SOC 2 · Fintech

SOC 2 for Vietnamese fintech

Vietnamese fintech faces two distinct compliance pressures at the same time. Externally: US customers and investors ask for SOC 2 reports. Domestically: Vietnamese law, particularly PDPD (Decree 13/2023) and Circular 09/2020/TT-NHNN for digital banking, sets binding obligations. This page maps which framework applies to which situation.

By pTrackly Compliance Team · Updated July 2026 · AICPA SOC 2 & PCI DSS v4

When does US expansion trigger SOC 2?

SOC 2 is not law. No authority mandates it directly. But the situations below make it effectively unavoidable.

01

Vendor contract with a US enterprise

A US fintech or bank wants to integrate your API into their system. Their security and legal team sends a vendor questionnaire, and one of the first questions is: "Do you have a SOC 2 Type II report?" Without one, the onboarding process typically stops or drags out for months.

02

Series A/B due diligence with a US fund

From Series A onward, US investment funds commonly include a security checklist. SOC 2 Type II, or at least a concrete roadmap to achieve it within 12 months, is typically expected. Lacking it does not automatically kill a deal, but it forces you to explain and commit to a timeline.

03

Partnership with a US payment processor or BaaS provider

Stripe, Marqeta, Synapse, and similar BaaS providers commonly require partners to provide security evidence before granting production access. SOC 2 is the most accepted way to meet this requirement, especially when you handle end-user financial data.

04

SWIFT membership or correspondent banking relationship

Some correspondent banks and SWIFT network participants require independent security control evidence when onboarding new partners from higher-risk markets. SOC 2 Type II provides exactly this kind of evidence, produced by an independent US CPA firm.

Framework comparison for fintech

Framework Required by Covers When you need it
SOC 2 US customers, US investors Data security for service orgs Selling to US enterprise, raising US capital
ISO 27001 Japan, EU, Singapore customers Full ISMS International expansion beyond US
PCI DSS Payment card networks Cardholder data Any card payment processing
PDPD / Nghị định 13 Vietnamese law Personal data of Vietnamese citizens Operating in Vietnam (mandatory)

Circular 09/2020/TT-NHNN applies specifically to credit institutions and licensed digital banking fintech in Vietnam, covering information security and technology risk management requirements.

Control overlap between SOC 2 and PCI DSS

If you already have PCI DSS, a meaningful share of SOC 2 controls are already built. Access controls, data encryption, logging and monitoring, incident response management, all appear in both frameworks. That does not mean SOC 2 is free once you have PCI DSS. The audit process is entirely separate: SOC 2 requires a CPA firm licensed by the AICPA, while PCI DSS requires a Qualified Security Assessor (QSA). Evidence collection, the observation period (minimum 6 months for SOC 2 Type II), and how auditors ask questions are also different. But your starting position is significantly better than a fintech with no framework in place.

Access control Encryption Logging & monitoring Incident response Vulnerability management

Compliance stack for Vietnamese fintech

The frameworks you need depend on geography and service type, not a single universal formula.

Minimum (Vietnam only)
PDPD / Nghị định 13 Mandatory if processing personal data of users in Vietnam. No exceptions.
Thông tư 09/2020/TT-NHNN Mandatory for NHNN-licensed digital banking fintech. Covers system security and technology risk management requirements.
Expanding to SEA / Japan / EU
ISO 27001 Add ISO 27001 when targeting markets that require ISMS certification. Japan and Singapore place particular weight on ISO 27001 in vendor due diligence.
US market or US investors
SOC 2 Add SOC 2 when selling to US enterprise or needing to pass security due diligence from US VC/PE. Type I first for a quick report, Type II later to satisfy long-term enterprise contracts.
Card payment processing (any geography)
PCI DSS v4 Required when processing, storing, or transmitting Visa, Mastercard, or other card network data. SAQ versus ROC level depends on transaction volume and payment integration method.

Frequently asked questions

Does Vietnamese fintech need SOC 2?

It depends on expansion strategy. If targeting the US market or raising capital from US investors, SOC 2 is commonly required during due diligence. If operating only in Vietnam or Southeast Asia, ISO 27001 and PDPD are typically sufficient.

If fintech already has PCI DSS, is SOC 2 still needed?

PCI DSS and SOC 2 serve different purposes. PCI DSS is required for payment card processing; SOC 2 is about B2B data trust for enterprise customers. The two frameworks have some control overlap but do not replace each other. Many US fintech customers require both.

Do US investors require SOC 2 when investing in Vietnamese fintech?

It is commonly raised during Series A and later due diligence, especially with US-based funds. SOC 2 Type II or at least a clear roadmap to achieve it is typically expected. Seed-stage startups face less pressure.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo