Banks are not allowed to send messages containing links to customers.

The State Bank issued Circular 50 regulating safety and security in online banking services, effective from early 2025.

One of the new regulations mentioned in the Circular is that banks do not send SMS messages or emails to customers containing hyperlinks to access electronic news sites, except in cases requested by customers.

This request is made in the context of brandname scam messages (sending messages to customers' phones) that have been rampant recently. That is, scam messages appear in the same stream as bank messages, asking customers to access a link from which their information is stolen, leading to the risk of losing money.

SMS messages with the bank’s name are often broadcasted via fake BTS stations to users’ phones. Because the scammers name the messages the same brand, the phones will be included in the bank’s message stream, enticing customers to click on fraudulent links.

Asking banks not to send messages or emails containing links can help customers recognize that SMB branded messages that "trick" customers into clicking on links are scams.

In addition to the above regulations, the Circular also mentions many other contents on safety and security. For example, electronic banking applications will not allow the password memory function. At the same time, credit institutions need to have solutions to prevent, combat and detect acts of illegal interference in Mobile Banking applications installed on customers' mobile devices.

For individual customers, the bank must have a verification function when the customer accesses for the first time or accesses using a device different from the most recent access device. The minimum customer verification includes matching the correct SMS OTP or Voice OTP, and matching the correct biometric information if specialized regulations stipulate the collection and storage of customer biometric information.