Circular 12/2011/TT-NHNN

Circular No. 12/2011/TT-NHNN of May 17, 2011, stipulating on the management, use of digital signatures, digital certificates and digital signature certification service of the State Bank



THE STATE BANK OF VIETNAM

-------

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

---------------

No.: 12/2011/TT-NHNN

Hanoi, May 17, 2011

 

CIRCULAR

STIPULATING ON THE MANAGEMENT, USE OF DIGITAL SIGNATURES, DIGITAL CERTIFICATES AND DIGITAL SIGNATURE CERTIFICATION SERVICE OF THE STATE BANK

Pursuant to the Law on State Bank of Vietnam No. 46/2010/QH12 dated June 16, 2010;

Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated June 16, 2010;

Pursuant to the Law on Information Technology No.67/2006/QH11 dated 29/6/2006;

Pursuant to the Law on E-Transaction No.51/2005/QH11 dated 29/11/2005;

Pursuant to the Decree No.96/2008/ND-CP dated August 26, 2008 of the Government regulating functions, tasks, powers and organizational structure of the State Bank of Vietnam;

Pursuant to the Decree No.26/2007/ND-CP dated 25/02/2007 of the Government detailing the implementation of the Electronic Transaction Law on digital signature and digital signature certification service;

To implement the Resolution No.60/NQ-CP of the Government on the simplification of administrative procedures under the State Bank of Vietnam’s jurisdiction,

The State Bank of Vietnam (hereinafter referred to as the State Bank) defines the management, use of digital signature, digital certificates and digital signature certification service of the State Bank as follows:

Chapter 1.

GENERAL PROVISIONS

Article 1. Scope of governing

This Circular defines the management, use of digital signature, digital certificates, and digital signature certification service of the State Bank.

Article 2. Subjects of application

1. The organizations and individuals of the State Bank, credit institutions, branches of foreign banks; State Treasury.

2. Other organizations that choose to use the digital signature certification service of the State Bank in the electronic transaction operations organized by the State Bank.

Article 3. Interpretation of terms

In this Circular, the terms below are construed as follows:

1. "Digital certificate" is a form of electronic certificate provided by the organization of providing digital signature certification service of the State Bank.

2. "Digital signature certification service" means a type of service provided by the organization of providing digital signature certification service of the State Bank. Digital signature certification service includes:

a) Creating key pairs including public keys and private keys for the subscribers;

b) Providing, renewing, suspending, restoring, and withdrawing digital certificates of subscribers;

c) Maintaining online database of digital certificates;

d) Other Service under the provisions of the Decree on signatures.

3. "Subscriber" means an organization or individual as stipulated in Article 2 of this Circular that is provided a digital certificate by the organization of providing digital signature certification service of the State Bank, accepts the digital certificate, and keeps the private key corresponding to the public key recorded on the digital certificate issued.

4. "Organization of subscriber management" means the units of the State Bank; credit institutions, the State Treasury or other organizations requesting for issuance of digital certificates to organizations and individuals in their organizations and take responsibilities under the law provisions on management of such organizations or individuals.

5. "E-Transactions of the State Bank" mean the activities, service conducted by electronic methods of the State Bank.

6. "Decree on digital signature" means Decree No.26/2007/ND-CP dated 15/02/2007 of the Government detailing the implementation of the Law on electronic transactions on digital signature and service of digital signature certification.

Article 4. Organization providing service of digital signature certification of the State Bank

1. The organization of providing service of digital signature certification of the State Bank (referred to as the organization providing service of digital signature) is managed and administered by the Department of Information Technology, and is the only organization of the State Bank to provide service of digital signature certification.

Add: 64 Nguyen Chi Thanh, Dong Da, Hanoi

Tel: (04) 3835 4775 / (04) 3773 1386

Fax: (04) 3835 8135 / 3834 5180

Contact Room: Security Department of information technology, management, and distribution of electronic signatures (CA Department).

2. The organization of providing the digital signature service of the State Bank is of the type of organization providing specialized digital signature certification service.

Article 5. Digital certificates

1. Contents of digital certificate:

a) Name of organization of providing service of digital signature;

b) The name of the subscriber;

c) Name of the subscriber management organization;

d) Number sign of digital certificate;

đ) The validity of digital certificate;

e) The subscriber's public keys;

g) The digital signature of the organization of providing digital signature service;

h) The limitations on the purpose and scope of use of digital certificate;

i) The limited liability of organization of providing service of digital signature;

k) Other information due to purposes of management, use, safety, security defined by the organization of providing digital signature service.

2. Duration of validity of digital certificates:

a) Not exceeding 10 years for the digital certificate of the organization of providing digital signature service;

b) Not exceeding 05 years for the digital certificate of the subscriber.

Article 6. Rights and obligations of the parties

1. Rights and obligations of the organization of providing digital signature service:

a) Organization of providing service of digital signatures has the following rights:

- To allocate, extend, suspend, revoke, recover digital certificates and change key pairs for subscribers upon request;

- To keep for archiving the copies of the to be of the encrypted key pairs of subscribers and may use these only with the permission of the State Bank’s Governor or the person authorized by the State Bank’s Governor;

b) Organization of providing digital signature service has the following obligations:

- To manage and operate the system of technical equipment to provide service of digital signature certification of the State Bank;

- To have reserve plans to maintain operations of providing digital signature certification service of the State Bank safely, continuously;

- To keep for archiving the complete, accurate and updated information of the subscribers for the management of digital certificates during the validity of the digital certificates;

- To distribute keys and digital certificates to subscribers;

- To publish the list of digital certificates issued, suspended, or revoked;

- To ensure security and confidentiality of the subscribers in case of agreement of receiving the authorization to keep for archiving the copies of the subscribers;

- To keep for archiving the information of the subscribers’ digital certificates within a period of at least 05 years after the digital certificates are revoked;

- To organize the destruction of digital certificates and related data which have expired for archiving under the provisions of Article 19 of this Circular in case of having no other specific decision of the competent State agency;

- To guide and create conditions for the organizations of managing subscribers, subscribers to comply with the provisions of this Circular.

c) The organization of providing the digital signature service is not obliged to examine each specific electronic transaction of subscribers.

2. Rights and obligations of organizations of managing subscribers:

a) The organizations of managing subscribers have the following rights:

- To be provided information to guide the order and procedures for allocating, managing and using digital certificates;

- To request the organization of providing the digital signature service to grant, extend, suspend, restore, or withdraw digital certificates, or change the key pairs, for the subscribers under their management.

b) The organizations of managing subscribers have the following obligations:

- Be responsible for the accuracy of the information on applications for grant, renewal, suspension, restoration and revocation of digital certificates and change of key pairs of the subscribers under their management;

- Be responsible for sending record of digital certificates by mail or sending directly to the organizations that provide service of digital signature;

- To guide, inspect and create conditions for the subscribers under their organizations’ management to manage and use digital certificates and in accordance with the provisions of this Circular;

- To promptly notify in writing the organization of providing digital signature service to suspend or withdraw the subscribers' digital certificates in the following cases: Subscribers terminate temporarily or terminate their jobs, transfer to other organizations; subscribers transfer to the new works that are no longer to use digital certificates issued and the other cases rising from the needs of organizations of managing subscribers.

3. Rights and obligations of subscribers:

a) Subscribers have the following rights:

- To be provided information to guide the order and procedures for allocating, managing and using digital certificates;

- Through the organizations of managing its subscribers in order to request for grant, renewal, suspension, restoration, and revocation of digital certificates or change of key pairs;

- If necessary, the subscribers can directly send a written request to the organization of providing digital signature service to suspend their digital certificates and be responsible before the law for such request.

b) Subscribers have the following obligations:

- To use for the proper purpose the registered digital certificates;

- To preserve and use the data in the storage device of the private key under the "Confidentiality" regime;

- To promptly notify the organization of providing digital signature service and organization of managing their subscribers in case of detection or suspicion of digital certificates’ safety;

- To comply with other regulations on allocation, management and use of digital certificates.

Chapter 2.

SUBSCRIBERS AND THE ORGANIZATIONS OF MANAGING SUBSCRIBERS

Article 7. Grant of digital certificates

1. Individuals and organizations applying for granting digital certificates must meet the following conditions:

a) To be of the subjects defined in Article 2 of this Circular;

b) To accept the provisions for the subscribers in this Circular.

2. Dossier requesting for issuance of digital certificates, including:

A written request for issuance of digital certificates of the organization of managing subscriber sending to the organization of providing service of digital signature (Form No.7 in the Appendix attached to this Circular), together with the written request for granting digital certificate (Form No. 1 in the Appendix attached to this Circular) of the individual and organization under the organization of managing subscribers.

3. Where self-creating key pairs, subscribers must create the key pairs in the prescribed time in the notice of approval of issuing digital certificates. Where the subscribers have not got conditions to make the key pairs within the prescribed time, the organization of managing subscribers must send documents to the organization of providing digital signature service for extension of time creating the key for the subscribers.

4. The subscribers must use the storage device by the technical standards defined by the organization of providing digital signature service.

Article 8. Extension of digital certificates

1. The digital certificate which is requested for renewal must be ensured the remaining validity of at least 30 days.

2. The organization of managing subscribers shall submit an application for extension of the subscription (Form No.2 in the Appendix attached to this Circular) to the organization that provides digital signature service.

3. Each digital certificate may be extended not exceeding 03 times; the extension period per time is not exceeding 05 years.

Article 9. Suspension of digital certificates

1. The subscriber's digital certificate shall be suspended in the following cases:

a) Upon written request from the subscribers (Form No.3 in the Appendix attached to this Circular) in the cases: the private key is leaked or suspected as leaked; storage device of private key is lost, copied unlawfully or other unsafe circumstances;

b) Upon written request from the competent State agency;

c) Upon written request from the organization of managing subscriber;

d) Having sufficient grounds to identify the subscriber that commits violation of the provisions of this Circular;

đ) The organization of providing service of digital signature found any errors or incidents that may affect the rights of subscriber or of security and safety of the system providing service of digital signature certification.

2. The maximum time to suspend the digital certificate is 06 months.

Article 10. Revocation of digital certificates

1. The subscriber's digital certificate is revoked in the following cases:

a) The digital certificate expired;

b) Upon written request from the competent State agency;

c) Upon written request from the organization of managing subscriber;

d) The organization of managing subscriber, subscriber is dissolved or declared bankrupt according to the law regulations;

e) Having sufficient grounds to identify the subscriber that commits violation of the regulations on management and use of private key and the storage device of private key in this Circular;

2. The digital certificates which are revoked after the expiration of storage shall be destroyed under the provisions of Article 19 of this Circular unless otherwise indicated by the competent State agency.

Article 11. Change of the key pairs

1. Subscribers with requirements of change of the key pairs must ensure the remaining using period of the digital certificates of at least 30 days.

2. The organization of managing subscriber sends the written request to change the subscriber's key pair (Form No. 6 in the Appendix attached to this Circular) to the organization of providing digital signature service.

Article 12. Inspection of digital signatures

1. Before accepting the signer's digital signature, the recipient must check the following information:

a) The validity and scope of use, liability limitation of digital certificates of the signer and digital signatures of the organization of providing the digital signature service;

b) The digital signature must be created by the private key corresponding to public key on the signer's digital certificate.

2. The recipient must bear all damages caused in the following cases:

a) Failing to comply with the provisions in clause 1 of this Article;

b) Being known or informed on the unreliability of digital certificate and private key of the signer.

Chapter 3.

ORGANIZATION OF PROVIDING DIGITAL SIGNATURE SERVICE

Article 13. Grant, renewal of digital certificates

Organization of providing digital signature service is responsible for:

1. Providing for the organizations and individuals applying for issuance of digital certificates the following information:

a) The scope, limitation of use of digital certificates, security requirements and other information likely to affect the benefits of organizations and individuals applying for issuance of digital certificates;

b) Requirements for the subscribers in the creation, storage, and use of the private keys;

c) The other contents provided by the organization of providing service of digital signature service to ensure the security and safety to the system providing digital signature service.

2. Within 05 working days from the date of receiving complete and valid dossiers of request for grant or extension of validity of digital certificate, the organization of providing digital signature service is responsible for inspection and issuance of digital certificate or renewal of digital certificate to subscriber if it is sufficient conditions or written refusal in which clearly stating the reasons for refusal, if it is insufficient conditions to issue digital certificate.

3. Publishing the list of newly granted digital certificates to subscribers within the time specified in Article 18 of this Circular.

Article 14. Suspension and revocation of digital certificates

Organization of providing digital signature service is responsible for:

1. Ensuring communication channels to receive requests for the suspension and revocation of digital certificates to operate available 24 hours per day and 07 days per week.

2. Storing information relating to the suspension or revocation of digital certificates in a period of at least 05 years from the time that the digital certificates are suspended or revoked.

3. When having sufficient grounds to suspend and revoke digital certificates, the organization of providing digital signature service must immediately proceed the suspension or revocation of digital certificates, and notify the subscribers and announce the list of suspension or revocation under the provisions in Article 18 of this Circular.

Article 15. Recovery of digital certificates

1. The organization of providing the digital signature service is responsible for considering the restoration of digital certificates to the subscribers in the following cases:

a) Upon written request from the competent State agency;

b) Upon the proposal to restore the subscriber's digital certificate, or of the organization of subscriber management (Form No.4 in the Appendix attached to this Circular) in the case of subscriber or the organization of subscriber management has recommended the suspension of digital certificate previously;

c) Time to suspend digital certificate upon the suspension request has expired;

d) The digital certificates which were suspended according to provisions in point d and point đ clause 1 Article 9 of this Circular and the violations, errors, problems have been overcome.

2. Within 05 working days from the date of receiving complete dossiers as prescribed, the organization of providing digital signature service is responsible for recovery of digital certificates to the subscribers if they are sufficient conditions or sending written refusal if they are insufficient conditions to recover digital certificates.

Article 16. Creation and provision of key

1. A subscriber's key pair can be created by:

a) The subscribers themselves;

b) The organization of providing service of digital signature at the request in writing of the subscriber or of the organization of subscriber management.

2. Where self-creating key pair, the subscribers must conduct in accordance with the provisions creating key of the organization of providing the digital signature service.

3. When the organization of providing the digital signature service creates key pairs to the subscribers, the must be delivered to the subscribers by method of safety and security.

Article 17. Change of subscribers’ key pairs

The organization of providing the digital signature service is responsible for:

1. Ensuring communication channels to receive requests for the change of key pairs to operate available 24 hours per day and 07 days per week.

2. Within 05 working days from the date of receiving complete and valid dossiers requesting for the change of key, the organization of providing digital signature service inspects and changes key pairs to the subscribers if they are sufficient conditions and allocates keys as prescribed in Article 16 of this Circular or sending written refusal if they are insufficient conditions.

3. Storing information related to the operation of changing the key pairs in a period of at least 05 years from the time of change.

Article 18. Updates and disclosure of information

1. The organization of providing the digital signature service is responsible for maintaining 24 hours per day and 7 days per week on its website the following information:

a) Circular of certification of digital signatures and digital certificates;

b) List of valid, suspended, revoked certificates of the subscribers;

c) The other necessary information.

2. Time for updating database of digital certificates of the organization of providing digital signature service:

a) Within 08 working hours from the time of completing the procedure of issuance for the newly granted digital certificates;

b) Right after the completion of the suspension and revocation of digital certificates, or change of the key pair.

Article 19. Destruction of digital certificates

1. Principles of destruction:

a) To ensure destruction of all information on paper and on the storage device;

b) Council of destruction includes the representatives of leaders of the subscriber management organizations and representatives of departments relating to the management and use of digital certificates. The Council carries out the destruction of digital certificates, relevant data, and records Minute on the destruction with the main contents: the types of destroyed documents; method of destruction; conclusion and signatures of the members of the Council of destruction.

2. Method of destruction:

a) To destroy the paper documents by shredding so that they are unable to be restored the original status or burn them completely;

b) To erase all the information of digital certificates and related data on the storage device so that it cannot be recovered.

3. The contents of destruction:

a) The data of digital certificates, key pairs;

b) The other data relating to the issuance, management, and use of digital certificates.

Chapter 4.

IMPLEMENTATION PROVISIONS

Article 20. Violations and handling of violations, complaints, and dispute settlement

The determination of violations and handling of violations, complaints, and dispute settlement on digital signatures and digital signature certification service of the organization of providing digital signature service, subscribers and subscriber management organizations comply with the provisions of the Decree of digital signatures and other provisions of the concerned law.

Article 21. Effects

This Circular takes effect from June 30, 2011 and replaces the Decision No.04/2008/QD-NHNN dated 21/02/2008 of the State Bank Governor promulgating the Regulation of granting, managing, using the digital signatures, digital certificates, and digital signature certification service of the State Bank.

Article 22. Responsibility for implementation

1. The Information Technology Department is responsible for:

a) Guiding, monitoring and inspecting the observance of this Circular of the units of the State Bank, credit institutions, branches of foreign banks and the other organizations that use the digital signature certification service of the State Bank.

b) Studying and implementing the integration of digital signature into the operations, electronic banking service of the State Bank.

2. The inspection agencies, bank supervisors are responsible for coordinating with the Department of Information Technology to inspect the observance of this Circular of the credit institutions, branches of foreign banks.

3. Internal Audit Department is responsible for conducting the internal inspection and audit of the implementation of this Circular for the units under the State Bank.

4. Heads of units under the State Bank, directors of State Bank branches in provinces and cities under central authority, the chairman of Management Board, General Directors (directors) of credit institutions, branches of foreign banks, the State Treasury and the heads of other organizations that use the service of digital signature certification of the State Bank are responsible for implementing and inspecting the execution in their units in accordance with the provisions of this Circular.

 

 

 

FOR THE GOVERNOR
DEPUTY GOVERNOR




Nguyen Toan Thang

 


------------------------------------------------------------------------------------------------------
This translation is made by LawSoft and for reference purposes only. Its copyright is owned by LawSoft and protected under Clause 2, Article 14 of the Law on Intellectual Property. Your comments are always welcomed.


Legal document attributes of 12/2011/TT-NHNN

Document type: Circular
Number: 12/2011/TT-NHNN
Issuing agency: State Bank of Vietnam
Signer: Nguyen Toan Thang
Date issued: 17/05/2011
Effective date: 30/06/2011
Gazette date: ...
Field: Currency - Banking, Information Technology
Validity status: Expired 01/02/2016