Sign inBook a Demo

Market Insights

Data Sovereignty for Agentic AI in Vietnam and ASEAN BFSI: A Field Guide

For banks and insurers in Vietnam and across ASEAN, the question is no longer whether to adopt agentic AI — it is how to adopt it without unwinding the data-locality work that took the last decade to put in place. A field guide to the regulatory floor in 2026, how an agent's reasoning loop changes the data surface across storage, inference, memory, telemetry, and egress, the architecture patterns that hold up at audit, and a checklist to run before an autonomous agent reads live customer data.

STSteve Tran
·
datasovereigntybfsivietnamaseanagenticaicompliancedecree13mascloudthinker
Cover Image for Data Sovereignty for Agentic AI in Vietnam and ASEAN BFSI: A Field Guide

Data Sovereignty for Agentic AI in Vietnam and ASEAN BFSI: A Field Guide

For banks and insurers in Vietnam and across ASEAN, the question is no longer whether to adopt agentic AI. It is how to adopt it without unwinding the data-locality work that took the last decade to put in place. This is a field guide for risk officers, heads of architecture, and compliance leaders in BFSI — the regulatory floor as it stands in 2026, the way an agent's reasoning loop changes the data surface, the architecture patterns that hold up against an audit, and a checklist a team can run before allowing an autonomous agent to read live customer data.

1. Why this is the conversation in 2026, not 2024

Two things changed between 2024 and 2026.

The first is that agentic AI graduated from prototype to production for cloud and engineering operations. Banks in Singapore, Vietnam, and Indonesia are no longer asking whether an agent can resolve a production incident or review a Merge Request — they have seen it work. They have measured the mean time to resolution drop. They have watched code-review backlogs shrink. Now they want to extend the same model to customer-touching workloads: collections journeys, KYC review queues, dispute triage, lending policy enforcement. Those workloads sit on top of the most regulated data in the bank.

The second is that the regulatory perimeter for cross-border data sharpened across the region. Vietnam's Decree 13/2023/ND-CP on personal data protection took effect on July 1, 2023, and Decree 53/2022/ND-CP — the implementing decree for the 2018 Cybersecurity Law — added explicit storage and processing obligations for foreign service providers serving Vietnamese users. Singapore's MAS published the FEAT (Fairness, Ethics, Accountability, Transparency) principles for AI in financial services and updated Notice 658 to cover model providers. Indonesia tightened OJK Circular 11/2022 on cloud and AI carve-outs. Malaysia's BNM, the Philippine BSP, and the Bank of Thailand all moved.

The result is that the question every regulated CIO in the region is now asking is the same: if we put an agentic system in front of our production banking data, where does that data actually live, and who can see it?

This piece tries to answer that question concretely.

2. Data sovereignty is not data residency

It is tempting to reduce sovereignty to a single field on a procurement checklist: does the cloud region sit inside the country. That is necessary. It is not sufficient.

For an agentic system, sovereignty is the property that data — including the inferences drawn from that data — never leaves the jurisdictional, contractual, and technical boundary the regulator has accepted, at any point in the agent's reasoning loop. That includes five distinct surfaces:

  • Storage. Where the raw data is at rest.
  • Inference. Where the model that processes the data is hosted, and whose hardware it runs on.
  • Memory. Where the agent's learned context, embeddings, summaries, and runbooks are persisted.
  • Telemetry. Where the logs, traces, and audit records of what the agent did are written.
  • Egress. Whether the agent's intermediate or final outputs leave the boundary through a webhook, an API, or a model-provider callback.

An agentic system that hosts data inside the country but ships every prompt to a model endpoint in a different jurisdiction has not solved the sovereignty problem. It has moved the problem from the database layer to the model layer.

This is the core idea every BFSI architecture decision in 2026 turns on. The shape of the answer is layered: each of the five surfaces has to live inside the boundary, or sit behind a documented cross-border transfer regime the bank can defend at audit. Anything else is a finding waiting to happen.

3. The Vietnamese floor

For a bank, an insurer, or a regulated fintech serving customers in Vietnam, the operative instruments are:

  • Decree 13/2023/ND-CP on personal data protection. Defines personal data and sensitive personal data, the consent regime, the cross-border transfer regime, and the impact-assessment obligation. Importantly, the cross-border transfer regime requires the data controller to file a Transfer Impact Assessment ("TIA") with the Ministry of Public Security before transferring personal data abroad — and to keep that TIA current for the lifetime of the transfer.
  • Decree 53/2022/ND-CP, implementing the Cybersecurity Law of 2018. Establishes the in-country data-storage obligation for certain foreign service providers, the licensing path, the requirement to maintain a Vietnam-based representative office for in-scope services, and the cooperation duty when authorities request data.
  • Law on Credit Institutions (2024 revision) and the State Bank of Vietnam's circulars on the outsourcing of IT operations. For an agentic system that touches the core banking platform, the SBV outsourcing regime is the operative one. The bank retains primary liability for everything the agent does, and the SBV expects the bank to maintain inspection rights all the way through to the vendor's runtime.

The practical upshot for an agentic deployment in Vietnam is that every layer in the sovereignty list above has to either run inside Vietnam, or sit behind a documented TIA filing that the bank can defend at audit. "The model lives in another jurisdiction but the data does not leave Vietnam" is not a defensible posture, because the prompt and the response are personal data once they are derived from a customer file.

The same logic applies to the agent's memory. If the agent persists a summary of a customer dispute as part of its learned context, that summary is personal data. If the persistence layer is hosted out-of-country, that is a cross-border transfer.

4. The wider ASEAN map

For a regional bank or a fintech with ASEAN-wide ambitions, six regulatory environments matter alongside Vietnam.

Singapore runs the Personal Data Protection Act (PDPA), MAS Notice 658 on outsourcing, and the FEAT principles for AI in financial services. Cross-border transfers are permissible if the receiving party is held to a "comparable standard." For agentic AI, the FEAT principles translate into specific model-governance obligations the bank must attach to any third-party agent — explainability of decisions, accountability for outcomes, and a documented process for human review of consequential actions.

Indonesia runs UU PDP (Law 27/2022) and OJK Circular 11/2022 on cloud-based services for banks. The data controller has primary liability for any agentic system's behaviour. POJK on IT risk management requires the bank to retain the right to audit the cloud provider — including, by extension, the agent runtime. BI Regulation 23/2021 on payment systems adds in-country processing requirements for payment-related personal data.

Malaysia runs BNM's Risk Management in Technology (RMiT) policy document and the PDPA 2010 (amended 2024). RMiT puts material outsourcing under prior BNM consent — most agentic systems with production access to a Malaysian bank's core systems qualify. RMiT also asks for evidence of "data localisation" for material workloads.

The Philippines runs the Data Privacy Act (Republic Act 10173) and BSP Circular 982 on cloud services. The BSP's posture is risk-based: critical workloads can sit on cloud, but the bank must demonstrate that the data is recoverable into a local environment and that the agent runtime is in scope for the bank's business continuity plan.

Thailand runs the PDPA (2019) and the Bank of Thailand's IT risk standards. PDPA's cross-border transfer regime mirrors the GDPR's adequacy / safeguards model.

The pattern across the six is consistent: data residency is the floor; the bank's own accountability for what the agent does with the data is the ceiling. An agentic system that satisfies the residency rule but cannot produce a verifiable trail of what the agent did, why, and with whose data, will fail the second test — and the second test is the one a regulator runs after the first incident, not before procurement.

5. How an agent's reasoning loop changes the data surface

The threat model for a traditional banking analytics workload is well understood. Data sits in a controlled store, a query runs, a result returns, an audit log records who asked what. Network controls and IAM bound the surface.

An agent loop is different.

A single customer-facing query — "why was this disbursement delayed" — triggers a sequence. The agent decomposes the question. It calls a tool to read the customer record. It calls a second tool to query the disbursement system. It summarizes the result in its working memory. It calls a third tool to read the approval policy. It drafts a response. It calls a fourth tool to log the interaction. It may decide to escalate to a human reviewer with the relevant context attached.

Every step is a data touchpoint. Every step potentially carries personal data into the model context. The implications for sovereignty are concrete:

  • The model is the new data plane. Whatever data the agent reasons over is, at the moment of inference, in the model's working memory. If that model is hosted in another jurisdiction, the data has crossed the border — even if the database it came from never moved.
  • Agent memory is its own residency surface. Most agentic systems persist embeddings, summarized runbooks, and learned patterns. Those persisted artifacts derive from production data and inherit its sensitivity classification. They have to live in-country alongside the source data.
  • Tool calls are auditable events the regulator now expects. When the agent invokes a tool against a banking system, that invocation is materially the same as a human analyst pulling a query. The same audit standard applies. The agent's chain-of-thought, however, is not the audit log — it is the agent's internal reasoning, and a regulator will want the durable log of intent and outcome, not the reasoning trace.
  • Prompt injection is a sovereignty issue, not just a security issue. A successful prompt injection that causes the agent to exfiltrate a customer record to an attacker-controlled endpoint is a cross-border transfer of personal data with no TIA filing behind it. The risk classification belongs in the bank's privacy register, not just the security one.

The implication is that the controls a bank already runs against its data warehouse and core banking systems must extend to the agent runtime — and the agent runtime needs its own controls that the data warehouse did not need: prompt-injection defence, model-output filtering, and per-tool egress policy.

6. Architecture patterns that hold up

Five patterns are the ones that survive an audit, in our experience deploying with regulated customers across the region.

In-country inference

The model that processes customer data runs on infrastructure in the same jurisdiction as that data. For Vietnam, that means a Vietnam-region deployment — whether on a hyperscaler region in-country, a sovereign cloud, or a customer-owned datacenter. Cross-region inference is reserved for non-personal data (synthetic test fixtures, code-only review of public modules, public API documentation lookups) and is policy-gated rather than ad-hoc.

For models that do not yet have an in-region SKU at the hyperscaler the bank already uses, the right answer is usually to host the model on the bank's own GPUs inside the country, not to make an exception. The hyperscaler exception is what regulators ask about first.

Customer-managed encryption keys

The keys that decrypt data presented to the agent are held in a customer-controlled KMS. The agent runtime authenticates to KMS for each invocation; the key never leaves the customer boundary. Key rotation, audit, and revocation are the customer's, not the vendor's. The bank's auditor can produce a key-usage log on demand and tie every decryption back to a specific agent invocation.

Memory in the customer boundary

The agent's learned context — runbooks, embeddings, accepted patterns, summarized incident histories — persists inside the customer's account. The vendor's control plane never holds it. For CloudThinker, this is the MemGraph posture: the team's institutional memory is theirs, in their boundary, with the vendor running the compute that writes into it but never the storage that holds it. We describe how it sits across the four agents on the platform overview and at length in the MemGraph technical post.

The reason this matters for regulators is simple: the MemGraph is derived from production data. Inheriting the source's sensitivity classification is the right default, and the only durable way to preserve that classification is to keep the storage where the source data already lives.

Sandbox-isolated runtime

Each agent execution runs in a per-tenant sandbox with no shared state and no path to another tenant's data. For CloudThinker, this is described at sandbox-secure execution and private connectivity and is the default for every customer. The sandbox is also the boundary where prompt-injection defences run — an injected instruction that asks the agent to call an out-of-policy URL is denied at the sandbox egress gate, not at the model.

The combination of per-tenant isolation and explicit egress allow-listing is what answers the regulator's question of "what could go wrong if a single tenant is compromised."

Auditable tool invocation

Every tool call the agent makes is logged with the prompt context, the inputs, the outputs, and the policy decision that allowed it. The log is replayable. The replay can be presented to a regulator's office. For CloudThinker this is enforced by the Guardrails Engine on the platform overview and the Connections architecture, which is the same architecture we shipped for SOC 2 attestation and is described in the Connections blog.

Replay is not the same as observability. A regulator does not want a Grafana dashboard — they want a deterministic trail that, given the same inputs and the same policy version, produces the same outcome. That is the bar.

A regulated deployment that satisfies all five patterns is one we have seen pass an SBV outsourcing review, a MAS Tier-1 outsourcing assessment, and an OJK cloud review without architectural modification.

7. How CloudThinker is built for this

CloudThinker is an agentic infrastructure-operations platform. It is not a banking product — it is the substrate that the DRE, CostOps, SecOps, and Code Review agents run on. The reason we are talking to BFSI teams in the region about sovereignty is that the same substrate that runs the agents is the one that has to hold the data-residency, key-management, and memory-locality guarantees the regulator will ask about.

The shape of the platform follows from the five patterns above:

  • Region-scoped runtime. CloudThinker runs in the customer's region of choice. For Vietnam customers, we run in a Vietnam region with no cross-region inference path enabled by default. The agent runtime, the MemGraph, the audit log, and the telemetry layer all sit inside the same regional perimeter.
  • Connections without persistent copies. CloudThinker Connections reads from the customer's stack on-demand, scoped to the tool call, with no persistent replication into our control plane. Database reads stay in the database. Logs stay in the customer's log platform. The agent reasons on the data in the moment of inference and does not keep a copy. The detail is on the connection-tiers post: CloudThinker Connections — How We Securely Connect to Your Infrastructure.
  • MemGraph in the customer's account. The team memory the four agents write into — runbooks, accepted patterns, ADR-linked decisions — persists inside the customer boundary, on customer-managed storage and under customer-managed keys. We describe the architecture in the MemGraph post.
  • Graduated autonomy. Every agent action is policy-gated under Auto Mode. For a regulated workload, the default is propose, never apply — and the policy can be raised one risk class at a time, with the audit trail attached. The full posture is described on the Security page.
  • On-prem option. For customers whose regulator does not accept hyperscaler regions as in-country — typically state-owned banks in the region — CloudThinker is deployable into the customer's own datacenter, with the same control-plane shape as the SaaS offering. The agent runtime, the MemGraph, and the policy engine all sit inside the bank's perimeter.

The combination is what the platform describes as "one platform, not a stack of agents" and "centralized MemGraph for the team": the agents share the same substrate, the substrate carries the controls, and the controls are visible to the regulator at audit.

8. A field checklist for BFSI leaders considering agentic AI

We use this checklist with risk officers in the early scoping phase of an engagement. It is opinionated, and it is the minimum bar we would ask a vendor — including ourselves — to clear.

  1. Can the vendor produce a network diagram showing the path of personal data from the customer's environment to the model and back, end to end, in writing?
  2. For each model invocation, where does the model run, and on whose hardware?
  3. Where does the agent's memory persist? Is it inside the customer's account or inside the vendor's control plane?
  4. What persistent artifacts does an agent run produce, and what is the residency posture of each one?
  5. Is there a customer-managed KMS path for every decryption the agent performs?
  6. Are tool invocations logged with sufficient fidelity to replay them in a regulator's office, deterministically?
  7. What is the prompt-injection threat model the vendor will present at audit, and what specific controls back it?
  8. If the regulator requires a Transfer Impact Assessment, can the vendor provide the data points the TIA template needs, in the regulator's format?
  9. Is the agent runtime sandboxed per tenant, or is there shared state with other tenants?
  10. What is the policy gate that prevents an agent from autonomously executing a state-changing operation on production, and who approves it?

A vendor that cannot answer all ten on a first conversation is not ready for BFSI in this region. Neither is a deployment that has not been walked through these questions before going live.

We have produced this checklist as a one-page document for risk teams to attach to their procurement file; if it would be useful, contact our team and we will share it.

Closing

The opportunity in front of BFSI teams in Vietnam and across ASEAN is the same opportunity engineering teams in the rest of the world had eighteen months ago: agentic systems that take routine work off the plate and let the senior people focus on the hard problems. The risk is different. The data is more sensitive, the regulator is closer, and the cost of getting it wrong is measured in licenses, not just outage minutes.

The way through is not to slow down. It is to pick a substrate that was built to hold the controls a BFSI regulator will ask for — region-scoped, customer-keyed, memory-local, sandbox-isolated, audit-replayable — and to put the agents to work on the workloads where the controls are clearest first. Internal cloud and engineering operations are usually the right place to start. Customer-facing workloads come after the first audit cycle has been walked through end to end.

If you are scoping an agentic deployment for a regulated workload in the region, contact our team — we will walk you through the deployment shape and the audit posture we have used with banks already live in production.