Virtual Bank by Fintech Firms – Global Trending, Challenges, Solutions and Experience of Regulating Virtual Banks in Vietnam

Virtual bank by FinTech firms – Global trending, challenges, solutions and experience of regulating virtual banks in Vietnam

TILBURG LAW SCHOOL – MASTER THESIS

INTERNATIONAL BUSINESS LAW (LL.M.)

ACADEMIC YEAR: 2019-2020

Author: Trung Viet Nguyen

SNR: 2046799

Supervisor: PhD. Jamelia Anderson

Second Reader: Prof. Joseph McCahery

June 24, 2020 TILBURG UNIVERSITY The Netherlands Abstract The revolution of innovative digital technology has been changing the way the financial system operates. It is blurring the boundary between physical and digital activities, between the financial institutions and non-financial firms. The technology advancement has an impact on the development of banking systems with the appearance of various innovative banking products and services and the distribution of banking service on financial technology (FinTech) platform. FinTech companies, with the advantage of technology, are currently trying to compete with banks by starting to launch their virtual banks to provide banking products and services to customers. More virtual banks have been licensed in recent years around the world, which benefits not only the banking services providers but also the customers and the market. However, the virtual bank has its drawbacks, such as the cybersecurity and the data privacy protection risks, and how governments can regulate the establishment and the operation of virtual banks. In the Vietnam financial sector, this problem is exacerbated as 70% of the population is unbanked, while the rate of using cash in daily transactions is high. The author concludes that although the Vietnamese government issued some legislation to control the risk of cybersecurity and data privacy, these regulations have not formed a comprehensive legal framework to cover these issues, which may be difficult for FinTech and virtual banks to operate in Vietnam. For the establishment of virtual banks, there are four (4) approaches which can be considered to improve the legal framework in Vietnam when regulating virtual banks, consisting of: (1) the do nothing approach, (2) the specific regulatory approach, (3) the experimentation approach and (4) the case-by-case approach. Each of them has its benefits and drawbacks. For the case of Vietnam, the author concludes that the most applicable approach is the combination of the case-by-case approach, experimentation approach and specific regulatory approach. It is because applying each approach separately in Vietnam will cause several issues, such as the imbalance between regulations applying to virtual banks and traditional banks, or extended timing for the issuance of specific regulations. The objective of this paper is to discuss the global trends and regulations in the most competitive markets and make comparison and connection to the practice and regulations in Vietnam.

Table of Contents

Abstract ...... 1

INTRODUCTION ...... 4

A. Background ...... 4 B. Problem Statement ...... 6 C. Research Questions ...... 7 D. Research Aims & Objectives ...... 8 E. Research Methodology ...... 8 Chapter 1 – Virtual bank and its development trending ...... 10

1.1. Virtual banks ...... 10 1.1.1. What is virtual bank? ...... 10 1.1.2. Difference between Virtual bank and Online banking ...... 11 1.1.3. Benefits of Virtual banks ...... 12 1.2. Development of Virtual Banks in the World ...... 15 1.2.1. General Development ...... 15 1.2.2. Europe...... 17 1.2.3. The United States ...... 18 1.2.4. Asia Pacific (APAC) ...... 19 1.3. Development trend in Vietnam ...... 22 1.3.1. Overview of Virtual banks market ...... 22 1.3.2. No pure virtual bank in Vietnam ...... 24 Chapter Conclusion ...... 24 Chapter 2 – Challenges for Establishment and Operation of Virtual Banks ...... 26

2.1. Cybersecurity Risk and Data Privacy Protection ...... 27 2.1.1. Which customer data to be collected ...... 27 2.1.2. How customer data to be collected and stored ...... 28 2.1.3. Customers concerns about data collection and storage ...... 29 2.1.4. Why do cybercriminals choose to attack the banking sector? ...... 30 2.1.5. How do fraudsters have chances to conduct cybercrime? ...... 31 2.1.6. Challenges in Vietnam’s market ...... 32 2.2. Regulatory Issue ...... 33 2.2.1. Global regulatory trends and difficulty ...... 34

2.2.2. The regulatory issue in Vietnam regarding the operation of virtual banks ...... 36 2.2.3. Regulatory requirements for setting up traditional banks in Vietnam ...... 37 2.2.4. Will the same requirements apply to virtual banks? ...... 40 2.2.5. Market access of foreign FinTech ...... 41 Chapter Conclusion ...... 42 Chapter 3 – Solutions for Challenges: Stories from the world and lessons for Vietnam ...... 44

3.1. Solutions for Cybersecurity and Data Privacy Protection ...... 45 3.1.1. Review of regulations on data privacy in the EU, China and brief on several other countries 45 3.1.2. Review of the Cyber security regulation in EU, China and Singapore ...... 47 3.1.3. What Vietnamese Government can do ...... 49 3.2. Solutions for Issue on Establishment of Virtual Banks ...... 52 3.2.1. Specific regulations ...... 52 3.2.2. Regulatory Sandboxes...... 55 3.3. The most appropriate approach to regulate virtual banks in Vietnam ...... 59 3.4. RegTech – Solutions of Future ...... 60 3.4.1. What is RegTech and its advantages ...... 60 3.4.2. Application of RegTech ...... 61 3.4.3. Potential of applying RegTech in Vietnam ...... 62 Chapter Conclusion ...... 63 CONCLUSIONS ...... 65

BIBLIOGRAPHY ...... 67

Regulations ...... 67 Books, Papers, Articles and Reports ...... 68 Internet Sources ...... 69

INTRODUCTION A. Background “Mastering the Fourth Industrial Revolution” was the theme of the annual World Economic Meeting held in Davos-Klosters in 2016. Currently, the Fourth Industrial Revolution has been occurring actively in developed countries such as the United States, European countries and partly Asia. The Fourth Industrial Revolution is described as the appearance of new technologies which are combined by knowledge of physic, digital, biology, and they have an impact in all sectors, industries and economics.1 Notably, the development of digital technology has been eroding the boundary between the physical and the digital activities and leads human to a change and open up a new era – digital era. In this era, human activities will be supported by digital. Each organization or corporation will need a digital platform, which is appropriate to its business model, to provide its products and services to customers. Banking was a sector which was difficult to change its tradition. However, given that the banking system is a part of the economy and an interconnected sector with high-level technology application, this system will be strongly affected and forced to change.2 In this new era, with the motivation of the development of new digital technology, many traditional banking activities may face a risk of being replaced by digital banking services. The revolution of technology has an impact on the development of banking systems with the appearance of various innovative banking products and services and the distribution of banking service on financial technology (FinTech) platform.3 Given this fact, the banking sector was one of the leading industries applying scientific and technological development in its management and business. That creates a solid background and competitive advantages for the banking sector in the development of the digital economy. Nevertheless, there are certain risks in relation to new technology such as blockchain, big data and Artificial Intelligence (AI). Institutions in the banking sector need to change their governance model, organizational structure and products as well as prepare to face the risk management arisen from cybersecurity and customers’ data privacy protection.4 In that context, banks and banking activities need to change to continue their existence.5 The technology has changed the demand of using services of customers from the traditional way to digital channels via smartphone or laptop instead of going the branches of banks to conduct a series of a complicated procedure.6

1 Ngành Ngân hàng với những thách thức CMCN 4.0 (in English: Banking Industry Facing Challenges arising from the Fourth Industrial Revolution), PhD. Nghiem Xuan Thanh, 27 August 2019, available at http://tapchinganhang.com.vn/nganh-ngan-hang-voi-nhung-thach-thuc-cmcn-4-0.htm 2 Ibid. 3 Fintech - cơ hội và thách thức đối với sự phát triển của hệ thống tài chính, ngân hàng (in English: Fintech – Chances and Challenges to the Development of Banking and Finance System), 18 September 2019, available at http://tapchinganhang.com.vn/fintech-co-hoi-va-thach-thuc-doi-voi-su-phat-trien-cua-he-thong-tai-chinh- ngan-hang.htm 4 PhD. Nghiem Xuan Thanh (n 1) 5 Trụ cột kiến trúc phát triển hoạt động ngân hàng số (in English: Pillars for development of digital banking activities), 20 December 2019, available at http://tapchinganhang.com.vn/tru-cot-kien-truc-phat-trien-hoat- dong-ngan-hang-so.htm 6 (n 3)

Fintech companies, with the advantage of technology, are currently trying to cooperate with banks in developing and distributing Fintech services to customers. They are even trying to compete with banks by starting to launch virtual bank (or, in many cases, interchangeably used “digital-only banks”) to provide banking products and services to customers. Jack Ma, the founder of Alibaba, said: “If banks don’t change, we will change the bank”. We are currently seeing the competition between Fintech companies and traditional banks through the provided products and services, especially through the emergence of the digital-only bank. With no bricks-and-mortar branches, no time-consuming for waiting on the line to receive banking services and reduction of paperwork, it is undeniable to state that virtual banks will be the future of the banking industry. The vast development of technology creates opportunities for fintech companies to apply its modern technology in the banking sector. As a result, more and more digital-only banks have been approved to provide their services to customers. Customers will only need a smartphone or a laptop to open a bank account, transfer money, borrow from the bank or enjoy other banking products and services in the blink of an eye. While the core banking systems being designed in the late 1980s and early 1990s are not flexible and do not focus on the customers, digital banking models being built up based on Fintech solutions will maximize the experience of customers, more convenient and suitable to conditions and demands of customers. Nowadays, basic services provided by a bank are always available in digital space via an application which can be easy to be downloaded on mobile phones or conducted online on the Internet and not depended on branches or transaction offices. Competition on opening bank branches may not be meaningful in the digital era; instead, technology will be the advantage of banks, especially small-scale banks which faced difficulties in past to expand their market shares.7 In Asia, the trend starts in China from 2014; particularly, four digital-only banks have been licensed since that year including WeBank (backed by Tencent); MYbank, developed by Alibaba; AiBank (backed by Baidu); and XWBank.8 South Korea was the next country allowing the foundation of two digital-only banks, which are Kakao Bank, started operation in July 2017 with two million account holders in its first two weeks of life,9 and K Bank. Last year, the Singaporean authority announced that they would issue up to five digital-only banking licenses in 2020, and this number will increase in the near future. This development, therefore, has a positive impact in other countries in the area and there are a certain number of new entrants in other countries in Asia such as Japan, India, and Vietnam. As a result of more approaches to technology and mobile facilities around the world, the use of digital banking services increase.10 In Vietnam, 70.3% of the population living in areas where the approaches to financial and banking services are difficult but the rate of mobile and internet subscribers is at a high rate, around 68.5 million internet users, ranking the 7th position in APAC and the 14th in the world according to Internet World Stats,11 and 43.71

7 Ibid. 8 China Finalizing Laws For Digital-Only Banking, 14 January 2020, available at https://www.pymnts.com/bank-regulation/2020/china-finalizing-laws-for-digital-only-banking/ 9 South Korea Eyeing to Grant more Virtual Banking Licenses, 31 July 2019, available at https://fintechnews.hk/9770/fintechkorea/south-korea-eyeing-to-grant-more-virtual-banking-licenses/ 10 (n 3) 11 https://www.internetworldstats.com/top20.htm, last updated on 30 June 2019.

5 million smartphone users in total, ranking the 14th position in the world, under a report of Statista released in September 2019.12 Additionally, the knowledge of young generation in the information technology area, the outbreak of e-commerce and the low rate of bank account holders are advantage factors in developing digital banking services and especially to establish digital-only banks of Fintech companies in Vietnam.13 Given that there are only around 30% of Vietnamese population having bank accounts, and the rate of using cash as a payment method in Vietnam is high, the Vietnamese government is encouraging the use of non-cash payment method and support the development of fintech companies to provide financial solutions to customers. In practice, several fintech companies have been approved or involved to launch digital banking services in Vietnam at this moment. Many banks are willing to cooperate in motivating the development of Fintech companies. Concurrently, many banks consider changing their business model from traditional banks to digital banks or cooperation with Fintech companies, acquisition or establishment of Fintech companies or initiatives of banks. For example, digital bank Timo of Vietnam Prosperity Joint Stock Commercial Bank (VPBank) or Tien Phong Joint Stock Commercial Bank coordinated with two Fintech companies to launch “Non-security Online Lending” products applicable to SMEs. Nevertheless, none of the FinTech companies is alone providing the services under the form of the digital-only bank in Vietnam.14 The difficulty for a Fintech company to apply for the establishment of its virtual bank arises from obstacles from regulation. B. Problem Statement More and more digital-only banks have been licensed in recent years around the world, and they bring various benefits to the banking services providers themselves, to the customers and also to the market. One of the biggest concerns regarding virtual banks is the cybersecurity and protection of data privacy of the customers. To elaborate, customers using digital banking services may challenge how the providers protect customers’ personal information provided to the banks when they open bank accounts or conduct a transaction. Customers may also challenge that they can be deceived because every transaction will be conducted through an online system. According to several surveys from consultancy companies worldwide, these were the main concerns from customers when they are approached by information about virtual banks. Another question about digital-only banks is that how governments can govern the operation of digital-only banks; particular, whether governments will enact separate and specific regulations on establishment and operation of digital-only banks or they will base on the existing situation in their countries to approve and regulate those banks on a case-by-case basis. In 1997, Bill Gates announced that “We need banking, we don’t need banks anymore”. After more than two decades, the world realizes that this prediction has been vast trending;

12 https://www.statista.com/statistics/748053/worldwide-top-countries-smartphone-users/ 13 (n 3) 14 Fintech Việt hút vốn ngoại: Khi tiềm năng khai phá còn rộng mở (in English: Fintech in Vietnam attracts Foreign capital: When the potential is still broad), 19 August 2019, available at http://tapchinganhang.com.vn/fintech-viet-hut-von-ngoai-khi-tiem-nang-khai-pha-con-rong-mo.htm

6 therefore, this creates a massive challenge in managing and monitoring the banking sector in the Fourth Industrial Revolution.15 C. Research Questions There are some countries in the world have been issuing regulations to govern licensing procedure and operation of virtual banks in their countries such as Hong Kong, the United Kingdom or Korea. Some countries have launched their regulatory sandbox for the FinTech sector while some have been finalising the regulations aiming specifically to the operation of digital-only banks (e.g., China). Nevertheless, there is no same regulation or legal framework for the establishment of the digital-only bank in Vietnam right now. The Vietnamese government has issued several regulations to facilitate the operation of Fintech companies, for example, allowing e-KYC procedure. However, for the establishment of virtual banks by Fintech companies, these regulations are not sufficient. In recent years, the encouragement from the Vietnamese government about the use of non-cash payment method can be a potential path for Fintech companies to develop and provide financial services to customers. Furthermore, virtual banks have to face the challenges regarding data privacy protection and cybersecurity. These problems are the top concerns from individuals and organisations using banking services. Nevertheless, the legal framework for these issues in Vietnam has not been completed and still need to improve. Therefore, the author sets out the two main research questions and sub-questions are as follows: 1. How have other countries regulated virtual banks, in order to mitigate the risks of cybersecurity, data privacy protection and the risks concerning the establishment of virtual banks? 2. How can Vietnamese regulators learn from other jurisdictions to regulate virtual banks to reduce those risks? Sub questions: (i) What are the current regulations in Vietnam regarding the establishment of traditional banks and virtual banks? (ii) How does the current regulation impact the market access of foreign players in the provision of digital banking services? (iii) Are the requirements applicable to traditional banks applied the same to virtual banks? (iv) How do other jurisdictions regulate the establishment of virtual banks by FinTech firms and cybersecurity risks? How can Vietnamese regulators learn from other jurisdictions to complete the legal framework for data privacy protection and cybersecurity?

15 PhD. Nghiem Xuan Thanh (n 1)

(v) What is the most appropriate approach for Vietnam to regulate the establishment of virtual banks? Can RegTech be useful to help Vietnamese regulators to regulate the operation of virtual banks? D. Research Aims & Objectives The goal of this paper is to discuss the global trends and regulations in the world and make comparison and connection to the practice and regulations in Vietnam. This paper will answer questions about how the Vietnamese government can solve the data privacy protection and cybersecurity issues arisen from the operation of virtual banks, and how Vietnam can and facilitate the development of banking industry in Vietnam. Besides, this paper will discuss the potential to apply technology to regulate virtual banks based on lessons from other jurisdictions. To achieve these aims, the author divides this research paper into three Chapters covering these topics. Chapter 1 of this thesis, will provide an overview about virtual banks, explain the difference between virtual banks and online banking services provided by traditional banks, describe benefits of digital-only banks to three main objects: the banks themselves, the customers and the market and analyses the current trending in the world, including the development of this form of business. Chapter 1 will also address a summary on FinTech and digital banking services in Vietnam in the last few years and give some predictions on the trends and potential of digital-only banks in Vietnam. Chapter 2 will discuss the challenges for virtual banks, which include customers’ concerns about cybersecurity and data privacy protection with the operation of virtual banks in the world. Additionally, in this Chapter, the author will discuss challenges for the government to control the operation of virtual banks in Vietnam, which include discussion on whether regulations applicable to physical banks would apply to virtual banks and discuss on the requirements which are main obstacles to the establishment of virtual banks by Fintech companies: capital and revenue requirements. Chapter 3 shows how governments deal with challenges arising from the operation of virtual banks, in which, discusses on regulations in certain countries around the world about data privacy protection, cybersecurity and establishment of the digital-only bank. Besides, Chapter 3 will discuss how Vietnam can learn from those countries, discuss current Vietnamese regulations, including draft regulations, and how Vietnam should handle these challenges. Additionally, Chapter 3 also describes the potential of applying technology for the regulatory purpose (RegTech) in Vietnam based on lessons learned from other countries. E. Research Methodology To answer the research questions, the author will analyse different areas and jurisdictions. The author will focus on the European and Asian markets, where the author recognises the fast growth of virtual banks and have certain development in regulations to govern virtual banks. The author will both analyse the practice in those markets and the issued regulations in those areas. Particularly, the author will analyse the trend in the UK and Germany, where virtual banks appeared quite early in the world. In Asia, the author will study the trend and regulations in China (having borders with Vietnam and has similar regulations to Vietnam),

8 in Korea (one of the countries has the most developed technological innovation), in Hong Kong (where has specific guidelines for the establishment of virtual banks), and Singapore (an ASEAN country with the fastest growth in FinTech and virtual banks in the region). The author will mainly rely on different Internet sources, in both Vietnamese and English and also official databases of academic articles, such as SSRN’s e-Library, or legal documents database (for example, on the official website of the European Union (EU)). The author will also refer to the reports and alerts from various financial institutions, auditors (i.e., Big Four auditing firms) and specific law firm (such as Baker McKenzie). In addition, when discussing the regulations of countries around the world, the research will utilise and assess the legislation and other legal documents published on available public source of different regulators (for instance, General Data Protection Regulations (GDPR) from the EU, or Guideline on Authorisation of Virtual Banks from Hong Kong). Besides, some countries have also been launched RegTech initiative to regulate the business of FinTech firms. Based on what other countries have been doing, Vietnam can learn from them and gain experience to find the most appropriated way to regulate the operation of virtual banks and complete their legal system.

Chapter 1 – Virtual bank and its development trending Chapter 1 covers the introduction of the virtual bank and its overall trending around the world at this moment. The development of financial technology creates excellent opportunities for the emergence of virtual banks operated by FinTech companies. More and more virtual banks have been licensed to enter the financial market. First, this chapter introduces the definition of virtual banks. The first section will also clarify the differences between virtual banks and online banking services provided by traditional banks. One more critical point in the first section of Chapter 1 is that it will analyse the benefits of virtual banks brought to the banks themselves, their customers and the competition in the market. Secondly, chapter 1 will discuss the development trend of virtual banks in the world, specifically in Europe—where this type of bank is growing positively, the United States— where has the most competitive financial market, and in the Asia Pacific (APAC)—an emerging market. Lastly, this chapter will give an overview of the development trend of virtual banks in the Vietnamese market, with the conclusion that Vietnam has not had a pure virtual bank (the one set up and operated by FinTech) yet. In brief, virtual banks have been a trend in the world today in the digital transformation race among FinTech firms and traditional banks. Vietnam, a fast-growing nation in technology with a large amount of investment in FinTech over the past years, cannot stand outside that trend. However, certain obstacles prevent Vietnam from having the first virtual banks by FinTech firms. 1.1. Virtual banks 1.1.1. What is virtual bank? A virtual bank is the one that delivers banking transactions by using electronic devices having a connection with the internet. It is the banking operation model based on the platform of digital technology. More specifically, this is a method and operational process of an organisation entirely based on innovative technology to implement the functions of a bank. What customers conduct at bank branches will be digitalised and integrated into a virtual bank application. In Hong Kong, the definition of “virtual bank” is provided in a regulatory document. Notably, according to Section 1 of Authorisation of Virtual Banks, A Guideline issued by the Monetary Authority under Section 16(10) of Banking Ordinance, “a “virtual bank” is defined as a bank which primarily delivers retail banking services through the internet or other forms of electronic channels instead of physical branches.” Transactions with virtual banks do not need to be conducted at bank branches and will reduce at the maximum of relevant documents. Additionally, customers can be active with their transactions via virtual banks because the transactions can be made any time at anywhere with customers’ smartphones or laptops. A virtual bank can be called interchangeably digital-only bank or challenger bank or neo-bank in this paper. Virtual banks are operated by several parties, either traditional banks or Fintech companies or collaboration between traditional banks and non-bank companies. Many traditional banks have already started the digital banking transformation, in which, they digitise most of its functions or set up their virtual banks in order to enhance their customer services and

10 experience based on the digitalisation in communication, expectation and data. The purpose of the transformation is to compete with the rise of Fintech companies in providing financial services. Many traditional banks choose to cooperate with Fintech companies to create their virtual banks to co-provide services to customers. However, this paper will not discuss virtual banks involving traditional banks. This paper will discuss virtual banks being operated only by Fintech companies. The reason is that the rise of Fintech companies using modern platform-based technology in recent years to provide financial services to customers is trending in the world and also has enormous development potential in the author’s home country, Vietnam. 1.1.2. Difference between Virtual bank and Online banking There might be some misunderstanding between digital-only banking and online banking provided by traditional banks. Many customers have not differentiated these two types of banking services. It is understandable because these two types of banking services are both provided via online channels, and customers can manage their accounts easily via digital means. Customers can only be aware of that they are using the digital banking services provided by a ‘bank’, but some of them cannot distinguish these two forms. They may not know who provides which service, or what services are provided. However, there are a number of differences between them. Online banking is a part of digitalisation in the banking sector, whereas digital-only banking is a new business model, a new approach in the market. Online banking was a part of the business of traditional banks. Traditional banks offer online banking services to customers to facilitate the transactions of customers. Online banking will enhance customers’ experience with their offered traditional banking products and services. Virtual banks can be considered an upgrade of online banking services and will be able to replace the traditional banks. The virtual bank can operate as an independent bank to provide full banking products and services as a licensed traditional bank. The table below highlights a number of factors which can be used to distinguish between the two institutions.

Item Digital-only Banking Online Banking

Level of digitalisation Digitalising all services and products of Including mobile banking and Internet traditional banks banking

Institutional provider FinTech companies or collaboration Banks, as a part of its traditional operation between Fintech companies and banks

Service offering All banking services, including but not Several banking services: limited to, money transfer, money - Money transfer withdrawal, lending, opening and - Bank Account Query managing saving accounts and payment accounts. - Bills payments

Type of customer - Customers open bank accounts - Customers open bank accounts at the onboarding entirely online bank branches - Bank card to be delivered to their door - Once the account is opened, customers sometimes still need to go

- Customers only need to download an to the banks’ branches to sign papers application and enjoy the features of to use the online banking services the virtual banks Table 1 – A broad overview of the difference between digital-only banking and online banking offered by traditional banks 1.1.3. Benefits of Virtual banks Virtual banks are more and more popular, which focused on serving their customers entirely through online means. Virtual banks will bring various benefits to three main objects: the virtual banks themselves, the customers, and the market. This section will discuss the benefits of virtual banks to each object.

1.1.3.1. To Virtual banks The differences between virtual banks and traditional banks bring a competitive advantage for virtual banks in the financial market. For example, all interaction channel with customers is online via mobile devices with a various interface that creates a connection with customers. Virtual banks are quickly adapting to the digital operating model in order to provide more financial products to customers, such as mobile payment, technology-based lending, digital insurance, or digital investment. With the effective operation based on automatic process, virtual banks gain to benefit themselves by reducing costs and fees, increasing processing speed, and ensuring operating efficiency, which helps them to be aware of changes in customers’ behaviours quickly and to keep with the profound change of the market. Furthermore, using innovative technology such as AI or cloud computing creates a potential for improving retail banking operations, resulting in enhancement of customers’ experience. From this point, virtual banks can have a competitive advantage from traditional banks that are not active in using digital technology. First of all, the development of virtual banks reduces transaction costs and increases revenue. For example, virtual banks remove most of the overpriced supportive activities and demand for investment into expensive hardware and software used for the old system. Additionally, virtual banks do not need many employees to operate their system, compared to traditional banks that have to pay salaries for a large amount of staff at physical branches. Furthermore, virtual banks only need to have one physical location for their operation, which will reduce the cost of the office lease. As a result, the costs for the operation of virtual banks are estimated to be reduced by 20% to 40%. Lower costs mean that virtual banks can charge fewer fees and make more money from clients. Secondly, virtual banks can be agile and adapt quickly with the change of market, new technology, or new regulations. Virtual banks can adjust their process based on those changes and launch new products faster, which can help virtual banks to be compliant with the new regulations. Mainly, centralised stored and managed data helps virtual banks to comply with regulations on banking or data privacy protection easier. Virtual banks have an advantage in exploiting and utilising new technology and trend. Connecting and sharing data via open application program interface (API), blockchain

12 technology, Bank as a Platform (BaaP) will have an impact remarkably on the banking business models. The legacy system will restrict the adaptation ability of traditional banks in the new context, while virtual banks have a better competitive advantage in effectively exploiting new technology.

1.1.3.2. To Customers Virtual banks are an excellent solution for customers. Customers do not have to visit brick- and-mortar banks, wait in long lines, and be struggling with tons of paperwork. All customers need to open an account with a virtual bank is a device connecting to the internet and few verification documents. Documents required are simple such as scanned identification cards or passport, copies of tax documents of the account holder, and documents showing the address of the account holder matching with the registered one. It is easy to see benefits to the customers as below, to name a few: - Fast account opening - Quickly checking account through an application - Easily and exclusively accessing accounts through an application, more comfortable with resetting pins or order bank cards - Easily manage expense and other spending - Real-time data analytics Figure 1 below shows an example of how customers can open an account with a virtual bank. Accordingly, a customer of N26 bank (a Germany based virtual bank) can quickly register with the virtual bank and open a bank account in only 8 minutes. It is much more convenient for customers not to waste too much time on this process. The higher satisfaction of customers in the fast process of opening accounts, the more extensive opportunities for virtual banks to attract more customers to receive higher revenue. Nevertheless, there is still one point to note concerning the fast account opening process. Traditional banks usually have a lengthy process to check customers’ data when they open bank accounts for their customers to reduce potential risks that may cause, such as money laundering and terrorist financing. That means a speedy verification process of virtual banks may not always be useful if the banks do not have a mechanism to control the frauds. In comparison, traditional banks, having a long-waiting process to verify customers’ information, may have a better chance to protect the risk for the banking system. This point will be discussed further in Chapter 2 of this paper.

Figure 1 | Bank Account Opening Process of N26 Bank Source: N26 Official Website Virtual banks focus on real-time data analysis, which will allow the banks to notify how much the customers receive and spend. Thanks to this, customers, both individuals and organisations, can effectively manage their budget. Additionally, customers can benefit from better services offered by virtual banks compared to traditional banks. For example, ZA Bank, the first of the eight digital-only banks licensed in Hong Kong, is offering an introductory interest rate of 6% for three-month deposits up to HK$200,000 ($25,000), which includes a 4% top-up.16 On the race to develop the financial market, the key to success is the best experience for customers via various applications, fully integrated services to satisfy most of the financial transaction demands of customers. On this basis, virtual banks are leading physical banks.

1.1.3.3. To the Market The development of virtual banks increases competition in the market. Notably, the appearance of virtual banks forces traditional banks to change themselves and approach to new technology. Managers of traditional banks understand that they have to face the challenges of Fintech firms. If they do not change their business, their banks will be dismissed from the highly-competitive financial market. Indeed, given the development of the non-cash payment method via the mobile application, several banks have to close a number of their branches and remove their automated teller machines. It is only the first consequence of the traditional banks confronting. Traditional banks should not be outside the digital transformation process. They need to redesign their business model and have a strategy to connect their data to build a system serving increased customers’ demands. Traditional banks may consider several approaches to advance their financial services. For example, they may focus on research and apply new digital technology to develop and provide financial services which have at least similar

16 Hong Kong digital bank offers market-beating 6% interest rate, 13 January 2020, available at https://www.finextra.com/newsarticle/35050/hong-kong-digital-bank-offers-market-beating-6-interest-rate

14 quality as Fintech companies or virtual banks are providing. Another approach is that traditional banks may partner with or outsource the technology part to other technology service providers. Improving interaction between banks and customers, what virtual banks are implementing effectively, is also a way for traditional banks to enhance their competitive position. In summary, virtual banks are necessary to help traditional banks to transform and compete equally with those virtual banks in financial sectors, which creates a higher competitive ability of the market and increases the satisfaction of the customers. 1.2. Development of Virtual Banks in the World 1.2.1. General Development Before becoming a banking operating model in the era of technology, virtual banks have been gone through several forms of development. Mainly, when traditional banks have started applying the machinery to deliver banking services, it is the first stage for the formation of virtual banks nowadays. With the appearance of FinTech companies, the banking operation model has developed vastly, and the virtual bank model has been formed. The banking industry has historically been a conservative industry enjoying relatively high entry barriers due to legislation restricting access to non-bank participants. New digital technologies – driven by cloud, mobile, social, and analytics – have significantly lower barriers to entry. Many countries have loosened rules to facilitate banking industry innovation, which results in that many emerging all-digital financial services companies are aggressively pursuing consumers by addressing their needs in fresh and distinct ways, without being burdened by older fewer flexible structures. As a global trend, entrepreneurs have been creating virtual banks or neo-banks, such as Monzo, N26, Atom, and NuBank, to name a few, and obtaining full banking license for those virtual banks to provide a wide range of banking service. These virtual banks have digital technology, which is their core value proposition, to enhance customers the experience of using financial services.17 According to a list of top 100 Fintech companies published by H2 Ventures and KPMG in 2019, nine virtual banks are being in this list (see Figure 2), and these banks are all ranked Leading 50 in this report (See Figure 3).

17 IBM Sales and Distribution, White Paper Executive Summary, June 2015, available at https://www.ibm.com/downloads/cas/XGJGOJWA.

Figure 2 | Top 100 Fintech companies – Sectorial Breakup Source: The Fintech 100 Report by H2 Ventures and KPMG

Figure 3 | Top 100 Fintech companies – Leading 50 Source: The Fintech 100 Report by H2 Ventures and KPMG

1.2.2. Europe

1.2.2.1. United Kingdom The wave of virtual banks in the UK started in 2014, while several leading banks have been licensed for offering full banking services since this year, including: - Atom Bank is the first bank in the UK being set up for smartphones and tablets. It was the first virtual bank being granted a banking license in June 2015, officially launched by the end of that year and opened to all customers in 2016. Atom Bank offers secured loans for SMEs, together with mortgages and Fixed Saver accounts. - Starling Bank is a fully licensed bank founded in 2014 by banker Anne Boden (holding 24% of the bank), having its head office located in London. Starling Bank is a private company and is not a part of any other bank. Starling Bank offers four types of accounts to customers, including personal account, business account, joint account and euro account. It also provides pioneering payment services for businesses. - Monzo was founded by entrepreneur Tom Blomfield in 2015 and received a full and unrestricted banking license from the UK competent authority in February 2017. The license allowed Monzo to hold customer money and offer banking products such as offering four types of bank accounts, saving service and borrowing services. Monzo has been launching in the United States since June 2019. - Monese, founded by Estonian entrepreneur Norris Koppel, has been launched in 31 European countries and attracted two million customers in five years of operation. - Revolut is a British Fintech startup founded in July 2015, providing banking services, including but not limited to GBP and EUR bank accounts, payment, currency and cryptocurrency exchange under a specialised bank license from European Central Bank issued in 2018. It can be seen that the UK-based Fintech companies grabbed opportunities to develop virtual banks. The growth of these banks in the last few years is evidence of the prominent development of virtual banks in the UK. For instance, Monzo reached 3 million customers in September 2019, while by the end of 2019, the number of customers of Revolut was the north of 8 million.

1.2.2.2. Germany In 2013, N26 was founded by Valentin Stalf and Maximilian Tayenthal to provide better banking services, make banking more straightforward and more transparent for millions around the world. Initially, N26 had a partnership with another German bank named Wirecard. The partnership helped N26 to quickly access to market and data in order to attract clients and launch their products while N26 was applying for its banking charter. Three years after the establishment, N26 was officially granted its banking license and started

17 transferring customer data into its infrastructure.18 From that year, N26 has operated independently as a pure virtual bank operated by entrepreneurs. N26 has its strategy to attract its customers that the customers do not need more than eight minutes to sign up with this bank. The registration process does not contain a load of paperwork when customers only need to provide identification documents for verification. N26 has already had more than one million customers since 2013. Currently, N26 has already expanded its business into 25 different countries, such as the United Kingdom, the Netherlands, Spain. Last year, N26 also launched in the United States, one of the biggest financial market in the world, and N26 is reported to have around 250,000 users in this market. N26 is planning to choose Brazil to be its next destination.19 1.2.3. The United States Although Fintech is a global trend, and there are many big technology companies in the United States, Fintech in the US is somehow less developed than many other countries. According to the Fintech 100 report of H2 Venture and KPMG, only 15 Fintech firms are ranked in this list, and none of them is virtual banks. Virtual banks by Fintech companies in the US are not able to challenge traditional banks. The Fintech firms wishing to launch a virtual bank there need to cooperate with the traditional banks. In other words, Fintech firms must rely on traditional banks to exist. Virtual banks available to customers in the US are the partnership between Fintech firms and established and traditional banks. The chance for Fintech companies to obtain bank charters in the US is almost impossible. The only American Fintech company getting a bank charter is Varo, but this company is partnering with the Bancorp Bank. An example for the difficulty of obtaining bank charter by Fintech companies is that, in July 2018, the Office of the Comptroller of the Currency (OCC) accepted the applications for national bank charters from non-depository Fintech companies engaging banking business which was initially considered a fast way for Fintech companies to soon operate like traditional banks. However, many state regulators, including the Independent Community Banking Association (ICBA), later challenged the power of the OCC in issuing such charter. During the next year, no companies applied for a bank charter. In October 2019, a federal district court in New York officially ruled that the OCC does not have the power to issue the charter, which restricted virtual banks to become conventional banks to provide full banking services.20 Understanding that it is difficult for a Fintech firm to be accepted alone to set up a virtual bank, it is still unfortunate for development of virtual banks in the US because we all know how big the American financial market is and the development of both finance and technology in the United States are prominent.

18 Barclay Ballard, The Unstoppable Rise of Neobanks, 11 October 2018, available at https://www.worldfinance.com/banking/the-unstoppable-rise-of-neobanks 19 Ryan Browne, N26 customers feel ‘betrayed’ by the German digital bank’s decision to quit the UK, 17 February 2020, available at https://www.cnbc.com/2020/02/17/n26-customers-feel-betrayed-by-german- digital-bank-for-leaving-uk.html 20 Victor T. Samuel, J.D., MBA, In Spite of U.S. Regulatory Roadblocks, Digital Banks Are Here to Stay, 30 October 2019, available at https://medium.com/@outsourcedkarma/in-spite-of-us-regulatory-roadblocks- digital-banks-are-here-to-stay-71fb9f5049ca

1.2.4. Asia Pacific (APAC) Virtual banks have been taking off across Asia and creating a significant competition in this lucrative market. There have been several virtual banks being introduced and licensed in the last few years, while some non-bank players in several APAC countries are expected to start their businesses next year(s). Figure 4 below describes the name of virtual banks in APAC, together with the development orientation in a few other countries in this sector.

Figure 4 | Virtual Banks in the Asia Pacific Source: Fintech News Singapore Two key elements are driving the APAC digital banking growth: (i) serving the underbanked in emerging markets, in which, virtual banks introduce and offer simple banking and financial services by different accessible means other than branches, and (ii) serving the overbanked in developed markets, in which, virtual banks seek to provide a more exceptional experience to customers at a lower cost.21 Below are the countries where virtual banks have been granted licenses for providing banking services to customers and where virtual banks will be licensed to operate in the coming year(s).

21 The Future of Banking: Virtual and Vital--Online-Only Banks Aim to Transform Taiwan Banking, written by YuHan Lan, 01 August 2019, available at https://www.spglobal.com/en/research-insights/articles/the- future-of-banking-virtual-banks-chase-the-dream-in-asia-pacific

1.2.4.1. China Since 2014, four digital-only banks have been licensed since that year, including WeBank, MYbank, XWBank, and AiBank. - WeBank was granted a private bank license by China’s Banking and Insurance Regulatory Commission (CBIRC) in 2014, became the first virtual bank operating in China’s market. - On 25 June 2015, the Internet-based commercial bank named MYbank was officially launched. In the beginning, the main sponsors of MYbank were Alibaba’s Ant Financial (30%) but also the Shanghai Fosun Industrial Technology Development Co. (25%), Wanxiang Sannong Co. (18%) and Ningbo Jinrun Asset Management (16%).22 - XWBank was founded in De•cem•ber 2016, becoming the third internet bank in China. It was a joint venture of several investors, including Sichuan Yinmi Technology Co Ltd., a subsidiary of the smartphone giant Xiaomi, New Hope Group, and Chengdu Hongqi Chain Co Ltd. The registered capital of the bank was three billion yuan, equivalent to $431.38 million. Up to 2019, after nearly three years of operation, the number of consumers using services of this bank is over 25 mil•lion; and the bank made a to•tal of 84.7 mil•lion loans worth over 270 billion yuan.23 - One year after the appearance of XWBank, China Citic Bank Corp, a mid-tier lender in Chian, and Baidu Inc., a search engine giant, launched a direct banking joint venture called AiBank. The bank has a registered capital of 2 billion yuan. This virtual bank was cooperation between a technology company and a financial service provider. These banks are mainly sponsored and associated with the big technology companies: WeBank (backed by Tencent); MYbank, developed by Alibaba; XWBank (sponsored by Xiaomi), and AiBank (backed by Baidu). Big tech firms have gathered large amounts of data from their operation through social networks, e-commerce, e-payment, and search engine enterprises, allowing them to provide lending service to consumers with their credit scoring mechanisms.24

1.2.4.2. South Korea In 2015, the South Korean government approved a plan for granting preliminary banking licenses to two virtual banks. K Bank and Kakao Bank were the first two virtual banks being licensed in South Korea to provide banking services after the government issued this plan. According to the Korean Financial Services Commission, both banks attracted millions of customers within their first year of operation and granted around 8 trillion won (US$ 7.5

22 Alibaba MYBank, published on 02 December 2016 on https://www.mediaman.com.cn/news/alibaba- mybank/ 23 Sichuan Online Lender XWBank Sees 224% YoY Surge in Net Profits, published in September 2019 on http://www.chinabankingnews.com/2019/08/21/sichuan-online-lender-xwbank-sees-224-yoy-surge-in-net- profits/ 24 (n 4)

20 billion) consumer credit loans.25 However, in 2019, the development of two banks moved differently. K Bank was the first virtual bank receiving banking license in 2016, which was also the first time a new bank had been licensed in South Korea in 25 years, and officially operated in 2017.26 In the first nine months of 2019, pursuant to data from the Financial Supervisory Service, K Bank reported a net loss of 63.5 billion won.27 Kakao Bank was launched in July 2017 by Kakao Corp, the most popular chat application operator in South Korea and Korea Investment Holdings, one of the big securities companies as major shareholders. Under a regulatory banking license, Kakao Bank provides full- banking services, including, lending, offshore remittance, instalment saving account, debit card, and other financial services.28 In contrast to K Bank, Kakao Bank’s net profit was 15.3 billion won ($13.1 million) reported for the first nine months of 2019. Kakao Bank reached over 10 million customers in September 2019 with a deposit total standing at 19.9 trillion won, and lending at 13.6 trillion won.29

1.2.4.3. South-East Asia

a. Singapore According to an announcement made on 28 June 2019, the Monetary Authority of Singapore (MAS), taking the role of the financial regulator, set to issue five digital banking licenses after receiving 21 applications from companies including Singaporean gaming and internet company Razer, south-east Asian ride-hailing group Grab, Alibaba’s fintech unit Ant Financial, Xiaomi, the Hong Kong-listed Chinese smartphone maker, and Sea, the New York-listed tech group.30 It was a substantial change in the banking industry of Singapore after this country opened its market to some leading technology companies in Asia. The MAS will issue two digital full bank (DFB) licenses, which allow the banks to take deposits from and provide banking services to retail and non-retail customer segments, and three digital wholesale bank (DWB) licenses allowing to take deposits from and provide banking services to SMEs and other non-retail customer segments.31 The winners should have initially been announced in June 2020 and expected to start their businesses in Singapore by mid-2021. However, at the time of writing, due to the global impact of Covid-19 pandemic, the MAS decided to extend the assessment period for the award of virtual bank licenses. The new deadline for announcing the successful applicants will be in the second half of 2020. Nevertheless, this initiative of the MAS still shows the force of the Singaporean government to keep up with innovation and fintech developments.

25 Asia’s Emerging Virtual Banks, written by Cindy Li and Paul Tierno, 09 October 2019, available at https://www.frbsf.org/banking/asia-program/pacific-exchange-blog/asias-emerging-virtual-banks/ 26 Ibid. 27 Kakao Bank on track, while K bank falters, 18 November 2019, available at https://www.koreatimes.co.kr/www/biz/2019/11/126_278907.html 28 (n 4) 29 (n 10) 30 Singapore receives 21 application for five digital bank licenses, 7 January 2020, available at https://www.ft.com/content/f9356bdc-3102-11ea-a329-0bcf87a328f2 31 Available at https://www.mas.gov.sg/regulation/Banking/digital-bank-licence

b. Other ASEAN countries The Central Bank of the Philippines gave the green light to Tonik Financial, the first Southeast Asia digital bank based in Singapore, to launch the first virtual bank in this island nation. The new virtual bank – Tonik Digital Bank – will focus on retail deposits and consumer loans and is aiming for the start of operation this year. Tonik Financial was led by the CEO Greg Krasnow, who is the founder of Ukraine’s Platinum Bank and set up Forum, a fintech venture builder based in Southeast Asia. With a $140 billion retail deposit market and $100 billion unsecured lending opportunity, together with that Philippines is one of the top countries having the highest number of internet users in the world, Tonik Financial and the Central Bank of the Philippines believed that the launch of Tonik Digital Bank could bring the best practice through the first digital-only bank in the Philippines.32 In Thailand, there are still no virtual banks being licensed. However, the Bank of Thailand is considering issuing licenses to virtual banks. The movement reflects the vision of the Thai government with changes in technology and the development of the banking sector in a long- term period. New Fintech startups are encouraging competition and disruption in the banking sector in Thailand by offering more opportunities to Thai residents to access and experience innovative financial services and further developing Thailand’s financial ecosystem.33 1.3. Development trend in Vietnam 1.3.1. Overview of Virtual banks market According to a statistic of the State Bank of Vietnam (SBV) shown in Vietnam Retail Banking Forum 2019 held on 28 November 2019, the number of bank account holders in Vietnam was 45.8 million, accounting for 63% of the population. The total transactions conducted via the internet in the first half of 2019 was 204.22 million, increasing by 60.64%, while the total transactions via mobile phone reached 169.86 million, increasing by 109.48% compared to the same period in 2018. However, Vietnam is still a cash-based society with the majority of transactions conducted by paper money. Under the statistic of SBV, the rate of non-cash payment transactions was still low; particularly, only 21% of transactions in Vietnam were conducted via the non-cash payment method. The development of the non- cash payment method in Vietnam has certain drawbacks, such as the financial infrastructure still centralise in big cities, a low number of digital finance users given that financial technology is still developing.34 However, given the development trend of virtual banks in the world, the development of virtual banks in Vietnam cannot be outside of that. Vietnam has the potential to develop virtual banks arising from significant demand from the market, with features of young

32 The Philippines set for the first digital-only bank as Tonik gets green light - Written by Alex Hamilton - 10 January 2020 - https://www.fintechfutures.com/2020/01/the-philippines-set-for-first-digital-only-bank-as- tonik-gets-green-light/ 33 Bank of Thailand Is Considering Issuing Licenses to Digital Banks to Enable Greater Financial Inclusion - https://www.crowdfundinsider.com/2020/01/156804-bank-of-thailand-is-considering-issuing-licenses-to- digital-banks-to-enable-greater-financial-inclusion/ 34 Thanh toán không dùng tiền mặt mới chiếm 21% (in English: Non-cash payment accounts for 21% only), 28 November 2019, available at https://saigondautu.com.vn/tai-chinh/thanh-toan-khong-dung-tien-mat-moi- chiem-21-74648.html

22 population, group of smartphone users being the majority of the young generation with knowledge and willing to use new financial services and products, high rate of the population using the internet with a good pace of growth. Payment via mobile phone is trendy in the world, including Vietnam. The growth of mobile payment service in Vietnam is predicted to be faster in the future because of the growing rate of smartphone users and the popularity of payment via mobile phone. Fintech is also an area that attracts lots of investment from foreign countries. According to Fintech in ASEAN report published by United Oversea Bank (UOB) late 2019, Vietnam ranks second in venture capital funding into Fintech, with 36% of total Fintech investment in South-East Asia, rising by 35.6% compared to 2018 (see Figure 5).35

Figure 5 | Fintech investment in South-East Asia, 2018-2019 Source: Tracxn, as at 30 September 2019, accessed on 18 October 2019 Generally, the virtual banks market in Vietnam is currently a field of commercial banks. The majority of domestic banks in Vietnam have their digitalisation strategy and orientation for the development of virtual banks. Subject to the main customers, banks have their strategy. For example, Orient Commercial Joint Stock Bank (OCB), pushing up retails and serving SMEs, is the owner of OCB Omni to bring convenience and offer the most services to customers. Timo bank, the first virtual bank in Vietnam, lead the evolution of virtual banks with the strategy of fewer branches and transaction offices (only have a meeting point for meeting its customers). Most of the Vietnamese banks are launching virtual banks at the level of transformation of process and communicating means. Only a few banks are conducting digital transformation on the data platform. Each commercial bank continues upgrading its technology and system for automatic transactions. Some banks have started applying AI technology, learning machine, and 24/7 automatic advisory service via chatbot. It is easily seen that Vietnamese banks have been focusing on investment into technology and core banking services in order

35 Vietnam ranks second in fintech investment in South-East Asia, 14 December 2019, available at https://www.thestar.com.my/news/regional/2019/12/14/vietnam-ranks-second-in-fintech-investment-in- south-east-asia

23 to change their management system and customer services and improve competitive ability. As a developing country, Vietnam has just started its initial steps in developing financial services on mobile phones or electronic devices connecting to the internet, and the finance market in Vietnam has lots of potentials to develop in the future. 1.3.2. No pure virtual bank in Vietnam In Vietnam, there is no pure digital-only bank under the purpose of this paper. That means, no fintech companies are being permitted to set up virtual banks in Vietnam alone. Several virtual banks are operating in Vietnam, but they are either created by a traditional bank as its digital branch or by cooperation between a Fintech company and a traditional bank. For example, Timo bank (as mentioned previously) is backed by the Vietnam Prosperity Commercial Joint Stock Company (VPBank). VPBank separated virtual banking distribution service into an independent branch operating on a digital platform with independent products and services and marketing policy. In Chapter 2, besides discussing the challenges for the development of virtual banks in the world, the author will discuss in detail why there is no pure virtual bank in Vietnam and what the challenges may impact on the opportunities of Fintech companies to set up and operate virtual banks in Vietnam. Notably, Chapter 2 will answer critical questions about what the challenges regarding personal data protection and cybersecurity risks, and whether the regulations on the establishment of physical banks will apply the same to virtual banks by Fintech companies in Vietnam. * * * Chapter Conclusion In summary, with the trend of virtual banks by FinTech starting from 2014, we see more and more virtual banks have been licensed to be launched in different geographic areas (i.e., the UK, Germany, China, South Korea, Singapore and other ASEAN nations). It can be opportunities for more entrepreneurs to start focusing on forming their virtual banks to provide financial services to customers. It is often difficult for customers to distinguish between virtual banks and traditional banks given similarities in online services provided. In this chapter, we concluded that several distinctions can be made with regards to their business model, service offering and their operations In short, online banking services form an important aspect of the business model of traditional banks as it relates to providing customers services, but is not the only medium of transacting with customers. In contrast, virtual banks operate as licensed traditional banks but entirely on the digital space and whose only medium of exchange is transacting online. Additionally, we see a number of differences in the way both institutions operate, which is expected to give rise to a number of specific risk exposures. More specifically, traditional banks undergo a number of screening processes, at their physical locations of the bank, before online transactions can be conducted, whereas, with virtual banks, all client onboarding and screening processes are conducted online using a simple questionnaire to assess customer profiles.

On the positive side, these banking structures provide a number of advantages. The development of virtual banks helps to lower transacting costs and make virtual banks to quickly adapt the change of market, the technology and the regulation. Virtual banks facilitate the process of establishing bank accounts for customers. With the application of new technology its operation, virtual banks will increase the customers’ experience. Additionally, the growth of virtual banks can create competition in the banking and finance market. It will force traditional banks to conduct digital transformation in order to compete equally with virtual banks and enhance the satisfaction of customers. Virtual banks are gradually recognised as a trend in the world. The evolution of virtual banks benefits not only the FinTech companies—developers of virtual banks or customers but also motivate the development of banking and financial market. It helps to create competition between traditional banks and the new market-entrants like virtual banks. In Vietnam, although Vietnam has a potential development in FinTech and has a large amount of investment in FinTech sector, virtual banks are still new and need time to approach to customers. At this time, only a few virtual, backed by traditional commercial banks, are operating in Vietnam. There are no virtual banks by FinTech firms in Vietnam at this moment due to the lack of a legal framework for the establishment of virtual banks in Vietnam. In the next chapter, the author will discuss two major issues regarding the operation of virtual banks: first, cybersecurity and data privacy protection issue, and second, regulatory issues.

Chapter 2 – Challenges for Establishment and Operation of Virtual Banks Virtual banks indeed offer a number of benefits to Fintech companies, traditional banks themselves, to customers and to the competition in the market, which motivates the development and transformation of traditional banks. However, there are still several concerns about the operation of virtual banks, such as cybersecurity, data privacy protection, applicable regulations, compliance requirements, customer satisfaction, range of products offered. It is not until the arrival of virtual banks that cybersecurity in the financial services industry is the leading concern. The financial services section in general and banks in particular are frequently the most attacked targets by financial frauds and misconducts. Cybercrime in this sector has grown in quantity and complex. Several reports from professional advisors have also shown that the risk for individual customers to be attacked is higher than the institutions.36 The creation of the digital-only bank increases security risk for customers. Particularly, it leads to the other risk in relation to data privacy protection. Customers have the reason to worry about their personal information when they have to receive various forms of fraud like hacking, phishing, account takeover, etc. They may not be sure if their information will be safe in the system of virtual banks, while everything they do to open a bank account or apply for borrowing will be conducted entirely online. They may have a concern about where the data will be transferred and stored, whether that information would be transferred to third parties or not, and what virtual banks would do to keep their data safe. This concern may limit the use of virtual banks. One more challenge concerning the operation of virtual banks is how governments allow the setup of virtual banks and how they control this form of business. Some governments choose to issue separate regulations applying to virtual banks; some issue general regulatory sandbox for the FinTech sector to govern many aspects of financial technology, including virtual banks. There are still some countries having not issued any legislation to control the operation of virtual banks. One concern about this issue is whether regulations applying to traditional banks would apply to virtual banks. Compliance requirements are always difficulties for customers and financial institutions. Notably, financial institutions need to ensure the Know-Your-Customers (KYC) process and comply with the anti-money laundering and terrorist-financing combat regulations. Another problem for virtual banks is that how these banks deal with urgent requests from customers in case of losing cards, passwords, or money while the communication between digital-only banks and customers is virtual. The interaction and responsiveness of virtual banks in such cases will be one of the top priorities in connection with the satisfaction of customers. One more challenge for virtual banks is the range of products or services to offer to customers. Not many banks obtain full banking licenses to provide comprehensive banking services to customers. They may be limited to specific products, and customers may consider using

36 PwC, Digital Intelligence: Securing Digital Bank Expansion, available at https://www.pwc.com/us/en/industries/financial-services/library/digital-bank-expansion.html

26 traditional banks with more functions instead of switching to more convenient virtual banks that provide fewer services. Additionally, according to a survey of bank account owners in Singapore, Hong Kong and Malaysia, 99% of the 4,500 people surveyed by PricewaterhouseCoopers (PwC) decided to keep their existing bank account when they opened a digital bank account; and nearly 70% stated that their existing account would be used as their primary one.37 It can be understandable, and virtual banks need to be more innovative in the race with traditional banks to be successful. In this Chapter 2, given the scope of the paper, the author would like to focus mainly on two challenges which are the most challenges to the operation of virtual banks globally (and also in Vietnam): (1) Cybersecurity risk and Data privacy protection, and (2) Regulatory issues. 2.1. Cybersecurity Risk and Data Privacy Protection 2.1.1. Which customer data to be collected There are various categories of information collected by virtual banks when transacting with customers. The primary data to be received by virtual banks are personal information of customers, which is traditionally used by traditional banks and financial institutions. This information may include full name, date and place of birth, registered address, email address, mobile phone number, identification document and tax identification document/information. Based on the policy of each virtual bank, the range of collected personal information may be different. For example, some virtual banks require customers to provide a photo for verification; some require a video identification data; some banks require both. Additionally, virtual banks may require customers to provide some information relating to their credit relationship history, such as payment transaction data, saving or lending history. In addition to personal client information and credit history, banks (including virtual banks) and financial institutions are known to use numerous non-traditional data channels to collect and access customers’ information, including the following:

• social network data: contents and number of likes or shares on customers’ social networks.

• behavioural, psychological data: how customers use the ecosystem of virtual banks, how customers connect with virtual banks (e.g., England-based virtual bank Revolut collects records of its discussions with customers.

• telecommunication data: for instance, bunq, a Dutch virtual bank, will collect correspondence between customers and bunq and support data via telephone, chat conversations and email.

• mobile devices using data: an example is that bunq require to collect customers’ device data (such as type of device, operating system, IP-addresses and advertising IDs).

37 Singapore's start-ups; Policygenius' insurance market; fintech M&A takes off, 24 February 2020, available at https://www.ft.com/content/677fe5c2-5737-11ea-a528-dd0f971febbc

The four abovementioned groups are considered the top choices for financial institutions to assess risks about their customers. However, levels of effectiveness in determining good or bad customers based on these groups of data are not equal. Several technological experts mentioned that one key point to develop virtual banks is that users’ data must be encrypted to have a chain of customers’ code. It will be helpful to understand the customers’ demands and also build the trust of customers in using virtual banking services. If virtual banks cannot encrypt the data, they may not be able to gain customers’ trust, and the customers may not be willing to choose to switch to use virtual banks. 2.1.2. How customer data to be collected and stored Without physical branches, virtual banks have the advantage of obtaining all necessary information via digital methods, with the support of advanced technology. Virtual banks, like physical banks and other financial institutions and FinTech companies providing financial services, must verify the customers’ identities prior to processing account opening. This process is essential for virtual banks in protecting themselves from cyberattacks or fraud. However, unlike traditional banks, virtual banks can conduct electronic Know Your Customers (e-KYC) processes to verify customers’ identification and collect customers’ data. Virtual banks may have the opportunity to enhance their customers’ experience by reducing loads of paperwork, administrative time spent, or costs for verification.38 Virtual banks regularly use innovative technology methods to make sure that they can collect sufficient information from the customers and examine that information entirely online. Those methods can be facial recognition (through a photo of customers), fingerprint scanning (quickly to be collected when customers use mobile apps), voice recognition (via video identification chat with customers), or even, in the future, iris scanning.39 Some virtual banks may also use additional methods to collect customers’ data. Revolut, for example, set out a list of ways it will use to collect information provided by customers, including filled forms, registration of customers to use the Revolut app, entering a competition, to name a few.40 All of these methods will help Revolut to be more flexible in collecting data, and it can receive as much data as possible for serving its customers. Similar to what commercial banks or many financial institutions are doing at this moment, digital-only banks try to build their cloud systems to store and manage customers’ data. According to experts, the public cloud infrastructure is believed to meet high-security standards, with encrypted data. Data centres located onsite of traditional banks, in contrast, are considered less secure because they store unencrypted data. Besides, the cloud system

38 Jumio - How eKYC is Streamlining Digital banking - An APAC Perspective, available at https://jumio.pathfactory.com/c/jumio-apac-ekyc-eboo?x=- 5LwNy&utm_source=pathfactory&utm_medium=ppc&utm_campaign=2020_APAC_eKYC_Digital_Bankin g_Guide 39 https://www.moneysupermarket.com/current-accounts/digital-banking/digital-only-guide/ 40 Privacy Policy of Revolut, available at https://www.revolut.com/legal/privacy#what-information-do-you- collect-about-me

28 may help mitigate the damages from frauds (if any) thanks to account details separation in the cloud.41 2.1.3. Customers concerns about data collection and storage The trust issue is the reason why several traditional banks’ customers are afraid of switching to virtual banks. Under a survey conducted by PwC in November 2019, more than a third of people surveyed in Hong Kong, Singapore and Malaysia do not trust virtual banks for personal data (38%, 34%, and 36% respectively).42 Another survey conducted by Marqeta, a payment innovation platform, in the last quarter of 2019 reported that only 14% of US consumers and 10% of consumers from the UK stated that digital-only bank is their main banking option. The percentage of consumers doing the majority of their banking online is 62% in the US and 72% in the UK. More than half of respondents in both areas (54% in the US and 51% in the UK) said that it was riskier to store their money at a digital bank.43

2.1.3.1. Data Privacy Protection From the customers’ perspective, there is a big concern about how their data can be protected in the digital era. They would like to know whether their data can be safe in digital space. Even many people have negative feelings that online banks would not be able to protect customers’ personal and financial information because they do not have proper methods to do so.44 When customers provide information to the financial institutions, they usually have a critical question is whether the information would be appropriately used not to breach their privacy rights. Indeed, data privacy is the most concerning issue from the view of customers. According to a survey made by True Digital in partnership with Strive conducted with more than 1,000 people, most of the respondents did not know how technology companies use their data. Notably, only 19% of surveyed people said that they know about the data usage of those companies. Additionally, 79% felt uncomfortable when the banks use and analyse their private data to offer other products.45 They have a reason to be afraid that their information may not be protected, and their private lives may be violated. Customers may concern about the misuse of the data, whether their data would be transferred to external third parties or not, and if so, whether any essential data would be leaked to any other parties. In some cases, for instance, customers receive calls, messages, or emails from a third party that they never have a contractual relationship before (but such party has a connection with one or maybe more of the customers’ services providers, or even not). That third party may know about (almost) everything of the

41 PwC, Digital Intelligence: Securing digital bank expansion, available at https://www.pwc.com/us/en/industries/financial-services/library/digital-bank-expansion.html 42 Harjeet Baura, APAC Digital Banking Leader, PwC Hong Kong, Digital Banking Customer Survey - Virtual Banking: Customers Take Charge - Are you ready, November 2019 43 Marqeta, 2019 Digital Banking Survey: How consumers are engaging with banking services in 2019, published in Q4, 2019 44 How safe are digital and mobile banking?, 22 April 2020, available at https://www.expatica.com/finance/banking/how-safe-are-digital-and-mobile-banking-16139/ 45 New fintech study reveals brits' data privacy concerns, 23 March 2018, available at https://www.businesscloud.co.uk/news/new-fintech-study-reveals-brits-data-privacy-concerns

29 customers, which is hazardous because it may lead to a breach of data privacy protection right of customers, or even worse, cybercrime.

2.1.3.2. Cybersecurity In the era of the vast development of technology, cybersecurity becomes one of the top concerns in relation to the business of FinTech companies in general and virtual banks in particular. Some customers view that financial transactions that are thoroughly conducted online will be more dangerous than the way traditional banks do. Last year, based on data from a poll on Twitter, a third of people attending the poll were worried about the negative impact banking Trojans and mobile malware on the operation of financial institutions and their customers in 2020.46 In PwC’s 19th Annual Global CEO Survey, 69% of financial services’ CEOs either to some extent or exceptionally had concerns about cyber threats. In comparison, the percentage for the same concerns of CEOs across all sectors was 61%.47 The expanded virtual banking ecosystem will lead to higher risks and difficulties in controlling cybersecurity risks concerning this service. The mass adaption of the API means that more and more information will be uploaded online and stored in the cloud. That leads to the consequence that the data will be a magnet for cyberattacks. These risks will profoundly affect the customers’ trust in the operation and the development of virtual banks. Just a single sign that the virtual banks are hacked or attacked, even that sign may not be correct, can ruin the reputation of the banks as well as reduce the confidence of customers in the banks. 2.1.4. Why do cybercriminals choose to attack the banking sector? Banking has always been a vulnerable sector to cybercrime. As said by the Hong Kong Institute of Bankers chief executive, the banking industry is 300% more likely to face cyberattacks than any other sector.48 In the era of data, money is no longer the main target of fraudsters. What they aim to steal is data. Many criminals try to find gaps in the operation of banks to take customers’ data and financial data. Virtual banks, with their entire business on the Internet and everything about their activity are stored virtually, which will be an objective of cyberattacks. In contrast, physical banks may have chances to avoid, or at least reduce the risk of, the cyberattacks because they may be able to store and back up information onsite.49

46 Top security concerns for the Financial Services industry in 2020, 05 December 2019, available at https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/security-financial- services-industry-2020/ 47 PwC, Financial Services Technology 2020 and Beyond: Embracing disruption, available at https://www.pwc.com/gx/en/industries/financial-services/publications/financial-services-technology-2020- and-beyond-embracing-disruption.html 48 Ray Tsang, Senior Business Development Manager, JOS Hong Kong, Virtual banks VS Traditional banks: The opportunities, risks and security posture, 31 October 2019, available at https://www.jos.com/leaders/virtual-banks-vs-traditional-banks 49 Hong Kong: Virtual banking and data privacy, November 2019, available at https://platform.dataguidance.com/opinion/hong-kong-virtual-banking-and-data-privacy

App-based banks make our lives more convenient. However, this type of bank creates more chances for fraudsters. Notably, three main components of Fintech and virtual banks are data, computing, and interface.50 With a big data storage with advance technology protecting it, virtual banks have competitive advantages in providing financial products to customers. Attacking to the data means the fraudsters may have chances to access a massive database of virtual banks (and the FinTech companies as well), collect data of banks’ customers, and commit a crime based on that information. Depending on which technology will be chosen by virtual banks, we can see a “two side of a coin” effect. On the one hand, banks and their customers will reap benefits from the application of innovative technology. On the other hand, potential technology loopholes can be discovered by hackers, and then they can exploit those weaknesses to harm both banks and customers.51 Many people have probably heard about a technology called the Internet of Things (IoT). In the banking industry, this technology has been applied to help both traditional banks and virtual banks to connect with their customers through various channels. IoT also allows customers to synchronize their devices with banks’ infrastructure (e.g., mobile phone, laptop or tablet connects with the bank system to help customers control their finance). Banks can provide easy-to-access products and services to their customers. It is indeed convenient for parties involved in financial transactions. However, there are risks concerning the development of IoT. With synchronizing devices and the fact that IoT technology mainly relies on cloud computing, fraudsters can spy on, use (without permissions), and steal confidential information of individuals and organizations. Fraudsters may include hackers or business competitors. These parties may use that information for their illegal interests, such as blackmailing or deceiving the target, or selling to competitors, and harm the data- stolen parties. 2.1.5. How do fraudsters have chances to conduct cybercrime? As discussed previously, there are several risks in the operation of virtual banks. They can be either identity theft, account takeover risks, blackmail, deception, or data breach. The critical question is how deceivers could have chances to violate data privacy protection right of customers or commit cybercrime. In my opinion, there are three ways to explain, which have specific connections with each other, as below: The fraud is caused by the unawareness of the customers when entering a contractual relationship with the banks. How many people do read the Terms and Conditions (T&C) of the banks before checking the “agree” box? T&C is several pages long with thousands of words. That is the reason why customers simply click on the box to say “I agree with the Terms and Conditions” without knowing what will happens to their data. The act of agreeing on everything in the T&C indirectly puts the banks’ customers in the position of potentially being harmed by hackers or other forms of cybercriminals. If they are aware of what they give the virtual banks (by reading at least part of data privacy and how the banks can use

50 René M. Stulz, The Ohio State University, NBER, and ECGI, FinTech, BigTech, and the Future of Banks, September 2019, available at http://www.ssrn.com/abstract=3455297 51 Hong Kong: Virtual banking and data privacy, November 2019, available at https://platform.dataguidance.com/opinion/hong-kong-virtual-banking-and-data-privacy

31 their data in the T&C), they may be careful of data sharing. This point, therefore, leads to the second explanation. T&C usually sets out the right of virtual banks to share customers’ data with third parties with the “blind” agreement of the customers. For example, Revolut states in its privacy policy that, whenever customers use the website of Revolut, the bank can collect, amongst others, technical information, including the internet protocol (IP) address used to connect customers’ computer to the Internet; customers’ log-in information; mobile network information; mobile operating system; the type of mobile browser customers use; data stored on customers’ device. The Revolut app will also regularly collect this information to stay up to date.52 Similarly, Bunq provides in its policy that it can collect Device data of customers when customers open a bank account at Bunq. Those device data can be the type of device, operating system, IP-addresses, and advertising ID.53 Bunq also states that Bunq can share specific personal data with third parties (as listed in the Privacy and Cookies Statement of Bunq), with the guarantee that Bunq will keep the sharing to a minimum and ensure that the third parties will handle Bunq’s customers’ data with the same care.54 Having said that, there is still a risk (maybe minor) that the third parties may utilize the customers’ data for their interests that may impact on personal lives of Bunq’s customers. The third explanation for how cybercriminals have chances to attack virtual banks and their customers is the digitization and the vast development of technology. Information stored on the cloud can be accessed by fraudsters using advanced techniques and technology, such as AI to create fake information (photos, videos, for instance), to deceive vulnerable users. For example, fraudsters may trick the users by sending a fake message of someone the users know and requesting the users to provide information of their account for identity theft or account takeovers or to transmit an amount of money to fraudsters. In short, chances for the fraudster to commit cybercrime come from three directions, the unawareness of customers about what they are consent to the banks, the policies of the banks, and the innovation of technology that fraudsters can exploit for their crimes. 2.1.6. Challenges in Vietnam’s market Cybersecurity and data privacy protection are not new issues for the Vietnamese financial market. Many pieces of research, surveys and reports were released showing the danger of cyberattacks, especially in the banking and financial environment in Vietnam. Under a statistic conducted by CompariTech, a Technology services firm, Vietnam ranked 14 in the list of the least cybersecurity countries. Accordingly, 5.7% of mobiles and 11.97% of computers are infected by malware, with 0.5% of users are attacked by financial malware.55

52 https://www.revolut.com/legal/privacy#what-information-do-you-collect-about-me 53 Section 2, Privacy and Cookies Statements of Bunq, available at https://www.bunq.com/assets/media/legal/en/20200512_Privacy_Statement_EN.pdf 54 Section 5, Privacy and Cookies Statements of Bunq, available at https://www.bunq.com/assets/media/legal/en/20200512_Privacy_Statement_EN.pdf 55 Which countries have the worst (and best) cybersecurity, updated on 03 March 2020, available at https://www.comparitech.com/blog/vpn-privacy/cybersecurity-by-country/

Regarding the number of cyberattacking cases, there was an increase of more than 100% compared with 2018. Particularly, according to a statistic of Authority of Information Security (under the Ministry of Information and Telecommunications) and Vietnam Computer Emergency Team, in the first nine months of 2019, there were 3,493 attacks targeting information systems in Vietnam, growing by 104% compared to the same period in 2018.56 In 2018, EY Vietnam researched about cyberattacks in Vietnam. The result showed that there were 8,319 cyberattacks in connection with the banking industry in Vietnam, and 560,000 computers being attacked by malware that can steal bank account information. In the same year, Vietnam ranked seventh globally in light of the target of Trojan in the banking industry.57 Vietnam has not had a comprehensive legal framework for data sharing, exploitation, and storage. That means several commercial banks have not applied cloud computing or blockchain technology widely into their apps. That is also a difficulty virtual banks have to face when they do business and manage to provide financial services to customers. Taking advantage of the lack of a legal framework for the operation of virtual banks, as well as the vulnerability of cyberspace in Vietnam, fraudsters have used certain tricks to deceive banks’ customers. One of the most frequently used methods is that the victims will receive messages (via texts, email, chatting application, etc.). The content of the message usually is a notification of being granted an award and a request to access links or websites provided by fraudsters. Once the victims click on those links, their personal information will be collected, and then the fraudster can utilize that information to access to another database of the victims such as bank accounts, social network accounts, to name a few. Cyberattacks happen every minute, and the mobile device is the common objectives to be suffered. In these attacks, both traditional banks and virtual banks are the most frequent targets of cybercrimes.58 2.2. Regulatory Issue Licensing procedure is frequently troublesome for most of the businesses in Vietnam, not only in the banking sector. Overlapping regulations, complicating, and prolong administrative processes are primary causes of difficulties for companies in applying for licenses to do business in Vietnam. “The most frighten thing in doing digital-only banking in Vietnam is the application for the license,” said CEO of TPBank, one of the commercial banks launching virtual banks in the

56 Ngân hàng Việt đang là đích ngắm của tội phạm mạng (in English: Vietnamese banks are the targets of cybercriminal), 27 November 2019, available at https://vnexpress.net/ngan-hang-viet-dang-la-dich-ngam- cua-toi-pham-mang-4018549.html 57 5 thách thức trong số hóa ngân hàng ở Việt Nam (in English: Five challenges in banking digitalization in Vietnam), 17 May 2019, available at https://vnexpress.net/kinh-doanh/5-thach-thuc-trong-so-hoa-ngan-hang- o-viet-nam-3924598.html 58 Làn sóng số hóa ngân hàng trước thách thức bảo mật (in English: The wave of banking digitalization facing the confidential challenge), 18 December 2019, available at https://tinnhanhchungkhoan.vn/ngan- hang/lan-song-so-hoa-ngan-hang-truoc-thach-thuc-bao-mat-307672.html

Vietnamese market. In response to this statement, an officer of the SBV said that it was also not easy to grant a license for credit institutions to set up a virtual bank in Vietnam. Indeed, the lack of regulatory provisions is the hurdle for even traditional banks to set up their virtual banks in Vietnam and for the regulatory body to issue a license to those virtual banks. Regarding the governance of the operation of FinTech in general and of virtual banks in particular, four approaches are typically used in the world: Do Nothing, Specific Regulations, Experimentation and Case-by-case. “Do Nothing” approach means that the regulators will only impose existing banking regulations to the relevant activities of FinTech.59 “Specific Regulations”, in contrast, means that the regulatory bodies will issue new and specific provisions on the FinTech business operation. “Experimentation” means governments issue regulatory sandbox for FinTech (and virtual banks) to test their products before launching. “Case-by-case” approach, as its name stated, means that the FinTech, being outside the scope of banking and finance regulations, may apply for a specific license or “pilot” license. The regulators will issue such license on a case by case basis, for the FinTech companies to provide banking products to customers, with specific exemptions from existing banking regulations. This section will focus on which approach the world is applying to regulate FinTech, what the difficulties are, and, assuming that Vietnam will use the “Do Nothing” approach, what would be challenges that FinTech and virtual banks have to cope with. Given that there are a lot of requirements for a traditional bank in Vietnam to be established, the author only focuses on three main conditions that may have a lot of impacts and the most significant hurdles to the Fintech companies when they have a plan to set up a virtual bank. The first one will be the capital requirement, which is considered a cornerstone of banking regulation. The second condition will be the source of the capital. The last condition will be the requirement of revenue of the owner, particularly the Fintech companies. 2.2.1. Global regulatory trends and difficulty When regulators decide to control the operation of virtual banks, they possibly want to create an equal environment for both traditional banks and virtual banks. However, one issue stemming from that intention is that how they do that. In the opinion of the author, it is relatively challenging. Traditional banks have been under the control of a strict regulatory framework, from capital requirement to liquidity requirement. For virtual banks operated by FinTech, a question for the lawmakers is that how they will govern the virtual banks properly. On the one hand, if they issue fewer regulations applying to virtual banks and FinTech, there may not be the right approach for the business of physical banks. It is because the virtual banks, with its advancement in technology, may have a better competitive advantage than traditional banks. Traditional banks may lose their customers to virtual banks in such a case. On the other hand, if virtual banks and FinTech are imposed stricter provisions, those regulations may slow the development of virtual banks. If so, the purpose of governments that they try to motivate the evolution of virtual banks may not be reached.

59 An example of this approach is German law. Accordingly, if the business of a FinTech falls under the banking regulations of Germany, that FinTech is required to obtain necessary licenses, including banking licenses, licenses for providing financial services, and payment services licenses.

And FinTech, the owner of virtual banks, may contend a lot of difficulties in changing their business strategies to meet the regulatory requirements. As mentioned above, there are different approaches to the issuance of regulations for virtual banks. Nevertheless, each approach will lead to various challenges that regulators must face. Particularly: - In the first assumption, when a country chooses the “Do Nothing” approach, they will apply the same traditional banks’ rules to virtual banks. One of the main questions is how FinTech and virtual banks satisfy the minimum capital requirement applying to incumbent banks. - The second assumption is that a country chooses to have “Specific Regulations” for virtual banks, so should it be more or less favourable than regulations applicable to physical banks? Will the rules be strict and robust enough to not only create competition between traditional banks and virtual banks but also motivate the growth of virtual banks while the traditional banks still have room for development? - In the third one, although several governments choose to issue a regulatory sandbox for FinTech operation, the number of participants to the sandbox is much smaller than the number of traditional businesses. 60 This leads to one question is how to assess the efficiency of the regulatory sandbox. - In the fourth approach, a country approaches to issue banking license to virtual bank on a case-by-case basis, what should be the criteria that the regulators look at to make their decisions? In such a case, the author doubt that this question will lead back to issues in the first and second approaches. In case when regulators underestimate the development of FinTech and virtual banks and then take no action to regulate the operation of virtual banks, traditional banks may face the risk of losing revenue and probably customers to virtual banks. One example of this is the story of China. In China, the market incurred the consequences of being too open to e-wallet and FinTech. Specifically, China’s traditional banks typically avoided small transactions or transactions being conducted in rural areas. The reason was that those transactions had high risks and would not create revenue for banks. Traditional banks did not realize that a single transaction may be small in scale, but the aggregate number of transactions would create a large-scale market that many banks wish to have. The revenue of traditional banks declined each year because of FinTech and its virtual banks. For instance, in 2018, MyBank (backed by Alibaba) and WeBank (backed by Tencent) dominated traditional banks in all three aspects: assets, revenue, and bad debts. Notably, the total assets of WeBank at the end of

60 Zetzsche, Dirk Andreas and Buckley, Ross P. and Arner, Douglas W. and Barberis, Janos Nathan, Regulating a Revolution: From Regulatory Sandboxes to Smart Regulation (August 14, 2017). 23 Fordham Journal of Corporate and Financial Law 31-103 (2017); European Banking Institute Working Paper Series 2017 - No. 11; University of Luxembourg Law Working Paper No. 006/2017; University of Hong Kong Faculty of Law Research Paper No. 2017/019; UNSW Law Research Paper No. 17-71; Center for Business and Corporate Law (CBC) Working Paper Series 001/2017. Available at SSRN: https://ssrn.com/abstract=3018534 or http://dx.doi.org/10.2139/ssrn.3018534, (“Sandboxes as currently conceived are participants not scalable – the 18 (cohort 1) or 24 (cohort 2) in the UK Financial Conduct Authority sandboxes are insignificant relative to the over 56,000 licenced market participants in the UK”)

2018 passed RMB 220 billion, increasing by 169% compared with the start of the year. WeBank had more than 100 million borrowers (rising by 48%, compared with the same period of 2017), and net income grew 70%, reached RMB 2.47 billion. Similarly, MyBank record a growth of 47% in 2018, hit RMB 6.28 billion. Net revenue of MyBank increased by 66.09%, and MyBank had 12 million borrowers, mainly in the rural market.61 While the virtual banks have kept growing, traditional banks have to close many branches and remove many ATMs. Another issue is relating to business expansion in the international banking market. As we can see, N26 Bank from Germany started to access the American market last year. However, it is not easy for every virtual bank to expand its business across borders. For example, one of the requirements that the MAS, the banking regulator in Singapore, impose on applicants for virtual bank license is that the minimum paid-up capital requirement of the fully digital bank is S$1.5 billion. After acknowledging this information, the CEO of Revolut, Nikolay Storonsky, stated that “it does not make sense to have a banking license here because of the high capital requirements.”62 The local regulatory requirement can genuinely be a hurdle for any Fintech that wishes to expand its business to another country. 2.2.2. The regulatory issue in Vietnam regarding the operation of virtual banks Generally, regulations applicable to FinTech activities in Vietnam have been stopped at provisions on non-cash payment services. Specifically, non-bank parties are allowed to provide intermediary payment services, including switching services, e-clearing services, e- payment gateway services, cash collection, and cash payment services, support services for wire transfer, and e-wallet. Under the draft regulation on non-cash payment services,63 the Vietnamese government proposed to add mobile-money as an intermediary payment service that will allow institutions other than banks to be licensed to provide this service. Vietnam’s market today is open to the establishment of lots of FinTech startups. With the orientation of reducing the usage of cash in transactions, the Vietnamese government encourages the development of FinTech companies that provide technology solutions for financial transactions. Nevertheless, there has not been a specific regulatory framework for FinTech in Vietnam. In fact, the SBV issued a Decision No. 328/QD-NHNN dated 16 March 2017 to establish a Steering Committee on Financial Technology (the “FinTech Steering Committee”). The primary responsibility of the FinTech Steering Committee is consulting and proposing to the Governor of the SBV on (i) the solution on the improvement of the FinTech ecosystem, the legal framework or (ii) the plan for the FinTech development in Vietnam. However, it has been three years since the establishment of the FinTech Steering

61 Ngân hàng số: Cơ hội và thách thức cho hệ thống tài chính Việt Nam (in English: Virtual banks: Opportunities and challenges for the Vietnam’s financial system), 20 August 2019, available at https://baodautu.vn/ngan-hang-so-co-hoi-va-thach-thuc-cho-he-thong-tai-chinh-viet-nam-d105661.html 62 Revolut drops out of Singapore digibank race over high capital requirement, 13 November 2019, available at https://www.businesstimes.com.sg/banking-finance/sff-x-switch-2019/revolut-drops-out-of-singapore- digibank-race-over-high-capital 63 Draft decree amending Decree No. 101/2012/ND-CP on non-cash payments published by the SBV on 6 November 2019

Committee, and there have been no regulations specifically and separately applying to FinTech yet. That means Vietnam has not yet had specific rules for the establishment and operation of digital-only banks (including ones set up by commercial banks that are not in the scope of this paper). Digital-only banks in Vietnam at this moment are either a business segment of a traditional bank or a subsidiary of a commercial bank; there is no pure virtual bank operated in Vietnam (as discussed in Chapter 1). It is difficult for FinTech to apply for a full banking license to launch their virtual banks because there is no regulatory framework supporting this development. Non-regulations means that the regulator may choose to enforce any of the three approaches discussed above. In the next sub-sections, the author will assume that the regulatory requirements for the establishment of traditional banks in Vietnam may apply the same to FinTech and virtual banks (“Do Nothing” approach). With that assumption, the author will discuss and analyse specific requirements under Vietnamese law (i.e., capital requirement and revenue requirement) for a brick-and-mortar bank to be established and analyse the possibility of success of applying those requirements to virtual banks. On 01 June 2020, the SBV issued a draft regulatory sandbox to propose the pilot program for the operation of FinTech in Vietnam. It is a big move from the SBV in the development of FinTech in Vietnam. The details of the regulatory sandbox will be discussed in Section 3.2.2.4. 2.2.3. Regulatory requirements for setting up traditional banks in Vietnam To establish a commercial bank in Vietnam, the shareholders or the owner of the bank need to apply for an Establishment and Operation License (“License”) for the bank. Under the current regulations, there are several requirements that the bank and its shareholders/owners need to satisfy. For each type of bank, namely, joint stock commercial bank,64 joint venture bank,65 and 100% foreign-owned bank,66 the requirements are slightly different.

2.2.3.1. Requirements applicable to the bank According to Law on Credit Institutions of Vietnam, a bank must satisfy the following conditions to be eligible to operate in Vietnam:67

64 A joint-stock commercial bank is the bank established and operated under the form of a joint-stock corporation, having at least three shareholders. 65 Joint venture bank is a bank established by Vietnamese party (including one or several Vietnamese banks) and foreign party (including one or several foreign banks) on the basis of a joint venture contract, having the head office located in Vietnam. A joint venture bank is established and organized in the form of a limited liability company with two to five capital contributing members, and in which one member and related persons are not allowed to hold more than 50% the charter capital. 66 100% foreign-owned bank is a commercial bank that is established in Vietnam with 100% of the charter capital being owned by a foreign credit institution, having the head office located in Vietnam. A 100% foreign-owned bank is established in the form of a one-member limited liability company whose owner is a foreign bank or a limited liability company with two or more members, in which there must be a foreign bank holding 50% of the charter capital. 67 Article 20.1, Law on Credit Institutions.

➢ Its charter capital is at least equal to the legal capital (from 15 January 2020, the legal capital requirement applying to a commercial bank in Vietnam is VND 3,000 billion, equivalent to USD 127.8 million); ➢ Its institutional owner or its founding shareholders or founding members are legal entities which are lawfully operating and have financial capability for capital contribution; ➢ Its managers, executives and supervisory board members fully meet the regulatory criteria and conditions; ➢ Its charter (a.k.a. articles of associations in some jurisdictions) complies with the law; ➢ It has an establishing plan and a feasible business plan, which neither affects the safety and stability of the credit institution system nor creates a monopoly or restrict competition nor create unfair competition within the credit institution system. A joint venture bank or wholly foreign-owned bank must satisfy the following additional conditions: 68 ➢ The foreign credit institution may conduct banking operations under the law of the country in which it is headquartered; ➢ The operations to be conducted in Vietnam are those the foreign credit institution is licensed to conduct in the country in which it is headquartered; ➢ The foreign credit institution’s operations are healthy, and it meets requirements on total assets, financial status, and prudential ratios under the SBV’s regulations: ➢ The foreign institution makes a written commitment to provide supports in finance, technology, governance, administration, and operation for the bank. It guarantees that the bank preserves the actual value of its charter capital not lower than the legal capital and observes regulations on safety assurance under the Law on Credit Institutions; and ➢ A competent foreign authority has signed an agreement with the State Bank on inspection and oversight of banking operations and exchange of information on banking safety oversight and made a written commitment on consolidated supervision of the foreign credit institution’s activities according to international practices.

2.2.3.2. Requirements applicable to the shareholders/owner of the bank Under Vietnamese law, individuals and/or organizations need to meet the following conditions to be a founding shareholder of a joint-stock commercial bank:69 (i) Not be a founding shareholder, owner, founding member, a strategic shareholder of another credit institution;70

68 Article 20.2, Law on Credit Institutions. 69 Article 9, Circular No. 40. 70 Credit institution means an institution conducting one, some or all banking operations. Credit institutions include banks, non-bank credit institutions, microfinance institutions, and people's credit funds.

(ii) All founding shareholders shall be required to own at least 50% of the charter capital when establishing a joint-stock commercial bank, and all of those who are legal persons shall own at least 50% of total shares of founding shareholders; (iii) An individual founding shareholder must satisfy the following additional conditions: (a) holding the Vietnamese citizenship; (b) not being a person being prohibited [from doing business] as provided in the Law on Enterprise; (c) not eligible to use mobilized funding sources and funds borrowed from any organization or individual as the contributed capital; and (d) Be a manager of the enterprise earning profits within a minimum period of 03 consecutive years preceding the year of submission of the application for a business license, or holding an undergraduate or a postgraduate degree in economics or law. (iv) A corporate founding shareholder must (a) be established under Vietnamese law; (b) not allowed to use mobilized funding sources and funds borrowed from any other organization or individual as the contributed capital; (c) adequately perform the obligations of taxes, social insurance in accordance with regulations as of the time of applying for License issuance; (d) have the owner capital be at least VND 500 billion (approximately USD 21.3 million) in five consecutive years before the year of applying for the license; (e) have profitable business operation in five straight years prior to the year of applying for the license; (f) ensure that in case the corporate shareholder is doing in the business requiring legal capital, the owner capital minus the legal capital equal to the committed contributed capital at the minimum based on the figures in the audited financial report of the year preceding to the year of applying for the license. The requirements at point (i) and (iv) will apply the same to the local bank, which is a founding member in the joint venture bank. The foreign founding member of a joint venture bank or the owner of 100% foreign-owned banks must meet the following requirements: (i) Not to seriously violate provisions on banking activities and other provisions of applicable laws of its native country within five latest consecutive years prior to the year applying for the license till the issuance of the license; (ii) To have experience in international operations, is ranked from average and stable upwards by international credit rating organizations, can prove the ability to perform financial commitments and operate ordinary even when the economic situation, condition faces adverse changes; (iii) To be profitable in five consecutive years preceding the year of applying for the license and as of the time of obtaining the license; (iv) The total assets must be approximately USD 10 billion at the end of the year preceding the year of applying for the license; (v) To be assessed by a competent agency of the home country in respect of the capital adequacy ratio, other prudential ratios, to fully comply with regulations on risk

management and making provision as provided for by the home country in the year before the year of applying for the license till the issuance of license; (vi) Not to be the owner, founding member, a strategic shareholder of another Vietnamese credit institution. 2.2.4. Will the same requirements apply to virtual banks? In the scope of this paper, with the assumption that the same requirements will apply to both virtual banks and traditional banks, the author will focus on three requirements that, at this moment, many FinTech may not be able to satisfy: the condition on the minimum capital, the condition on the source of the capital, and the requirement on the profit. Additionally, based on the same assumption, there will be a discussion on the possibility of virtual banks to meet requirements applicable to traditional banks.

2.2.4.1. Minimum capital requirement The imposition of minimum capital standards is the cornerstone of banking regulation. And yet, regulators find themselves at a loss when it comes to specifying “safe” or “appropriate” levels of capitalization.71 For the operation of banks, it is necessary to require the bank and its shareholders/owners to ensure the satisfaction of minimum capital requirement. Regarding the capital requirement, Vietnamese law applies those requirements to both the bank itself and the shareholders or owner of the bank. On the one hand, the to-be-established bank needs to have its charter capital (registered capital) been at least equal to VND 3,000 billion (approximately US$ 127.8 million). This requirement may not be an obstacle for traditional banks because they may have a hefty source of funding from other banks and/or financial institutions. However, this can be a hurdle for a virtual bank being established by a FinTech. How the FinTech raise funding for the operation of the virtual bank may be a great challenge for them. Compared to the minimum capital requirement under Vietnamese law with the one under other jurisdictions, such as Singapore, this amount may not be excessively high for specific institutions. However, in the developing market of Vietnam, this requirement can be considered a barrier for the FinTech to pass. On the other hand, the FinTech itself needs to satisfy the requirement on its owners’ assets, in case the FinTech partners with other companies to set up the virtual bank. Assuming that there will be no specific form as mentioned previously (i.e., joint-stock commercial bank and joint venture bank) to be applied to virtual banks, meaning that the requirement applicable to the institutional founding shareholder of the traditional bank will apply to the FinTech. In such a case, the FinTech needs to ensure its owner capital to be at least VND 500 billion (approximately USD 21.3 million) in five consecutive years. Accordingly, the FinTech needs to satisfy two sub-conditions: minimum owners’ capital in the FinTech and the five straight years of operation. The amount of owners’ equity may not be high, but the FinTech and its owner(s) need to make sure to maintain it in five years before starting to

71 A New Era of Banking: The Landscape After the Battle, by Angel Berges, Mauro F. Guillén, Juan P. Moreno and Emilio Ontiveros

40 apply for virtual banks, which can be another difficulty for the establishment of the virtual banks.

2.2.4.2. Source of capital requirement The regulations on the establishment of commercial banks in Vietnam require that the founding shareholder of the bank is not allowed to use mobilized funding sources and funds borrowed from any other organization or individual as the contributed capital. Assuming that this requirement applies the same to the FinTech, it may not be possible for the FinTech to meet it. The operation of FinTech bases mainly on the fund raised from investors who can be venture capital funds, angel investors, etc. With the sponsorship of those investors, the FinTech have chances to develop their idea and operate their business. The sponsorship can be in the form of cash or debts. In such a case, the FinTech may not avoid using those funding to advance their technology, improve the software, and foster the virtual bank. The feasibility of a FinTech to meet this requirement is relatively low.

2.2.4.3. Profit requirement Besides the requirement of maintaining the owners’ capital in five consecutive years, the FinTech also needs to be profitable in those five successive years before the year of establishment and applying for the license. That will raise another question for FinTech: can they succeed in that? With advanced technology, FinTech should have a competitive advantage in the financial market. However, in the case when traditional banks have been beginning their digital transformation process, the competition in the market is tenser. FinTech needs a dominant solution and strategy to be successful and to be able to compete with traditional banks. Therefore, in a highly competitive area like banking and finance, the profitability of the FinTech can be a question mark. The FinTech can be successful with their finance and technology solutions, but to have profits for five years continuously will be a different story. Therefore, if the requirement on profit applied the same to the FinTech, there would not be a chance for the FinTech to meet it in five consecutive years. 2.2.5. Market access of foreign FinTech Another question the author would like to discuss is whether foreign FinTech can have any chance to enter this market to form virtual banks in Vietnam. Shortly, it may be a “No” answer. The following may be reasons: - The foreign FinTech (maybe the foreign virtual banks like Revolut or N26) needs to be assessed by a competent agency of the home country in respect of the capital adequacy ratio, other prudential ratios and needs fully comply with regulations on risk management and making provision as provided for by the home country. With this requirement, there may be a possibility that rules of the foreign country may not have a proper mechanism to assess the operation of the FinTech or virtual banks. That can be seen as the first obstacle for international FinTech.

- The second reason is the requirement of having total assets of USD 10 billion at the end of the year preceding the year of applying for the license. It may not be unrealistic for the operation of several foreign FinTech (of course, not Big Tech – giant technology companies such as Google or Apple, who are also looking for chances to enter the financial services market). - The third reason is that given the lack of regulations on FinTech in Vietnam, and most FinTech may not want to be regulated like banks, the risk for foreign FinTech to join the Vietnamese market is higher than the opportunity that they can be profitable. Regulatory issues are not the problem of any specific country regarding the establishment and operation of virtual banks. Many countries around the world face this problem when governments try to regulate this area. Each country may have different approaches, and it will bring different outcomes. For Vietnam, the lack of a legal framework for FinTech in general and virtual bank in particular raise a question on how this form of the bank can develop in Vietnam. In case when the regulator chooses to apply the same bank regulations to the FinTech and virtual bank, it may not be a right approach in the context of Vietnam because those regulations will almost prevent the evolution of virtual banks. * * * Chapter Conclusion In summary, although reaping a lot of benefits for the virtual banks themselves, the customers, and the competition of the financial market, there are still significant challenges for the establishment and operation of the virtual banks, such as. cybersecurity and data privacy protection risks and how governments regulate the establishment and operation of virtual banks. As it relates to the risks associated with the use of virtual banks, a major issue data privacy protection and cybersecurity. Notably, virtual banks raise concerns about how they can protect their customers’ personal data. Additionally, virtual banks and banking sector are the target of cybercrime to steal customers personal and financial information or deceive them. Vietnam is one of the countries having been attacked the most by cybercriminal according to several statistics and reports conducted in recent years. However, Vietnam has not had a complete legal framework for data sharing, exploitation, and storage. Therefore, it is difficult for both commercial banks and virtual banks to apply widely new technology in collecting and protection customers’ data. Fraudsters can base on that to attack the customers, for instance, by deceiving them. How Vietnamese regulators govern, and should improve to govern, data privacy protection and cybersecurity risks for customers and the bank themselves will be discussed in the next chapter. Furthermore, the emergence of virtual banks raises a question in jurisdictions on how governments can regulate this new business model. Four approaches are seen in the world: Do Nothing (applying same regulations as to traditional banks), Specific Regulations, Experimentation (e.g., the launch of regulatory sandboxes) and Case-by-case (issuing ad- hoc license). Each of them has its drawbacks to be applied widely in the world. For instance, the do-nothing approach raises the concerns that virtual banks may face the risk of being strictly regulated under the existing regulation. The specific regulations need to ensure the

42 balance of benefits and development of both virtual banks and traditional banks; whereas, with the experimentation approach, the efficiency of this approach is still questionable. The case-by-case approach raises questions on which criteria the regulator will base to assess and license virtual banks. Although Vietnam has an open door to the establishment and operation of lots of FinTech firms, Vietnam has not had a legal framework for the establishment of virtual banks. If the Vietnamese government applies the same regulations as to physical banks with strict requirements on minimum capital, source of capital and revenue, FinTech firms are not in the position to meet those requirements. It is impossible for FinTech to apply for a license to operate a virtual bank in Vietnam by itself. Besides, there may not be any chance for foreign FinTech to access Vietnam’s market where have no regulations on virtual banks but have strict regulations applying to traditional banks. If those regulations are applied to regulate international FinTech, they are enormous hurdles for foreign FinTech firms. In the next chapter, the author will discuss how governments are dealing with those challenges; and, based on the experience of other countries in the world, what Vietnamese regulators can do to build a robust legal framework to motivate the development of virtual banks in Vietnam. In addition, the author will discuss whether the technology can be applied to regulate the virtual bank in the world and the potential of Vietnam to apply RegTech.

Chapter 3 – Solutions for Challenges: Stories from the world and lessons for Vietnam Challenges not only appear in Vietnam, but they are also problems of many jurisdictions. Solving these problems requires a collaboration of both FinTech and regulators. From FinTech’s perspective, they need to research and develop their software, platform to [bring about] better solutions to cybersecurity issue and protect their users’ data. From the regulators perspective, they need to come up with comprehensive legal documents to govern the operation of FinTech and virtual banks effectively. Doing so, regulators can provide opportunities for this type of business to develop and reach to a more significant number of the unbanked population. Governments from different countries are attempting to build a solid legal framework for the operation of FinTech companies and virtual banks. Given two main issues mentioned in the previous chapter, governments should find a way to regulate and solve both challenges in order to facilitate the operation of virtual banks. However, it is difficult to govern the new business model like virtual banks. They operate based on having no brick-and-mortar branch. Governments need to understand the technology behind the operation of virtual banks. Until that, virtual banking business may still appear in the grey area of the law. Some countries have been taking action to deal with data privacy protection and cybersecurity problems, and issue legal documents to govern the business of FinTech and virtual banks. As mentioned in Chapter 2, solutions can be either doing-nothing, issuing specific regulation, experimentation with the launch of regulatory sandboxes, or issuing case-by-case permission or license. This chapter will focus on two types of solutions that are being considered the most by governments: issuing specific regulations and launching regulatory sandboxes. Similar to other countries, Vietnam needs to solve both issues on data privacy and establishment requirements for virtual banks. Based on what is practically happening in other countries, and based on the current internal development, Vietnam can consider the most suitable approach. In this chapter, the author will discuss three possible approaches, from the most ‘traditional’ ways to adapt to the futuristic ones by examining regulatory approaches adopted by other jurisdictions. In each approach, there will include discussion on how governments are dealing with the challenges by such solution, and what Vietnamese regulators can learn from that, to find the most appropriate way for development in Vietnam. The first section will discuss regulatory solutions for cybersecurity and data privacy issue in specific countries and regions (i.e., EU, China, Singapore and a brief on other countries), and then discuss on what Vietnam has done and how to improve it. Vietnam has already issued several regulations on cybersecurity and data privacy protection, but they have not been complete yet. The Vietnamese government should look at what other countries have done to finalize the draft decrees to regulate the cybersecurity and personal information protection risks strictly. The second section will discuss on two approaches from other jurisdictions concerning the operation of virtual banks: specific regulations and regulatory sandboxes, pros and cons of each type of approach, whether Vietnamese regulators can apply each form

44 to the establishment of virtual banks separately. The third section will discuss what will be the most appropriate solution Vietnamese governments can consider. Based on what we analysed in this paper, the Vietnamese government should not adapt to each approach separately. The most appropriate way is to combine several approaches to regulate the establishment and the operation of virtual banks. The last section will discuss on a new way of regulation—RegTech, how governments can apply technology to regulate the operation of FinTech and virtual banks, and the potential of applying RegTech in Vietnam in the future. 3.1. Solutions for Cybersecurity and Data Privacy Protection 3.1.1. Review of regulations on data privacy in the EU, China and brief on several other countries Personal data protection is the privacy right of each person and requires protection from the law. Data privacy protection is one of the most critical matters that many countries are attempting to regulate. Without proper protection, data privacy risk may cause a high risk of cyberattack. Therefore, regulators around the world are trying to mitigate these risks. More than 80 countries issued legal documents to govern personal data protection matter. In this section, the author will discuss the EU regulation and the Chinese regulation on data privacy protection, and go through personal data rules of some other countries.

3.1.1.1. The EU In May 2018, the European Union issued General Data Protection Rules (GDPR) to request companies to comply with clear and particular regulations on collecting personal data, storing data, type of data allowed to share. The GDPR also applies to companies located outside the European territories. Any corporation that violates the GDPR may face a fine up to €20 million or 4% of yearly global revenue. Take British Airway as an example. In July 2019, the competent authority imposed this airline a fine of £183.39 million ($230 million) after its customers’ and financial data of half of billion customers were hacked and stolen.72 According to a survey on GDPR conducted by Baker McKenzie and BearingPoint in 2019, about 98% of respondents started their first GDPR project (most of them started before 2018). However, only two-fifth of surveyed companies invested in GDPR solution. 65% of respondents to the survey struggled to implement GDPR because they lacked resources, while 31% of respondents saw GDPR as an information technology issue.73 Having said that, more than 70% of survey respondents answered that they reap operational benefits from the implementation of GDPR compliance. GDPR internal processes, such as preparation and rolling out of procedures, contract reviews, reviewing consent and information notices, are the next priorities, as stated by respondents.74

72 UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users, 08 July 2019, available at https://techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m- over-gdpr-breach-that-leaked-data-from-500000-users/ 73 Baker McKenzie and BearingPoint, GDPR Survey: Benefits beyond compliance (2019), available at https://www.bakermckenzie.com/en/insight/publications/2020/04/gdpr-survey-benefits-beyond-compliance 74 Ibid.

3.1.1.2. China The National Information Technology Standardization Technical Committee of China (the “TC260”) issued the Information Security Technology – Personal Information Security Specification on 29 December 2017, which took effect from 01 May 2018 (the “Specification”). The Specification is the most essential data privacy protection rule in China.75 TC260 prepared the draft and issued the Specification after the drafters referred to the EU regulations. Thanks to that, the Specification provides for fundamental principles of personal data protection, which will be more specific than what is mentioned in the China Cybersecurity Law (discuss later in Section 3.1.2.2). Some provisions in the Specification has an intersection with the EU requirements. The Specification is marked as a national standard. It means the Specification is a recommended but non-binding rule of China. Nevertheless, it helps regulators in China to reach their target they set for the protection of data privacy. Amendments to the current version of the Specification have been proposed for discussion on specific issues (e.g., the requirement on notice of violation or model on obtaining data protection consent).76 However, there is no further information about when the final version of the amendments will be released.

3.1.1.3. Other countries Israel issued Privacy Protection Regulation in May 2017, audited more than 150 companies from different sectors to assess their levels of data protection compliance. The Israeli government also formed a Privacy Protection Authority. In the same time, Japan issued the Act on the Protection of Personal Information (APPI) to govern all businesses located in Japan or offshore and doing business in Japan. Besides, a Privacy Protection Commission was formed to enhance the management of foreign technology groups such as Google, Facebook or Amazon. Some countries, such as France, Austria, Germany, proposed to impose a 3-per cent tax on revenue of social networks companies. In June 2019, G20 ministries of finance agreed on general rules on a higher tax imposed on a technology company that collect cross-border data of users, starting from 2020. In the US, the number of cases with fines for data privacy violation was 76 in 2019.77 Notably, the US government handled cases concerning the acts of collecting users’ information of two giant technology companies: Facebook and Google illegally. Particular, in July 2019, the Federal Trade Commission imposed a fine of US$ 5 billion on Facebook in relation to Cambridge Analytica scandal on harvesting data of more than 50 million users, in which, Vietnam is one of the top 10 countries being harvested the most. Two months later, FTC fined Google an amount of US$ 150 million for collecting kids’ data illegally via

75 Pernot-Leplay, Emmanuel, China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU? (2020). Penn State Journal of Law & International Affairs, Vol. 8, No. 1, 2020. Available at SSRN: https://ssrn.com/abstract=3542820 76 Id. 77 PwC, Top Policy Trends 2020: Data Privacy, available at https://www.pwc.com/us/en/library/risk- regulatory/strategic-policy/top-policy-trends/data-privacy.html

YouTube application. 3.1.2. Review of the Cyber security regulation in EU, China and Singapore Being aware of the importance of protecting individuals and organisations in connection with the operation of digital products and services, some regulators have been adopting cybersecurity law in the last few years. In the scope of this paper, the author will discuss the development of cybersecurity laws in three jurisdictions, which provide the most suitable and attractive market for virtual banks: the EU, China and Singapore. Based on our analysis, we see that the European and Singaporean regulators provide for more supportive provisions to the operation of the network providers. At the same time, however, the Chinese government set out specific barriers to foreign service providers including localization requirement, with vague provisions.

3.1.2.1. The EU To mitigate the risk of cyberattack and increase the control over cybersecurity, on 12 March 2019, the Members of the European Parliament adopted the EU Cybersecurity Act, which took effect on 27 June 2019. The purpose of this Act is, first to grant the European Union Agency for Cybersecurity (ENISA) a permanent mandate and strengthen the role of the agency in supporting EU to achieve a moderate or high level of cybersecurity. The agency will play a pivotal role in relation to the cybersecurity certification framework. ENISA is expected to support the increase of operational cooperation among the Member States.78 Secondly, in the new era with a broad range of digital products, such as the IoT, and services, the EU Cybersecurity Act forms a broad certification framework to boost the cybersecurity of those products and services in Europe.79 Enterprises in the EU will have their ICT products, services and processes certified once, and the certificates will be valid across the region. The EU Cybersecurity Act has two positive impacts. Firstly, with devices that are cyber secured, EU citizens can trust their daily used devices. Secondly, a single certification with region-wide validity will help companies in the EU save a substantial cost and lift the barriers for market access. Companies do not have to apply several certificates in different countries,80 which open a better chance for their development.

3.1.2.2. China China’s Cyber Security Law was enacted on 01 November 2016, and came into effect on 01 June 2017 (“China CSL”). The enactment had a notable impact on data collection and

78 The EU Cybersecurity Act brings a strong agency for cybersecurity and EU-wide rules on cybersecurity certification, 26 June 2019, available at https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity- act-brings-strong-agency-cybersecurity-and-eu-wide-rules-cybersecurity 79 The Cybersecurity Act strengthens Europe’s cybersecurity, 19 March 2019, available at https://ec.europa.eu/digital-single-market/en/news/cybersecurity-act-strengthens-europes-cybersecurity 80 The EU Cybersecurity Act brings a strong agency for cybersecurity and EU-wide rules on cybersecurity certification, 26 June 2019, available at https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity- act-brings-strong-agency-cybersecurity-and-eu-wide-rules-cybersecurity

47 processing. China CSL has a wide range of governance and brings China to get closer to international standards. The China CSL sets out the list of focused industries including telecommunications, energy, transport and financial services. However, at the time of release, the China CSL attracted widespread criticism from the public, experts and international community. It was because of the generality and the vagueness of the China CSL. The ambiguity may lead to different explanation and implementation of China CSL from the government. The Chinese government has room to see which way is suitable for their and public interests at a time.81 The China CSL often uses broad and imprecise definitions which raises concerns of uncertainty.82 Additionally, it also gives the legislation a “potentially discriminatory” aspect.83 The core of the CSL is about the protection of personal data. However, there will be only a small number of articles relating to this issue that contains unclear wording. The China CSL governs operators of critical information infrastructure (“OCII”); and (ii) network operators. According to the China CSL, both types of operators must have businesses in China, which raise a concern of exclusion of international players to enter the Chinese market. Specifically, technology companies worry about the case when they are forced to set up their platform located in China if their technology does not meet requirements under the China CSL to achieve certification.84 The authorities will utterly designate OCII. Network products and services of OCII are subject to examination of national security. Until the review is completed, OCII is not able to launch these products and services. Additionally, the OCII is required to store data (both personal data and important data that relates to the national security or state interest) in China. These data can only be sent to offshore when it is necessary, and a security assessment is required and completed.85 It is not clear whether this requirement will apply to network operators or not. It is also unclear what security assessment would be. Network operators, when collecting and using personal information, must publicise the principles of how the information is collected and used, the form and the purposes of the collection and the usage of personal data, and obtain consent from the person whose data is collected.86 Given the big question about the broad range and the unclear of the China CSL, the Chinese regulators have issued two draft guidelines on the China CSL. The first one was released in April 2017 that never took effect, and the second draft was released in June 2019. Nevertheless, just only a few questions have been addressed and answered through these drafts.87

81 (n 75) 82 Id. 83 Hogan Lovells, Asia Pacific Data Protection and Cyber Security Guide, available at https://iapp.org/resources/article/311636/ 84 Id. 85 (n 81) 86 Article 41, the China CSL. 87 (n 81)

3.1.2.3. Singapore Singapore is one of the most attractive markets in Asia for the development of FinTech and virtual banks. On 05 February 2018, the Singapore Parliament passed the Cybersecurity Act 2018. This Act provides for the creation of a Cybersecurity Commissioner as the regulator for the cybersecurity sector. The Cybersecurity Act 2018 also set out the framework of Critical Information Infrastructure (CII) owner, which covers cybersecurity obligation of services providers operating in 11 crucial sectors including, inter alia, banking and finance area. The Cybersecurity Commissioner has the right to appoint a computer system in the covered sectors to be a CII for five years unless earlier withdrawal by the Cybersecurity Commissioner. The legal owners of the CII will be responsible for compliance with the Cybersecurity Act 2018. The Act also support to information sharing to help the government and CII owners to identify incidents or dangers promptly and to prevent cyber-attacks more effectively. Some experts assess that the Act was passed on time to meet public needs, in the context where corporations and individuals in Singapore have been being attacked more frequently by hackers or thefts, which caused the leakage of personal data and corporate financial information.88 3.1.3. What Vietnamese Government can do

3.1.3.1. For cybersecurity issue On 12 June 2018, the National Assembly of Vietnam passed a new Law on Cybersecurity (“Vietnam Cybersecurity Law”), taking effect in January 2019. After one year of implementation, governments and experts have assessed that the Vietnam Cybersecurity Law is effective in detecting and preventing the wrongdoing in the digital space, mitigate the risk of cyberattacks against the citizens. At the time of enactment, the Vietnam Cybersecurity Law was criticised for the requirement that both foreign and domestic online service providers must store personal data of Vietnamese end-users in Vietnam. Offshore service providers are also required to open branches or representative offices in Vietnam and satisfy the data localisation requirements. It can be seen that the drafters of the Vietnamese Cybersecurity Law had looked to the same requirements under the China CSL. The purpose is to control the information and data available on the digital space. This requirement can affect the participation of foreign FinTech companies, which have their data storage outside of Vietnam or on the cloud system. They may not be successful in accessing the Vietnamese market with the hurdle being the data localisation rule.

88 Singapore’s new Cybersecurity Act comes into force: Here’s what you need to know, 06 September 2018, available at https://www.dataprotectionreport.com/2018/09/singapores-new-cybersecurity-act-come-into- force-heres-what-you-need-to-know/

Nevertheless, it is not entirely clear about the enforcement of the Vietnam Cybersecurity Law against foreign organisations in case of failure to comply with having a local presence in Vietnam. In August 2019, the Ministry of Public Security of Vietnam (the “MPS”) released the revised draft decree (the “CSL Draft Decree”) guiding the implementation of the Vietnam Cybersecurity Law. The CSL Draft Decree proposes definitions of cyberspace service providers and the timeline for triggers for data localisation and local office requirements.89 Under the Draft Decree, enterprises which are subject to data localisation and local office requirements include ones providing services of, among others, data storage and sharing on cyberspace, online payment, payment intermediary (the “Cyberspace Service Providers”). The Draft Decree proposes the requirement that the Cyberspace Service Providers must complete the data storage and establishment of branches or representative offices in Vietnam within six months upon the decision of the Minister of Public Security. The Draft Decree provides the types of data to be stored in Vietnam when so requested, which include: (i) Data regarding personal information of service users in Vietnam; (ii) Data generated by service users in Vietnam, including, among others, service account name, credit card information, email address, IP addresses, registered telephone number; and (iii) Data regarding relationships of service users in Vietnam, including family, friends, and groups with whom users connect or interact. The CSL Draft Decree has not been finalised yet. Therefore, it is expected to have future amendments in the final version of the decree guiding the Vietnam Cybersecurity Law. If the current proposals under the CSL Draft Decree remain in the issued document, FinTech and virtual banks will be subject to it. If so, there will be difficulties for the foreign FinTech and virtual banks to take part in Vietnam’s market with the data localisation requirements.

3.1.3.2. For data privacy protection Vietnam is one of the countries having the fastest pace of developing and applying the Internet. The vast development of digital infrastructure and data infrastructure has been improving. However, these developments will go along with the more substantial provision and usage of personal information. The government has to have an appropriate policy to manage effectively, ensure the prevention of, and how to deal with, illegal conduct regarding personal data. Those policies need to be compliant with Vietnamese Constitutions, legal documents as well as international law and customs.90 Vietnamese law does not have a specific centralised regulation that addresses individual and organisational privacy rights. To protect personal information, different provisions are setting out in different legislation including Constitution, Civil Code, Penal Code, Consumer

89 Baker McKenzie, Updates to Draft Decree Detailing Certain Articles of Law on Cybersecurity, 08 October 2019, available at https://www.bakermckenzie.com/en/insight/publications/2019/10/updates-draft-decree- law-on-cybersecurity 90 Bảo vệ thông tin cá nhân thời công nghệ số (in English: Protection of Personal Information in the digital era), 02 March 2020, available at http://doanhnghiephoinhap.vn/bao-ve-thong-tin-ca-nhan-thoi-cong-nghe- so.html

Protection Law, E-Transaction Law, IT Law, Law on Cyber Information Security, Cybersecurity Law, and certain implementing decrees and circulars. Realising the importance of a centralised regulation on personal data protection, with the lesson learned from the EU, from April 2019, the MPS started drafting a data protection decree to regulate this issue. The drafting aims to indicate the goal of the Vietnamese government in creating a legal framework on data privacy protection and meeting the international standards. The first draft decree was published on 27 December 2019, by the MPS (the “Draft Decree”), which provided a broader definition of personal data compared with the definition under sectoral laws and regulations such as the Law on Cyber Information Security or Decree No. 52/2013/ND-CP on E-commerce. Accordingly, “Personal Data” in the Draft Decree is defined as information in the form of symbols, alphabetic letters, numbers, images, sounds or other similar forms that belong to an individual. The Draft Decree also introduced a definition of “sensitive personal data”, which means, among others, political and religious beliefs, ethnicity or race, healthcare status, genetic information, biometric data, and criminal records. Regarding the disclosure of personal data under the Draft Decree, unless the disclosure of personal data is required under the law, the data subjects can require the person disclosing their data to cease such disclosure. Data subjects also can request the person processing their data to end the disclosure unless otherwise required by law. The Draft Decree provides that the personal data processors are entitled to determine the purposes of, procedures and methods for data processing, types of data to be processed and allowed the transfer of personal data to a third party. The personal data processors are obliged to delete or close unnecessary personal data, unless provided otherwise by law, comply with the principle of data quality, ensure the close of controversial personal data until it is proved otherwise, and notify the relevant third party of any changes to personal data. Additionally, the Draft Decree has specific provisions regarding offshore data processing activities. Particularly, Article 4 of the Draft Decree requires offshore Personal Data Processors to appoint a representative in Vietnam. Article 27 also requires the registration with competent authorities of the outbound personal data transfer. The Draft Decree was mostly an outline of the decree because most provisions had not been drafted yet. The MPS is still obtaining comments from the public to continue completing and finalising this draft decree in the future. Certain points that the next draft should make clear are the methods used for personal data protection, how to handle the transfer of personal data inbound and outbound, and who are responsible, competent authorities. The Vietnamese government has opened a gate for banks and financial institutions to conduct e-KYC in the first time setting up a business relationship with customers. Notably, under Article 8.2(a) of Decree No. 87,91 the financial institutions, as reporting entities as

91 Decree No. 87/2019/ND-CP dated 14 November 2019, amending several articles of the Government's Decree No. 116/2013/ND-CP detailing the implementation of several Articles of the Anti-Money Laundering Law ("Decree No. 87")

51 provided under Decree No. 116,92 have the right to choose not to meet the client in person when the relationship is established for the first time. In such a case, financial institutions must have methods and technology to identify and verify the client. Before the Decree No. 87 was issued, the requirement of physical KYC created difficulties for reporting entities when they wanted to transform their business on the digital space. The new regulation is satisfactory progress for financial institutions to develop its business. It will help banks and customers to save time for the KYC process, facilitate the development of digital banking. Nevertheless, lacking specific regulations on data privacy protection will be a hurdle for the operation of commercial banks generally and of virtual banks particularly. Until the issuance of the next draft of the decree on personal data protection, operation of financial institutions and virtual banks may still face particular difficulties. In this context, the Vietnamese government needs to finalise the guiding regulations on personal data protection as soon as possible to create a robust legal framework for the operation of virtual banks in the future. 3.2. Solutions for Issue on Establishment of Virtual Banks Governments have different approaches to solve the dilemma. Several countries have issued or prepared to issue specific regulations to govern the operation of virtual banks inside their territories. Some other governments choose to apply a regulatory sandbox to test the operation of FinTech and also virtual banks. This section will discuss what governments in Europe and Asia, the two biggest markets for virtual banks, have been doing to control and motivate the development of virtual banks. The author will also mention in this section the current regulatory mechanism and development in Vietnam. 3.2.1. Specific regulations

3.2.1.1. What are governments doing solve regulatory challenge on establishment of virtual banks? Regulators of some countries, especially in APAC, issued, or have been finalising, specific regulations to govern the operation of virtual banks. Accordingly, those rules set out several conditions for the applicants to satisfy to obtain a full banking license. Take Singapore, Hong Kong and China as examples.

a. Singapore Singaporean government wishes to create diversity in its banking system in the future. As discussed previously, in 2019, the MAS announced the regulations on issuance of a banking license to virtual banks. Accordingly, the MAS will issue up to two DFB licenses and up to three DWB licenses. Applicants for the DFB or the DWB licenses must satisfy specific requirements, including, inter alia:

92 According to Article 3 of Vietnam AML Law, “reporting entity” refers to both financial and non-financial institutions. Financial institutions being subject to reporting requirement include, among others, ones providing services of the cash deposit, lending, financial leasing, payment, issuance of transferrable instruments, bank guarantee and financial undertaking, foreign exchange. Virtual banks, once established, will be subject to this requirement.

- at least one entity in the applicant’s group with three or more years of track record in operating an existing business in the technology or e-commerce field, - demonstrating the ability to meet and maintain the applicable minimum paid-up capital requirement, and - submitting a feasible plan to facilitate an orderly wind-up if necessary. In addition, the MAS will only consider the DFB applicant companies who are incorporated in Singapore, locate their headquarters in Singapore and are controlled by Singaporeans. For applicants are partnerships between Singapore and foreign entities, the MAS requires an absolute majority stake to be held by the Singaporean entity (and its related parties) as a demonstration of control by Singaporeans. The MAS also set assessment criteria to select the licensees from eligible applicants, which include value proposition of the applicants” business model, the ability to manage a prudent and sustainable digital banking business, growth prospects and other contributions to Singapore’s financial centre.93 Regarding capital requirement, at the entry stage, the DFB licensees must have a minimum paid-up capital of S$15 million, with the requirement of progressively increase in the progression stage. When DFB applicants are fully licensed, the minimum paid-up capital requirement is S$1.5 billion.

b. Hong Kong According to the Guidelines to Authorise Virtual Banks (the “HK Guidelines”) issued by Hong Kong Monetary Authority (HKMA), virtual banks are required to maintain minimum share capital levels of HK$300 million (including paid-up capital and balance of share premium account). For virtual banks incorporated outside Hong Kong, the requirement applies to the institution as a whole.94 The HK Guidelines require a bank or a financial institution, which is in a good standing position and supervised by a competent authority in Hong Kong or elsewhere, to hold more than 50% of the share capital of a bank incorporated in Hong Kong. If the virtual bank applicant is not owned by such a bank or financial institution, the applicant should be held through a holding company incorporated and supervised in Hong Kong. The HK Guidelines allow both financial institutions (including licensed banks in Hong Kong) and non-financial institutions (including technology companies) to apply to own and operate a virtual bank in Hong Kong.95 The HK Guidelines emphasise the paramount of the parent companies of virtual banks. The reason is that virtual banks are new entrants to the market. Thus, the parent companies should meet the supervisory requirements on capital, financial status and technology to support the operation of virtual banks in Hong Kong.

93 (n 31) 94 Section 6, Cap. 155 Banking Ordinance ─ Seventh Schedule Minimum Criteria for Authorization 95 Section 9.9, Chapter 9, HKMA Guidelines to Authorization of Virtual Banks.

According to the HK Guidelines, however, virtual banks will be subject to the same supervisory requirements applicable to traditional banks. Some of these requirements will be [adapted] to be suitable for the online platform operation of virtual banks. For instance, virtual banks are operating in the technology-based business models, which means their directors and executives should have the necessary understanding and experience to run the business in order to provide adequate services.96

c. China The regulations on virtual banks in China have been discussing between the regulator and banks to finalise the rules. Realising the development of virtual banks without strong enough regulatory framework may weaken traditional banks and may create a crack in the financial system in China, the Chinese government has started to provide strict regulations to the operation of FinTech and virtual banks. Mainly, China tried to restrict the capital source and deposit at MyBank and WeBank by requesting these two banks to comply with similar regulations applicable to traditional banks.97 Additionally, according to a report released on 13 January 2020, China is finalising the first virtual bank rules in an attempt to “minimise risk in the financial sector and attract players including foreign lenders”.98 Particularly, the new regulation covers not only virtual banks established and operated by local financial institutions but also foreign financial institutions doing business in China. In the time when data privacy is the top concerns of financial services customers, and the wave of AI and other disruptive technologies supporting financial industry in China, the draft regulation seemed to be considerable progress for the operation of digital-only banks in this most populous country. It allows the virtual banking corporates to partner with other financial institutions and creates chances of foreign parties to join and develop the Chinese financial market. It is reported that about a dozen organisations have been working with several Chines officials on the new regulations. The new rules are expected to create a comprehensive regulation to supervise the fast development of the digital banking sphere.

3.2.1.2. Can specific regulations be alone suitable in Vietnam? Vietnamese regulator is focusing on the completion of the non-cash payment, which allows institutions other than banks to be licensed by the SBV to provide intermediary payment service. Particularly, credit institutions and FinTech in Vietnam is following rules under Decree No. 101 on non-cash payment and Circular No. 46 guiding Decree No. 101. There are rooms for FinTech to provide intermediary payment service in Vietnam. As of 05 May 2020, the SBV grant license of providing intermediary payment service to 34 non-bank institutions.99 Currently, the draft decree to amend Decree No. 101 has been finalising, and

96 Section 9.11, Chapter 9, HKMA Guidelines to Authorization of Virtual Banks. 97 https://baodautu.vn/ngan-hang-so-co-hoi-va-thach-thuc-cho-he-thong-tai-chinh-viet-nam-d105661.html 98 https://www.reuters.com/article/us-china-banks-digital-idUSKBN1ZD0D8 99 List of non-bank institutions granted intermediary payment services license, updated on 05 May 2020, available at https://www.sbv.gov.vn/webcenter/portal/vi/menu/trangchu/tk/hdtt/ctccudvtt?_afrLoop=6690435775978211#%40 %3F_afrLoop%3D6690435775978211%26centerWidth%3D80%2525%26leftWidth%3D20%2525%26rightWidt h%3D0%2525%26showFooter%3Dfalse%26showHeader%3Dfalse%26_adf.ctrl-state%3Dvy0rwg3ft_4

54 the amended decree is expected to be released soon this year. The SBV issued standard of the domestic chip card and primary standard of QR-Code technical features in payment sector in Vietnam to ensure the security and safety and confidentiality in bank card operation and payment via QR-Code, facilitating the increase of functionality for cardholders. It can be seen that the SBV is trying to facilitate the operation of FinTech in Vietnam and motivate the development of application of technology in the financial sector as directed by the Vietnamese government. Nevertheless, given that there is no legal framework for virtual banks to operate in Vietnam, the chance for FinTech to launch their virtual banks in Vietnam is low. If Vietnam takes the same path as other countries as mentioned in Section 3.2.1.1 above to issue specific regulations to govern virtual banks, the government, the SBV and other relevant bodies need to solve three issues: Firstly, time to issue a new regulation may take months or even years. During that period, it is still unclear whether virtual banks can be established and operated in Vietnam or not. Secondly, the SBV and other relevant governmental bodies need to do careful research before issuing the new regulation. The research is to ensure that there will be no overlapping provisions which may cause the existing credit institutions to bear any unexpected risk. Thirdly, the regulator needs to make sure the development of both virtual banks and other licensed financial institutions. The new regulation must not create any conflict of interests among market participants. At this moment, a separate regulation for the establishment and the operation of the virtual banks may not be possible. The regulator needs to consider taking another approach or combine different approaches to create the most appropriate solutions for this issue. 3.2.2. Regulatory Sandboxes

3.2.2.1. What is Regulatory Sandbox? A regulatory sandbox is a platform, containing a set of rules and supervisory requirements, formed by regulators to allow companies (mostly FinTech firms) to test their new business models and innovations under the supervision of the regulator. The new business models are not subject to any existing legal framework. Therefore, the objective of the regulatory sandbox is to support the development of new technologies and FinTech firms, increase the market competition and motivate the growth of the economy.100 The period for a regulatory sandbox generally is from 6 months to one year. Several sandboxes are having a more extended period (24 months) such as Ontario, Abu Dhabi, Arizona.101 This period usually is extendable. A standardised regulatory sandbox includes four phases as follow:

100 (n 60) 101 Ibid.

- Phase 1: Application to participate in the sandbox o The applicant prepare documents to prove that they are eligible to enter into the sandbox (e.g., satisfactory of innovation requirement, risk management requirement, the need for entering the sandbox). o The applicant also needs to prove that they have sufficient preparation to test their products with the sandbox. - Phase 2: Authorisation o The regulator accepts the participant to test their services under the regulatory sandbox o Paperwork needs to be done by the applicant to obtain the authorisation from regulators - Phase 3: Experiment o The participant runs their test of products or services following the rules under the sandbox o The participant will be considered failing the sandbox rules if (i) the risks of the services or products are larger than their benefits, or (ii) the participant fails to comply with laws or (iii) the objective of the sandbox is not achieved. - Phase 4: Validation o The participant will exit the sandbox after the testing period. There are two ways of exit: (i) Successful exit – The applicant applies for a license, or (ii) Failure – The applicant is not allowed to continue providing the product or service. o The sandbox will not replace the licensing process. The successful participant still has to apply for a license after exiting the sandbox. A regulatory sandbox can bring certain benefits to both participants and regulators. Notably, the sandbox helps to reduce innovation cost, create chances for FinTech firms to experiment their business while regulators can have a chance to collect data and learn about the innovation.102

3.2.2.2. Which countries are applying regulatory sandboxes in FinTech? In 2015, the UK was the first country to launch a regulatory sandbox. This sandbox permits both start-ups and licensed companies to test their innovative ideas and business models concerning the financial technology sector.103 The sandbox creates a ‘safe space’ for Fintech

102 Ibid. 103 Fenwick, Mark and Kaal, Wulf A. and Vermeulen, Erik P.M., Regulation Tomorrow: What Happens When Technology is Faster than the Law? (2017). American University Business Law Review, Vol. 6, No. 3, 2017; Lex Research Topics in Corporate Law & Economics Working Paper No. 2016-8; U of St. Thomas (Minnesota) Legal Studies Research Paper No. 16-23; TILEC Discussion Paper No. 2016-024. Available at SSRN: https://ssrn.com/abstract=2834531 or http://dx.doi.org/10.2139/ssrn.2834531

56 firms to experiment with their business with less strict regulation.104 Up to March 2020, 34 jurisdictions introduced their regulatory sandboxes.105 Please see Table 2 below about the list of countries launching sandboxes:

Abu Dhabi Australia Bahrain Brunei Canada September 2018 December 2016 June 2017 February 2017 February 2017

Denmark Dubai Hong Kong Hungary Indonesia February 2018 May 2017 September 2016 and December 2018 September 2018 September 2017 (three sandboxes)

Japan Jordan Kazakhstan Kuwait Lithuania June 2018 June 2018 January 2018 September 2019 September 2018

Malaysia Malta Mauritius Mexico Mozambique October 2018 January 2019 October 2016 March 2018 May 2018

Netherlands Nigeria Philippines Poland Rep. of Korea January 2017 March 2018 November 2017 October 2018 April 2019

Russia Saudi Arabia Sierra Leon Singapore Switzerland April 2018 February 2019 May 2018 June 2016 (Sandbox) August 2017 January 2020 (Sandbox Express)

Taiwan Thailand The UK Arizona April 2018 December 2016 2015 July 2018 Table 2 – List of Jurisdictions introduced Regulatory Sandboxes (up to March 2020)106

3.2.2.3. Challenges of applying Regulatory Sandboxes Success or failure of a regulatory sandbox will depend on several factors. A successful sandbox needs to specify which conditions under the existing regulations will be loosened, with no sectorial restriction. The sandbox needs to open for a new entrant to the market, and also have rooms for existing regulated entities to participate. Additionally, a successful regulatory sandbox will allow participants to choose their target customers but still supervise the participants to ensure the protection of the customers. The policymakers need to consider the right time to regulate advanced technology. If the regulation is issued too early, it can prevent the development of innovation and FinTech. If

104 Patrick Dwyer, Regulatory Sandboxes: ‘Safe Spaces’ for Start-Ups, FINTECH BUSINESS (June 27, 2016), http://www.fintechbusiness.com/blogs/399-regulatory-sandboxes-safe-spaces-for-startups 105 (n 60) 106 Buckley, Ross P. and Arner, Douglas W. and Veidt, Robin and Zetzsche, Dirk Andreas, Building FinTech Ecosystems: Regulatory Sandboxes, Innovation Hubs and Beyond (November 1, 2019). University of Luxembourg Law Working Paper No. 2019-010; European Banking Institute Working Paper Series 2019 – no. 53; UNSW Law Research Paper No. 19-72; University of Hong Kong Faculty of Law Research Paper No. 2019/100; Washington University Journal of Law and Policy, Vol. 61, 2020. Available at SSRN: https://ssrn.com/abstract=3455872 or http://dx.doi.org/10.2139/ssrn.3455872

57 the regulators decide to wait, it will have an impact on the market and the customers. The reason is the technology changes every day while the regulation requires months or even years to be issued. It may be too late for regulators in such a case. The regulatory sandbox is a solution for the regulator. It can be used for FinTech to test their products while regulators can have the chance to learn about the innovation. Given the vast development of technology in this era, regulators need to consider calculating time and taking the proper method to regulate FinTech. The sooner regulators introduce sandbox (or take other actions to regulate FinTech), the faster innovative technology can develop, and regulators can learn about the operation of the FinTech. Additionally, the regulator needs to carefully choose the appropriate candidates to join sandbox because regulators bear the reputational and other risks for this task.107 The sandboxes are not entirely attractive to the FinTech though they have some advantages over the other regulatory approach. The number of participants to the sandboxes is tiny, compared with the number of traditional financial institutions licensed in those countries.108 There are some reasons for that: restrictions on sectors,109 or unclear provisions to be lifted110. Furthermore, individuals or organisations may hesitate to cooperate with FinTech firms in the sandbox, given the uncertainty of how the activities of the participants will be regulated. It will be unclear whether the FinTech firms will be able to provide their services after exiting the sandbox.

3.2.2.4. Regulatory Sandbox in Vietnam – Is it practical alone? In August 2019, the Vietnamese government approved the Plan of Motivating Sharing Economic Model, in which, the government allows the testing of the new policy on the implementation and application of new technologies in this model. Many countries have successfully applied to this model. Therefore, the government hopes that this model can shorten the researching time and the enactment of new laws on virtual banks to catch up with the unstoppable development of technology.111 However, the testing model in practice will be challenging to implement.

107 (n 60) 108 Ibid. (“Sandboxes participants in the UK Financial Conduct Authority sandboxes as currently conceived are not scalable – the 18 (cohort 1) or 24 (cohort 2), are insignificant relative to the over 56,000 licenced market participants in the UK. For this reason, sandboxes need to be made smarter and equipped to self- monitor activity within them, as opposed to just being a process-driven application method for entry, typically for a limited time, to a regulatory safe space, as they are currently.”) 109 Ibid. (Several jurisdictions restrict their sandboxes to licensed financial institutions working with or without FinTech firms (e.g., the Swiss and Hong Kong). A few other jurisdictions restrict the sandboxes to the scope of the regulators. For example, the Thai sandbox is restricted to the scope two competent authorities governing financial services, the Bank of Thailand for banking and the Thai Securities Exchange Commission for securities and investments.) 110 Ibid. (Some regulators choose to disclose the minimum requirements to participate in the sandbox. However, most regulators do not specify which mandatory provisions will be subject to waiver in the sandboxes.) 111 (n 57)

Besides the drawbacks discussed in Section 3.2.2.3 above, big trouble for the FinTech to operate virtual banks will not be solved: licensing process. The reason is, after graduating from the sandbox, the FinTech still needs to apply for the license. Licensing requirements (e.g., capital requirements and revenue requirements) is believed to be a requirement both before and after the period the FinTech is in the sandbox. The SBV released the first draft of the regulatory sandbox on 01 June 2020 (“Draft Regulatory Sandbox”). According to the Draft Regulatory Sandbox, the SBV proposed that there are seven sectors which can be tested in the sandbox, including payment, credit, P2P lending, customer identification support, open API, innovative technology solutions and other supporting services such as credit rating, savings, capital mobilization. The SBV proposed the testing time will be from one to two years. Depending on how the FinTech performs during the experimentation period, the SBV will submit the report on the pilot result to the Prime Minister of Vietnam to decide one of the following circumstances: ceasing the experiment, certifying the completion of the experiment or extending the experiment. With this move, the Vietnamese government seems to decide to take the “Experimentation” approach. However, the Draft Regulatory Sandbox is only the first draft with many points to be considered and discussed before finalization. The SBV is collecting the comments from the public before taking the next steps to issue the final regulatory sandbox. That means, to have an official regulatory sandbox for FinTech (including virtual banks) in Vietnam, it may take one or two more years. Up to that time, if there is any FinTech would like to launch virtual banks, there will not be any legal framework to govern them. It will slow down the innovation in Vietnam. 3.3. The most appropriate approach to regulate virtual banks in Vietnam There is no right or wrong approach to regulate the operation of virtual banks. Vietnamese government needs to find the most appropriate approach to apply in their countries, depending on the social, economic and development conditions. The regulator needs to think of combining different approaches to create the most suitable legal framework for the operation of virtual banks. Given that each approach has its drawbacks if applying in Vietnam (as discussed in Sections 2.2, 3.2.1.2 and 3.2.2.4), the author suggests that Vietnamese regulator should consider the approach as follow:

Step 1 Step 2 Step 3 Step 4 Testing and Regulatory Restricted Special piloting, with Sandbox License for regulations case-by-case Applicant and Full approvals License for Applicant

Special regulation and regulatory sandbox should be a step in the whole process of regulating virtual banks. After the process of testing and piloting, and the period of ‘playing’ in the

59 sandbox, virtual banks can have chances to move to the next step by applying for a license containing certain restrictions. The first three steps provide a useful tool for regulators to acquire knowledge of FinTech firms, increase their understanding of new technologies and new business models, and determine what they have to do next to regulate the technological advancement.112 The regulator will research and analyse data and knowledge collected to form a special regulation for virtual banks. This approach can generate two advantages: (i) the regulators have enough time to issue a new regulation while they do not restrict or limit any development of the innovation, and (ii) the virtual bank will have the chance to both provide services to customers to grow and apply for a full banking license with different requirements compared with the traditional banks. 3.4. RegTech – Solutions of Future There is an idiom in the Chinese culture, which is “Habit cures habit”. To govern the challenges from the vast development of technology, improving technology to control and store customers’ information can be the solutions for Vietnam in the future. Regulators should understand the technologies, their impact on the business model and how to apply them to solve challenges from innovative processes. In the past few years, Regulation Technology (RegTech) emerges as a new solution for regulating innovative technologies. Regulators have started viewing RegTech as an instrument to help learn about the substantial changes and promote the financial services market. This section will discuss what RegTech is, how it can apply to regulate the development of FinTech and virtual banks, and how it can apply in Vietnam in the future. 3.4.1. What is RegTech and its advantages At first, RegTech was used to narrate technology for financial firms to meet the compliance requirement at a reduced cost. Then, the term was broadened, and “RegTech” refers to “all technologies used for the regulatory purpose”, no matter applied by regulators or organisations.113 RegTech brings advantage for regulators to keep pace with the rapid change of the technology and the financial market. It helps regulators to concentrate on how to govern the compliance of the institutions. It creates a new method to regulate the technology-driven business models like virtual banks and their financial products and services. The regulator can have opportunities to “perform their functions more effectively in close to real time”.114

112 (n 60) 113 UNSGSA FinTech Working Group and CCAF. (2019). Early Lessons on Regulatory Innovations to Enable Inclusive FinTech: Innovation Offices, Regulatory Sandboxes, and RegTech. Office of the UNSGSA and CCAF: New York, NY and Cambridge, UK. 114 (n 60)

The application of RegTech will be a long-term process that requires regulators to do researches to set out conditions to use RegTech. Regulators also need to enhance their infrastructure by upgrading their current technology. RegTech needs more time to be effectively implemented than other regulatory methods such as regulatory sandboxes. However, RegTech has sufficient potentials to be a future solution for the regulation of innovative technology and new business models. 3.4.2. Application of RegTech According to the Report of the UNSGSA FinTech Working Group and CCAF, up to 2019, 22 jurisdictions have applied RegTech model, in which, majority of them applied Big Data and Machine Learning as the technologies to employ (see Figure 6 below for more details). Please see below some examples of what jurisdictions are doing to apply technology for their regulatory purpose:115 - One of the most known forms of RegTech is the model used in developing economies to improve the technological efficiency called RegTech for Regulators Accelerator (R2A). This model was formed in 2016. The Bangko Sentral ng Pilipinas (BSP) in the Philippines and the Comisión Nacional Bancaria y de Valores in Mexico have cooperated with R2A. The main goal of the cooperation is to support these regulators technically and guide them through testing the RegTech, by approaching to finding problems and solutions in relation to the operation of FinTech. Thanks to the cooperation, the regulators have developed their digital infrastructure to regulate the financial innovation in their jurisdictions. - The BSP has used an API-driven reporting system which provides instantaneous control of the circumstances of the institutions for better and swift supervision. With the same approach, the Central Bank of Brazil (BCB) deployed a RegTech solution on the website to facilitate the information sharing between the BCB and the services providers. - In the UK, the FCA uses RegTech to improve its regulatory effectiveness and allow regulation to be processed by computers. - A consumer complaint portal was developed by the Bureau of Consumer Financial Protection in the US to facilitate the reporting process for consumers. The abovementioned examples describe how RegTech is applied in the world today, which can be more prevalent in the future. Regulators are trying to research and learn how RegTech works to adapt to their countries.

115 (n 113)

Figure 6 | RegTech Initiatives by Jurisdictions Source: UNSGSA FinTech Working Group and CCAF 3.4.3. Potential of applying RegTech in Vietnam Vietnam is the country having a rapid development in technology usage and application in the banking and finance industry. It is expected that the technology-driven business models will be ubiquitous in the future. That means RegTech can be substantial paramount accordingly. Therefore, the Vietnamese government should consider moving towards the application of technology for its regulatory purpose. This process is not a short-term initiative. Vietnamese government can learn specific lessons from other countries which have already adopted RegTech model, to prepare for a long term to implement RegTech in the financial sector. Based on lessons learned from the adoption of RegTech globally under a report of the UNSGSA FinTech Working Group and CCAF,116 the author summarises four critical points if the Vietnamese government would like to apply RegTech to govern FinTech and virtual banks in Vietnam: (i) The regulator needs to determine correct problems to find the most appropriate solutions to regulate virtual banks. For examples, the operation of virtual banks will be subject to various regulations of data privacy. The regulator may consider adopting RegTech to create a comprehensive digital platform to solve this problem. In the platform, the regulator may require the service providers to

116 Ibid.

provide their information on the data storage, to examine the satisfactory of the service providers in compliance with the personal data protection requirements. (ii) The regulator needs to establish interdisciplinary innovation teams. The variety of knowledge in a team will help the regulator to have a broad view and understanding of technology and its development. The regulator can consider recruiting people from different professional specialities (e.g., engineers, designers) to the digital transformation team. That will create a chance for the regulator to build an effective system for regulating the operation of FinTech and virtual banks. (iii) The regulator needs to do several testing and experiment before adopting RegTech model. Test and experiment will help the regulator to specify the problems correctly. Thanks to the experiment, the regulator can conclude what FinTech and virtual banks should change in their business model or digital facilities to meet requirements under the law. For instance, the regulator can test the RegTech model for the establishment of virtual banks, and review which part of the application is frequently modified to comply with the requirements under the law. Then the regulator may consider finalising the RegTech model to apply widely, to facilitate the later application. (iv) Public engagement plays a pivotal role in helping the regulator to develop solutions or identify new solutions. It will be a chance for the regulator to connect with technology companies or other innovators to bring about new ideas to solve financial-related problems on the business of virtual banks. With the fast-growing of technology in Vietnam and the emergence of technology startup companies, Vietnam has possibilities to adapt and develop the RegTech model in the future. Vietnamese government can consider researching and learning from other jurisdictions to form an appropriate model for the application of RegTech in Vietnam. It is not a short-term plan, but a long-term initiative for the government and relevant competent authorities to consider. * * * Chapter Conclusion In short, each challenge of data privacy and the establishment of virtual banks requires different approaches from regulators. Based on findings in this paper, many countries in the world have been releasing their regulations on data privacy protection. Most of them cover how service provider should collect and protect their customers’ data and imposes specific remedies on breach of data privacy protection. For cybersecurity risk, the paper focuses on three central region and countries, which are the EU, China and Singapore. They are representatives of the most attractive and competitive markets for FinTech and virtual banks in the world. However, the regulations in those jurisdictions are different. While the European and the Singaporean regulations facilitate the operation of service providers on the digital space, the Chinese government create specific barriers for the entrance of foreign services provider with the requirement of data localisation. Vietnam, as a country having fast development in the FinTech sector, can learn from what other countries are doing to finalise its legislation on cybersecurity and personal information protection.

For the regulatory issue, the “Specific Regulation” and “Regulatory Sandbox” approaches are applied widely around the world to regulate FinTech firms and virtual banks. Specific regulation can be an excellent solution. Notably, Singapore and Hong Kong have already issued their specific regulations to regulate virtual banks, while China is in the last steps to finalise its provisions). However, the specific regulation may raise challenges in Vietnam on timing to issue a new specific regulation, how the government make sure the consistency in the specific regulation with other relevant banking provisions, and how the government can balance the benefits and the development of virtual banks and traditional banks. Regarding the “Regulatory Sandbox” approach, Vietnam has already the first draft regulatory sandbox. However, when the final version of the regulatory sandbox is issued is a big concern. Up to that time, there is still a lack of regulation on the establishment of virtual banks in Vietnam. Moreover, the application of regulatory sandbox alone should not be an appropriate move for governments because it does not resolve the licensing obstacles. The regulatory approach for the establishment of virtual banks in Vietnam requires a combined method, which starts with the testing phase, moves to the release of the regulatory sandbox, and finally issues a specific regulation. This approach is not a short-term plan and requires governments (especially Vietnamese regulators) to do careful research. It will help the regulators have time to create a solid legal framework for the operation of virtual banks while it will not prevent the development of the new business model and new technology. Regulating technological services is one of the most difficult challenges facing regulators globally. Regulators can also consider changing and digitising their legal system. Applying technology for the regulatory purpose will increase the ability of the regulators to understand the innovation and supervise effectively financial sector. Vietnam has the potential to adapt to RegTech in regulating the development of FinTech and virtual banks because Vietnam has the fast development of technology. However, the Vietnamese regulators need to consider four critical lessons learned from the application of RegTech of other countries to think of applying RegTech in Vietnam: correct problems findings, the establishment of the interdisciplinary innovation team, testing RegTech model and public engagement.

CONCLUSIONS The development of technology creates opportunities for the growth of FinTech firms and their virtual banks. It will motivate the growth of the worldwide economy. Virtual banks not only benefit themselves (and FinTech firms) but also bring more chances to customers to approach new technology-driven financial services. Besides, virtual banks will motivate traditional banks to transform themselves into the digital model, which will increase the competition inside the banking and finance sector. The operation of virtual banks raises several concerns on data privacy protection and cybersecurity risks. Additionally, it is not easy for FinTech firms to apply for the establishment of their virtual banks due to the lack of a legal framework in most countries around the world. However, regulators from different jurisdictions are taking step by step to regulate, supervise and control the establishment and the operation of virtual banks. Several methods have been applied, from the issuance of a specific regulation on virtual banks, enactment of laws on personal data protection and cybersecurity to applying a new form of regulation, such as the regulatory sandbox or RegTech. Some regulators have chosen to test the operation of FinTech before deciding to take further steps by granting the case-by-case license to virtual banks. All those acts show efforts of regulators to balance the benefits of customers and the development of the new technology and the virtual banks. Vietnam is the fast-growing country in applying technology in the finance sector. Vietnam will not be outside of the scope of the challenges as mentioned above. Nevertheless, there has not been a pure virtual bank operating in Vietnam at this moment. In order to motivate FinTech firms to form their digital-only banks without the need for cooperation with a licensed traditional bank in Vietnam, the Vietnamese regulator should consider researching and learning from other countries. For the issue of data privacy protection and cybersecurity, the Vietnamese regulator needs to complete and finalize the draft decrees regulating the protection of personal information and the Vietnam Cybersecurity Law at the earliest convenience. For the issue of requirements applying to the establishment of virtual banks, the Vietnamese government can consider applying a combined method, which starts with the experimental phase (i.e., issuing ‘pilot’ licenses to virtual banks), then preparing a regulatory sandbox for further tests of virtual banks’ services before moving to a specific regulation to regulate this business model. With this approach, the Vietnamese government can ensure the development of virtual banks and motivate FinTech to form digital-only banks to challenge traditional banks. Concurrently, the government can utilize the testing and experimental phase as the time to learn about technology, to keep up with the innovation of technology. Additionally, the Vietnamese government can consider adapting to RegTech in the future. This approach is not a short-term initiative, but in a more extended period, it will be useful as proved by the practice in other jurisdictions. The Vietnamese regulator should improve their digital infrastructure, consider taking opinions from the public, take several experiments and form multi-disciplinary teams to support the application of RegTech.

The author is optimistic that the Vietnamese government will solve the issues mentioned in this paper concerning the establishment and operation of virtual banks. If so, the Vietnamese financial market will develop with the emergence of new entrants which are virtual banks established by FinTech firms.

BIBLIOGRAPHY Regulations 1. Law No. 47/2010/QH12 passed by the National Assembly of Vietnam on 16 June 2010 regarding credit institutions, as amended and supplemented by Law No. 17/2017/QH14 dated 20 November 2017 (“Law on Credit Institutions”) 2. Law No. 07/2012/QH13 passed by the National Assembly of Vietnam on 18 June 2012 regarding Anti Money Laundering (“AML Law”) 3. On 12 June 2018, the National Assembly of Vietnam passed a new Law on Cybersecurity (“Vietnam Cybersecurity Law”), taking effect in January 2019 4. Decree No. 101/2012/ND-CP of the Government of Vietnam dated 22 November 2012 regarding Non-cash payment, as amended and supplemented by Decree No. 80/2016/ND-CP dated 01 July 2016 and by Decree No. 16/2019/ND-CP dated 01 February 2019 (“Decree No. 101”) 5. Decree No. 116/2013/ND-CP of the Government of Vietnam dated 10 October 2013 regarding the guidance on Law on Anti Money Laundering, as amended and supplemented by Decree No. 87/2019/ND-CP dated 14 November 2019 (“Decree No. 116”) 6. Decree No. 87/2019/ND-CP dated 14 November 2019, amending several articles of the Government's Decree No. 116/2013/ND-CP detailing the implementation of several Articles of the Anti-Money Laundering Law ("Decree No. 87") 7. Circular No. 40/2011/TT-NHNN of the State Bank of Vietnam dated 15 December 2011, regarding the issuance of license and the organization, operation of commercial banks, foreign bank's branches, representative offices of foreign credit institutions, other foreign organizations having banking activities in Vietnam, as amended by Circular No. 17/2017/TT-NHNN dated 20 November 2017, by Circular No. 17/2018/TT-NHNN dated 14 August 2018, by Circular No. 28/2018/TT-NHNN dated 30 November 2018 and by Circular No. 25/2019/TT- NHNN dated 02 December 2019 (“Circular No. 40”) 8. Decision No. 328/QD-NHNN dated 16 March 2017 to establish a Steering Committee on Financial Technology 9. Draft decree amending Decree No. 101/2012/ND-CP on non-cash payments published by the SBV on 6 November 2019 10. China Security Law 11. Banking Ordinance ─ Seventh Schedule Minimum Criteria for Authorization 12. Chapter 9, HKMA Guidelines to Authorization of Virtual Banks

Books, Papers, Articles and Reports

1. A New Era of Banking: The Landscape After the Battle, by Angel Berges, Mauro F. Guillén, Juan P. Moreno and Emilio Ontiveros 2. René M. Stulz, The Ohio State University, NBER, and ECGI, FinTech, BigTech, and the Future of Banks, September 2019, available at http://www.ssrn.com/abstract=3455297 3. Zetzsche, Dirk Andreas and Buckley, Ross P. and Arner, Douglas W. and Barberis, Janos Nathan, Regulating a Revolution: From Regulatory Sandboxes to Smart Regulation (August 14, 2017). 23 Fordham Journal of Corporate and Financial Law 31-103 (2017); European Banking Institute Working Paper Series 2017 - No. 11; University of Luxembourg Law Working Paper No. 006/2017; University of Hong Kong Faculty of Law Research Paper No. 2017/019; UNSW Law Research Paper No. 17-71; Center for Business and Corporate Law (CBC) Working Paper Series 001/2017. Available at SSRN: https://ssrn.com/abstract=3018534 or http://dx.doi.org/10.2139/ssrn.3018534 4. Pernot-Leplay, Emmanuel, China’s Approach on Data Privacy Law: A Third Way Between the U.S. and the EU? (2020). Penn State Journal of Law & International Affairs, Vol. 8, No. 1, 2020. Available at SSRN: https://ssrn.com/abstract=3542820 5. Fenwick, Mark and Kaal, Wulf A. and Vermeulen, Erik P.M., Regulation Tomorrow: What Happens When Technology is Faster than the Law? (2017). American University Business Law Review, Vol. 6, No. 3, 2017; Lex Research Topics in Corporate Law & Economics Working Paper No. 2016-8; U of St. Thomas (Minnesota) Legal Studies Research Paper No. 16-23; TILEC Discussion Paper No. 2016-024. Available at SSRN: https://ssrn.com/abstract=2834531 or http://dx.doi.org/10.2139/ssrn.283453 1 6. Buckley, Ross P. and Arner, Douglas W. and Veidt, Robin and Zetzsche, Dirk Andreas, Building FinTech Ecosystems: Regulatory Sandboxes, Innovation Hubs and Beyond (November 1, 2019). University of Luxembourg Law Working Paper No. 2019-010; European Banking Institute Working Paper Series 2019 – no. 53; UNSW Law Research Paper No. 19-72; University of Hong Kong Faculty of Law Research Paper No. 2019/100; Washington University Journal of Law and Policy, Vol. 61, 2020. Available at SSRN: https://ssrn.com/abstract=3455872 or http://dx.doi.org/10.2139/ssrn.345587 2 7. UNSGSA FinTech Working Group and CCAF. (2019). Early Lessons on Regulatory Innovations to Enable Inclusive FinTech: Innovation Offices, Regulatory Sandboxes, and RegTech. Office of the UNSGSA and CCAF: New York, NY and Cambridge, UK

8. PwC, Digital Intelligence: Securing Digital Bank Expansion, available at https://www.pwc.com/us/en/industries/financial-services/library/digital-bank- expansion.html 9. PwC, Digital Intelligence: Securing digital bank expansion, available at https://www.pwc.com/us/en/industries/financial-services/library/digital-bank- expansion.html 10. Harjeet Baura, APAC Digital Banking Leader, PwC Hong Kong, Digital Banking Customer Survey - Virtual Banking: Customers Take Charge - Are you ready, November 2019 11. PwC, Financial Services Technology 2020 and Beyond: Embracing disruption, available at https://www.pwc.com/gx/en/industries/financial- services/publications/financial-services-technology-2020-and-beyond-embracing- disruption.html 12. PwC, Top Policy Trends 2020: Data Privacy, available at https://www.pwc.com/us/en/library/risk-regulatory/strategic-policy/top-policy- trends/data-privacy.html 13. Baker McKenzie and BearingPoint, GDPR Survey: Benefits beyond compliance (2019), available at https://www.bakermckenzie.com/en/insight/publications/2020/04/gdpr-survey- benefits-beyond-compliance 14. Baker McKenzie, Updates to Draft Decree Detailing Certain Articles of Law on Cybersecurity, 08 October 2019, available at https://www.bakermckenzie.com/en/insight/publications/2019/10/updates-draft- decree-law-on-cybersecurity Internet Sources 1. Ngành Ngân hàng với những thách thức CMCN 4.0 (in English: Banking Industry Facing Challenges arising from the Fourth Industrial Revolution), PhD. Nghiem Xuan Thanh, 27 August 2019, available at http://tapchinganhang.com.vn/nganh- ngan-hang-voi-nhung-thach-thuc-cmcn-4-0.htm 2. Fintech - cơ hội và thách thức đối với sự phát triển của hệ thống tài chính, ngân hàng (in English: Fintech – Chances and Challenges to the Development of Banking and Finance System), available at http://tapchinganhang.com.vn/fintech- co-hoi-va-thach-thuc-doi-voi-su-phat-trien-cua-he-thong-tai-chinh-ngan-hang.htm 3. Trụ cột kiến trúc phát triển hoạt động ngân hàng số (in English: Pillars for development of digital banking activities), 20 December 2019, available at http://tapchinganhang.com.vn/tru-cot-kien-truc-phat-trien-hoat-dong-ngan-hang- so.htm

4. China Finalizing Laws For Digital-Only Banking, 14 January 2020, available at https://www.pymnts.com/bank-regulation/2020/china-finalizing-laws-for-digital- only-banking/ 5. South Korea Eyeing to Grant more Virtual Banking Licenses, 31 July 2019, available at https://fintechnews.hk/9770/fintechkorea/south-korea-eyeing-to-grant- more-virtual-banking-licenses/ 6. https://www.internetworldstats.com/top20.htm, last updated on 30 June 2019 7. https://www.statista.com/statistics/748053/worldwide-top-countries-smartphone- users/ 8. Fintech Việt hút vốn ngoại: Khi tiềm năng khai phá còn rộng mở (in English: Fintech in Vietnam attracts Foreign capital: When the potential is still broad), 19 August 2019, available at http://tapchinganhang.com.vn/fintech-viet-hut-von- ngoai-khi-tiem-nang-khai-pha-con-rong-mo.htm 9. Hong Kong digital bank offers market-beating 6% interest rate, 13 January 2020, available at https://www.finextra.com/newsarticle/35050/hong-kong-digital-bank- offers-market-beating-6-interest-rate 10. IBM Sales and Distribution, White Paper Executive Summary, June 2015, available at https://www.ibm.com/downloads/cas/XGJGOJWA 11. Barclay Ballard, The Unstoppable Rise of Neobanks, 11 October 2018, available at https://www.worldfinance.com/banking/the-unstoppable-rise-of-neobanks 12. Ryan Browne, N26 customers feel ‘betrayed’ by the German digital bank’s decision to quit the UK, 17 February 2020, available at https://www.cnbc.com/2020/02/17/n26-customers-feel-betrayed-by-german-digital- bank-for-leaving-uk.html 13. Victor T. Samuel, J.D., MBA, In Spite of U.S. Regulatory Roadblocks, Digital Banks Are Here to Stay, 30 October 2019, available at https://medium.com/@outsourcedkarma/in-spite-of-us-regulatory-roadblocks- digital-banks-are-here-to-stay-71fb9f5049ca 14. The Future of Banking: Virtual and Vital--Online-Only Banks Aim to Transform Taiwan Banking, written by YuHan Lan, 01 August 2019, available at https://www.spglobal.com/en/research-insights/articles/the-future-of-banking- virtual-banks-chase-the-dream-in-asia-pacific 15. Alibaba MYBank, published on 02 December 2016 on https://www.mediaman.com.cn/news/alibaba-mybank/ 16. Sichuan Online Lender XWBank Sees 224% YoY Surge in Net Profits, published in September 2019 on http://www.chinabankingnews.com/2019/08/21/sichuan- online-lender-xwbank-sees-224-yoy-surge-in-net-profits/

17. Asia’s Emerging Virtual Banks, written by Cindy Li and Paul Tierno, 09 October 2019, available at https://www.frbsf.org/banking/asia-program/pacific-exchange- blog/asias-emerging-virtual-banks/ 18. Kakao Bank on track, while K bank falters, 18 November 2019, available at https://www.koreatimes.co.kr/www/biz/2019/11/126_278907.html 19. Singapore receives 21 application for five digital bank licenses, 7 January 2020, available at https://www.ft.com/content/f9356bdc-3102-11ea-a329-0bcf87a328f2 20. https://www.mas.gov.sg/regulation/Banking/digital-bank-licence 21. The Philippines set for the first digital-only bank as Tonik gets green light - Written by Alex Hamilton - 10 January 2020 - https://www.fintechfutures.com/2020/01/the-philippines-set-for-first-digital-only- bank-as-tonik-gets-green-light/ 22. Bank of Thailand Is Considering Issuing Licenses to Digital Banks to Enable Greater Financial Inclusion - https://www.crowdfundinsider.com/2020/01/156804- bank-of-thailand-is-considering-issuing-licenses-to-digital-banks-to-enable-greater- financial-inclusion/ 23. Thanh toán không dùng tiền mặt mới chiếm 21% (in English: Non-cash payment accounts for 21% only), 28 November 2019, available at https://saigondautu.com.vn/tai-chinh/thanh-toan-khong-dung-tien-mat-moi-chiem- 21-74648.html 24. Vietnam ranks second in fintech investment in South-East Asia, 14 December 2019, available at https://www.thestar.com.my/news/regional/2019/12/14/vietnam- ranks-second-in-fintech-investment-in-south-east-asia 25. Singapore's start-ups; Policygenius' insurance market; fintech M&A takes off, 24 February 2020, available at https://www.ft.com/content/677fe5c2-5737-11ea-a528- dd0f971febbc 26. Jumio - How eKYC is Streamlining Digital banking - An APAC Perspective, available at https://jumio.pathfactory.com/c/jumio-apac-ekyc-eboo?x=- 5LwNy&utm_source=pathfactory&utm_medium=ppc&utm_campaign=2020_APA C_eKYC_Digital_Banking_Guide 27. https://www.moneysupermarket.com/current-accounts/digital-banking/digital-only- guide/ 28. Privacy Policy of Revolut, available at https://www.revolut.com/legal/privacy#what-information-do-you-collect-about-me 29. Marqeta, 2019 Digital Banking Survey: How consumers are engaging with banking services in 2019, published in Q4, 2019

30. How safe are digital and mobile banking?, 22 April 2020, available at https://www.expatica.com/finance/banking/how-safe-are-digital-and-mobile- banking-16139/ 31. New fintech study reveals brits' data privacy concerns, 23 March 2018, available at https://www.businesscloud.co.uk/news/new-fintech-study-reveals-brits-data- privacy-concerns 32. Top security concerns for the Financial Services industry in 2020, 05 December 2019, available at https://www.blueliv.com/cyber-security-and-cyber-threat- intelligence-blog-blueliv/security-financial-services-industry-2020/ 33. Ray Tsang, Senior Business Development Manager, JOS Hong Kong, Virtual banks VS Traditional banks: The opportunities, risks and security posture, 31 October 2019, available at https://www.jos.com/leaders/virtual-banks-vs- traditional-banks 34. Hong Kong: Virtual banking and data privacy, November 2019, available at https://platform.dataguidance.com/opinion/hong-kong-virtual-banking-and-data- privacy 35. Hong Kong: Virtual banking and data privacy, November 2019, available at https://platform.dataguidance.com/opinion/hong-kong-virtual-banking-and-data- privacy 36. https://www.revolut.com/legal/privacy#what-information-do-you-collect-about-me 37. Privacy and Cookies Statements of Bunq, available at https://www.bunq.com/assets/media/legal/en/20200512_Privacy_Statement_EN.pd f 38. Which countries have the worst (and best) cybersecurity, updated on 03 March 2020, available at https://www.comparitech.com/blog/vpn-privacy/cybersecurity- by-country/ 39. Ngân hàng Việt đang là đích ngắm của tội phạm mạng (in English: Vietnamese banks are the targets of cybercriminal), 27 November 2019, available at https://vnexpress.net/ngan-hang-viet-dang-la-dich-ngam-cua-toi-pham-mang- 4018549.html 40. 5 thách thức trong số hóa ngân hàng ở Việt Nam (in English: Five challenges in banking digitalization in Vietnam), 17 May 2019, available at https://vnexpress.net/kinh-doanh/5-thach-thuc-trong-so-hoa-ngan-hang-o-viet-nam- 3924598.html 41. Làn sóng số hóa ngân hàng trước thách thức bảo mật (in English: The wave of banking digitalization facing the confidential challenge), 18 December 2019, available at https://tinnhanhchungkhoan.vn/ngan-hang/lan-song-so-hoa-ngan-hang- truoc-thach-thuc-bao-mat-307672.html

42. Ngân hàng số: Cơ hội và thách thức cho hệ thống tài chính Việt Nam (in English: Virtual banks: Opportunities and challenges for the Vietnam’s financial system), 20 August 2019, available at https://baodautu.vn/ngan-hang-so-co-hoi-va-thach-thuc- cho-he-thong-tai-chinh-viet-nam-d105661.html 43. Revolut drops out of Singapore digibank race over high capital requirement, 13 November 2019, available at https://www.businesstimes.com.sg/banking- finance/sff-x-switch-2019/revolut-drops-out-of-singapore-digibank-race-over-high- capital 44. UK’s ICO fines British Airways a record £183M over GDPR breach that leaked data from 500,000 users, 08 July 2019, available at https://techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m- over-gdpr-breach-that-leaked-data-from-500000-users/ 45. The EU Cybersecurity Act brings a strong agency for cybersecurity and EU-wide rules on cybersecurity certification, 26 June 2019, available at https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity-act-brings- strong-agency-cybersecurity-and-eu-wide-rules-cybersecurity 46. The Cybersecurity Act strengthens Europe’s cybersecurity, 19 March 2019, available at https://ec.europa.eu/digital-single-market/en/news/cybersecurity-act- strengthens-europes-cybersecurity 47. Hogan Lovells, Asia Pacific Data Protection and Cyber Security Guide, available at: https://iapp.org/resources/article/311636/ 48. Singapore’s new Cybersecurity Act comes into force: Here’s what you need to know, 06 September 2018, available at https://www.dataprotectionreport.com/2018/09/singapores-new-cybersecurity-act- come-into-force-heres-what-you-need-to-know/ 49. Bảo vệ thông tin cá nhân thời công nghệ số (in English: Protection of Personal Information in the digital era), 02 March 2020, available at http://doanhnghiephoinhap.vn/bao-ve-thong-tin-ca-nhan-thoi-cong-nghe-so.html 50. List of non-bank institutions granted intermediary payment services license, updated on 05 May 2020, available at https://www.sbv.gov.vn/webcenter/portal/vi/menu/trangchu/tk/hdtt/ctccudvtt?_afrLoop =6690435775978211#%40%3F_afrLoop%3D6690435775978211%26centerWidth%3 D80%2525%26leftWidth%3D20%2525%26rightWidth%3D0%2525%26showFooter %3Dfalse%26showHeader%3Dfalse%26_adf.ctrl-state%3Dvy0rwg3ft_4 51. Patrick Dwyer, Regulatory Sandboxes: ‘Safe Spaces’ for Start-Ups, FINTECH BUSINESS (June 27, 2016), http://www.fintechbusiness.com/blogs/399- regulatory-sandboxes-safe-spaces-for-startups