. Foreign-bank subsidiaries and branches are an option, with their own capital and operational requirements. The full-banking path is realistic only for institutional players with regional or global banking pedigree.

The consumer-finance company licence is the more common path for foreign lenders. It allows lending to individuals (consumer loans, vehicle finance, point-of-sale finance) but does not allow deposit-taking. Charter capital is VND 500 billion (approximately USD 20 million), and governance requirements are lighter than for a full bank. Several major foreign lenders operate through consumer-finance company licences, often acquired or established in joint venture with Vietnamese partners.

Peer-to-peer (P2P) lending sits in a regulatory grey zone in Vietnam. SBV has indicated repeatedly that P2P lending without a licence is not authorised, but the specific licensing regime has been pending for several years. The regulatory direction in 2024-2025 has been toward including P2P platforms in a sandbox programme rather than authorising them as a standalone licensed category. Foreign P2P platforms have generally either operated through a Vietnamese licensed-lender partner, paused operations, or restructured into pure technology-services providers.

Vietnamese personal-data protection and data-localisation rules underwent the most significant change in years with the Personal Data Protection Decree (Decree 13/2023, with major implementing developments through 2024-2025) and the implementing framework that came into full effect in 2025. The decree applies to any organisation processing personal data of Vietnamese individuals, regardless of where the organisation is established.

The principal obligations are: lawful basis for processing (consent, contract, legal obligation, vital interest, public interest, legitimate interest); registration of personal-data-processing activities with the Ministry of Public Security for sensitive processing; impact assessments for high-risk processing; data-subject rights including access, correction, deletion, and objection; appointment of a personal-data-protection officer for organisations processing data at scale; and notification of breaches within statutory timeframes.

Cross-border transfer of personal data is permitted but requires either consent of the data subject, contractual safeguards, or an approved cross-border transfer impact assessment registered with the regulator. In addition, the Cybersecurity Law 2018 imposes specific data-storage requirements: certain categories of data — particularly data on Vietnamese users of major online platforms — must be stored on servers within Vietnam, with conditions varying by sector and platform type. Implementing decrees and sub-regulations have refined these requirements through 2024-2025.

For fintech specifically, the practical implication is that customer-data architecture must be designed for Vietnamese residency from the outset. Foreign fintech entrants commonly assume a regional cloud architecture (often Singapore-hosted) is sufficient — for activities involving Vietnamese-user personal and financial data, that assumption is increasingly wrong. I conduct a data-architecture review as part of every fintech market-entry engagement.

Foreign-ownership caps in Vietnamese financial services are among the strictest in the regulated economy. The headline numbers: foreign ownership in Vietnamese commercial banks is capped at 30% in aggregate (with strategic-investor allocations available within the cap); foreign ownership in securities companies is generally capped at 49% with full foreign ownership available in certain categories; foreign ownership in insurance companies is generally permitted up to 100%.

For fintech-specific licences (e-wallet, payment intermediary, consumer finance), the position has been less clear historically. SBV practice has generally permitted full foreign ownership of payment intermediaries and consumer-finance companies, but there have been periodic indications that caps may be imposed on payment-intermediary entities at 49% — discussions that have not crystallised into rules but bear watching.

The practical implication for foreign fintech entrants is that ownership-structure assumptions must be tested at the licensing stage rather than assumed from foreign-investment-law general rules. I provide a foreign-ownership memorandum as part of every fintech market-entry engagement, covering both the headline cap and any sub-sectoral conditions that may apply.

Vietnam has been working toward a comprehensive fintech sandbox programme for several years, with the SBV publishing draft frameworks at various points and individual sectoral sandbox arrangements operating in payments and credit-scoring. As of early 2026, a consolidated sandbox decree is pending but not enacted; sector-specific sandbox arrangements remain the operational reality.

The current sandbox arrangements are most useful for fintech models that do not fit cleanly into existing licensing categories — credit-scoring services, supply-chain finance platforms, certain e-KYC providers, and selected blockchain-based applications. Acceptance into a sandbox typically requires demonstration of innovation, consumer-protection mechanisms, and exit-from-sandbox commitments.

Foreign fintechs should treat sandbox participation as a commercial bridge, not a destination. The sandbox provides regulatory cover for testing and limited deployment but does not substitute for full licensing once the model proves out. Companies that build operations around sandbox status without a clear pathway to full licensing tend to face awkward conversations with the regulator at sandbox renewal.

Anti-money-laundering and counter-financing-of-terrorism obligations apply to all Vietnamese financial institutions and licensed payment intermediaries, governed by the Law on Anti-Money Laundering 2022 (replacing the 2012 law) and implementing decrees. The framework is broadly aligned with FATF standards, with progressive tightening since 2022.

The principal obligations are: customer due diligence (CDD) on onboarding, with enhanced due diligence for high-risk customers including politically exposed persons and customers from high-risk jurisdictions; transaction monitoring with thresholds and red-flag indicators specified by SBV; suspicious-transaction reporting to the SBV's Anti-Money Laundering Department; record-keeping for a minimum of five years; and appointment of a designated AML compliance officer reporting to a board-level governance function.

For fintechs, two operational issues recur. First, eKYC implementations must satisfy CDD requirements that were originally designed for in-person onboarding; the 2023-2024 SBV circulars on eKYC clarified the acceptable architecture but enforcement is still evolving. Second, transaction-monitoring systems must be calibrated to Vietnamese-specific red flags (cross-border patterns, certain merchant categories, unusual account behaviours) rather than imported wholesale from foreign systems. AML programme design is one of the items I review most frequently for foreign fintech clients establishing in Vietnam.