Regulatory Sandbox for Fintech Solutions

In light of the rapid and increasingly complex development of Vietnam’s financial technology (Fintech) sector, the need for a structured legal Sandbox to ensure transparency, security, and foster innovation has become more imperative than ever. Nearly four years after the Government of Vietnam issued Resolution No. 100/NQ-CP on September 6, 2021, approving the development of a decree on a regulatory Sandbox for Fintech operations in the banking sector, the Government officially promulgated Decree No. 94/2025/ND-CP (Decree 94) on April 29, 2025. This decree establishes a regulatory Sandbox for Fintech solutions and will take effect on July 1, 2025.
 

Decree 94 marks a significant milestone in Vietnam’s Fintech regulatory landscape by providing a controlled testing environment for credit institutions and foreign bank branches (Credit Institutions), and eligible Fintech companies to pilot new business models, including peer-to-peer lending (P2P Lending), open application programming interfaces (Open API), and credit scoring solutions. The sandbox (Sandbox) is also designed to mitigate potential risks to customers using these Fintech solutions during testing. The outcomes of Sandbox participation will serve as a practical basis for relevant authorities to develop, adjust, and complete the regulatory framework where necessary.
 

This Legal Update outlines the key provisions of Decree 94.
 

1. Scope of Application
Decree 94 establishes a regulatory Sandbox for three categories of Fintech solutions applicable to the banking sector, namely:
 

(i) Credit Scoring: 
(a) Credit scoring refers to a technology-driven solution implemented by Credit Institutions or Fintech companies to assess the creditworthiness of individuals or organisations. 
(b) This solution is intended to support the credit assessment and approval processes of Credit Institutions.
 

(ii) Data Sharing via Open API: 
(a) An Open API is a standardised set of APIs that enable two software components to communicate with one another. These APIs may be utilised by the computer systems of Credit Institutions, Fintech companies, and other third parties.
(b) Such APIs are used to transmit service requests to the systems of Credit Institutions that provide access to the Open API.
 

(iii) P2P Lending Solution: 
(a) The P2P Lending Solution is an information technology-based platform provided by a Fintech company (P2P Lending Companies) to facilitate information exchange and support the formation of lending agreements between borrowers and lenders through a digital interface. 
(b) The currency utilised in P2P Lending transactions must be Vietnamese dong (VND).

2. Subjects and Scope of Participation in the Sandbox
Decree 94 stipulates that Credit Institutions and Fintech companies are eligible to participate in the regulatory Sandbox upon being granted a Certificate of Participation in the Sandbox by the State Bank of Vietnam (SBV). 
 

With respect to the scope of participation in the Sandbox framework for each type of eligible entity:
(i) Credit Institutions may only participate in Credit Scoring and Open API, and are not permitted to engage in P2P Lending Solutions. 
(ii) Fintech companies are permitted to participate in all three Fintech solutions. Under Decree 94, a Fintech company is defined as an organisation other than a Credit Institution, which is lawfully established or registered to operate in the territory of Vietnam. A Fintech company may provide Fintech solutions independently or in cooperation with Credit Institutions to offer such solutions to the market.
 

3. Duration, Geographical Limits, and Scope of the Sandbox
(i) Duration of the Sandbox: Fintech solutions may be licensed and tested within the Sandbox for a maximum period of two years, depending on the nature of the solution and its respective sector, commencing from the date on which the Certificate of Participation in the Sandbox (Certificate) is issued by the SBV. Participating entities may apply for up to two extensions, with each extension not exceeding one additional year.
 

(ii) Geographical limits of the Sandbox: The implementation of the Sandbox for Fintech solutions is restricted within the territory of Vietnam and shall not be conducted on a cross-border basis.
 

(iii) Scope of the Sandbox: Entities participating in the Sandbox may only provide Fintech solutions within the scope expressly specified in their respective granted Certificates.
 

4. Conditions for Participation in the Sandbox
4.1. General Conditions
Entities participating in the Sandbox are required to maintain full compliance with all applicable conditions throughout the Sandbox period. Specifically:
 

(i) For Credit Institutions: Credit Institutions not subject to special control (i.e., those not placed under the direct supervision of the SBV) may be considered for the issuance of a Certificate of Participation in the Sandbox if the proposed Fintech solution satisfies the following criteria:
(a) The solution features technical and operational elements that are not yet specifically governed under the existing legal framework;
(b) The solution demonstrates innovation and delivers tangible value to users, particularly in advancing financial inclusion in Vietnam;
(c) The solution includes a risk management framework, mitigation plans for risks arising during the Sandbox, and mechanisms for consumer protection;
(d) The solution has undergone comprehensive assessment with respect to its functions, features, and practical utility; and
(e) The solution is commercially viable and capable of market rollout upon completion of the Sandbox.
 

(ii) For Fintech companies: A Fintech company may be considered for participation in the Sandbox where its proposed solution meets the criteria above, and the company fulfils the following conditions:
(a) It must be a legal entity duly established and lawfully operating in the territory of Vietnam;
(b) It must not be undergoing dissolution, bankruptcy, division, separation, merger, or conversion; and
(c) The legal representative, the General Director/Director must satisfy the following conditions: (I) hold a university degree or higher in economics, business administration, law, or information technology; (II) possess at least two years of managerial or executive experience in the finance or banking sector; and (III) not fall under any statutory prohibitions applicable to management positions.
 

4.2. Additional Conditions for Providers of P2P Lending Solution 
In addition to the general eligibility requirements outlined above, Fintech entities intending to operate a P2P Lending Solution within the Sandbox must comply with the following conditions at the time of registration and throughout the Sandbox period:
 

(i) The enterprise must be legally incorporated and operating within Vietnam, and must not be a foreign-invested enterprise. While the Law on Investment 2020 no longer uses the concept of “foreign-invested enterprise”, this law defines “foreign-invested economic organisation” as an economic organisation in which foreign investors hold equity or are members/shareholders.
 

(ii) The legal representative, the General Director/Director must satisfy the following requirements:
(a) be Vietnamese citizens with no criminal record and no history of administrative sanctions in finance, banking, or cybersecurity; and 
(b) not concurrently serving as owners or managers of any other entity providing financial services, banking services, pawn services, intermediary payment services, multi-level marketing businesses, or informal lending collectives (referred to in Vietnamese as “hụi, họ, biêu, phường”).
 

5. Procedure for Issuance of the Certificate of Participation in the Sandbox
(i) Eligible entities seeking to participate in the Sandbox must register with the SBV to obtain a Certificate by submitting an application dossier in accordance with the requirements set out in Decree 94. The SBV shall coordinate with relevant ministries to conduct an appraisal of the application, which may include on-site inspection.
 

(ii) Licensed participants are only permitted to provide Fintech solutions strictly within the scope approved under their respective Certificates.
 

(iii) Each Certificate shall be valid for a period of up to two years. Participants may apply for an extension no later than 90 days prior to the expiry date, subject to a maximum of two extensions, with each extension not exceeding one year.
 

(iv) The SBV may terminate the Sandbox participation and revoke the granted Certificate in certain circumstances, including, without limitation, to:
(a) Within 90 days from the date of issuance of the Certificate, a licensed participant fails to commence Sandbox activities, unless delayed due to force majeure.
(b) Severe risks are identified during supervision and inspection, assessed by relevant authorities as posing significant threats to customers or financial stability, along with unresolvable technical failures or legal violations subject to enforceable judgments or administrative penalties.
 

(v) Upon the issuance and entry into force of formal legal provisions governing the relevant Fintech solution, or where the SBV determines that the Fintech solution is not a conditional business line, the SBV may issue a Certificate of Completion of the Sandbox, thereby allowing the Participant to officially roll out the solution in accordance with the prevailing legal framework at the time of completion.
 

6. Obligations of Organisations Participating in the Sandbox
6.1. General Obligations
Organisations participating in the Fintech Sandbox shall assume the following key legal responsibilities:
 

(i) Comprehensive legal liability: Be fully liable under the law for the accuracy, completeness, and veracity of the application dossier; be responsible for all operational activities and the implementation of the Sandbox programme. Full compliance with Decree 94, other applicable laws, and the terms of the Certificate of Participation in the Sandbox is required.
 

(ii) Reporting obligations: Submit both periodic and ad hoc reports as required by relevant State authorities.
 

(iii) Information transparency: Provide clear, accurate, and complete information to customers and relevant stakeholders; comply with applicable regulations on advertising and public communications.
 

(iv) Liability for misinformation: Be held accountable for the provision of false or incomplete information, except where it can be demonstrated that all legally prescribed verification measures were duly applied.
 

(v) Supervision and cooperation: Conduct regular self-monitoring and risk assessments; promptly detect and report any signs of legal non-compliance; cooperate closely with the State Bank of Vietnam and other relevant authorities during the Sandbox period.
 

(vi) Issuance of internal regulations: Develop and implement comprehensive internal policies and procedures covering operational management, internal control, incident response, data security, and dispute resolution, to ensure operational integrity, transparency, and resilience throughout the Sandbox participation.
 

(vii) Performance of contractual obligations: Fulfil all obligations arising under agreements with customers and other relevant organisations and individuals, in accordance with applicable law.
 

6.2. Additional Obligations of P2P Lending Companies 
In addition to the general obligations set out in Section 6.1 above, P2P Lending Companies must comply with the following specific requirements:
 

(i) Prevention of conflicts of interest and internal fraud: Implement appropriate measures to prohibit members of the Board of Management, executive management, or employees from engaging in lending transactions or providing loan guarantees; concurrently, ensure internal controls are in place to prevent fraud or misappropriation of customer assets.
 

(ii) Customer data verification and protection: Apply procedures to authenticate, update, and reconcile customer data; and implement safeguards to prevent forgery or unauthorised alteration of customer information.
 

(iii) Pre-contractual disclosure obligations: Provide customers with full and transparent information regarding loan terms, agreements, interest rates, applicable fees, and respective rights and obligations of the parties, and obtain customer confirmation prior to contract execution.
 

(iv) Contractual compliance: Ensure that all contractual arrangements between lenders, borrowers, the P2P Lending Company, and any relevant third parties are consistent with the prevailing laws of Vietnam.
 

(v) Management of borrower credit limits: Establish and apply borrowing limits for individual borrowers, utilising credit data obtained from the Vietnam National Credit Information Centre (CIC) to ensure compliance with maximum thresholds as prescribed. Breach of this obligation may result in termination of Sandbox participation or non-issuance of the Certificate of Completion.
 

(vi) Transparent disclosure obligations: Publicly disclose the company’s essential corporate information on its official website. Annual financial statements must be independently audited and published in accordance with applicable regulations.
 

(vii) Data retention and security: Maintain complete and accurate records, contracts, and customer data in compliance with Vietnamese law, and ensure data security, system backup, and availability of such information to relevant authorities upon request. 
 

Observation & Conclusion
The promulgation of Decree 94 marks a significant turning point in the Government’s Fintech regulatory policy, clearly reflecting its orientation toward fostering innovation within a controlled legal framework. Nevertheless, several issues remain with respect to Decree 94, including:

• Limited scope of the Sandbox: The Sandbox currently applies to only three solutions within the banking sector, while other prominent Fintech areas, such as blockchain technology and digital banking, are still under governmental discussion.
• Need for more cross-sectoral integration: The Sandbox mechanism is presently limited to banking services, omitting other sectors where Fintech is also being actively applied, such as securities and insurance.
• Unclear eligibility criteria: The conditions for participating in the Sandbox remain largely qualitative, with general references to “innovation” or “positive impact,” but without clear guidance for consistent assessment or implementation.

Notwithstanding, Decree 94 is still expected to lay the groundwork for the sustainable development of the Fintech sector in Vietnam. In the meantime, Fintech companies should proactively invest in technological capabilities, governance, and compliance readiness to fully leverage Sandbox opportunities and prepare for eventual entry into the official market.

Click here to download: Legal Update (EN) - Regulatory Sandbox for Fintech Solutions - June 2025.pdf

This material provides only a summary of the subject matter covered, without the assumption of a duty of care by Frasers Law Company.
The summary is not intended to be nor should be relied on as a substitute for legal or other professional advice.

© Copyright in this article is owned by Frasers Law Company