Safeguarding data is vital for banking’s digital future: association

Data security plays a crucial role in promoting the digital transformation of the finance and banking industry, said Nguyen Viet Hoa, head of community information at Vietnam Blockchain Union, under the Vietnam Digital Communications Association.

As the Vietnamese government advances its national digital transformation agenda, the banking industry as a whole and individual commercial banks are speeding up the digital transformation of all their operations, thereby improving their capacity to provide modern products and services and meet customer needs.

This is clearly reflected in the rise of cashless payment services. Statistics from the State Bank of Vietnam show that non-cash payments amassed around 11 billion transactions in 2023, an increase of nearly 50% year-on-year, with a total transaction value of more than VND200 quadrillion ($8.15 trillion). QR code payments alone increased by nearly 172% in volume and over 74% in value.

Cashless payment is becoming increasingly popular. Photo courtesy of Pexels.

Data security: an indispensable foundation

According to Hoa, the finance and banking sector has always been associated with the construction, management and operation of data systems – going from primitive means such as physical books and records, to core banking systems storing billions of digital records every day.

“Throughout that evolution, data security has played a key role in protecting the entire system so that it can operate safely, transparently and effectively. Organizations inside and outside the finance-banking sector have been developing a plethora of solutions to minimize vulnerabilities and the risks of suffering attacks that result in data breaches,” Hoa commented.

Hoa remarked that there are currently many international standards that Vietnamese banks can apply to improve their risk control in general and information security in particular. "However, more input from real-life situations is always needed to ensure that the actual practice is updated and effective as technology advances and transforms all the time," he stressed.

Nguyen Viet Hoa (pictured left), head of community information at Vietnam Blockchain Union, under the Vietnam Digital Communications Association, and Huy Pham, founder of RMIT Fintech-Crypto Hub. Photo courtesy of RMIT.

Data privacy: an integral counterpart

An equally important task is the implementation of data privacy. According to Huy Pham, founder of RMIT Fintech-Crypto Hub, although Decree 13/2023/ND-CP, effective from July 1, 2023, has established a legal framework for personal data protection, its implementation in the finance and banking sector will take some time to roll out.

Huy said: “To be able to fully comply with the regulations in Decree 13, financial institutions and banks need to strengthen their control over the processing and storage of personal data from the employee level up because they often interact and communicate directly with customers – possibly through their personal phones. So, serious violations of personal data protection can easily occur. For example, a customer's personal information might be transmitted from one securities company to another via their respective employees without the customer's consent.”

Concurrently, the advancement of artificial intelligence (AI), generative AI, and their applications in the finance and banking sector causes growing concerns as to whether customers' personal information could be legally used in AI training.

“Will data subjects have full control over their personal information if financial institutions and banks apply AI in their systems? If these organizations unlawfully use customer data in AI training, how can the data subjects track such activities and potentially initiate a lawsuit?” Huy asked.

The RMIT expert said that in principle, data subjects can request that organizations not use or remove their personal information when training AI models.

A notable example is OpenAI's ChatGPT tool, which was briefly banned in Italy until the company provided solutions that enabled data subjects in Italy to allow or refuse the use of their personal data in AI training.

However, unlike Google and other search engines, generative AI models such as large language models cannot easily fulfil such requests as oftentimes, they cannot retrieve or remove specific pieces of information on command. Moreover, currently popular large language models are also not transparent – they are essentially “black boxes” and users do not clearly know how the answers are formed.

“Therefore, the government and relevant authorities need to provide specific instructions and regulations on the use of personal data for AI training in the finance and banking sector. At the same time, they should encourage financial organisations and banks to use responsible and explainable AI models,” Huy concluded.

Data security solutions deployed by banks in Vietnam can be divided into five common categories.

Fraud prevention: Prevent unauthorised transactions, impersonation or identity theft via transactions on a spoofed website. Solutions to this problem include two-factor authentication, fingerprint biometrics, and 3D facial recognition.

Data risk control: Build a monitoring system to warn of unusual behaviour in data retrieval, mainly focusing on sensitive information such as personal identification, transaction history, and related financial information.

Network infrastructure security: Apply the latest standards, regularly update patches and processes related to the operation of systems for communication, data transmission, and information encryption between relevant parties in banking transactions.

Phishing attack prevention: With the development of technology, phishing attack methods are increasingly sophisticated and can involve the use of advanced technologies such as "deepfake AI." Countermeasures mainly revolve around raising awareness of suspicious signs.

Preventing loss and unlawful interference of data: Attacks such as injecting malware to steal or change information illegally can be prevented through the application of advanced encryption technology like blockchain, which disperses stored data and prevents unlawful overwriting of information, ensuring the integrity of transaction data.