Fintech 2022 Comparisons

Last Updated March 24, 2022

Contributed By Chandler MHM Limited

Law and Practice


Chandler MHM Limited recognises the importance of technology in today’s constantly evolving technology-dependent world and the impact it has on business. The firm's priority is to help clients navigate the legal and regulatory challenges in the technology sector. The team, which is based in Thailand, has extensive experience advising technology companies. The firm advises clients across a broad spectrum of technology-related areas, including cybersecurity, data privacy, e-commerce, esports, fintech and health tech. Chandler MHM has a strong, on-the-ground presence in Asia and globally.

Thailand is a pioneer in Southeast Asia in the adoption of 5G technology to improve and expand the country’s capacity for technology such as blockchain, artificial intelligence (AI), Big Data, robotics, cloud computing and machine learning. As a result of the proactive development of its information communication technology (ICT) facilities and the regulatory environment, Thailand is one of the fastest growing fintech markets in ASEAN, and currently has one of the world’s largest consumer bases for fintech mobile banking.

Mobile banking has grown at a very fast pace. Currently there are approximately 75 million mobile bank accounts and the number of mobile online money transfers have surged from 95 million transactions in 2011 to 9.6 billion transactions per year in 2021. Similarly, this development can be illustrated in total funding for Thai fintech firms that had reached USD215.6 million in the first three quarters of 2021, a significant increase over 2020’s USD134 million funding.

Developing Accessibility

The Thai government has been promoting fintech by developing accessibility to government platforms. The BOT has co-operated with global card network service providers to create an innovation called the “Thai QR Code” which facilitates payments via debit cards, credit cards, e-wallet and e-payments through the bank accounts using the Thai QR Code as an intermediary. During the COVID-19 pandemic, the Thai government created the e-wallet application “Pao Tang” to give financial support to people who qualified for the program, as well as to stimulate the Thai economy. Granted-in-aid subsidies will be credited to the application which can be used as intermediate for payment of goods with registered vendors, which has helped Thai people more familiarised with QR Code payment systems and enhanced a new level of fintech adoption in Thailand. Coupled with a push for contactless payments due to the COVID-19 pandemic, fintech has become more widespread and the use of electronic transactions has become more normalised in Thailand.

Apart from electronic payments, the digital asset trading has increasingly captivated the Thai market. Investors and service providers in secondary digital asset markets are still active despite the fact that initial coin offerings (ICO) of digital tokens in Thailand has slowed. In 2021, the first ICO of a real estate backed investment digital token was launched and has gained a lot of attention from the media.

Due to an increase of digital asset products and digital asset players in Thailand, the relevant regulators have issued and will issue a number of guidelines and regulations to regulate transactions contemplated in connection with digital assets especially cryptocurrency trading. For example, in the beginning of 2022, the relevant authorities, BOT, SEC and Ministry of Finance jointly considered setting guidelines and regulations on the usage of digital assets as a means of payment for goods and services.

Digital Asset Exchanges and Investors

As of the time of writing, according to information provided by the SEC, there are eight digital asset exchanges that have been approved in Thailand. However, one of the digital asset exchange operators has been suspended, and their licence may be revoked due to issues with their trading system.

The major players in Thai fintech industry are predominantly financial institutions and traditional non-banking financial institution. They have been adopting technology for their services to facilitate their customers' needs and increase market share. Other players include venture capitals and start-ups.

The main fintech business models in Thailand are as follows.

E-money, E-wallets and E-payment

E-money, e-wallet and e-payment service providers are some of the most significant players in the Thai fintech industry. The recent rise in number of online payments, mobile banking payments and mobile banking users caused financial institutions and non-bank financial operators (“financial services providers”) to adopt financial technology in operations of their normal banking businesses. Their business operations and services could then be conducted or provided through their online platforms instead of physical branches. 

Other than the financial services providers, there are a number of new players in this area; with most entering the industry as venture capital companies and start-up companies. Other investors have decided to co-operate and partner with major social platform business operators. The purpose of co-operation is to use such platforms to reach customers.

For foreign financial services providers that might not be able to secure a full-service licence, due to certain limitations in their own capacity or strict qualifying requirements under Thai law, partnering with legacy financial institutions or full-service licensees are alternate solutions.

Financial institutions or licensees can act as the local service providers under this business model. This type of business model can also help foreign entities in the sense that there will be fewer numbers of licences that the foreign entity has to obtain from the government.

Digital Assets

In 2018, the SEC recognised digital tokens and cryptocurrency as digital assets. Business operators are categorised into two groups, as follows:

Primary market

The business operator in the primary market can be either:

  • an ICO issuer who is looking to raise funds by issuing coins; or
  • an ICO portal who provides offering token digital system services.

There has been one ICO issuer approved by SEC in 2021. Such ICO issuer has issued real estate backed digital tokens. The token holders are entitled to receive revenue shares from the revenue stream of underlying assets of the tokens.

Secondary market

In secondary digital assets market, the service providers related to digital assets that are recognised by Thai regulations and supervised by the SEC, as follows:

  • digital asset exchanges;
  • digital asset brokers;
  • digital asset dealers;
  • digital asset advisory services; and
  • digital asset fund managers.

Digital Lending

Digital lending is an important platform that the financial services providers use to reach new retail customers, eliminate physical limitations, and facilitate business activities with customers. Many financial services providers, especially personal loan providers, are interested in expanding their online services. 

Some financial services providers have chosen to co-operate with social platform operators in providing the digital lending to that platform’s customers and vice versa rather than build up their own (online) platform and obtain licenses.

Peer-to-Peer Lending Platform

Currently, there are few players in peer-to-peer lending due to the lack of information and precedent cases in Thailand. Peer-to-peer lending platforms are electronic platform services that operate as a matchmaker between lenders and borrowers. Its roles also include facilitating loan contracts, and carrying out fund transfers and repayments between the parties. According to the BOT, there are three peer-to-peer lending service operators in the BOT regulatory sandbox testing their systems.


There are both equity and debenture crowdfunding of private and public limited companies through crowdfunding portals Thailand. In this respect, crowdfunding, in which shares or debentures will be issued as consideration, will be deemed as a type of public offering under SEC regulations. A crowdfunding portal operator must obtain a licence from the SEC Office.

Artificial Intelligence Adviser

Many business sectors have adopted computer or artificial intelligence to enhance business efficiency. In Thailand, fintech businesses also use artificial intelligence to advise clients in wealth creation and management.

Currently, the Thai fintech industry is not directly regulated by any specific overarching legislation. However, operators need to comply with certain business-related regulations.

The key regulations related to fintech business activities are as follows.

Payment Systems (including E-money, E-wallet and E-payment)

In order to enhance supervision of payment systems and payment services, the Payment System Act B.E. 2560 (2017) (“Payment System Act”) was enacted and came into effect on 16 April 2018. The main purpose is to regulate the following.

  • Highly important payment systems which are payment systems that are important to the security and stability of payment systems, financial systems, or monetary systems of the country.
  • Designated payment systems which are:
    1. payment systems which are networks between system users that handle fund transfers, clearing or settlement, such as retail funds transfer systems, payment card networks and settlement systems; or
    2. any other payment systems which may affect the public interest, public confidence or stability and security of the payment systems.
  • Designated payment services which are:
    1. provision of credit cards, debit cards, or ATM card services;
    2. provision of e-money services;
    3. provision of accepting electronic payments for and on behalf of others;
    4. provision of e-money transfer services; and
    5. other payment services which may affect payment systems or the public interest.

Digital Assets

The Emergency Decree on Digital Asset Decree B.E. 2561 (2018) (“Digital Asset Decree”) was enacted to regulate offerings of digital assets and businesses undertaking digital-asset-related activities. The Digital Asset Decree aims to enhance the standards of the digital asset market to be in line with international standards and to protect players in the market. Digital assets under this decree means cryptocurrencies and digital tokens that are regulated by the Digital Asset Decree under the supervision of the Ministry of Finance (MOF) and the Office of the SEC.

Digital Lending

On 15 September 2020, the BOT issued Circular No BOT.FhorGorSor. (01) Wor. 977/2563 Re: Criteria, Procedures and Conditions on Digital Personal Loan Business Operations. The purpose of this BOT Circular is to relax the criteria for personal loans for those who do not have regular or proof of income, or those without collateral, and to grant flexibility to personal loan providers in providing personal loans in an electronic form. However, for other types of loans which are not personal loan, Financial Services Providers still have to comply with regulations that do not specifically regulate digital lending.

Peer-to-Peer Lending Platforms

On 29 April 2019, the BOT Notification No SorNorSor. 4/2562 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer Lending Platform Businesses (“Peer to Peer Lending Platform Notification”) was announced in the Government Gazette and became effective on 30 April 2019. This notification prescribes the criteria for peer-to-peer lending platform operators and the other participants in the platform.

A person who wishes to operate a peer-to-peer lending platform must participate in the BOT's regulatory sandbox until completing a successful test and must be able to provide an extensive scope of services in Thailand. Once these conditions are met, the operator may apply for a license from the MOF through the BOT. A peer-to-peer lending platform operator can only act as an online marketplace or matchmaker to facilitate THB loan agreements between lenders and borrowers. Lenders can be either individuals or juristic persons. Borrowers must be individuals.

Electronic Transactions

The Electronic Transactions Act B.E. 2544. (2001) (“Electronic Transactions Act”) supports the legal validity of electronic transactions performed via electronic systems. If a transaction is done in the form of electronic data in accordance with the rules and procedures under the Electronic Transactions Act, the transaction is deemed to be validly binding as if entered into in accordance with other laws governing transactions entered into by other platforms or means.

The criteria and restrictions for charging service fees depend on the type of business, business model and services provided to customers. The criteria for disclosures of services or fees depend on the regulations related the business or business activity that the operator carries out. Generally, the operator has to disclose details of fees that will be charged customers, and the threshold or criteria for setting the fees charged to customers. 

For example, under the Payment System Act, payment service providers must disclose information on service fees, as follows.

  • Information of service fees to customers by notice at all locations that services are provided to service users, or by any other means that will inform service users of the service fees. Service fees must be reasonable. 
  • Information on any changes to service fees by notice at all locations that services are provided to service users, or by any other means that will inform service users of changes to service fees. Advance notice to service users of at least 30 days prior to the effective date of the change in service fees is required if such changes to service fees may be detrimental to service users.
  • Details of service fees must be submitted to the BOT electronically, as permitted by the BOT, as soon as possible from the commencement date of undertaking the business and each time there is a change in service fees.

There are no significant differences between regulations governing fintech operators and regulations governing legacy players. Some fintech business operations are covered by licences already held by legacy players. Both fintech operators and legacy players have to comply with the regulations set out in 2.2 Regulatory Regime. Other relevant laws and regulations applicable to general business enterprises will also apply.

Financial Services

Under the 2019 regulatory sandbox guidelines, the “own sandbox” was introduced in addition to the existing regulatory sandbox under the BOT’s supervision. The regulatory sandbox is a project for financial service providers to test their financial services that incorporate new technologies under controlled conditions.

Financial service operators that can apply for testing in the regulatory sandbox must be:

  • under the BOT’s supervision;
  • financial services or fintech innovation using new technologies which are new or differ in some way to the existing financial services or products in Thailand or an innovation to enhance the efficiency of existing products or services; or
  • financial services which:
    1. are to be developed into infrastructure or standard practices for Thailand’s financial sector and the financial service providers to cooperatively experiment; or
    2. under relevant laws and regulations that are required to test in the BOT’s regulatory sandbox.

The participants consist of financial institutions, companies within a group of financial institutions, non-banks under the BOT’s supervision, fintech firms, and technology firms which wish to experiment with financial services or fintech innovation individually or in conjunction with the previously other participants.


The amended regulatory sandbox regulations that became effective in 2020 give more flexibility to the operator by increasing the types of businesses that can participate. According to the SEC, the types of business under the amended regulatory sandbox regulations cover all activities in capital markets. The additional types of businesses are as follows:

  • intermediaries, ie, securities investment advisory services, private fund management businesses, derivatives agent businesses, derivatives dealing businesses, derivatives advisory services, and derivatives fund management businesses, and the newly added securities brokerage businesses, securities dealing businesses, securities underwriting businesses, mutual fund management businesses and securities borrowing and lending businesses (SBL);
  • know your customer (KYC) providers, gathering and assessing clients’ information; 
  • post-trading service providers, ie, securities clearing houses, securities depository centres, securities registrars, and the newly added derivatives clearing houses; and
  • trading system service providers, ie, electronic trading platforms (ETP), and the newly added securities trading centres and derivatives exchanges.


The Office of the Insurance Commission (OIC) issued a notification on a insurance regulatory sandbox in 2019. The notification allows both life and non-life insurance industry operators to conduct testing in their own sandbox for certain cases.

On 25 March 2021, the OIC Board of Directors announced a notification on criteria of entry into project of testing innovation using of technology supporting insurance services (insurance regulatory sandbox) which replaces the existing notification announced in 2019. In addition, on 17 May 2021, the OIC, by virtue of the aforesaid notification, announced a notification of criteria, procedure and conditions on entry into projects of testing innovation using technology supporting insurance services (insurance regulatory sandbox) which has a purpose of determining the details and procedures of participation in sandboxes and compliance of participants during the period of testing in the sandbox. The main purpose of the announcement of these two notifications are to relax the former criteria and provide more flexibility to participants and the authority.

The jurisdiction of each regulator depends on the type of financial service provision rather than the type of technology the operator of such business adopts. The key regulators of fintech businesses with respect to financial services, securities and insurance in Thailand are, respectively:

  • the MOF and the BOT;
  • the MOF and the SEC; and
  • the OIC.

The BOT has the power to supervise, examine, and analyse the financial status and performance and risk management systems of financial institutions to enhance the stability of the financial status of Thailand. Thus, fintech activities that are related to financial institutions will be predominantly supervised by the BOT, including digital lending and peer-to-peer lending payment systems, e-wallets, e-money and e-payments.

The SEC is a regulatory unit supervising capital markets. Capital markets are the main mechanisms for efficient mobilisation, allocation, and monitoring the utilisation of Thailand’s economic resources. The SEC also governs businesses that crowdfund, including the digital asset industry (cryptocurrencies and digital tokens).

The OIC is the regulatory agency with the mission to supervise and enhance Thailand’s insurance ecosystem. Even though there is no regulation relating to the insurtech in Thailand, certain Thai insurance companies have introduced technology to enhance their businesses and provide insurtech. Such insurtech operations are supervised by the OIC.

The outsourcing restrictions of each business depends on the regulations related to it. Thus, different businesses may have different restrictions on outsourcing. Business operators that conduct designated business activities under the relevant regulations are required to obtain licenses or approval, or register with the competent official. Certain functions in the operations of such designated business that are not the main activities under the respective licences, approval or registration can be outsourced to qualified persons/to the extent that such outsourcing is not circumventing the requirements of licensing, approval or registration.

For example, financial institutions can use IT outsourcing services provided by third parties. However, the guidelines on risk management implementation of third parties must be followed. The guidelines cover risk governance, third party risk management and reporting obligations to the BOT.

Regulations require that payment service providers, such as e-money or e-payment service providers, have protocols for the use of services performed by third parties as follows:

  • a risk management process for the services provided by other service providers or third parties and risk assessments for services that are outsourced on a regular basis;
  • outsourcing agreements that indicate the rights of internal auditors, external auditors and the BOT to perform audits of business operations, and internal controls related to outsourced payments services for service providers or third parties; 
  • a business continuity plan or a disaster recovery plan covering the outsourced service activities; and 
  • risk assessments for any services provided by service providers or third parties in other countries.

Fintech service providers may be considered gatekeepers depending on the business activities of a fintech service provider.

For example, pursuant to Notification of the SEC No GorThor. 19/2561 regarding criteria, conditions and procedures for business operations of digital assets, exchange service providers must have a system that discloses sale and purchase data. This data includes pre-trade information and post-trade information and records of sales and purchases of digital assets must be recorded for the purpose of potential audits.

The Computer Crime Act B.E. 2550 (2007) requires that fintech service providers are:

  • a person who provides services to the public with respect to access to the internet or other mutual communications via computer systems, whether on their own behalf, or in the name of, or for the benefit of, another person; or
  • a person who provides services with respect to the storage of computer data for the benefit of other persons, the fintech service provider shall store computer traffic data for at least 90 days from the date on which the data is input into a computer system.

However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than 90 days but not exceeding one year on a special case by case basis, or on a temporary basis. A fintech service provider must keep the necessary information of the service user in order to be able to identify the service user from the beginning of provision of the services. Such information must be kept for an additional period not exceeding 90 days after the service agreement has been terminated.

Failure to comply with the requirements listed carries a fine of not more than THB5,000.

Details of enforcement actions by Thai authorities are generally not available to the public. Most public cases are related to fraud. In the fintech sector, most fraud cases involve alleged Ponzi Schemes.

There have been several enforcement actions and attempts in 2021.

In 2021, the SEC requested the Minister of Finance (MOF) to consider revoking a digital asset exchange licence of one of digital asset exchange operators While the MOF considered revocation, SEC ordered the operator to cease its digital asset exchange operations and return all customers’ assets. This order was issued due to the operator’s violation of the minimum capital requirement for digital exchange operations of THB50 million. The MOF issued an order revoke the licence in October 2021.

On 2 July 2021, SEC filed a criminal complaint against the biggest international digital asset exchange platform provider which according to the available data has no presence in Thailand but allegedly was targeting Thai consumers with the Economic Crime Suppression Division of the Royal Thai Police (ECD) for the commission of offences under the Digital Asset Decree. It was viewed that the platform had solicited the Thai public and investors to use its services, either via its website or social media and that such activities may be considered as conducting a digital asset business in Thailand without a licence.

There are several regulations that fintech business operators must comply with to run their businesses. However, those relating to privacy, cybersecurity, social media and software development are not specific to fintech businesses and apply to all business activities, including those conducted in a more traditional manner.

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was passed to create a regulatory regime and requirements for processing and the protection of personal data in Thailand. The Thai government introduced the PDPA to enhance personal data protection and align with the EU’s General Data Protection Regulation (GDPR).

Furthermore, the Cyber Security Act B.E. 2562 (2019) (CSA) categorises cyberthreats into three levels as follows:

  • non-serious cyberthreats;
  • serious cyberthreats; or
  • critical cyberthreats.

Such threats shall be subject to investigation and the private operator may be required to:

  • provide access to relevant computer data or computer systems, or other information relating to the computer system;
  • monitor the computer or computer systems; and
  • allow officials to test the operations of the computer or computer system, or seize a computer or a computer system.

Auditors may monitor industry participants for accounting purposes. Industry participants may voluntarily perform internal audits for various matters, ie, IT audits. Currently, there are no other organisations that have the power to supervise, regulate or monitor participants in the fintech industry.

Recently in Thailand the Thai Fintech Association was established and registered as a non-profit organisation. The organisation has the main obligation to:

  • be a centre of knowledge of fintech;
  • support public’s use and accessibility to fintech services; and
  • support standardisation of the fintech industry.

At time of writing, the Thai Fintech Association has neither been granted with authoritative power from the regulator, nor have regulations been passed to allow them to supervise the industry participants. However, as regulators appear to be encouraging self-regulation mechanisms in the fintech industry, the Thai Fintech Association may become a key organisation in establishing wider sector policies and standardisation.

The Thai Fintech Association, the Thai Blockchain Association, the Thai Digital Asset Association and the Thai Digital Trade Association were established to support and be the voice of each ecosystem.

Certain regulations restrict a licensee from providing business services other than those covered under the relevant license held by the business operator, or business services/activities that are related to the licensed business activity.

Under the Payment System Act, business operators licensed and engaged in e-money services may not operate other businesses, except for those for which those operators are licences to perform or business activities that support e-money business services.

The Anti-Money Laundering Act B.E. 2542 (1999) (“AML Act”) and the Counter-Financing of Terrorism and Dissemination of Weapons of Mass Destruction Act B.E. 2559 (2016) are two primary laws regulating anti-money laundering in Thailand.  Fintech businesses may be required to comply with these two laws since they may deal with financial activities, such as e-payment systems, money exchange, or financial institutions (as prescribed under the AML Act (the “Specified Operators”)).  If a particular fintech business is included in the scope of the Specified Operators, such fintech operator is required to verify the identity of its customers upon commencement of certain types of activities, conduct customers’ due diligence, and report any suspicious transaction to the relevant authority.

As most fintech companies are carrying out a business as Specified Operators, they have a duty to comply with criteria specified under the law which are as follows:

  • reporting transactions to the Anti Money Laundering Office involving the use of cash or asset in an amount exceeding that prescribed in sub-regulations or suspicious transactions;
  • identifying customers prior to making any transactions;
  • determining policies for customers, money laundering risk management policies and conducting due diligence on customers when making the first transaction; and
  • recording any facts relating to any transaction that has been made.

The criteria under the AML Act results in more procedures and steps for effectuating each transaction and fintech companies may have to establish a compliance department to comply with anti-money laundering criteria. Also, fintech companies may have to prepare a system for storing information of transactions and customers, and the security of such systems.

In addition to the above, in relation to digital assets, other than compliance with the AML Act, the SEC is considering issuance of a regulation regarding the prohibition of issuing or providing services related to "privacy coins" in order to prevent the use of digital asset as tools for illegal actions.

Thailand has not adopted regulations that specify which business operators or activities require use of robo-adviser, although some Thai fintech operators do utilise robo-adviser technology.

Wealth advisors are encouraged to use fintech to generate financial solutions, and to serve as an aiding tool for financial planning under the SEC’s framework. According to the Notification of the Office of SEC No SorThor 31/2561 Re: Rules in Details on Wealth Advisory Service Business, operators must complete the process of client contact and services in five steps as follows:

  • exploring and understanding customers;
  • constructing an investment portfolio;
  • implementing the portfolio according to the asset allocation plan;
  • monitoring and rebalancing the portfolio; and
  • providing consolidated reports for clients' review.

A wealth advisor shall also have an electronic system that can support the actions in bullet points three and four.

Legacy players must comply with the regulations applicable to their traditional business activities and operations, including implementing robo-advisory services. In this regards, legacy players have been very quick to adapt and use robo-advisers in their businesses over the last few years. Private sector banks use robo-adviser-based solutions in developing tools for customer satisfaction, new products and services, and improvements.

The largest use of robo-advisers has occurred with wealth management in developing custom-made trading and wealth solutions.

Records available to the public do not cases of customer complaints related to the use of robo-advisory services.

However, securities and derivatives business operators have an obligation to carry out their business on a best execution basis as specified in the Notification of the Capital Market Supervisory Board No TorThor. 35/2556 Re: Standard Conduct of Business, Management Arrangements, Operating Systems, and Provision of Services to Clients of Securities Companies and Derivatives Intermediaries. As such, securities and derivatives business operators who use robo-advisory technology also have a duty to provide their services on the basis of best execution.

Regulations for both online and offline loan business activities are generally the same. Different regulations apply to the type of loan, not the business operations of the operator/service provider.

For example, a supervised personal loan is a loan provided to the individuals not for commercial purposes. A supervised personal loan cannot be granted which is more than five times the average income per month of a borrower. Pico finance is a personal loan granted to prevent or solve informal debt issues. A pico finance may not exceed THB50,000.

However, in 2021, the BOT has permitted a licensed personal loan business provider to offer digital personal loans services in Thailand under the approval of BOT. Lenders may grant a digital personal loan with a maximum credit amount of THB40,000, and a maximum repayment period of 12 months (effective until 31 December 2022).  Effective rates of interest charged with fees must not exceed 25% per annum. The BOT regulations relaxes certain criteria for the provision of a personal loan and provides some flexibility, such as use alternative data for the financial services providers to provide online lending.

There are no specific underwriting processes for online lenders prescribed by regulations in Thailand. Commercial banks may develop their own underwriting standards and compliance measures. If a loan is made for a certain industry, a specific industrial underwriting standard may apply. The BOT will monitor a commercial bank’s underwriting behaviour and may announce notifications to supervise any type of lending activities to upgrade underwriting standards if it appears that the current standard in the market is too lenient.

As mentioned in item 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, there are no specific regulations for online lending or offline lending. Online lending is subject to the same regulations as offline lending.

Thus, the source of funds, the method of raising funds and restrictions will depend on the of business activity.

Online lending is normally for the individuals in Thailand. As such, syndication of loans is uncommon. However, there are no restrictions to syndicating online loans. 

There are no specific requirements for payment processors to use existing payment rails such as credit cards or electronic payment settlement agencies. However, payment processors have to apply for a licence from the Ministry of Finance as recommended by the BOT, or have to register with BOT in accordance with the Payment Systems Act.

A payment processor who implements new technology into their business operations can apply to participate in the BOT’s regulatory sandbox if all qualifications are met.

Under Thai law, there are specific restrictions for inward remittances. However, outward remittances have to be done through an authorised agent of the BOT (any commercial bank). A remittance of funds may also require permission from the BOI if the purpose of the remittance is restricted. In such cases, the person remitting the money must obtain approval through an authorised bank by submitting supporting documents to a commercial bank prior to the fund transfer.

Nevertheless, if the amount of such remittances is equal to or more than USD200,000, supporting documents are needed to be submitted to the authorised commercial bank. The list of supporting documents is not determined by regulations from the BOT. Each authorised bank is entitled to request any documentation from a person remitting funds based on their discretion on a case-by-case basis, which can vary depending on the underlying transactions (eg, loan, service agreement, sub-licence agreement and purchase price).

E-money Remittances

Outward e-money remittances must be done through an authorised e-money operator. The purpose of outward e-money remittances are generally listed as payment of goods and services to other domiciled in a foreign country.

The BOT issued a notice from the Competent Officer permitting non-bank operators to apply for foreign exchange e-Money (FX e-Money) licences to issue e-money in foreign currencies. These licences allow non-bank operators to make cross-border remittances for their customers’ payment of goods and services. Non-bank e-money service providers are thus able to cater to the demand of customers when travelling.

In general, a fund administrator, in the form of an outsourcing company, that provides the service of supporting the process of managing a fund are not directly regulated by any agencies in Thailand. However, the operators or fund managers must comply with the regulation which is applicable to the outsourcing of their administrative work. The SEC has the power to announce the qualifications and guidelines applicable to the outsourcing of administrative services to funds to third parties. For example, according to the Capital Market Supervisory Notification No TorThor. 60/2561 Re: Rules, Conditions and Procedures for Outsourcing Functions related to Business Operations to [a] Third Party, the operator has to determine the policies, measurements and procedures for outsourcing to a third party to conduct work relating to the operator’s business in accordance with the criteria specified in the notification.

Nevertheless, the scope of administration task of fund is also guided by SEC to ensure that investors are protected, and each fund possesses internal system and policy that are standardised and reliable. 

The contractual terms depend on the commercial issues and other regulations that may apply to a specific financial service provider. However, with regard to outsourcing in connection with the securities service providers, The Notification of the Capital Market Supervisory Board No TorThor. 60/2561 Regarding Rules, Conditions and Procedures for Outsourcing Functions related to a Business Operations to a Third Party specifies required clauses that securities service providers must include in a written contract when obligations for services related to business operations to a third party. Terms required under this Notification in a written contract include the following:

  • duties and responsibilities of the service provider covering at least the following:
    1. liability to the intermediary as a result of the service provider acting or omitting to act intentionally or negligently;
    2. measures and arrangements for the business continuity of the service provider which shall include the outsourced function;
    3. information security, confidentiality and privacy regarding information of the intermediary and clients; and
    4. service provider shall comply with the rules regarding the outsourced function as prescribed by the SEC, the Capital Market Supervisory Board or the SEC Office, including the guidelines specified by the intermediary in compliance with such rules;
  • consent of the service provider for the SEC Office to inspect its operation, retrieve for viewing or examine relevant evidentiary documentation;
  • causes, conditions and procedures for terminating the contract or suspending operation (under such contract); and
  • remuneration and charged expenses.

Digital asset exchanges are trading platforms for both cryptocurrency and digital token. Currently, exchanges for cryptocurrency and digital tokens are subject to the same regulatory regime under the Digital Asset Decree.

Cryptocurrency and digital tokens are both governed under the Digital AssetDecree however the regulatory regime with respect to digital assets operators is substantially similar for both cryptocurrency and digital token.

However, certain cryptocurrencies and digital tokens were prohibited to be listed and traded on licensed digital asset exchange’s platforms, for example, meme tokens, fan tokens and NFTs.

A potential change of the regulatory structure is discussed in the last paragraph of 12.3 Classification of Blockchain Assets.

Cryptocurrency exchanges are subject to a separate regime under the Digital Asset Decree. See 7.1 Permissible Trading Platforms for more information.

The SEC prescribes the listing standards for an initial coin offering (ICO) in the Notification of the Securities and Exchanges Commission No GorJor 15/2561 re: Offering of Digital Tokens to the Public.


According to the listing standards, among other requirements, the applicant for an ICO must be a limited company or a public limited company which is not insolvent. The applicant must also show that the ICO portal has considered that the ICO is in compliant with this Notification. There are also requirements on the underlying assets if the underlying assets of the digital tokens are real estate.

There are also requirements that the offeree must comply with and limitation on the number of digital tokens that can be offered to general investors. The applicant needs to also proves to the Office of the SEC that the business models and smart contracts are enforceable and that the applicant will not take advantage of the investors.

In 2021, the SEC added additional requirements for an ICO of a real estate-backed digital token with the aim of bridging the gap in regulations between the offerings of real estate-backed digital tokens and those of real estate investment trusts (REITs).


Prior to the offering, the issuer must obtain approval from the office of the SEC, submit registration statements and draft prospectuses as indicated in the SEC’s notification. The offer for sale of digital assets is permissible only after the registration statements and the draft prospectus have been approved by the SEC. The offer for sale shall be made via the system provider, ICO portal, that is approved by the SEC.

There are no specific order handling rules applicable to digital asset operators.

Currently, peer-to-peer energy trading platform initiatives in the energy sector are on the rise while adoption of peer-to-peer trading platforms in other industries (including fintech) is still rather limited.

This type of platform may not fit into the existing categories of businesses eligible for licences and, therefore, the SEC may need to revise the regulations on digital assets to capture this type of platform.

The duty of best execution is one of the duties imposed on securities and derivatives business operators under the Notification of the Capital Market Supervisory Board No TorThor. 35/2556 Re: Standard Conduct of Business, Management Arrangement, Operating Systems, and Providing Services to Clients of Securities Companies and Derivatives Intermediaries.

In relation to digital asset transactions, there are no specific order handling rules applicable to digital assets operators.

There are no specific rules of payment for order flow applicable to digital asset operators. However, there is a general prohibition on the receipt of benefits in excess of that which should be received or rewarded in normal commercial practice.

Under the Securities and Exchange Act B.E. 2535 (1992), there are various offenses which are aimed to protect market integrity and prevent market abuse. To highlight a few:

  • insider trading – anyone who has material inside information is prohibited from buying of selling of securities to which such inside information is related;
  • market manipulations – trading of securities with an intent to manipulate the market is also prohibited; and
  • misstatement – dissemination of false information with an intent to mislead is also prohibited.

The regulations do not specifically state the criteria for using algorithmic trading for each asset.

However, under the SET Notification Re: Procedures on Trading, Clearing and Settlement of Securities in the Exchange specifying the criteria for the use of computer programs in creating and recording orders automatically (the “Program Trading”) including Algorithmic Trading, an operator who wishes to use the Program Trading has to obtain approval from the SET before using such Program Trading.

The SET also provides guidelines regarding the qualifications and criteria for the Program Trading that will be used in the market.

The Notification of the Stock Exchange of Thailand Re: Persons Involved in the Trading System B.E. 2555 (2012) having the following qualifications are required to register as market makers:

  • be a member or a non-member juristic person certified as a market maker by a member whereby such juristic person shall undertake clearing and settlement through the member;
  • possesses experience as a market maker or possesses personnel with sufficient knowledge and expertise to be trusted to perform the duty of a market maker;
  • possesses a system or procedure that indicates readiness to act as a market maker including sufficient policies and measures for risk management;
  • is not currently prohibited from undertaking registration as a market maker under Clause 12 (2) (never had its registration as an authorised officer revoked as a penalty by the Stock Exchange of Thailand within five years prior to the application for the appointment); and
  • possesses other qualifications as prescribed by the Stock Exchange of Thailand.

Moreover, Thailand Futures Exchanges (TFEX) has also specified that the following qualifications are required to register as market makers:

  • be a member of TFEX or be a [member’s] corporate client who is a member named to TFEX as a market maker or be any other juristic person having a clearing guarantee agreement with a TCH member;
  • have the experience of being a market maker for derivatives trading or have personnel who possess credible knowledge and competency to act as a market maker;
  • have sufficient system readiness or can demonstrate that there is a procedure and readiness to act as a market maker, and also have a risk management policy to deal with potential risk that may arise from [the marker maker’s duty]; and
  • have stable financial status and have no risk that may the affect market maker’s duty.

TFEX may stipulate such additional qualifications as it deems appropriate for persons wishing to be any of the following market makers:

  • a market maker who is either a juristic person customer whose status as a market maker has been notified to TFEX by a member or a juristic person having an agreement with a TCH member to guarantee clearing and contract settlement; or
  • a market maker in Thai baht or US dollar futures.

From a regulatory perspective, there is no distinction between funds and dealers in the algorithmic trading area.

There is no regulation specifically governing programmers and programming under Thai law. However, in relation to programming, an algorithm has to be approved by the authority and the programmers have to be aware of the prohibited characteristics of trading as specified in the Securities and Exchange Act B.E. 2535 (1992) (the “SEC Act”).

There is no specific regulation governing an operator providing financial research services.

The SEC Act specifies measurement and punishment for any persons who spread rumours and information that might cause manipulations or misunderstandings in the securities market.

For example, pursuant to the SEC Act, a person who informs, disseminates, or certifies any statement or information that is false or materially misleading about the financial condition, business operation, the price of securities or any other information related to a securities issuing company in such a manner that is likely to have an effect on the price of securities or the decision making on securities investment shall be subject to the punishment.

In addition, the person spreading rumours that are false may be subject to the Computer Crime Act Criminal Law B.E. 2550 (2007) since the act states that any person involved in importing to a computer system forged computer data, either in whole or in part, or false computer data, in a manner that is likely to cause damage to that third party or the public shall be subject to the punishment.

In respect of the legislation, as mentioned in item 9.2 Regulation of Unverified Information, the SEC shall punish a person who spreads information that can mislead the public.

Underwriting processes differ according to the products and business operators. The insurance laws (ie, the Life Insurance Act B.E. 2535 (1992) and the Non-Life Insurance Act B.E. 2535 (1992)) govern various aspects of the underwriting processes of business operators. In particular, sales and offers of insurance products are heavily regulated.

Given the extent of insurance regulation, insurtechs normally face a number of legal obstacles. Recognising these constraints and at the same time trying to promote innovation in the industry, the Office of Insurance Commission (OIC), the insurance industry regulating entity, has launched the OIC Insurance Regulatory Sandbox and set up the Centre of Insurtech Thailand (CIT) with an aim to promote insurtech.

There are two regulatory regimes:

  • life insurance regime under the Life Insurance Act B.E. 2535 (1992) which covers life and annuities; and
  • non-life insurance regime under the Non-Life Insurance Act B.E. 2535 (1992) which covers property and casualty.

Many aspects of the Acts are similar, but the licences for life insurance and non-life insurance business are separate and the same legal entity cannot engage in both types of business.

There are no overarching regulations that govern regtech generally. Whether regtech providers are subject to any regulations needs to be analysed on a case-by-case basis.

Currently, in Thailand, the area that is considered one of the most advanced in terms of regtech development is electronic authentication and verification of identity (e-KYC).

After the amendment to the Electronic Transaction Act B.E. 2544 (2001) No 4 was enacted, authentication and verification of identity in electronic form became recognised and admitted under Thai law.

Electronic Identity Verification

The BOT has also adopted electronic authentication and verification of identity for the opening of accounts with financial institutions. Previously, financial institutions had to conduct Know Your Customer Processes (KYC) on a face to face basis (physical KYC). Non-face to face KYC has been accepted in practice since the notification of the BOT was adopted. Electronic KYC can be performed by financial institutions for the opening of accounts by customers via online platforms.

In addition to electronic KYC, there is another central platform in Thailand called the National Digital ID Platform (“NDID Platform”). This system collects customer’s information for any financial institutions to use to verify customers. The NDID Platform is an important system for Thai financial institutions to use to verify its customers. Many banks in Thailand have decided to use the NDID Platform to facilitate the KYC process.

The contractual terms of use of service provided by a third party may also be regulated depending on the type of business. Theoretically, certain functions which are not the main activities of financial service providers (which normally requires a licence, approval or registration) can be outsourced to a third party.

For instance, pursuant to the BOT Notification No SorNorSor. 16/2563 Re: Regulations on the Use of Services from Business Partners of Financial Institutions, in order to use a service of a business partner, the financial institution must create guidelines on risk management and customer protection. However, strategic functions must be carried out directly by financial institutions themselves. In addition, financial institutions also have to submit an annual report to the BOT on the use of services provided by business partners that may cause significant risks or impacts on the public at large.

In respect to IT outsourcing, financial institutions have to comply with the guidelines on risk management implementation of third parties. These cover issues such as risk governance, third party risk management and reporting obligations to the BOT.

Non-regulated contractual terms largely depend on the commercial issues and other regulations that may specifically apply with that financial institution. Therefore, contractual terms have to be negotiated and agreed on a case by case basis.

Many of Thai financial institutions, including the Bank of Thailand (BOT), have been keen on adopting blockchain technology.

In 2020, the BOT launched a new blockchain based platform for government bond issuance. This project is a collaborative effort with the Public Debt Management Office, Thailand Securities Depository Co, Ltd, Thai Bond Market Association and several selling-agent banks.

In addition, certain commercial banks in Thailand have adopted blockchain technology in order to develop their operations, such as monitoring the correctness of financial transactions, cross-border transfer of funds, issuing bank guarantees and development other aspects relating to financial infrastructure.

Even though the Bank of Thailand and the Office of the Securities Commission are very cautious about the sale of blockchain-based digital assets and cryptocurrency, they and other local regulators are very positive about blockchain technology and are very keen on utilising the blockchain technology.

The Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) (“Digital Asset Decree”), which governs blockchain assets under a defined term called “digital assets”, separated into two types: cryptocurrency and digital tokens.

“Cryptocurrency” is defined as an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services, or other rights, including the exchange between digital assets.

“Digital tokens” are defined as an electronic data unit built on an electronic system or network for the purpose of specifying the right of a person to participate in an investment in any project or business, or to acquire specific goods or services. Digital tokens are further separated into two types: investment tokens and utility tokens.

Regulating Digital Assets

Currently, the SEC regulates digital assets based on the activities of the operators with some differences based on the types of digital assets (eg, there are some differences in requirements with respect underlying assets which are in the form of real estate) by the Digital Asset Decree.

The concept closest to “issuers of blockchain assets” are the “issuer” of digital assets under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018).

The issuer of an initial coin offering (ICO) must be a limited company or a public limited company. Prior to the offering, the issuer shall obtain approval from the office of the SEC, submit registration statements and draft prospectuses as indicated in the SEC’s notification. The offer for sale of digital assets is permissible only after the registration statements and the draft prospectus have been approved by the SEC. The offer for sale shall be made via the system provider, the so called ICO portal, which has been approved by the SEC.

A potential change of the regulatory structure is discussed in the last paragraph of 12.3 Classification of Blockchain Assets.

The concept closest to blockchain asset trading platforms under Thai law is “digital asset exchange” under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). “Digital assets exchange” is defined as any centre or network established for purchasing, selling or exchanging digital assets, by means of the matching or finding of parties or the provision of a system or facilities whereby those intending to purchase, sell or exchange digital assets may reach agreements or may be matched.

Digital assets exchange operators must apply for permission. This would be granted by the Minister of Finance upon the SEC’s recommendation. The appointment of directors and executives of the operator must also be in accordance with the notification and such appointment will be valid upon the approval by the Office of the SEC.

The exchanges are obliged to comply with all guidelines specified by the Office of the SEC including source of funds, protection of customers’ assets, and prevention against electronic theft, measures on KYC and a reliable accounting system approved by the SEC. Among other obligations, the operator must segregate the customers’ assets retained from its own assets.


Under the Notification of the SEC Re: Rules, Conditions and Procedures for Undertaking a Digital Asset Business (No 11) ("NFT Regulations"), digital asset exchanges are obliged to set up their listing rules to prohibit token issuers from listing utility tokens or certain types of cryptocurrencies that have the following characteristics:

  • Meme tokens – having no clear objective or substance or underlying substance, and whose price runs on social media trends.
  • Fan tokens – tokenised by the fame of influencers.
  • Non-fungible tokens (NFTs) – a digital creation to declare ownership or grant of right in an object or other specific right. It is unique and not interchangeable with digital tokens of the same category and type at the equal amount.
  • Digital tokens which are utilised in a blockchain transaction and issued by digital asset exchanges or related persons.

Thai law is silent on how funds could invest in blockchain assets.

Virtual currencies are not a defined term under Thai law. However, under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018), “cryptocurrency” is defined as "an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services, or other rights, including the exchange between digital assets". Cryptocurrency is different from digital tokens in the sense that it is a medium of exchange while digital tokens, which are another type of blockchain asset defined under the Emergency Decree, has the main purpose of determining the right to participate in an investment or to acquire goods or services.

A potential change of the regulatory structure is discussed in the last paragraph of 12.3 Classification of Blockchain Assets.

“DeFi” is not defined under Thai law. Thus, there is no specific regulation under Thai law regulating DeFi platforms or transactions. However, on a case-by-case basis, if any transaction related to Defi relates to the purchase and sale of digital tokens and cryptocurrency, or other regulated business, operators related to the DeFi business are subject to the Digital Asset Decree.

To determine whether an NFT will be regulated under Thai law, a determination of whether that NFT falls within the definition of a "digital token" under the Digital Asset Decree. Certain NFTs may be considered as utility digital tokens if such NFTs grant the holders a right to obtain any goods, services or assets.

Under the SEC’s guidelines issued on 6 January 2022, there are certain types of NFTs that are exempted from the NFT Regulations and the Digital Asset Decree, including NFTs that are utility tokens with ready-to-use underlying products or services as of the date of offering. To further elaborate, NFTs that are exempted are those that are an asset itself, being inseparable and does not represent any rights or the intention to be utilised as a medium of exchange (eg, NFTs that are created by storing a digital file on an Interplanetary File System (IPFS) issued for the convenience of exchange, and such digital file and NFTs must be transferred together, inseparable, and cannot be modified).

As of now, there is no specific regulation which specifically supports an open banking system.

Even though the BOT has a facilitative approach to encourage all financial institutions to co-operate with one another to create the application programming interface (API), to date, the government has not issued any regulation that provides solid criteria, procedures and conditions for open banking.

Apart from the above, currently, financial institutions have coordinated with the National Digital ID (NDID) to facilitate customers in opening accounts online. The online opening of accounts may be categorised in three cases as follows.

  • Opening a new account in the case such customer has had an existing account opened with the account bank, that customer may open a new account via mobile banking immediately.
  • Opening new an account by using information of identification from other banks kept in the NDID Platform. A customer may be verified and identified across the account banks through the digital platforms of the banks that the customer has opened account with.
  • Opening a new account without information kept in the NDID Platform. In this case, the customer is required to identify themselves in accordance with each bank’s criteria, which may be conducted through mobile banking applications.

As there is no specific regulation for API co-creation, all financial institutions need to comply with the Personal Data Protection Act B.E. 2562 (2019). In doing so this may result in inconvenience and delay.

According to the Personal Data Protection Act, in order to collect, use, disclose and/or transfer personal data, financial institutions must obtain prior written or electronic consent from the individual customer whose personal data would be disclosed. In addition, it is important to note that the consent from the individual has to be the explicit consent.

Chandler MHM Limited

17th and 36th Floors
Sathorn Square Office Tower
98 North Sathorn Road
Silom, Bangrak
Bangkok 10500

+66 2009 5000

+66 2009 5080
Author Business Card

Law and Practice in Thailand


Chandler MHM Limited recognises the importance of technology in today’s constantly evolving technology-dependent world and the impact it has on business. The firm's priority is to help clients navigate the legal and regulatory challenges in the technology sector. The team, which is based in Thailand, has extensive experience advising technology companies. The firm advises clients across a broad spectrum of technology-related areas, including cybersecurity, data privacy, e-commerce, esports, fintech and health tech. Chandler MHM has a strong, on-the-ground presence in Asia and globally.