Domain 1 · Lesson 4 of 10

Legal, Regulatory & Compliance

Pháp lý, Quy định & Tuân thủ

Types of Law

Criminal Law (Luật hình sự)
  Who prosecutes: Government / State
  Standard of proof: Beyond reasonable doubt (highest burden)
  Outcome: Imprisonment, fines, criminal record

Civil Law (Luật dân sự)
  Who prosecutes: Private parties (plaintiff vs defendant)
  Standard of proof: Preponderance of evidence (more likely than not, >50% probability)
  Outcome: Monetary damages, injunctions

Administrative / Regulatory Law (Luật hành chính)
  Who prosecutes: Government agency (e.g., SBV, BSP, NPC)
  Standard of proof: Agency-specific administrative standard
  Outcome: Fines, license revocation, operational restrictions

Privacy Laws Relevant to FinTech Company X

Decree 13/2023 (Vietnam; enforced by the Ministry of Public Security (MPS); SBV supervises the banking side of the business)
  Key requirements: Submit a personal data processing impact assessment dossier to MPS within 60 days of starting processing; separate explicit consent for each processing purpose; data subject rights (access, correction, deletion); a separate impact assessment dossier for cross-border transfers
  Breach notification: Notify MPS within 72 hours of the breach occurring

Data Privacy Act 2012, RA 10173 (Philippines; NPC oversight)
  Key requirements: Register with the National Privacy Commission (mandatory for controllers and processors above NPC thresholds, such as processing sensitive personal information of 1,000 or more individuals); appoint a Data Protection Officer; maintain a privacy management program; data subject rights
  Breach notification: Notify NPC and the affected data subjects within 72 hours of knowledge of, or reasonable belief of, a breach involving sensitive personal information or data that could enable identity fraud

PCI DSS (Global; a contractual standard of the card brands (Visa, Mastercard, etc.) enforced through the acquiring bank, not a law)
  Key requirements: Never store sensitive authentication data (full track data, CVV2/CVC2, PIN) after authorization; render any stored PAN unreadable (truncation, tokenization, keyed hash, or strong encryption); network segmentation to reduce scope; annual assessment (Report on Compliance by a QSA for Level 1, a Self-Assessment Questionnaire otherwise); penetration testing; WAF or equivalent protection for public-facing web applications
  Breach notification: Notify the acquiring bank and the card brands immediately upon discovery

GDPR (EU; applies when processing the personal data of people in the EU)
  Key requirements: Lawful basis for processing; right to erasure; data minimization; Privacy by Design; Article 28 DPA with every processor; DPO appointment where required
  Breach notification: Notify the supervisory authority within 72 hours of becoming aware (unless the breach is unlikely to result in risk); notify data subjects without undue delay where the risk is high

Intellectual Property & Import/Export Controls

Copyright (Bản quyền)
  Protection: Automatic upon creation
  Duration: Life of author + 70 years (US/EU figure; Vietnam and the Philippines use life + 50 years)
  Key feature: Protects expression, not ideas

Patent (Bằng sáng chế)
  Protection: Must register with the patent office
  Duration: 20 years from filing
  Key feature: Publicly disclosed; must be a novel invention

Trademark (Thương hiệu)
  Protection: Register, or establish through use
  Duration: Renewable indefinitely (typically in 10-year terms)
  Key feature: Protects brand identity (name, logo)

Trade Secret (Bí mật thương mại)
  Protection: Must actively maintain secrecy
  Duration: Indefinite (as long as it stays secret)
  Key feature: No registration; protection ends if the secret leaks
Import/Export Controls: The Wassenaar Arrangement is a multilateral agreement, not a law in itself; each participating state implements it through its own export control regime (for example the US Export Administration Regulations). It lists dual-use technologies, including encryption software, as controlled items, so exporting strong cryptography (e.g., AES-256 implementations) to certain destinations may require a license. In practice, mass-market products and publicly available (open-source) cryptography are largely exempt, but sanctioned or embargoed destinations remain restricted. This affects how FinTech Company X distributes mobile SDKs containing encryption libraries across jurisdictions: record which cryptographic library each SDK ships, its export classification, and the destination countries before release.

Data Breach Notification Summary

The 72-Hour Rule

GDPR, the Philippines DPA (RA 10173), and Vietnam Decree 13/2023 all require notification to the relevant authority within 72 hours. Note where the clock starts: GDPR counts from when the controller becomes aware, the Philippines from knowledge of or reasonable belief in a breach, and Decree 13/2023 from when the breach occurs, so the incident response plan should assume the shortest window. This is one of the most tested numbers in Domain 1.

Contractual Obligations

  • SLA (Service Level Agreement): Uptime and response time commitments with partners (e.g., 99.9% with Bank A)
  • NDA (Non-Disclosure Agreement): Protect confidential information shared between organizations
  • DPA (Data Processing Agreement): Legally required contract between data controller and processor under GDPR (Article 28) and the PH DPA (called an outsourcing agreement in the NPC implementing rules); Decree 13/2023 likewise expects the processor to act under a contract with the controller. It defines processing scope, security obligations, sub-processor rules, the breach notification SLA, and data return or deletion at contract end.

Key Terms

Criminal Law (Luật hình sự): State prosecutes; standard is beyond reasonable doubt
Civil Law (Luật dân sự): Private parties sue; preponderance of evidence standard
PCI DSS (Tiêu chuẩn bảo mật thẻ): Payment Card Industry Data Security Standard; protects cardholder data
Data Privacy Act (Luật Quyền riêng tư dữ liệu (PH)): Philippines RA 10173; governs personal data processing in the Philippines
Data Processing Agreement (Thỏa thuận xử lý dữ liệu): Contract between data controller and processor defining obligations
Trade Secret (Bí mật thương mại): Confidential business information protected by actively maintaining secrecy
Breach Notification (Thông báo vi phạm dữ liệu): Legal obligation to notify authorities and/or individuals after a breach
Exam Tips

  1. Standard of proof: Criminal = "beyond reasonable doubt" (highest); Civil = "preponderance of evidence" (>50%). This distinction is frequently tested in computer crime scenarios.
  2. PCI DSS: Sensitive authentication data is never stored after authorization; PAN may be stored only if rendered unreadable (truncation, tokenization, keyed hash, strong encryption). Tokenization reduces scope, but a tokenized environment still has PCI DSS obligations, just fewer controls to evidence.
  3. 72-hour rule: GDPR, the Philippines DPA, and Decree 13/2023 all require 72-hour breach notification to the relevant authority. Memorize this number.
  4. Trade secret protection: Requires the company to actively maintain secrecy (NDAs, access controls, confidentiality training). If a trade secret is publicly disclosed, even accidentally, protection is lost. Patents are the opposite: they must be publicly disclosed.
  5. DPA with vendors: Under GDPR and the PH DPA, you cannot hand personal data to a processor without a signed DPA. This is a compliance requirement, not just best practice.
Work Application — FinTech Company X

Compliance mapping for Platform C multi-tenant platform:

  • Philippines (Partner D, Partner C, Partner E, Partner B, Kada): Register with NPC; appoint a Data Protection Officer; document all personal data processing activities in a Personal Information Inventory; implement a breach response procedure with 72-hour notification to NPC and affected data subjects; ensure all data processors (eKYC Vendor, AML Vendor) have signed DPAs.
  • Vietnam (Partner A, Bank A): Submit the personal data processing impact assessment dossier to the Ministry of Public Security under Decree 13/2023; keep consent records for each processing purpose; implement a 72-hour MPS notification procedure; prepare the cross-border transfer impact assessment dossier if Platform C stores Vietnamese personal data in GCP regions outside Vietnam.
  • Partner E card processing: An SAQ (the type depends on how card data flows through Platform C: SAQ A or A-EP if the card form is fully outsourced to the Card Processor, SAQ D otherwise) or a full QSA assessment at Level 1; tokenization with the Card Processor reduces scope but does NOT eliminate the obligation; no PAN storage in the Platform C database, and verify this at the integration layer (scan logs, database columns and backups for cleartext PANs rather than trusting the design document); annual penetration test required.
  • The 2023 PII incident: Required InfoSec sign-off = classic Due Care plus regulatory obligation. The production shutdown was correct: Decree 13/2023 and (ISC)² Code of Ethics Canon 1 (protect society, the common good, and public trust) both require protecting affected individuals first.
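The "verify this at the integration layer" point above, and the PCI DSS Requirement 3 rule on PANs in Q3 below, are easiest to operationalize with a scanner that can run against logs, database exports and backups. The following is an added example written for this page, not code from FinTech Company X, the Card Processor or PCI SSC: it finds Luhn-valid card numbers in constructed sample log lines (using the public test PANs, not real accounts), shows PCI truncation for display, and derives a keyed-hash index token, since an unkeyed hash of a PAN is brute-forceable once the BIN is known. The log lines, the key and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; every real PAN passes it, most other numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalized (digits only) PANs found in text, in order of appearance."""
    pans = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation for display: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup token for a stored PAN.
    PCI DSS v4 requires a keyed hash: with the 6-digit BIN known, an unkeyed
    SHA-256 of a 16-digit PAN has only about 10^9 candidates and is brute-forceable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scan_log(text: str, key: bytes) -> list[dict]:
    """Report each cleartext PAN found with its truncated form and index token,
    so an integration test can fail the build when the list is non-empty."""
    return [
        {"masked": truncate_pan(p), "token": index_token(p, key)}
        for p in find_pans(text)
    ]


# Constructed sample log lines (assumption, not real Platform C output). The
# card numbers are the public test PANs (Visa 4111..., Mastercard 5555...,
# Amex 3782...), not real accounts.
SAMPLE_LOG = """\
2024-01-15T10:30:00Z INFO  payment.auth card=4111 1111 1111 1111 amount=1500.00 status=approved
2024-01-15T10:30:01Z DEBUG gateway.request body={"pan":"5555555555554444","exp":"12/27"}
2024-01-15T10:30:02Z INFO  request id=20240115103000 user=u-8812 path=/api/loans
2024-01-15T10:30:03Z WARN  retry ref=4111111111111112 reason=timeout
2024-01-15T10:30:04Z INFO  payment.auth card=378282246310005 amount=99.00 status=declined
"""

if __name__ == "__main__":
    # The 14-digit request id and the non-Luhn "ref" value are not reported;
    # the three test PANs are. The key is a placeholder, not a production secret.
    for hit in scan_log(SAMPLE_LOG, key=b"example-token-key"):
        print(hit["masked"], hit["token"][:16])
```

The Luhn filter is what keeps this usable on real logs: timestamps, request IDs and amounts of the right length appear constantly, and almost none of them pass mod 10. Run it against the DEBUG level too; the second line above is the common failure, a gateway request body logged verbatim.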

Practice Questions

Q1. A hacker is prosecuted for unauthorized access to a bank's servers. What standard of proof must be met to convict them?

A) Beyond reasonable doubt — criminal cases require the highest standard of proof
Rationale: Criminal law (which governs unauthorized computer access) requires the prosecution to prove guilt "beyond reasonable doubt" — the highest legal standard. Civil cases use "preponderance of evidence" (>50%), which is lower. Administrative cases use agency-specific standards.

Q2. Platform C suffers a data breach exposing loan applicant PII in the Philippines. Within how many hours must the company notify the National Privacy Commission?

A) 72 hours: the Philippines Data Privacy Act (RA 10173) and its NPC implementing rules require breach notification to NPC within 72 hours
Rationale: The Philippines Data Privacy Act requires notification to the NPC, and to the affected data subjects, within 72 hours of knowledge of or reasonable belief in a breach involving sensitive personal information or data that could enable identity fraud. The same 72-hour window applies under GDPR (from becoming aware) and Vietnam's Decree 13/2023 (from the breach occurring). This is one of the most tested numbers in Domain 1 legal questions.

Q3. What is the primary PCI-DSS requirement regarding cardholder Primary Account Numbers (PANs)?

A) PANs must not be stored in plaintext; any stored PAN must be rendered unreadable (strong encryption, truncation, keyed hash, or tokenization)
Rationale: PCI DSS Requirement 3 draws a line between two kinds of data. Sensitive authentication data (full track data, CVV2/CVC2, PIN) must never be stored after authorization, even encrypted. The PAN may be stored, but only if rendered unreadable anywhere it is stored, including logs and backups. Tokenization replaces the PAN with a non-sensitive token held by the token provider, which removes PAN storage from the environment and reduces PCI scope. Even with tokenization, the entity must still maintain the controls required by its SAQ type or full assessment level.

Q4. FinTech Company X's proprietary credit scoring algorithm provides a competitive advantage. An employee copies the algorithm and sells it to a competitor. What type of IP protection is most relevant?

A) Trade secret — proprietary business information actively maintained as confidential
Rationale: A trade secret is information kept confidential that provides competitive advantage. Unlike patents (which require disclosure), trade secrets are protected as long as they remain secret. The employee's disclosure is a breach of trade secret protection, typically actionable under civil law and potentially criminal statutes.

Q5. FinTech Company X engages eKYC Vendor to process biometric data for eKYC. What type of legal instrument is required under the Philippines Data Privacy Act?

A) Data Processing Agreement (DPA): a legally required contract between the data controller (FinTech Company X) and the processor (eKYC Vendor)
Rationale: Under both GDPR (Article 28) and the Philippines Data Privacy Act (whose implementing rules call it an outsourcing agreement), handing personal data to a third-party processor requires a signed Data Processing Agreement. This contract defines what data is processed and for what purpose, the security obligations, the breach notification timeframe (which must be short enough for the controller to meet its own 72-hour deadline), sub-processor rules, and data return or deletion when the contract ends. An NDA alone is insufficient; a DPA is specifically required.