2026
4 MIN READ
Vietnam's AML regulatory environment has hardened significantly. For businesses operating in financial services, fintech, or digital assets, the question is no longer whether to build an AML program — it's whether the program you have will satisfy the scrutiny of banking partners, regulators, and investors simultaneously.
Why AML Compliance in Vietnam Is Harder Than It Appears
Vietnam has a published AML framework that, read in isolation, appears straightforward. The Law on Anti-Money Laundering establishes the basic obligations — customer identification, record-keeping, suspicious transaction reporting, internal controls. For businesses familiar with comparable frameworks in other jurisdictions, the published requirements do not look exceptional.
The gap between the published requirements and what banking partners and regulators actually assess is where the difficulty lives. Correspondent banks — particularly those headquartered in Singapore, Hong Kong, or Europe — apply their own AML standards when onboarding Vietnamese counterparties and when conducting periodic reviews of existing relationships. Those standards are not calibrated to Vietnam's published requirements. They are calibrated to the correspondent bank's own regulatory obligations, which typically reflect FATF guidance and the requirements of their home jurisdiction regulator.
The practical result is that a business operating in Vietnam can be fully compliant with the published local AML framework and still fail the assessment that matters most to its day-to-day operations — the assessment conducted by its banking partners. Understanding this gap, and building a compliance program that closes it, is the starting point for effective AML compliance in Vietnam.
The Core Components Every Compliant Framework Must Have
A compliant AML framework in Vietnam — one that satisfies regulators, banking partners, and investor diligence teams simultaneously — requires several components working together, not a single policy document.
KYC and KYB policies need to be documented in detail: what information is collected, from whom, through what verification process, and with what frequency of review. Risk-tiered customer classification — distinguishing between standard, enhanced, and simplified due diligence requirements — needs to be explicit and applied consistently. The classification criteria cannot be left to individual judgment; they need to be defined and auditable.
Transaction monitoring rules need to specify thresholds, triggers, and escalation pathways. The rules need to reflect the actual risk environment of the business — not generic thresholds copied from a template. STR procedures need to be documented clearly enough that any trained staff member can follow them. And the governance structure — board-level oversight, compliance officer mandate, reporting lines — needs to be documented and evidenced, not just described.
The Most Common Gaps Found in Practice
The most consistent gap we observe is a framework built for one audience that fails for another. A business that built its AML program to satisfy initial banking onboarding may have documentation that covers the basics but lacks the governance evidence, monitoring history, and training records that an investor diligence team or a more demanding banking partner requires.
Transaction monitoring is frequently either absent in practice or present only nominally. Monitoring rules exist on paper but are not applied systematically. Alert handling procedures describe a process that no one follows. The result is a program that looks compliant in documentation but cannot demonstrate operational effectiveness.
Governance documentation is the other consistent gap. Board minutes that do not reflect substantive compliance discussion, compliance reports that were prepared but never formally considered, training records that cannot be located — these are not minor administrative failures. They are the evidence failures that transform a technical compliance issue into a governance issue, which is a materially different category of concern for both regulators and counterparties.
When the Gaps Become Critical
Compliance gaps in Vietnam become critical at predictable moments. Banking onboarding is the most common trigger: a business applies to open an account or expand its banking relationship, and the bank's compliance team conducts a review that surfaces the gaps. Account opening is refused or the existing relationship is put under enhanced monitoring.
Investor diligence is the second most common trigger. An investor's legal and compliance team conducts a review of the business as part of a funding round or acquisition process. The AML program review surfaces documentation gaps, governance failures, or monitoring deficiencies. The transaction is delayed, repriced, or conditioned on remediation — all of which are expensive outcomes that proactive preparation would have avoided.
Regulatory examination is the third trigger — and the one with the most direct consequences. A regulatory examination that surfaces material gaps in the AML program is not a private matter between the business and the examiner. It creates a record, it may result in sanctions, and it becomes visible to banking partners and counterparties who conduct their own due diligence.
How to Assess Where Your Framework Stands
The starting point for assessing your AML framework is not a self-assessment against the published regulatory requirements. It is an assessment against the standard that your most demanding audience applies — whether that is a correspondent bank, an institutional investor, or the regulatory body most likely to examine you.
A structured gap assessment conducted by an external adviser who understands what those audiences actually look for will surface issues that internal review consistently misses. The reason is straightforward: internal reviewers assess what exists against what they know. External reviewers assess what exists against what sophisticated counterparties expect to find — and the gap between those two standards is almost always larger than the internal view suggests.
Remediation varies significantly in what it requires and how long it takes. Documentation gaps — missing policies, incomplete records — can often be addressed within weeks. Governance failures require board-level engagement and take longer to evidence credibly. Structural gaps in the monitoring program — where the rules themselves are inadequate, not just the records of their application — require time to design, implement, and demonstrate operational effectiveness. Starting the assessment before the pressure point arrives is the difference between having options and having none.
