Category Archives: Vietnam – Compliance

International regulatory compliance: Anti-corruption, competition law, anti-money laundering

Playing by the rules: what is the value of the Singapore Infrastructure Dispute-Management Protocol in Vietnam?

Can a new Singapore dispute resolution protocol spur efficient infrastructure development in Vietnam?  It’s a question worthy of examination considering a slew of high-profile disputes, delays and cost overruns on major infrastructure projects in Vietnam in recent years.  Even more so considering forecast needs to spend more than US$300 billion on infrastructure in Vietnam over the next decade in order to serve the needs of Vietnam’s rapidly growing economy.

The answer is not clear cut.  While the protocol has clear prima facie value, the current legal framework in Vietnam isn’t supportive of a key fundamental principle: that outcomes of the process are binding on the parties.  However the time is right, and opportunity is ripe, for Vietnam to embrace the concept and make bold policy decisions backed up with legislative action.

New roads, bridges, ports, and power plants are all in high need in Vietnam and the government is hard at work improving the PPP legislation to facilitate and foster the conditions for successful projects.  Many such projects are complex and challenging, with numerous parties involved, and thus prone to disputes, or simply just differences of opinions that need resolving in order that works can complete. As a result, time spent developing, agreeing and implementing dispute resolution terms between involved parties is time well spent.  However it can also be inefficient and often unnecessary for parties to agree bespoke terms on a case-to-case basis.

Cognisant of the issues, and also no doubt sensing a potential market, a number of governmental and non-governmental organizations have developed best-practice standards, protocols and clauses that project investors and contractors can look to for support.  The latest comes from Singapore’s Ministry of Law, keen to cement Singapore’s reputation as a hub for all things infrastructure in Southeast Asia.  The Singapore Infrastructure Dispute-Management Protocol (SIDP) was launched in October 2018 and is intended to help parties involved in large infrastructure projects manage disputes and minimise the risks of time and cost overruns, thus maximizing chances of efficient delivery of infrastructure.

The SIDP doesn’t hide its ambition to serve mega projects, stating in its preamble that it is “designed and recommended for construction or infrastructure projects of more than S$500 million in value”.  Only a relatively small number of projects in Vietnam would fit that criterion though that doesn’t mean that concepts and recommendations underpinning the SIDP couldn’t be replicated by smaller projects.

So, what’s so good about the SIDP? Perhaps the most highlighted feature of SIDP is that it places a heavy emphasis on preventing disputes, or at least de-escalating differences, through detailed procedural terms and collaborative tools.  When parties agree to adopt the SIDP as their dispute resolution protocol, they must appoint a Dispute Board (DB) right at the outset of the project. The DB need not consist of lawyers, but can comprise industry experts and can vary from a single-person board to a multiple-member panel. The DB commences pro-active work right after establishment in the form of regular meetings and site visits.

While regular meetings are quite common in other dispute protocols, site visits are a relatively new feature.  Pursuant to the SIDP, a DB will conduct at least three site visits every 12 months unless otherwise agreed by the parties. The site visits aim at early detection of any potential problems. After each meeting and site visit, the DB will prepare a report with recommendation for early dialogue on real or potential issues, as necessary.

If the DB becomes aware of any differences between parties through site visits or upon request of the parties, the DB may move one step further by interviewing senior representatives of the parties to try to clarify, scope, and articulate the ambit of the differences. Such interviews are relatively informal with a view to enabling the DB to provide recommendations for specific processes or measures to resolve differences, ideally before they blow up or become entrenched or intractable.  These features represent the sensible underlying philosophy of the SIDP, in contrast with more traditional dispute resolution methods, that a ‘stitch in time saves nine’.

That is not to say that the SIDP doesn’t have teeth.  Should the parties involved feel the need to refer a dispute directly to the DB, a number of options are open for the DB to resolve the dispute, including by issuing an opinion on the matter in question or bringing the parties together for formal mediation.  Crucially, the SIDP provides that such opinions or results of mediation are binding on the parties.

There is no question that the SIDP is a well-conceived and thorough tool of great value to large infrastructure project participants. But how would it work in practice in Vietnam?

Operationally there is no reason to doubt that it would work just as intended.  The big issue for Vietnam is around the fundamental agreement of the parties that a DB decision or opinion or a DB-facilitated mediated agreement can be binding on the parties.  Without that, the efficacy of the protocol as a whole is called into doubt, at least from a purely legal perspective.

Take for example a case where a Singaporean-domiciled construction company provides services to a Vietnam-domiciled entity and the parties agree to use the SIDP to manage and resolve disputes.  Imagine that the parties do in fact effectively implement the SIDP during the course of their relationship, resulting in the DB handling a dispute and giving its opinion on the same (or facilitating a mediated settlement between the parties on the same).  Imagine further that the result of that process, agreed to by the parties, is that the Vietnam entity owes $100 million to the Singapore entity. The SIDP itself provides and envisages that the result of the SIDP process is automatically binding on the parties and that the courts of Singapore can act to enforce the same in the event that the Vietnam entity fails to comply.

The fact is however that there is currently no clear mechanism to enforce that against the Vietnam entity in Vietnam.  Vietnam law contains no terms that would enable the Singapore company to automatically enforce the DB decision, or a mediated settlement, against the Vietnam company in Vietnam.  The Singapore company could seek, and presumably obtain, a Singapore court award against the Vietnam entity enforcing the DB decision but then what?  In the absence of a formal bilateral judicial assistance treaty between the two countries, no special option under their bilateral investment treaty, and rare circumstances where a case for reciprocity might be made, there is essentially nil chance that authorities in Vietnam would act to recognize or enforce the Singapore court judgment in Vietnam under Vietnam law. One only has to look at the extreme difficulties international companies have had enforcing foreign arbitral awards in Vietnam – something for which there is an express legal mechanism in Vietnam law – to know that it would be mission impossible to enforce a foreign court decision.

As long as this remains the status quo in Vietnam, the true value of the SIDP in Vietnam is in doubt.  While there is inherent value in pro-actively managing, identifying and resolving disputes, if the final “agreed binding” outcome is, for all intents and purposes, worthless, why go to the bother in the first place?

Of course this is an extreme position and mega infrastructure projects tend to have many facets to them that count in favour of commercial settlements (not least of all government to government links that can add a political element to resolving disputes).  But lenders, contractors and their lawyers are duty bound to consider the harsh legal realities which currently speak against assuming that the SIDP can be an effective tool for use in Vietnam projects, especially where purely local counterparts are involved.

The time is right then for the government of Vietnam to take bold action, similar to its recent ISDS commitments in the CPTPP, to enable private commercial agreements on use of tools like the SIDP to mean something when push comes to shove.  Actions like this are a vital key to unlocking the private funds necessary to finance Vietnam’s vast infrastructure needs.

The opportunity also happens to be on the table right now in the form of a new UN convention on enforcement of international settlement agreements. Otherwise known as the Singapore Convention on Mediation, the convention would do for mediation what the New York Convention does for arbitration: provide an avenue to directly invoke and enforce mediated agreements in Vietnam, ostensibly without the courts re-examining the issues or interfering.  The Singapore Convention on Mediation was adopted by the UN General Assembly in December 2018 and will come into force when signed by at least three States. A signing ceremony for the Convention is expected to take place in August 2019 in Singapore.  One hopes Vietnam will be at the table.

***

For more information about Vietnam infrastructure projects please contact Giles at GTCooper@duanemorris.com.  Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.

New Cyber-security draft decree – better but the show goes on

In October, we reported on a first draft decree to implement the Cyber-security Law and noted many concerns about its overtly stringent terms and, in particular, the threat it caused to development of a thriving e-commerce/ Industry 4.0 landscape.  Since then, the business community, among others, have been vocal on the shortcomings of the draft and offered up many comments and suggestions to address concerns.  With the release of a new draft early Novembers, it appears that the Ministry of Public Security (MPS), the decree’s authors, have listened.

 

The first clue is in the length of the new draft: cut dramatically in size from 66 clauses to just 30, it necessarily doesn’t cover as much ground as the first draft.  But the devil is always in the detail and, although the new draft is considerably less complex, particularly when it comes to issues affecting e-commerce, a close look reveals there are still areas worthy of further advocacy.

 

The question we have been asked most frequently is whether the Cyber-security Law itself, and its impending decree, govern every company on earth accessible over the Internet to Vietnam-based users. Taking the language of the “old” draft at face value, the answer was a clear affirmative, resulting in consequences both unreasonable and unnecessary to impose as well as impossible to enforce in practice, notably an obligation to localize data and establish commercial presences.  The new draft takes a much more balanced and practical approach and suggests that a far more limited number of companies will be subject to these requirements in practice. In particular, these key obligations look set to only apply to companies (whether local or international) which meet all of the following conditions:

 

  • providing one or more of specific services to users in Vietnam, including: (i) telecommunications, (ii) internet storage, (iii) internet data sharing, (iv) web hosting services, (v) e-commerce, (vi) online payment, (vii) payment intermediary, (viii) transportation connection service (think Uber), (ix) social network and social media, (x) e-gaming, and (xi) electronic mail;

 

  • collecting, exploiting, analyzing, and processing the data of Vietnamese users (see below for what amounts to “data”);

 

  • allowing its users to conduct activities prohibited by Articles 8.1 and 8.2 of the Cyber-security Law (i.e. – key Internet-based wrongdoings such as libel, anti-government propaganda, financial fraud etc.); and

 

  • committing wrongdoings covered by Article 8.4.a of the Law [this appears to be a typo as there is no such clause in the Law] or Article 26.2.b of the Law (this obliges companies to prevent sharing of and delete certain kinds of “wrongful” information within 24 hours of receipt of a request from the Vietnamese authorities).

 

While criterion (1) is still very broad, it at least removes from the scope any and all companies that had service-offering websites accessible by Internet from Vietnam (such as our hypothetical Irish bank in our October blog post). Still, many other tech companies such as Amazon, Agoda, Google, Facebook etc. would fall squarely within one or more categories covered there. However, this is just the top of a funnel: even is a company fits within criterion 1 (and therefore almost certainly criterion 2) they will not automatically be required to localize data or establish commercial presences in Vietnam.  Following approaches of other jurisdictions to assess and handle based on risk and conduct, such companies will only be required to take such steps if they fail to comply with what the Cyber-security Law expects them to do (read: cooperate with the government). It is good for business as now they can decide to cooperate and avoid strict monitoring rules.

 

Apart from this new and more tolerant “co-operate-or-comply” philosophy, the data which companies may need to store in Vietnam is also watered down slightly. The list now “only” covers information which can help identify users (i.e. – names, nationalities, occupations, residency, contact information, ID/passport numbers, credit card numbers, health records, biometrics) and other user-created data (i.e. data which users choose to upload, friend lists, groups users join or interact with).  Data such as “philosophical belief” or “political views” are no longer covered in the new draft decree.

 

As ever, there is some bad with the good.  The new draft seems to double down on granting power to the MPS to proactively examine the information systems of companies in Vietnam where it suspects wrongdoing.  There is little or no due process involved in such cases.

 

In conclusion, the MPS has clearly taken on board much of the advice and criticism received following the broad and unworkable first draft decree and this is good news.  Whether this will ultimately be reflected in the final decree however still remains to be seen.

 

For more information about the Cyber-security Law in Vietnam, please contact Giles at GTCooper@duanemorris.com, Le Hau at HNLe@duanemorris.com. Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.

Draft Decree to implement Cybersecurity Law doesn’t dampen concerns

A draft Decree to implement Vietnam’s controversial Cybersecurity Law does little to assuage fears that all online commercial activity will be within its scope, mandating physical presence in Vietnam, expensive, cumbersome data localization and even a new permit.

 

Last June, Vietnam’s National Assembly overwhelmingly passed the Cybersecurity Law and it will take effect on 1 January 2019.  Despite assurances from the Ministry of Public Security (MPS) – author of the Law – that the Law is aimed at ensuring online security and protecting critical information infrastructure, its wide and unclear language caused concern for online commercial service providers whose activities are captured by its scope and worried about the cost and other implications of compliance, particularly with respect to commercial presence and data localization obligations.

 

Since the Law’s approval, many have been waiting to see the government Decree that will effectively interpret and implement the Law.  The Decree will determine whether and how the Law will truly impact online commercial activity.  Will it be business as usual for online commerce, as promised by a government that publicly embraces Industry 4.0, or will data hosting services and compliance officers be working overtime?

 

During the first half of October, two different versions of the draft Decree came into the public sphere. The latest draft, dated 11 October 2018, contains 66 clauses, touching on almost every single issue and clause of the Law itself.  While draft Decrees can and do change, the signs are that restrictions and headaches will remain for companies with online business activities.

 

Take, for example, the question of who will need to establish a commercial presence in Vietnam.  Under the Law, companies providing any kind of services related to or via telecommunication networks or the Internet, and which collect, process, analyze, or exploit the personal data of users in Vietnam (regardless of nationality) will need to establish a representative office or a branch in Vietnam (Article 26.3).  Many wondered whether this was intended to apply to every single company falling within the very broad criteria.  For example, would a bank in Ireland offering online banking services used by a handful of Vietnam-based users be subject to this requirement?  It would seem unnecessary and wholly impractical to say so.  The draft Decree however seems to support such a view.  According to Article 60 of the draft Decree, all companies providing “services through the Internet” will be subject to the requirement to establish a commercial presence in Vietnam (in the form of a branch, a representative office or other type of “establishment”).  “Services through the Internet” is understood very broadly by the draft Decree to include anyone providing: (1) internet connection services, (2) internet access services, (3) data storage, (4) social network, (5) over the top services (think, Netflix), (6) e-commerce, (7) banking and finance, (8) messaging and teleconference services, (9) live chat services, (10) search engines, (11) games, films, music.

 

While this clarifies and elaborates the Law’s general drafting, the long list is troubling as it clearly covers not only tech giants such as Facebook, Twitter, and Google, but also companies simply having auxiliary Internet-based services or the Irish bank in our example.

 

In a similar vein, the draft Decree sheds more light on the data localization rules but does little to assuage fears that the regulations are for the sake of regulation rather than based on risk analysis and purpose-driven policy.  According to Article 61 of the draft Decree, certain personal data will need to be stored in Vietnam by companies for the lifetime of the business, while certain other personal data need only be stored for three years from the date of creation. At any time, the MPS may request companies to provide copies of such data.  On the plus side, there is no indication that companies cannot transfer data abroad, provided they also maintain it in Vietnam. The list of personal data that companies need to store in Vietnam is extensive, including typical information such names, addresses and photos but also extending widely to include biometrics, financial records, health records, political views, and philosophical beliefs (items that need to be stored for the lifetime of the business).  Further information looks worrisome from a civil liberties perspective, including chat logs, and search histories, which will need to be stored for at least three years from creation.

 

Aside from the regulatory compliance burden, these requirements may put companies into difficult positions if they face conflict complying with their own local regulations prohibiting the transfer of data to foreign governments (take, for example, the US CLOUD Act).

 

A brand new element introduced by the draft Decree is an obligation on companies subject to the Law to obtain a special permit from the MPS prior to providing services in Vietnam.  No such requirement is included in the Law itself and this calls into question the legality of the MPS ‘creating’ this new permit obligation.  It’s cause for serious concern if this remains in the final Decree, not least of all because there is no guidance or explanation on procedures, information or timeline required to obtain such a permit.  It is also entirely unclear if this new permit obligation will apply retrospectively to companies already doing business in Vietnam over the Internet.  Any way you look at it, this is harmful for the business environment in Vietnam and contrary to the message delivered by the MPS and government in consultations and meetings about the Law.

 

The only good news in the draft Decree seems to be the decision that companies will have a full year to comply with the Law, meaning, in effect, that even though the Law takes effect on 1 January 2019, companies won’t need to be compliance until January 2020.

 

Time will tell what ultimately stays in and out of the Decree.  The draft is expected to be finalized and formally adopted by the government in the next weeks.

 

For more information about the Cybersecurity Law in Vietnam, please contact Giles at GTCooper@duanemorris.com, Le Hau at HNLe@duanemorris.com. Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.

Vietnam’s New Cyber-Security Law a Headache in the Making

Vietnam’s National Assembly yesterday overwhelmingly approved a heavily-debated Cyber-Security Law that could have significant impact on all online service providers with clients or customers in Vietnam.  While the stated aim of the new Law is to “protect national defense and ensure social order”, it imposes obligations on digital businesses that could have far-reaching and unintended effects without necessarily advancing the Law’s primary objective.  Key among such obligations are data localization and mandatory commercial presence rules that should worry not only tech giants but any company providing online services to customers in Vietnam.

While much of the commentary has focused on social network providers (e.g. – Facebook, Youtube) or ‘pure tech’ behemoths (e.g. – Google), the language of the Law is broad and potentially captures a wide range of business activities and models.  First and foremost, the Law appears to cover all enterprises (whether based onshore or offshore) that “provide services on the telecommunication network, internet, and other value-added services on the internet in Vietnam.”  In the digital age, this wide language covers a vast array of activity and is clearly not limited to social media services.  Take banks as an example.  If a foreign bank provides an online service to a client in Vietnam (including a non-Vietnamese citizen resident in Vietnam), will it be covered by this Law?  The answer is clearly yes according to the wording of the Law.  Another example would be an online booking services company like AirBnB which is accessible to, and used by, residents of Vietnam.  Again, such service activity is clearly covered by the wording of the Law, whether or not that is the true intent.

Once a company is covered by the Law, other requirements may apply.  For example, the Law requires companies to “authenticate upon registration” and “keep confidential” users’ information.  Critically, companies (wherever located) must also cooperate with the authorities to provide information of their users when such users are investigated or deemed to breach laws on cybersecurity.  Companies also need to grant the authorities access to their information system when there is “a serious breach of law or action causing serious loss to the public order and safety.”  Unclear as ever, these regulations will require further elaboration in implementing Decree(s), as well as implementation in practice, before the true implications can be known.

Another significant requirement is data localization.  Compared with earlier drafts, the version approved by the National Assembly appears to narrow down the kinds of companies which must perform data localization.  Nevertheless, the potential scope is broad: companies which “collect, exploit, analyze, or process” personal information, information created by users in Vietnam and data on the relationship of the users must store data locally for a period of time.  However, the language of the Law on this is still very vague and, absent further guidance, open to discretion of the authorities to interpret.  To take previous examples, a bank could be deemed as “collecting, exploiting, analyzing, processing” personal information of users in Vietnam when it establishes or provides online banking services for such clients.  A booking reservation company, or an online film provider (e.g. Netflix) does the same.  Read literally, all such companies will need to ensure data localization within Vietnam.

Not only that, such companies will also be required to establish commercial presences in Vietnam (either a branch or a representative office).  Oddly enough, it is unclear whether establishment of a fully-fledged subsidiary in Vietnam would be sufficient under the Law.  Many companies supply services to their customers in Vietnam via the internet without having a commercial presence in Vietnam.  This kind of blunt instrument will cause uproar and, one presumes, flagrant violations will abound which, for the most part, authorities in Vietnam will be unable to pursue on any practical level (though the desire and ability to shut off access to individual websites may grow over time).  The Law gives some wriggle rooms on this point by assigning the Government to elaborate the commercial presence requirement further and we may find that the scope will be narrowed down.

Many tech and non-tech companies voiced their concerns in the lead up to this Law. However, the National Assembly justifies its approval based on the need to ensure national defense and security.  A National Assembly spokesperson has stated that the regulations are feasible and not contrary to free trade agreements that Vietnam is a party to.  The jury however remains out on both these points.

The Law will take effect on 1 January 2019.  Implementing Decree(s) are expected to elaborate further prior to then though no drafts are available for review at present.

By Giles Cooper and Le Nguyen Duy Hau.  For more information about the new cyber-security regulations in Vietnam, please contact Giles at GTCooper@duanemorris.com, Hau at HNLe@duanemorris.com or any of the lawyers in our office listing.  Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.

Annual Vietnam Labour Law Reporting Obligations

See our handy chart in the link below outlining employers’ annual labour law reporting obligations in Vietnam.

Employment Reporting Obligations in Vietnam_June2017

For questions please contact Giles at GTCooper@duanemorris.com or any of the attorneys in our Vietnam office listings.

Mid Year Labor Law Update

The Labor Code in Vietnam is undergoing a rare revision with changes expected to be confirmed later this year and effective in 2018.  Click the link below for a snapshot of some anticipated changes as well as an update on trade union and social insurance matters.

Asia Employment Law Congress – Duane Morris – 9June2017

For questions about Vietnam labor law, please contact Giles at GTCooper@duanemorris.com or any of the attorneys in our office listings.

Revolve, Rollover and Refinance: New Lending Rules in Vietnam

Revolve, Rollover and Refinance: New Lending Rules in Vietnam

A few years ago the State Bank of Vietnam (“SBV”) started the custom of celebrating the new year by firing a salvo of new regulations during the last working days of the year.  This time it was no different, except that the salvo lasted beyond the Lunar New Year holidays.  On 9 February 2017, the SBV released on its website the last two circulars of 2016 dated 30 December.  The new regulations are of great importance for the country’s banking system and the economy at large as they aim to overhaul the regulatory framework applicable to lending activities of credit institutions[1] and foreign bank branches in Vietnam (hereafter, banks).  Although, it will take some time for banks and their clients to fully assess the impact of the new lending regime, we believe the following three changes introduced by the first of the two circulars – Circular 39/2016/TT-NHNN on credit activities of credit institutions and foreign bank branches (“Circular 39”) – are the most significant.

Revolving loans and rollover of loans.  Despite being quite common in other markets, these two very common international banking practices were not formally permitted in Vietnam.  Circular 39 will allow borrowers having business cycles not exceeding one (1) month to obtain revolving loan facilities from banks for up to three (3) months.  Rollovers will also be possible provided that the borrower does not have non-performing loans and the total tenor of the rolled over loan does not exceed 12 months following the initial disbursement and does not exceed one business cycle of the borrower.

Refinancing.  Similarly to revolving loans or rollover of loans, refinancing was not allowed in Vietnam in the past.  Limited refinancing of cross-border loans was first authorised in 2014[2]. Circular 39 will now allow refinancing of domestic loans as well, provided that all the following conditions are met: (i) the refinanced loans were extended for business purposes (consumer loans remain therefore excluded from refinancing); (ii) the maturity of the refinancing must not exceed the residual tenor of the loans being refinanced; and (iii) the refinanced loans have not been restructured.  Importantly, it is still prohibited for a bank to extend a new loan to refinance another loan granted by the same bank.

Enhanced lenders rights. Circular 39 makes an effort to reinforce the protection of banks as creditors.  For instance, they will now have the right to continue the recovery of unpaid loans even after exhausting all agreed loan recovery methods (e.g. sale of secured assets).  Banks will have the right to claim compensation for damage caused by breaches of loan contracts in addition to penalty interest payments (provided that the principle of compensation for damage caused by breach of contract has been agreed with the client in the loan contract).  They will also have greater freedom in agreeing to reductions or waivers of interest and fees.

Circular 39 will take effect in a month time, on 15 March 2017, and will replace Decision 1627/2001/QD-NHNN dated 31 December 2001 on the lending regime of credit institutions amended on multiple occasions by the SBV over the 15 years of its implementation. With these rather positive changes the SBV hopes to ensure that credit continues to grow despite a challenging global and domestic macro-economic environment while non-performing loans are kept in check.  Whether Circular 39 will help achieve these objectives remains to be seen.  It is still early stages in understanding all the implications of the regulatory step 39.

[1] The term “credit institutions” in Vietnam includes commercial banks, non-bank financial institutions (mainly finance companies), micro-finance institutions and people’s credit funds.

[2] State Bank of Vietnam Circular 12/2014/TT-NHNN dated 31 March 2014 on conditions applicable to foreign borrowings of enterprises not guaranteed by the Government.

 

For more information, please contact partner Giles Cooper at gtcooper@duanemorris.com or special counsel Bach Duong Pham at dbpham@duanemorris.com.