SOC 2 for Vietnamese fintech
Vietnamese fintech faces two distinct compliance pressures at the same time. Externally: US customers and investors ask for SOC 2 reports. Domestically: Vietnamese law, particularly PDPD (Decree 13/2023) and Circular 09/2020/TT-NHNN for digital banking, sets binding obligations. This page maps which framework applies to which situation.
When does US expansion trigger SOC 2?
SOC 2 is not law. No authority mandates it directly. But the situations below make it effectively unavoidable.
Vendor contract with a US enterprise
A US fintech or bank wants to integrate your API into their system. Their security and legal team sends a vendor questionnaire, and one of the first questions is: "Do you have a SOC 2 Type II report?" Without one, the onboarding process typically stops or drags out for months.
Series A/B due diligence with a US fund
From Series A onward, US investment funds commonly include a security checklist. SOC 2 Type II, or at least a concrete roadmap to achieve it within 12 months, is typically expected. Lacking it does not automatically kill a deal, but it forces you to explain and commit to a timeline.
Partnership with a US payment processor or BaaS provider
Stripe, Marqeta, Synapse, and similar BaaS providers commonly require partners to provide security evidence before granting production access. SOC 2 is the most accepted way to meet this requirement, especially when you handle end-user financial data.
SWIFT membership or correspondent banking relationship
Some correspondent banks and SWIFT network participants require independent security control evidence when onboarding new partners from higher-risk markets. SOC 2 Type II provides exactly this kind of evidence, produced by an independent US CPA firm.
Framework comparison for fintech
| Framework | Required by | Covers | When you need it |
|---|---|---|---|
| SOC 2 | US customers, US investors | Data security for service orgs | Selling to US enterprise, raising US capital |
| ISO 27001 | Japan, EU, Singapore customers | Full ISMS | International expansion beyond US |
| PCI DSS | Payment card networks | Cardholder data | Any card payment processing |
| PDPD / Nghị định 13 | Vietnamese law | Personal data of Vietnamese citizens | Operating in Vietnam (mandatory) |
Circular 09/2020/TT-NHNN applies specifically to credit institutions and licensed digital banking fintech in Vietnam, covering information security and technology risk management requirements.
Control overlap between SOC 2 and PCI DSS
If you already have PCI DSS, a meaningful share of SOC 2 controls are already built. Access controls, data encryption, logging and monitoring, incident response management, all appear in both frameworks. That does not mean SOC 2 is free once you have PCI DSS. The audit process is entirely separate: SOC 2 requires a CPA firm licensed by the AICPA, while PCI DSS requires a Qualified Security Assessor (QSA). Evidence collection, the observation period (minimum 6 months for SOC 2 Type II), and how auditors ask questions are also different. But your starting position is significantly better than a fintech with no framework in place.
Compliance stack for Vietnamese fintech
The frameworks you need depend on geography and service type, not a single universal formula.
Frequently asked questions
Does Vietnamese fintech need SOC 2?
It depends on expansion strategy. If targeting the US market or raising capital from US investors, SOC 2 is commonly required during due diligence. If operating only in Vietnam or Southeast Asia, ISO 27001 and PDPD are typically sufficient.
If fintech already has PCI DSS, is SOC 2 still needed?
PCI DSS and SOC 2 serve different purposes. PCI DSS is required for payment card processing; SOC 2 is about B2B data trust for enterprise customers. The two frameworks have some control overlap but do not replace each other. Many US fintech customers require both.
Do US investors require SOC 2 when investing in Vietnamese fintech?
It is commonly raised during Series A and later due diligence, especially with US-based funds. SOC 2 Type II or at least a clear roadmap to achieve it is typically expected. Seed-stage startups face less pressure.
Ready to get audit-ready?
Book a 15-minute call. See the platform. Decide if it fits.
Book Free Demo 15 min, no commitment