Is Your Bank Account Number Sensitive Data In Vietnam? A Guide To Protecting Your Bank Account

Long Nguyen
Project Manager & Legal Counsel, Viettonkin Joint Stock Company
With over a decade of experience managing investment projects in construction and extensive legal expertise, Nguyễn Hoàng Long leads business planning, sales, and client relations at Viettonkin. As both Project Manager and in-house Lawyer, he ensures strategic, compliant, and client-focused solutions for FDI projects.

In Vietnam’s rapidly digitizing economy, sharing a bank account number has become a routine part of daily life. From receiving a salary and paying bills to making online purchases, these unique identifiers are the backbone of countless financial transactions. This seamless flow of information powers convenience, but it also introduces a critical legal question for many businesses and individuals.

The question is: What kind of personal data is a bank account number under Vietnamese law? This is more than a technicality; the answer determines the level of security and consent required for handling such information. This creates significant compliance challenges for any organization, especially foreign-invested businesses operating with multiple bank accounts.

This article will clarify where a bank account number fits within Vietnam’s data protection framework. It will also explain when an account number becomes sensitive information. Finally, it provides practical guidance for both individuals and businesses to navigate these essential regulations safely and protect every bank account.

Key Takeaways:

  • Account Number As Basic Data: A standalone bank account number is considered basic personal data under Vietnam’s data protection laws.
  • When It Becomes Sensitive: An account number becomes sensitive personal data only when combined with other account details, such as account balances, a bank statement, or financial transactions.
  • Why The Classification Matters: This distinction is vital, as sensitive data requires explicit consent from the account holder and much stricter security measures for processing and storage by any institution.
  • Impact On Businesses: For businesses, this difference impacts everything from payroll and direct deposits for employees to customer payment systems, where each payment must be tracked.
  • Individual Responsibility: Regardless of the legal classification, individuals should always treat their bank account details as confidential, using secure channels and monitoring their accounts for suspicious transactions.

Understanding Personal Data Under Vietnam’s Legal Framework

The legal basis for data protection comes directly from Vietnam’s Decree No. 13/2023/ND-CP on the Protection of Personal Data, which provides a comprehensive framework aligning with global standards. 

For any business handling payments or customer accounts, understanding the local definitions is the first step to compliance. The decree classifies personal data into two distinct categories, each with different handling requirements for the financial institution.

The Vietnamese government has also issued the Law on Personal Data Protection, which officially takes effect on January 1, 2026, to further improve the legal framework regulating this field.

What Counts As Personal Data

Under Decree No. 13/2023/ND-CP, personal data is any information that is associated with a specific person or helps to identify them.

This can be in the form of symbols, letters, numbers, images, or sounds. If a piece of information, like a bank account number or card number, can be linked back to a person, it qualifies as personal data that identifies that individual.

Two Main Categories Of Personal Data

The law separates personal data into two buckets: basic and sensitive. This difference is essential for banks and businesses to understand.

  • Basic personal data includes general identifiers like name, date of birth, nationality, phone number, and, importantly, bank account numbers on their own. Each bank assigns a unique account number to its customers.
  • Sensitive personal data is information that, if leaked, could directly harm an individual’s rights and interests. According to a guide about Decree No. 13/2023/ND-CP from the Australian Chamber of Commerce in Vietnam (AusCham), this includes data on financial information detailed in bank records or a bank statement. Access to these details must be strictly controlled by the financial institution.

Is A Bank Account Number Personal Data?

Yes, a bank account number is unequivocally personal data. A bank account number is a unique code assigned when a person opens a bank account. When combined with a name or a bank’s routing number, it points directly to a specific person, making it personal data by definition. The account number is a vital identifier within the banking system.

The ease with which online banking systems can display a person's name after an account number is entered proves this direct link. The account number identifies the account holder. Every bank account has an associated account number for tracking deposits and withdrawals.

How Banks Encode And Use Account Numbers

To effectively manage millions of accounts, financial institutions use a highly structured system to create and assign these essential identifiers. An account number is more than just a random sequence of digits; it contains specific, coded information that directs the flow of money. Here’s a closer look at how these crucial numbers are constructed and used:

  • The Structure of an Account Number: Each number is unique and typically contains two main parts.
    • The first set of digits often serves as a bank or branch code, identifying the specific financial institution where the account is held.
    • The second set of digits is the individual account identifier, which is unique to the customer and forms a key part of their financial identity.
  • The Role of the Routing Number: This is a separate code that works alongside the account number.
    • Its purpose is to identify the specific financial institution itself, not the individual's account.
    • The routing number ensures that funds from transactions like direct deposits and checks are sent to the correct bank.
  • Finding These Numbers: On a personal check or cheque book, these numbers are printed in a specific order at the bottom. The sequence is typically the routing number first, followed by the account number, and then the individual check number.
  • International Equivalents: For payments that cross borders, other countries use similar systems to ensure accuracy. The most common are the IBAN (International Bank Account Number) and the Sort Code.

When Does A Bank Account Number Become Sensitive?

This is the critical distinction for many individuals and businesses. A bank account number crosses the threshold from basic to sensitive when it is combined with other financial details that reveal a person's financial condition or activities.

  • A simple account number used for a salary transfer is basic personal data.
  • That same account number, when bundled with account statements, transaction history, or a debit card number for a loan application, becomes sensitive personal data.

The rule of thumb for businesses and financial institutions is this: If the data only identifies who a person is, it’s likely basic. If the data reveals details about their financial life (like what they spend money on), the account information becomes sensitive. Many online payment systems require access to this level of detail.

This was a pivotal realization for an e-commerce client of Viettonkin Consulting. The business was collecting bank account numbers simply for customer refunds, which fell under basic data processing. However, their plan to launch a "buy now, pay later" feature required access to financial transactions to assess creditworthiness.

This immediately elevated their data processing activities into the sensitive category. It required them to completely overhaul their consent forms and implement higher-level data encryption to protect customer bank accounts. The bank’s involvement also required higher compliance standards for these banking transactions.

Why Classification Matters For Businesses And Individuals

The difference between basic and sensitive data has real-world consequences for how information must be handled by any organization. It affects how banks, businesses, and customers interact with account numbers and financial data.

Different Rules For Basic vs. Sensitive Personal Information

Processing basic personal data generally requires notifying the individual and implementing reasonable security for their account. Any business must protect the account numbers it holds as well as develop and comply with its own personal data protection policy.

For sensitive data, the requirements are far more stringent. In addition to the data protection measures that apply to general information, a business or institution must obtain explicit consent that clearly explains the purpose of processing. They must also implement stronger technical and organizational safeguards to protect the account details. Legal analyses, such as a discussion on LawNet (2024) regarding the notification duties of banks, confirm that financial institutions face specific legal obligations to inform customers about how their data is processed.

Real-Life Scenarios

  • HR & Payroll: An employer collecting an account number to pay a salary is processing basic data. The employee's consent can often be handled within the employment contract or through other written forms such as confirmation letters/acceptance emails.
  • Fintech & Lending: A digital wallet or lending app that asks for bank statements or links to an account to view transactions is processing sensitive data. This also requires a separate, explicit consent from the user.
  • Public Sharing: Never post an image of your bank card, a cheque, or cheque book online. While the number alone is basic data, it’s a key that fraudsters can use to try to access your bank account and transfer money, or to carry out other schemes that harm the data subject.

How To Protect Your Bank Account And Card Information

Whether data is legally basic or sensitive, all account details should be treated as confidential. Protecting your bank account number and related details is essential for financial security.

Smart Habits For Everyday Protection

  • Share securely: Only provide your bank details through secure, encrypted channels. Avoid sending them over public Wi-Fi or in unencrypted emails or phone calls.
  • Monitor your accounts: Regularly log into your online banking portal to check your bank statement for any transactions you don't recognize. Early detection is key to mitigating fraud.
  • Be vigilant: Question any request for your bank information that seems unnecessary or suspicious. Ask why it's needed and how it will be protected.
  • Be proactive: If you notice signs of a personal data breach, contact the relevant parties immediately so that action can be taken to minimize damage and protect your rights and interests.

Exercising Your Data Rights

Under Decree 13, individuals have significant rights over their data. A person can ask any organization what account information they hold and request its deletion if it's no longer needed. This applies to all bank accounts.

If you believe your bank account or card data has been misused, you have the right to report it. Contact your bank or Vietnam’s data protection authority to report a leak of your account number or other details. Calling your bank branch directly is often the fastest way to address a concern.

The Bottom Line: Know Your Data To Protect It

For businesses in Vietnam, understanding the classification of a bank account number is essential for compliance. For payroll, bank account numbers are basic data. This streamlines compliance, allowing businesses to use standard data protection policies.

A bank account number is a key to a person’s financial identity, but on its own, it’s classified as basic data. It only becomes sensitive when linked with the contents of the account, such as the balance, transactions, and a full bank statement. Understanding this difference helps everyone act responsibly in Vietnam’s digital economy.

Frequently Asked Questions

Is my bank account number considered sensitive personal data under Vietnam's Decree 13?

No, a bank account number by itself is classified as basic personal data. It only becomes sensitive when combined with other financial information like your account balance, transaction history, or bank statements, which together provide a full picture of an individual's financial details.

What are the main compliance risks for an FDI company handling employee bank account numbers in Vietnam?

The biggest risk for businesses is "purpose creep," which is collecting employee bank account numbers for a basic purpose like payroll but then using them for another purpose without explicit consent. Another major risk is failing to implement adequate security for the list of account numbers, as even a breach of basic data can lead to significant penalties.

In addition, an important provision in the Personal Data Protection Law, effective from January 1, 2026, requires companies to delete the personal data of employees who no longer work for the company, including bank account information. Companies need to understand this provision to ensure compliance and avoid violations.

As an HR manager, what is the first step to ensure my company complies with Decree 13 when processing payroll?

The first step is to conduct a data-mapping exercise. Document exactly what employee data is collected, including all bank account numbers, and specify the exact purpose (i.e., "for salary direct deposits only"). Then work with employees to obtain their consent to the use of their personal information, in accordance with the company's personal data protection procedures and policies. This ensures the purpose is clearly communicated to employees, providing a clear legal basis for processing each account number.

About the Author
Long Nguyen
Project Manager & Legal Counsel, Viettonkin Joint Stock Company
Nguyễn Hoàng Long is a Project Manager and Legal Counsel at Viettonkin Joint Stock Company, bringing more than 10 years of hands-on experience in managing large-scale investment projects, particularly in the construction sector. His expertise spans both business and legal dimensions, with over 5 years specializing in legal affairs for Foreign Direct Investment (FDI) projects. Long is responsible for business planning, sales, marketing, and consulting, working closely with the CEO to drive the company's strategic growth and client service excellence. In his dual role, Long leads client relations and account management, overseeing project delivery, client status monitoring, and effective debt collection processes. He is performance-driven, implementing robust reporting systems and tracking team performance to achieve business objectives. As Viettonkin’s in-house legal counsel, Long also provides crucial legal guidance, ensuring that all projects comply with Vietnamese regulations and international best practices. His well-rounded experience, leadership, and commitment to transparency guarantee that clients receive strategic, reliable, and comprehensive support throughout every stage of their project.
