Vietnam implementation guidance for Anti-Money Laundering Law in effect 1 November 2025

5 January 2026

State Bank of Vietnam Circular No. 27/2025/TT-NHNN (“Circular 27”), providing guidance on the implementation of several provisions of the Law on Anti-Money Laundering (Law No. 14/2022/QH15) (“AML Law”), came into effect on 1 November 2025. It replaces Circular No. 09/2023/TT-NHNN.

The AML Law provides the primary statutory framework for the prevention, detection, and mitigation of money laundering and terrorist financing risks.

It defines the categories of entities to which the AML Law applies (“Reporting Entities”). These categories are set out in further detail below. The AML Law also sets out the Reporting Entities’ core obligations relating to customer due diligence, ongoing monitoring, reporting of suspicious and high-value transactions, record-keeping, and risk-based internal controls. It also establishes the supervisory, coordination, and enforcement roles of competent authorities, together with mechanisms for international cooperation. To read more about the AML Law, please refer to our article “Vietnam Law on Anti-Money Laundering 2022 in effect 1 March 2023”.

Circular 27 serves to operationalise these statutory requirements by detailing the methodologies, reporting procedures, and compliance standards that Reporting Entities must apply when implementing the AML Law.

This article discusses the key highlights of Circular 27.

Reporting Entities under the AML Law

The AML Law applies to the following categories of Reporting Entities:

  • Financial institutions, including banks, non-bank credit institutions, foreign bank branches, and other financial institutions as prescribed under the AML Law;
  • Designated non-financial businesses and professions (“DNFBPs”);
  • Vietnamese organisations and individuals, foreign organisations and individuals, and international organisations engaged in transactions with financial institutions or DNFBPs; and
  • Other organisations and individuals involved in anti-money laundering (“AML”) activities.

Guidance on assessing risk

Circular 27 introduces a core risk assessment framework, requiring Reporting Entities to identify and assess money laundering risks using both environmental and operational indicators. The assessment is structured around two groups of criteria:

  • Money laundering threats, which include threats arising from the Reporting Entity’s external business environment, such as business lines and the countries or territories in which it operates, threats arising from its business activities, including particular customers, the products and services offered, and the methods through which they are delivered; and
  • Conformity of internal AML policies and regulations, assessed in terms of their comprehensiveness and the effectiveness of their implementation.

Reporting Entities must apply a scoring method, assigning each criterion a score from one to five and weighting each score based on its importance. Lower scores correspond to lower threats or higher levels of policy conformity. Weighted scores are then used to determine the level of money laundering threats, the degree of internal policy conformity, and the overall money laundering risk, calculated as the average of the two.

The framework requires entities to update their assessments annually, using information from 1 January to 31 December, and to submit results by 31 March of the following year to the State Bank of Vietnam (“SBV”) and other relevant supervisory authorities. Branches of foreign organisations may apply home-office methods if notified accordingly, provided the results are reported in the prescribed form.

Customer due diligence

Circular 27 requires Reporting Entities to develop a formal money laundering risk management process based on the results of their risk assessments explained above. This process must be approved by a competent senior manager and tailored to the entity’s operational scale and characteristics. At a minimum, it must set out:

·         objectives and scope of AML risk management;

·         how money laundering risks are identified and assessed;

·         customer classification by risk level (low, medium, high) based on customer characteristics, products and services, and geographic factors;

·         procedures for assessing risks before launching new or technologically renewed products; and

·         processes for handling suspicious transactions, incomplete or inaccurate wire-transfer information, and situations where services are provided before Know-Your-Customer (“KYC”) verification is completed.

 


The Reporting Entity must also define the measures applied to customers based on their assigned risk level, including KYC updating, monitoring frequency, and the application of reduced or enhanced measures.

Customers classified as low risk may be subject to reduced measures, such as less frequent KYC updates or reduced transaction monitoring, provided their purpose and nature of business relationships can be determined from existing transactions. Reduced measures cannot be applied in cases involving suspicion of money laundering, terrorist financing, or proliferation financing.

Customers assessed as medium risk must be subject to full KYC measures in accordance with the AML Law. For high-risk customers, Reporting Entities must apply enhanced measures in addition to standard KYC. These include higher-level managerial approval to establish or maintain the relationship; additional information collection, updating, and verification for individuals (e.g. income, employment, and source of funds) and institutions (e.g. revenue and business activities); enhanced transaction monitoring; and more frequent KYC review.

Reporting obligations

Reporting Entities are required to submit reports to the Department of Anti-Money Laundering (“AML Department”) upon detection of transactions of large value or transactions exhibiting suspicious characteristics.

High-value transactions are defined as those with an aggregate value of VND400 million or more, or the equivalent in foreign currency, conducted within a single day. Cash transactions exceeding this threshold must be reported.

Suspicious transactions must be reported regardless of value. These include any transaction suspected of being associated with money laundering or other crimes related to money laundering, terrorist financing, or financing the proliferation of weapons of mass destruction, as provided under Article 26 of the AML Law.

Reports must be filed electronically via the SBV’s reporting system, although paper-based reporting remains permissible where electronic submission is not possible. All reports must be accurate, timely, and retained for regulatory oversight.

Digital transactions

Circular 27 sets out specific AML requirements for electronic money transfers, reflecting the rising risks associated with digital payments, virtual accounts, and FinTech-based delivery channels. Electronic transfers may involve an originator, intermediary, and beneficiary institution, and Reporting Entities are required to ensure that information relating to both the sender and recipient is complete, accurate, and retained throughout the transaction process.

Institutions must distinguish between domestic and cross-border transfers and maintain monitoring systems capable of detecting unusual or suspicious patterns in real time. In addition, Circular 27 sets out detailed rules for electronic fund transfers, providing that domestic transfers of VND500 million or more and cross-border transfers of US$1,000 or more (or equivalent) must also be reported to the AML Department through electronic data transmission, with paper-based reporting permitted only when electronic submission is not feasible.

Internal controls

Reporting Entities must establish, issue, and implement comprehensive internal AML policies and procedures that are tailored to their operational scale, business characteristics, and money laundering risk exposure. These internal regulations must cover the core components of AML compliance, including customer due diligence and identification procedures, customer risk classification, risk management processes aligned with money laundering risk levels, and data retention requirements relating to customer information, transaction records, and assessment results.

Internal AML regulations must also include procedures for applying temporary measures such as transaction suspension or account freezing where necessary, as well as processes for reviewing and reporting suspicious transactions and electronic fund transfers that contain inaccurate or incomplete information.

Circular 27 further requires Reporting Entities to appoint an officer responsible for organising, directing, and monitoring compliance with AML obligations and internal policies. Staff training is mandatory and must cover legal requirements, internal AML processes, red-flag indicators, and risk-specific vulnerabilities associated with the Reporting Entity’s products and services.

Circular 27 also introduces specific governance-related timelines. Reporting Entities must submit their newly issued, amended, supplemented, or replaced internal AML policies and procedures to the AML Department and to the relevant line ministries for non-banking Reporting Entities within 10 days of issuance. In addition, Reporting Entities with an internal audit function must conduct an internal audit of AML compliance each year and submit the internal audit report within 60 days from the end of the financial year. Entities that are not legally required to maintain an internal audit function must still ensure regular monitoring and evaluation of compliance with AML regulations and internal policies.

Transitional arrangements

Circular 27 came into effect on 1 November 2025. Reporting Entities were able to continue to apply existing internal rules and risk management procedures until 31 December 2025.