Vietnam Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Who regulates financial crime in Vietnam?

The State Bank of Vietnam (SBV) is the primary AML/CFT regulator. It supervises banks, credit institutions, foreign bank branches, payment service providers, and money transfer operators. The SBV issues binding circulars, conducts on-site inspections, and has authority to impose administrative sanctions and refer cases for criminal prosecution. Its official site is sbv.gov.vn.

Within the SBV sits the Anti-Money Laundering Department (AMLD), which functions as Vietnam's Financial Intelligence Unit (FIU). The AMLD receives suspicious transaction reports (STRs) and cash transaction reports (CTRs), analyzes financial intelligence, shares it with law enforcement, and coordinates with foreign FIUs through the Egmont Group. Vietnam joined the Egmont Group in 2007.

The State Securities Commission (SSC) supervises AML compliance across the securities sector: securities companies, fund management companies, and securities investment funds. It operates under the Ministry of Finance and issues its own sector-specific AML guidance. The SSC's website is ssc.gov.vn.

The Ministry of Public Security handles criminal investigations and prosecutions for money laundering and related financial crimes. Its economic crime units lead major cases, including cross-border laundering and organized financial fraud. The ministry works alongside the AMLD on intelligence-to-prosecution pipelines, and its role has grown considerably following the high-profile banking prosecutions of 2023 and 2024.

The Ministry of Finance oversees AML compliance for insurance companies and certain non-bank financial institutions, coordinating with the SBV on cross-sectoral standards.

What are the key AML and fraud laws in Vietnam?

The Law on Anti-Money Laundering 2022 (No. 14/2022/QH15, effective March 1, 2023) is the foundational statute. It replaced the 2012 law and substantially expanded both the scope of obliged entities and the obligations they carry. The 2022 law added virtual asset service providers to the list of reporting entities, strengthened Customer Due Diligence requirements in line with FATF Recommendation 10, and introduced more detailed beneficial ownership disclosure rules.

Decree 19/2023/ND-CP implements the 2022 law in detail, covering internal control frameworks, risk assessment methodologies consistent with the FATF risk-based approach (Recommendation 1), and record-keeping obligations. The SBV followed with Circular 09/2023/TT-NHNN, which provides sector-specific guidance for credit institutions and foreign bank branches operating in Vietnam.

The Penal Code 2015 (amended 2017) criminalizes money laundering under Article 324. Penalties reach 15 years imprisonment for individuals and fines of up to 10 billion VND (approximately USD 400,000) for corporate offenders. Terrorism financing is addressed under Article 300.

Decree 13/2023/ND-CP on Personal Data Protection (effective July 1, 2023) governs the collection, storage, and processing of personal data. This matters directly for compliance programs: CDD data collected under the AML law is also personal data under Decree 13. Sharing it with group compliance functions abroad requires a documented legal basis. That creates real friction with group-wide AML information sharing obligations, and institutions operating regional compliance hubs need to document the legal basis carefully before they route Vietnamese customer data offshore.

The Law on Credit Institutions 2024 strengthened bank governance following the SCB scandal, tightening rules on cross-shareholding, connected-party lending, and board composition.

What controls do Vietnam regulators expect?

Customer due diligence. The 2022 AML law requires standard CDD for all new customers and periodic re-verification of existing relationships. Enhanced due diligence applies to politically exposed persons, customers from high-risk jurisdictions, and non-face-to-face onboarding. Standard Know Your Customer (KYC) involves identity verification using Vietnam's national ID (CCCD) or passport, address confirmation, and documented understanding of the nature and purpose of the relationship. Simplified CDD is permitted for demonstrably lower-risk scenarios.

Transaction monitoring. Institutions must implement systems capable of detecting unusual transactions against customer profiles and risk classifications. The SBV expects transaction monitoring to run at real-time or near-real-time frequency for higher-risk accounts, with documented alert escalation procedures.

STR and CTR reporting. Suspicious Transaction Reports must be filed with the AMLD within 48 hours of detection. That's one of the tighter STR deadlines in the region. Cash Transaction Reports cover individual transactions of 300 million VND (approximately USD 12,000) or more and must be filed within three working days.

Sanctions screening. Institutions must screen against UN Security Council consolidated lists and Vietnam's national terrorism-related asset freezing lists. The SBV issues updated circulars on targeted financial sanctions implementation, and compliance programs must incorporate these promptly.

Record keeping. CDD records and transaction documentation must be retained for at least five years after the business relationship ends, consistent with FATF Recommendation 11 on Record Keeping.

Internal governance. The law requires a designated AML compliance officer with direct reporting lines to senior management or the board, independent internal audit of the AML program, annual risk assessments, and regular staff training. These aren't aspirational; the SBV tests for them on inspection.

What is unique about compliance in Vietnam?

FATF grey list status. The FATF placed Vietnam on its "Jurisdictions Under Increased Monitoring" list in June 2023, following its 2022 mutual evaluation report. The evaluation identified gaps in beneficial ownership transparency, cross-border cash controls, and international cooperation on asset recovery. Vietnam committed to a remediation action plan. For foreign banks, grey-list status triggers enhanced due diligence obligations on Vietnamese counterparties under most home-country frameworks. Many correspondent banking programs now require specific risk committee sign-off before extending or maintaining accounts for Vietnamese institutions.

Cash dominance and informal channels. The SBV's own financial inclusion data shows that a significant share of the Vietnamese adult population remains outside formal banking. Cash is pervasive in real estate, trade finance, and retail commerce. Transaction monitoring models calibrated for digital-payment economies underperform here; they need deliberate tuning for cash-heavy customer profiles and informal-sector businesses.

Beneficial ownership gaps. The 2022 law introduced Ultimate Beneficial Owner (UBO) disclosure requirements for legal entities. Vietnam still lacks a publicly searchable central beneficial ownership registry accessible to reporting institutions. Compliance teams rely on self-declaration and independent verification. The FATF flagged this as a material gap, and it's an ongoing practical challenge for onboarding corporate customers.

eKYC and digital identity. The SBV permits eKYC for lower-risk account opening under specific conditions. Vietnam's Ministry of Public Security has rolled out the VNeID digital identity platform and chip-based national IDs (CCCD with chip). Banks operating digital onboarding channels in Vietnam need to integrate with these systems, or build equivalent documentary verification processes that satisfy the SBV's technical standards.

VASPs and crypto. As of early 2026, Vietnam has no formal licensing framework for virtual asset service providers. The government has signaled regulatory intent, but no law is in force. Under FATF Recommendation 15 on New Technologies, this gap makes any institution with crypto-linked exposure in Vietnam a higher-risk relationship by default.

Language requirements. All STRs, CTRs, regulatory filings, and internal compliance policies must be in Vietnamese. English-only compliance programs don't satisfy SBV requirements. This is a practical constraint for foreign bank branches that run globally standardized English-language compliance frameworks.

Recent enforcement actions in Vietnam

The SCB / Truong My Lan case (2024) is the largest financial crime prosecution in Vietnamese history. Real estate developer Truong My Lan was convicted in April 2024 on charges including fraud, bribery, and violation of banking regulations. The court found that she had effectively controlled Saigon Commercial Bank (SCB) and directed approximately 2,527 fraudulent loans totaling an estimated $27 billion over more than a decade, using SCB as a vehicle for illegal capital extraction. She received a death sentence. The case exposed critical failures in the SBV's supervisory oversight of connected-party lending and in SCB's own governance controls. It directly prompted the tightened connected-lending and cross-shareholding provisions in the Law on Credit Institutions 2024. Reuters covered the verdict in detail in April 2024.

Administrative sanctions. The SBV has issued administrative fines against multiple credit institutions for AML deficiencies: inadequate CDD documentation, late or missing STR filings, and absent transaction monitoring systems. Under the sanctions regime established by Decree 88/2019/ND-CP and its successors, fines per violation can reach several hundred million VND. These figures are modest by international standards, but the SBV's increased inspection activity since 2023 makes enforcement more likely than it was in the previous decade.

SSC enforcement. The State Securities Commission has sanctioned securities companies for AML failures, including missing customer identification records and undocumented risk assessments. These cases receive less public coverage than banking-sector actions.

For foreign banks considering correspondent relationships with Vietnamese institutions, how home-country regulators handle grey-list country exposure is the more pressing risk. The HSBC 2012 enforcement action and the Standard Chartered 2019 sanctions case both demonstrate the liability that flows back to global banks when AML controls fail in elevated-risk markets. Vietnam's grey-list status puts it squarely in that category for correspondent bank risk reviews.

What foreign banks operating in Vietnam need to know

Licensing. Foreign banks can establish a 100%-foreign-owned subsidiary bank (minimum charter capital: 3 trillion VND), a joint-venture bank, or a branch of a foreign bank. Representative offices cannot conduct banking business. All structures require SBV approval, and licensing timelines typically run 12 to 18 months from initial application to approval.

Local MLRO requirement. The 2022 AML law requires each reporting entity to designate an AML compliance officer with authority to report directly to senior management or the board. This person must be resident in Vietnam. Global banks that run compliance centrally from regional hubs need to ensure the local officer genuinely holds decision-making authority, not just a nominal title for regulatory purposes.

Outsourcing and third-party reliance. CDD can rely on third-party introducers, including group entities in other jurisdictions, but responsibility stays with the local institution. Third-party arrangements must be documented, and the introducer must be subject to equivalent AML obligations. The SBV requires notification of material outsourcing arrangements and can require the arrangement to be unwound if it creates supervisory gaps.

STR timeline pressure. 48 hours is tight. Multi-jurisdiction banks that route STR sign-off through Singapore or Hong Kong compliance hubs frequently miss this window. Build a local escalation path that can deliver within the deadline without waiting for offshore approval. Staff the local compliance function accordingly.

Data localization. Vietnam's Cybersecurity Law 2018 and Decree 13/2023 impose data localization obligations on certain categories of data, including personal data of Vietnamese users. Banks hosting CDD and transaction data on regional cloud infrastructure must assess compliance carefully. Similar tensions between data localization and group compliance architectures arise in Singapore and India, and the resolution approaches from those markets are a useful reference point, though Vietnam's rules differ in detail.

Language. All STRs, CTRs, and SBV correspondence must be in Vietnamese. Build this into your operating model from day one. Retrofitting it after go-live is consistently more expensive and disruptive than getting it right at launch.

How FluxForce supports Vietnam compliance

Vietnam's 48-hour STR deadline, cash-intensive transaction environment, and FATF grey-list status require a compliance platform built for speed and evidence quality. FluxForce provides real-time transaction monitoring calibrated for cash-heavy customer profiles, automated sanctions and PEP screening against UN consolidated lists and local SBV watchlists, and AI-assisted STR drafting with complete audit trails. Every detection decision includes documented evidence that meets the SBV's record-keeping requirements under the 2022 AML law. Deployment options support data residency requirements under Decree 13/2023. Request a demo to see how FluxForce maps to Vietnam's specific obligations.