Fintech 2023 Comparisons

Last Updated March 23, 2023

Contributed By Chandler MHM Limited

Law and Practice


Chandler MHM Limited recognises the importance of technology in today’s constantly evolving technology-dependent world and the impact it has on business. The firm’s priority is to help clients navigate the legal and regulatory challenges in the technology sector. The team, which is based in Thailand, has extensive experience advising technology companies, and advises clients across a broad spectrum of technology-related areas, including cybersecurity, data privacy, e-commerce, esports, fintech and health tech. Chandler MHM Limited has a strong, on-the-ground presence in Asia and globally.

Thailand is a pioneer in Southeast Asia in the adoption of 5G technology to improve and expand the country’s capacity for deep technology such as blockchain, artificial intelligence (AI), big data, robotics, cloud computing and machine learning. As a result of proactive development of its information communication technology (ICT) facilities and the regulatory environment, Thailand is one of the fastest-growing fintech markets in ASEAN, and currently has one of the world’s largest consumer bases for fintech mobile banking.

According to the Bank of Thailand’s (BOT) latest data published as of the publication of this article, the volume of e-payment in Thailand has consistently been increasing. Internet and mobile banking are the most popular e-payment channels with approximately 136.8 million accounts and more than 2,033 million transfers and payment transactions in November 2022.

Developing Accessibility

The Thai government has been promoting fintech by developing accessibility to government platforms. The BOT has co-operated with global card network service providers to create an innovation called the “Thai QR Code” which facilitates payments via debit cards, credit cards, e-wallet and e-payments through bank accounts using the Thai QR Code as an intermediary.

During the COVID-19 pandemic, the Thai government created the e-wallet application “Pao Tang” to give financial support to people who qualified for the programme, as well as to stimulate the Thai economy. Granted-in-aid subsidies will be credited to the application which can be used as intermediaries for payment of goods with registered vendors. This has helped the people of Thailand become more familiarised with QR Code payment systems and has enabled a new level of fintech adoption in the country. Coupled with a push for contactless payments due to the COVID-19 pandemic, fintech has become more widespread and the use of electronic transactions has become more normalised in Thailand.

In addition, the BOT together with central banks of four ASEAN countries (ie, Indonesia, Malaysia, the Philippines and Singapore) jointly signed a memorandum of understanding to strengthen and expand the cross-border payment system, which includes the development of an interoperable QR code and fast payment.

Regulatory Impact on the Digital Asset Market and Business

There have been several significant regulations and guidelines regarding the digital asset market and business from relevant regulators issued throughout 2022, pushing digital asset business operators to face numerous additional obligations in their business operation and marketing plans. Among these, the most impactful included the Securities and Exchange Commission of Thailand (SEC), in joint consideration with the BOT and the Ministry of Finance (MOF), enacting a notification prohibiting digital asset business operators from the usage of digital assets as a means of payment for goods and services. This led to the abrupt decline in the use of digital assets as a means of payment. The SEC also put in place regulations applying more restrictions on business – ie, the prohibition of privacy coins to prevent the use of digital assets as tools for illegal actions, or a limitation on the advertising of digital assets.

The SEC has also added a digital asset custodian to one of the regulated businesses under the Emergency Decree on Digital Asset Businesses BE 2561 (2018) and introduced rules on the management system for the custody of digital assets and cryptographic keys. Moreover, in early 2023, the SEC proposed draft regulations on ready-to-use utility tokens in order to enhance protection for investors.

Upcoming Framework for Virtual Banks

Due to the rapid development in digital finance, almost all business operators in Thailand, whether banks or non-banks, have been focusing on providing services via digital channels. The BOT, with the objective of promoting financial inclusion and competition in the financial market, has announced its guidelines for public hearing in granting first-round virtual bank licences for up to three qualified operators to start business in the restricted phase for approximately three to five years, before moving to the full-functioning phase. In this regard, the BOT aims to open for application within the second quarter of 2023, conclude its considerations, and then grant the licences by 2024.

The major players in the Thai fintech industry are predominantly financial institutions and traditional non-banking financial institutions. They have been adopting technology for their services to facilitate customers’ needs and to increase market share. Other players include venture capitalists and start-ups.

The main fintech business models in Thailand are as follows.

E-money, E-wallets and E-payment

E-money, e-wallet and e-payment service providers are some of the most significant players in the Thai fintech industry. The recent rise in the number of online payments, mobile banking payments and mobile banking users caused financial institutions and non-bank financial operators (financial service providers) to adopt financial technology in the operations of their normal banking businesses. Their business operations and services could then be conducted or provided through their online platforms instead of at physical branches. 

Other than financial service providers, there are a number of new players in this area, with most entering the industry as venture capital companies and start-up companies. Other investors have decided to co-operate and partner with major social platform business operators. The purpose of co-operation is to use such platforms to reach customers.

For foreign financial service providers that might not be able to secure a full-service licence, due to certain limitations in their own capacity or strict qualifying requirements under Thai law, partnering with legacy financial institutions or full-service licensees are alternative solutions.

Financial institutions or licensees can act as the local service providers under this business model. This type of business model can also help foreign entities in the sense that there will be fewer licences that the foreign entity must obtain from the government.

Digital Assets

In 2018, the SEC recognised digital tokens and cryptocurrency as digital assets. Business operators are categorised into two groups, as follows.

Primary market

The business operator in the primary market can be either:

  • an ICO issuer which is looking to raise funds by issuing coins; or
  • an ICO portal which provides offering token digital system services.

There was one ICO issuer approved by the SEC in 2021, and another in 2022. Issued digital tokens have been real estate-backed and project-backed digital tokens. For the first ICO project, the token-holders are entitled to receive revenue shares from the revenue stream of underlying assets of the tokens.

Secondary market

In the secondary digital assets market, service providers related to digital assets that are recognised by Thai regulations and supervised by the SEC are as follows:

  • digital asset exchanges;
  • digital asset brokers;
  • digital asset dealers;
  • digital asset advisory services;
  • digital asset fund managers; and
  • digital asset custodians.

Digital Lending

Digital lending is an important platform that financial service providers use to reach new retail customers, eliminate physical limitations, and facilitate business activities with customers. Many financial service providers, especially personal loan providers, are interested in expanding their online services. 

Some financial service providers have chosen to co-operate with social platform operators in providing the digital lending to that platform’s customers, and vice versa, rather than build up their own (online) platform and obtain licences.

Peer-to-Peer Lending Platform

Currently, there are few players in peer-to-peer lending due to the lack of information and precedent cases in Thailand. Peer-to-peer lending platforms are electronic platform services that operate as matchmakers between lenders and borrowers. The platform’s role also includes facilitating loan contracts, and carrying out fund transfers and repayments between the parties. According to the BOT, one peer-to-peer lending service operator has obtained a licence to operate business from the MOF. Additionally, two operators are testing their systems in the BOT regulatory sandbox.


There is both equity and debenture crowdfunding of private and public limited companies through crowdfunding portals in Thailand. In this respect, crowdfunding, in which shares or debentures are issued as consideration, is deemed as a type of public offering under SEC regulations. A crowdfunding portal operator must obtain a licence from the Office of the SEC.

Artificial Intelligence Advisers

Many business sectors have adopted computer or artificial intelligence to enhance business efficiency. In Thailand, fintech businesses also use artificial intelligence to advise clients in wealth creation and management.

Currently, in Thailand the fintech industry is not directly regulated by any specific overarching legislation. However, operators need to comply with certain business-related regulations.

The key regulations related to fintech business activities are as follows.

Payment Systems (Including E-money, E-wallet and E-payment)

In order to enhance supervision of payment systems and payment services, the Payment Systems Act BE 2560 (2017) (the “Payment Systems Act”) was enacted and came into effect on 16 April 2018. Its main purpose is to regulate the following.

  • Highly important payment systems, which are payment systems that are important to the security and stability of payment systems, financial systems, or monetary systems of the country.
  • Designated payment systems, which are:
    1. payment systems that are networks between system users that handle fund transfers, clearing or settlement, such as retail funds transfer systems, payment card networks, settlement systems, etc; or
    2. any other payment systems which may affect the public interest, public confidence or stability and security of the payment systems.
  • Designated payment services, which are:
    1. provision of credit cards, debit cards or ATM card services;
    2. provision of e-money services;
    3. provision of accepting electronic payments for and on behalf of others;
    4. provision of e-money transfer services; and
    5. other payment services which may affect payment systems or the public interest.

Digital Assets

The Emergency Decree on Digital Asset Businesses BE 2561 (2018) (the “Digital Assets Decree”) was enacted to regulate offerings of digital assets and businesses undertaking digital asset-related activities. The Digital Assets Decree aims to enhance the standards of the digital assets market to be in line with international standards and to protect players in the market. Digital assets under this decree mean cryptocurrencies and digital tokens that are regulated by the Digital Assets Decree under the supervision of the MOF and the Office of the SEC.

Digital Lending

On 15 September 2020, the BOT issued Circular No BOT.FhorGorSor (01) Wor 977/2563 Re: Criteria, Procedures and Conditions on Digital Personal Loan Business Operations. The purpose of this BOT circular is to relax the criteria for personal loans for those who do not have regular or proof of income, or for those without collateral, and to grant flexibility to personal loan providers in providing personal loans in an electronic form. However, for other types of loans which are not personal loans, financial service providers still have to comply with regulations that do not specifically regulate digital lending.

Peer-to-Peer Lending Platforms

On 29 April 2019, BOT Notification No SorNorSor 4/2562 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer Lending Platform Businesses (the “Peer-to-Peer Lending Platform Notification”) was announced in the Government Gazette and became effective on 30 April 2019. This notification prescribes the criteria for peer-to-peer lending platform operators and the other participants in the platform.

A person who wishes to operate a peer-to-peer lending platform must participate in the BOT’s regulatory sandbox until completing a successful test and must be able to provide an extensive scope of services in Thailand. Once these conditions are met, the operator may apply for a licence from the MOF through the BOT. A peer-to-peer lending platform operator can only act as an online marketplace or matchmaker to facilitate THB loan agreements between lenders and borrowers. Lenders can be either individuals or juristic persons. Borrowers must be individuals.

Electronic Transactions

The Electronic Transactions Act BE 2544 (2001) (the “Electronic Transactions Act”) supports the legal validity of electronic transactions performed via electronic systems. If a transaction is performed in the form of electronic data in accordance with the rules and procedures under the Electronic Transactions Act, the transaction is deemed to be validly binding as if entered into in accordance with other laws governing transactions entered into by other platforms or means.

The criteria and restrictions for charging service fees depend on the type of business, business model and services provided to customers. The criteria for disclosures of services or fees depend on the regulations related to the business or business activity that the operator carries out. Generally, the operator has to disclose details of fees that will be charged to customers, and the threshold or criteria for setting the fees charged to customers. 

For example, under the Payment Systems Act, payment service providers must disclose information on service fees, as follows.

  • Information of service fees to customers by notice at all locations that services are provided to service users, or by any other means that will inform service users of the service fees. Service fees must be reasonable. 
  • Information on any changes to service fees by notice at all locations that services are provided to service users, or by any other means that will inform service users of changes to service fees. Advance notice to service users of at least 30 days prior to the effective date of the change in service fees is required if such changes to service fees may be detrimental to service users.
  • Details of service fees must be submitted to the BOT electronically, as permitted by the BOT, as soon as possible from the commencement date of undertaking the business and each time there is a change in service fees.

There are no significant differences between regulations governing fintech operators and regulations governing legacy players. Some fintech business operations are covered by licences already held by legacy players. Both fintech operators and legacy players have to comply with the regulations set out in 2.2 Regulatory Regime. Other relevant laws and regulations applicable to general business enterprises will also apply.

Financial Services

Under the 2019 regulatory sandbox guidelines, the “own sandbox” was introduced in addition to the existing regulatory sandbox under the BOT’s supervision. The regulatory sandbox is a project for financial service providers to test their financial services that incorporate new technologies under controlled conditions.

Financial service operators that can apply for testing in the regulatory sandbox must be as follows.

  • Under the BOT’s supervision.
  • Financial services or fintech innovation using new technologies which are new or differ in some way to the existing financial services or products in Thailand or an innovation to enhance the efficiency of existing products or services.
  • Financial services which:
    1. are to be developed into infrastructure or standard practices for Thailand’s financial sector and the financial service providers to co-operatively experiment; or
    2. under relevant laws and regulations, are required to test in the BOT’s regulatory sandbox.

The participants consist of:

  • financial institutions;
  • companies within a group of financial institutions;
  • non-banks under the BOT’s supervision;
  • fintech firms; and
  • technology firms which wish to experiment with financial services or fintech innovation individually or in conjunction with the previous other participants.


The amended regulatory sandbox regulations that became effective in 2020 give more flexibility to the operator by increasing the types of businesses that can participate. According to the SEC, the types of business under the amended regulatory sandbox regulations cover all activities in capital markets. The additional types of businesses are as follows:

  • intermediaries – ie, securities investment advisory services, private fund management businesses, derivatives agent businesses, derivatives dealing businesses, derivatives advisory services, derivatives fund management businesses, the newly added securities brokerage businesses, securities dealing businesses, securities underwriting businesses, mutual fund management businesses and securities borrowing and lending (SBL) businesses;
  • know your customer (KYC) providers, gathering and assessing clients’ information; 
  • post-trading service providers – ie, securities clearing houses, securities depository centres, securities registrars, and the newly added derivatives clearing houses; and
  • trading system service providers – ie, electronic trading platforms (ETPs), and the newly added securities trading centres and derivatives exchanges.


The Office of the Insurance Commission (OIC) issued a notification on an insurance regulatory sandbox in 2019. The notification allows both life and non-life insurance industry operators to conduct testing in their own sandbox for certain cases.

On 25 March 2021, the OIC’s board of directors announced a notification on criteria of entry into projects of testing innovation using technology supporting insurance services (insurance regulatory sandbox) which replaces the existing notification announced in 2019. In addition, on 17 May 2021, the OIC, by virtue of the aforesaid notification, announced a notification of criteria, procedures and conditions on entry into projects of testing innovation using technology supporting insurance services (insurance regulatory sandbox) which determines the details and procedures of participation in sandboxes and compliance of participants during the period of testing in the sandbox. The main purpose of the announcement of these two notifications is to relax the former criteria and provide more flexibility to participants and the relevant authority.

The jurisdiction of each regulator depends on the type of financial service provided rather than the type of technology the operator of such business adopts. The key regulators of fintech businesses concerning financial services, securities and insurance in Thailand are, respectively:

  • the MOF and the BOT;
  • the MOF and the SEC; and
  • the OIC.

The BOT has the power to supervise, examine and analyse the financial status and performance and risk management systems of financial institutions to enhance the stability of the financial status of Thailand. Thus, fintech activities that are related to financial institutions will be predominantly supervised by the BOT, including digital lending and peer-to-peer lending payment systems, e-wallets, e-money and e-payments.

The SEC is a regulatory unit supervising capital markets. Capital markets are the main mechanisms for efficient mobilisation, allocation and monitoring the utilisation of Thailand’s economic resources. The SEC also governs businesses that crowdfund, including the digital asset industry (cryptocurrencies and digital tokens).

The OIC is the regulatory agency with the mission to supervise and enhance Thailand’s insurance ecosystem. Even though there is no regulation relating to insurtech in Thailand, certain Thai insurance companies have introduced technology to enhance their businesses and provide insurtech. Such insurtech operations are supervised by the OIC.

The outsourcing restrictions of each business depend on the regulations related to it. Thus, different businesses may have different restrictions on outsourcing. Business operators that conduct designated business activities under the relevant regulations are required to obtain licences or approvals, or to register with the competent official. Certain functions in the operations of such designated business that are not the main activities under the respective licences, approval or registration can be outsourced to qualified persons/to the extent that such outsourcing is not circumventing the requirements of licensing, approval or registration.

For example, financial institutions can use IT outsourcing services provided by third parties. However, the guidelines on risk management implementation of third parties must be followed. The guidelines cover risk governance, third-party risk management and reporting obligations to the BOT.

Regulations require that payment service providers, such as e-money or e-payment service providers, have protocols for the use of services performed by third parties, as follows:

  • a risk management process for the services provided by other service providers or third parties and risk assessments for services that are outsourced on a regular basis;
  • outsourcing agreements that indicate the rights of internal auditors, external auditors and the BOT to perform audits of business operations, and internal controls related to outsourced payment services for service providers or third parties; 
  • a business continuity plan or a disaster recovery plan covering the outsourced service activities; and 
  • risk assessments for any services provided by service providers or third parties in other countries.

A fintech service provider may be considered a gatekeeper depending on the business activities of the fintech service provider.

For example, pursuant to SEC Notification No GorThor.19/2561 regarding criteria, conditions and procedures for business operations of digital assets, exchange service providers must have a system that discloses sale and purchase data. This data includes pre-trade information and post-trade information, and records of sales and purchases of digital assets must be recorded for the purpose of potential audits.

The Computer Crime Act BE 2550 (2007) requires that a fintech service provider is:

  • a person who provides services to the public with respect to access to the internet or other mutual communications via computer systems, whether on their own behalf, or in the name of, or for the benefit of, another person; or
  • a person who provides services with respect to the storage of computer data for the benefit of other persons – the fintech service provider must store computer traffic data for at least 90 days from the date on which the data is put into a computer system.

However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than 90 days but not exceeding one year on a special case-by-case basis, or on a temporary basis. A fintech service provider must keep the necessary information of the service user in order to be able to identify the service user from the beginning of provision of the services. Such information must be kept for an additional period not exceeding 90 days after the service agreement has been terminated.

Failure to comply with the listed requirements carries a fine of not more than THB5,000.

In 2022, the SEC became more active in supervising digital asset markets and businesses, and a more scrutinising approach from the SEC was seen in enforcement actions and attempts.

For example, the SEC penalised offenders in three cases for creating fake volume in digital asset exchanges, and in one case for insider trading by an executive of the company. The SEC has ordered fines and payment of the SEC’s investigation costs to business operators and relevant offenders. The SEC has also ordered a ban on the relevant offenders from trading and futures contracts of digital assets, and prohibited them from being directors or executives of licensed digital asset operators for a certain period.

On 7 September 2022, the SEC filed a complaint with the police against an overseas cryptocurrency exchange operator and its CEO for failure to meet the SEC’s order. To elaborate, the SEC conducted an investigation on the business operation of such exchange and requested the operator to provide relevant information – ie, details about wallets keeping customers’ digital assets and transactional information regarding the deposit and withdrawal of digital assets. However, the CEO of such operator failed to fully provide the requested information to the officers, and without an acceptable reason. The SEC, therefore, filed the complaint to initiate criminal procedures for the exchange.

There are several regulations that fintech business operators must comply with to run their businesses. However, those relating to privacy, cybersecurity, social media and software development are not specific to fintech businesses and apply to all business activities, including those conducted in a more traditional manner.

The Personal Data Protection Act BE 2562 (2019) (PDPA) was passed to create a regulatory regime and requirements for processing and the protection of personal data in Thailand. The Thai government introduced the PDPA to enhance personal data protection and align with the EU’s General Data Protection Regulation (GDPR).

Furthermore, the Cyber Security Act BE 2562 (2019) (CSA) categorises cyberthreats into three levels, as follows:

  • non-serious cyberthreats;
  • serious cyberthreats; or
  • critical cyberthreats.

Such threats shall be subject to investigation and the private operator may be required to:

  • provide access to relevant computer data or computer systems, or other information relating to the computer system;
  • monitor the computer or computer systems; and
  • allow officials to test the operations of the computer or computer system, or seize a computer or a computer system.

Auditors may monitor industry participants for accounting purposes. Industry participants may voluntarily perform internal audits for various matters – ie, IT audits. Currently, there are no other organisations that have the power to supervise, regulate or monitor participants in the fintech industry.

The Thai Fintech Association was recently established in Thailand and registered as a non-profit organisation. The organisation has the main obligation to:

  • be a centre of knowledge of fintech;
  • support the public’s use and accessibility to fintech services; and
  • support standardisation of the fintech industry.

At the time of writing, the Thai Fintech Association has not been granted authoritative power from the regulator, nor have regulations been passed to allow it to supervise industry participants. However, as regulators appear to be encouraging self-regulation mechanisms in the fintech industry, the Thai Fintech Association may become a key organisation in establishing wider sector policies and standardisation.

The Thai Fintech Association, the Thai Blockchain Association, the Thai Digital Asset Association and the Thai Digital Trade Association were all established to support and be the voice of each ecosystem.

Certain regulations restrict a licensee from providing business services other than those covered under the relevant licence held by the business operator or business services/activities that are related to the licensed business activity.

Under the Payment Systems Act, business operators licensed and engaged in e-money services may not operate other businesses, except for those which such operators are licensed to perform or business activities that support e-money business services.

The Anti-Money Laundering Act BE 2542 (1999) (the “AML Act”) and the Counter-Financing of Terrorism and Dissemination of Weapons of Mass Destruction Act BE 2559 (2016) are two primary laws regulating anti-money laundering in Thailand. Fintech businesses may be required to comply with these two laws since they may deal with financial activities – ie, e-payment systems, money exchanges or financial institutions (as prescribed under the AML Act (the “Specified Operators”)). If a particular fintech business is included in the scope of the Specified Operators, such fintech operator is required to verify the identity of its customers upon commencement of certain types of activities, conduct customer due diligence, and report any suspicious transaction to the relevant authority.

As most fintech companies carry out business as Specified Operators, they have a duty to comply with criteria specified under the law, as follows:

  • reporting transactions to the Anti-Money Laundering Office involving the use of cash or assets in an amount exceeding that prescribed in sub-regulations, or suspicious transactions;
  • identifying customers prior to making any transactions;
  • determining policies for customers, money laundering risk management policies and conducting due diligence on customers when making the first transaction; and
  • recording any facts relating to any transaction that has been made.

The criteria under the AML Act result in more procedures and steps for effectuating each transaction, and fintech companies may have to establish a compliance department to comply with anti-money laundering criteria. Also, fintech companies may have to prepare systems for storing information of transactions and customers, and ensure the security of such systems.

Thailand has not adopted regulations specifying which business operators or activities require use of robo-advisers, although some Thai fintech operators do utilise robo-adviser technology.

Wealth advisers are encouraged to use fintech to generate financial solutions and to serve as an aiding tool for financial planning under the SEC’s framework. According to the Office of SEC’s Notification No SorThor 31/2561 Re: Rules in Details on Wealth Advisory Service Business, operators must complete the process of client contact and services in five steps, as follows:

  • exploring and understanding customers;
  • constructing an investment portfolio;
  • implementing the portfolio according to the asset allocation plan;
  • monitoring and rebalancing the portfolio; and
  • providing consolidated reports for clients’ review.

A wealth adviser must also have an electronic system that can support the actions in the third and fourth points above.

Legacy players must comply with the regulations applicable to their traditional business activities and operations, including implementing robo-advisory services. In this regard, legacy players have been very quick to adapt and use robo-advisers in their businesses over the last few years. Private sector banks use robo-adviser-based solutions in developing tools for customer satisfaction, new products and services, and improvements.

The largest use of robo-advisers has occurred with wealth management in developing custom-made trading and wealth solutions.

Records available to the public do not show cases of customer complaints related to the use of robo-advisory services.

However, securities and derivatives business operators have an obligation to carry out their business on a best-execution basis as specified in the Notification of the Capital Market Supervisory Board No TorThor 35/2556 Re: Standard Conduct of Business, Management Arrangements, Operating Systems, and Provision of Services to Clients of Securities Companies and Derivatives Intermediaries. As such, securities and derivatives business operators who use robo-advisory technology also have a duty to provide their services on the basis of best execution.

Regulations for both online and offline loan business activities are generally the same. Different regulations apply depending on the type of loan, not on the business operations of the operator/service provider.

For example, a supervised personal loan is a loan provided to individuals, not corporations. A supervised personal loan cannot be granted where it is more than five times the average income per month of a borrower with average monthly income of THB30,000 or above. PICO finance is a personal loan granted to prevent or solve informal debt issues. A PICO finance may not exceed THB50,000 or THB100,000, depending on the types of PICO finance operators.

However, in 2021, the BOT permitted a licensed personal loan business provider to offer digital personal loan services in Thailand under the approval of the BOT. Lenders may grant a digital personal loan with a maximum credit amount of THB20,000. Effective rates of interest charged with fees must not exceed 25% per annum. The BOT regulations relax certain criteria for the provision of a personal loan and provide some flexibility, such as with the use of alternative data for financial service providers to provide online lending.

There are no specific underwriting processes for online lenders prescribed by regulations in Thailand. Commercial banks may develop their own underwriting standards and compliance measures. If a loan is made for a certain industry, a specific industrial underwriting standard may apply. The BOT will monitor a commercial bank’s underwriting behaviour and may announce notifications to supervise any type of lending activities to upgrade underwriting standards if it appears that the current standard in the market is too lenient.

As mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, there are no specific regulations for online lending or offline lending. Online lending is subject to the same regulations as offline lending.

Thus, the source of funds, the method of raising funds and restrictions will depend on the business activity.

Online lending is normally for individuals in Thailand. As such, syndication of loans is uncommon. However, there are no restrictions on syndicating online loans. 

There are no specific requirements for payment processors to use existing payment rails such as credit cards or electronic payment settlement agencies. However, payment processors have to apply for a licence from the MOF as recommended by the BOT, or have to register with the BOT in accordance with the Payment Systems Act.

Payment processors who implement new technology into their business operations can apply to participate in the BOT’s regulatory sandbox if all qualifications are met.

Under Thai law, there are specific restrictions for inward remittances. However, outward remittances must be performed through an authorised agent of the BOT (any commercial bank). A remittance of funds may also require permission from the BOT if the purpose of the remittance is restricted. In such case, the person remitting the money must obtain approval through an authorised bank by submitting supporting documents to a commercial bank prior to the fund transfer.

Nevertheless, if the amount of such remittances is equal to or more than USD200,000, supporting documents need to be submitted to the authorised commercial bank. The list of supporting documents is not determined by regulations from the BOT. Each authorised bank is entitled to request any documentation from a person remitting funds at their discretion on a case-by-case basis, which can vary depending on the underlying transactions (eg, loan, service agreement, sub-licence agreement, purchase price, etc).

E-money Remittances

Outward e-money remittances must be performed through an authorised e-money operator. The purpose of outward e-money remittances is generally listed as payment of goods and services to others domiciled in a foreign country.

The BOT has issued a notice from the competent officer permitting non-bank operators to apply for foreign exchange e-money (FX e-money) licences to issue e-money in foreign currencies. These licences allow non-bank operators to make cross-border remittances for their customers’ payments of goods and services. Non-bank e-money service providers are thus able to cater to the demand of customers when travelling.

In general, a fund administrator, in the form of an outsourcing company, that provides the service of supporting the process of managing a fund is not directly regulated by any agencies in Thailand. However, operators or fund managers must comply with the regulation which is applicable to the outsourcing of their administrative work. The SEC has the power to announce the qualifications and guidelines applicable to the outsourcing of administrative services of funds to third parties. For example, according to Capital Market Supervisory Board Notification No TorThor 60/2561 Re: Rules, Conditions and Procedures for Outsourcing Functions related to Business Operations to a Third Party, the operator has to determine the policies, measurements and procedures for outsourcing to a third party to conduct work relating to the operator’s business in accordance with the criteria specified in the notification.

Nevertheless, the scope of the administration task of the fund is also guided by the SEC to ensure that investors are protected, and that each fund possesses internal systems and policies that are standardised and reliable. 

The contractual terms depend on the commercial issues and other regulations that may apply to a specific financial service provider. However, for outsourcing in connection with securities service providers, Capital Market Supervisory Board Notification No TorThor 60/2561 Regarding Rules, Conditions and Procedures for Outsourcing Functions related to Business Operations to a Third Party specifies required clauses that securities service providers must include in a written contract regarding obligations for services related to business operations to a third party. Under this notification, terms required in a written contract include the following.

  • Duties and responsibilities of the service provider covering at least the following:
    1. liability to the intermediary as a result of the service provider acting or omitting to act intentionally or negligently;
    2. measures and arrangements for the business continuity of the service provider which must include the outsourced function;
    3. information security, confidentiality and privacy regarding information of the intermediary and clients; and
    4. that the service provider must comply with the rules regarding the outsourced function as prescribed by the SEC, the Capital Market Supervisory Board or the Office of the SEC, including the guidelines specified by the intermediary in compliance with such rules.
  • Consent of the service provider for the Office of the SEC to inspect its operation, and to examine or retrieve for viewing relevant evidentiary documentation.
  • Causes, conditions and procedures for terminating the contract or suspending operation (under such contract).
  • Remuneration and charged expenses.

Digital asset exchanges are trading platforms for both cryptocurrency and digital tokens. Currently, exchanges for cryptocurrency and digital tokens are subject to the same regulatory regime under the Digital Assets Decree.

Cryptocurrency and digital tokens are both governed by the Digital Assets Decree; however, the regulatory regime with respect to digital asset operators is substantially similar for both cryptocurrency and digital tokens.

Nonetheless, certain cryptocurrencies and digital tokens were prohibited from being listed and traded on licensed digital asset exchange platforms; for example, meme tokens, fan tokens and NFTs.

A potential change of the regulatory structure is discussed under Regulating Digital Assets in 12.3 Classification of Blockchain Assets.

Cryptocurrency exchanges are subject to a separate regime under the Digital Assets Decree. See 7.1 Permissible Trading Platforms for more information.

The SEC prescribes the listing standards for an initial coin offering (ICO) in SEC Notification No GorJor 15/2561 re: Offering of Digital Tokens to the Public.


According to the listing standards, among other requirements, the applicant for an ICO must be a limited company or a public limited company which is not insolvent. The applicant must also show that the ICO portal has considered that the ICO is in compliance with this notification. There are also requirements on the underlying assets if the underlying assets of the digital tokens are real estate.

There are also requirements that the offeree must comply with, and limitations on the number of digital tokens that can be offered to general investors. The applicant must also prove to the Office of the SEC that the business models and smart contracts are enforceable and that the applicant will not take advantage of the investors.

In 2021, the SEC added additional requirements for an ICO of a real estate-backed digital token with the aim of bridging the gap in regulations between the offerings of real estate-backed digital tokens and those of real estate investment trusts (REITs).


Prior to the offering, the issuer must obtain approval from the Office of the SEC, and submit registration statements and draft prospectuses as indicated in the SEC’s notification. The offer for sale of digital assets is permissible only after the registration statements and the draft prospectuses have been approved by the SEC. The offer for sale must be made via the system provider, the ICO portal, that is approved by the SEC.

There are no specific order handling rules applicable to digital asset operators.

Currently, peer-to-peer energy trading platform initiatives in the energy sector are on the rise while adoption of peer-to-peer trading platforms in other industries (including fintech) is still rather limited.

This type of platform may not fit into the existing categories of businesses eligible for licences and, therefore, the SEC may need to revise the regulations on digital assets to capture this type of platform.

The duty of best execution is one of the duties imposed on securities and derivatives business operators under Capital Market Supervisory Board Notification No TorThor 35/2556 Re: Standard Conduct of Business, Management Arrangement, Operating Systems, and Providing Services to Clients of Securities Companies and Derivatives Intermediaries.

For digital asset transactions, there are no specific order handling rules applicable to digital asset operators.

There are no specific rules of payment for order flow applicable to digital asset operators. However, there is a general prohibition on the receipt of benefits in excess of that which should be received or rewarded in normal commercial practice.

Under the Securities and Exchange Act BE 2535 (1992), various offences are listed, aimed at protecting market integrity and preventing market abuse, including:

  • insider trading – anyone who has material inside information is prohibited from the buying or selling of securities to which such inside information is related;
  • market manipulations – trading of securities with an intent to manipulate the market is also prohibited; and
  • misstatement – dissemination of false information with an intent to mislead is also prohibited.

The regulations do not specifically state the criteria for using algorithmic trading for each asset.

However, under the Stock Exchange of Thailand (SET) Notification Re: Procedures on Trading, Clearing and Settlement of Securities in the Exchange specifying the criteria for the use of computer programs in creating and recording orders automatically (“Program Trading”) including Algorithmic Trading, an operator who wishes to use Program Trading has to obtain approval from the SET prior to such use.

The SET also provides guidelines regarding the qualifications and criteria for Program Trading that will be used in the market.

Under the SET Notification Re: Persons Involved in the Trading System BE 2555 (2012), persons having the following qualifications are required to register as market makers:

  • being a member or a non-member juristic person certified as a market maker by a member whereby such juristic person shall undertake clearing and settlement through the member;
  • possessing experience as a market maker or possessing personnel with sufficient knowledge and expertise to be trusted to perform the duty of a market maker;
  • possessing a system or procedure that indicates readiness to act as a market maker including sufficient policies and measures for risk management;
  • not being currently prohibited from undertaking registration as a market maker under Clause 12 (2) (ie, never having had registration as an authorised officer revoked as a penalty by the SET within five years prior to the application for the appointment); and
  • possessing other qualifications as prescribed by the SET.

Moreover, the Thailand Futures Exchange (TFEX) has also specified that the following qualifications are required to register as a market maker:

  • being a member of the TFEX, or a (member’s) corporate client who is a member named to the TFEX as a market maker, or being any other juristic person having a clearing guarantee agreement with a TCH member;
  • having the experience of being a market maker for derivatives trading or having personnel who possess credible knowledge and competency to act as a market maker;
  • having sufficient system readiness or being able to demonstrate that there is a procedure and readiness to act as a market maker, and also having a risk management policy to deal with potential risk that may arise from the marker maker’s duty; and
  • having stable financial status and having no risk that may the affect market maker’s duty.

The TFEX may stipulate such additional qualifications as it deems appropriate for persons wishing to be any of the following market makers:

  • a market maker who is either a juristic person customer whose status as a market maker has been notified to the TFEX by a member or a juristic person having an agreement with a TCH member to guarantee clearing and contract settlement; or
  • a market maker in Thai baht or US dollar futures.

From a regulatory perspective, there is no distinction between funds and dealers in the algorithmic trading area.

There is no regulation under Thai law specifically governing programmers and programming. However, for programming, an algorithm has to be approved by the authority and the programmers have to be aware of the prohibited characteristics of trading as specified in the Securities and Exchange Act BE 2535 (1992) (the “SEC Act”).

There is no specific regulation governing operators providing financial research services.

The SEC Act specifies measurement and punishment for any persons who spread rumours and information that might cause manipulations or misunderstandings in the securities market.

For example, pursuant to the SEC Act, a person who informs, disseminates or certifies any statement or information that is false or materially misleading about the financial condition, business operation, the price of securities or any other information related to a securities-issuing company in such a manner that is likely to have an effect on the price of securities or the decision-making on securities investment shall be subject to punishment.

In addition, a person spreading rumours that are false may be subject to the Computer Crime Act Criminal Law BE 2550 (2007), since the act states that any person involved in importing to a computer system forged computer data, either in whole or in part, or false computer data, in a manner that is likely to cause damage to a third party or the public shall be subject to punishment.

Regarding legislation, as mentioned in 9.2 Regulation of Unverified Information, the SEC shall punish a person who spreads information that may mislead the public.

Underwriting processes differ according to the products and business operators. The insurance laws (ie, the Life Insurance Act BE 2535 (1992) and the Non-Life Insurance Act BE 2535 (1992)) govern various aspects of the underwriting processes of business operators. In particular, sale and offers of insurance products are heavily regulated.

Given the extent of insurance regulation, insurtechs normally face a number of legal obstacles. Recognising these constraints, and at the same time trying to promote innovation in the industry, the OIC, the insurance industry’s regulating entity, launched the OIC insurance regulatory sandbox and set up the Centre of InsurTech Thailand (CIT) with the aim of promoting insurtech.

There are two applicable regulatory regimes:

  • the life insurance regime under the Life Insurance Act BE 2535 (1992) which covers life and annuities; and
  • the non-life insurance regime under the Non-Life Insurance Act BE 2535 (1992) which covers property and casualty.

Many aspects of these acts are similar, but the licences for life insurance and non-life insurance business are separate and the same legal entity cannot engage in both types of business.

There are no overarching regulations that govern regtech generally. Whether regtech providers are subject to any regulations needs to be analysed on a case-by-case basis.

Currently, in Thailand, an area that is considered one of the most advanced in terms of regtech development is electronic authentication and verification of identity (e-KYC).

After the amendment to the Electronic Transaction Act BE 2544 (2001) No 4, authentication and verification of identity in electronic form became recognised and admitted under Thai law.

Electronic Identity Verification

The BOT has also adopted electronic authentication and verification of identity for the opening of accounts with financial institutions. Previously, financial institutions had to conduct know your customer (KYC) processes on a face-to-face basis (physical KYC). Non-face-to-face KYC has been accepted in practice since the relevant notification of the BOT was adopted. Electronic KYC can be performed by financial institutions for the opening of accounts by customers via online platforms.

In addition to electronic KYC, there is another central platform in Thailand called the National Digital ID Platform (the “NDID Platform”). This system collects customers’ information for use by any financial institutions to verify customers. The NDID Platform is thus an important system for Thai financial institutions to use to verify their customers, and many banks in Thailand have decided to use it to facilitate the KYC process.

The contractual terms of use of service provided by a third party may also be regulated depending on the type of business. Theoretically, certain functions which are not the main activities of financial service providers (which normally require a licence, approval or registration) can be outsourced to a third party.

For instance, pursuant to BOT Notification No SorNorSor 16/2563 Re: Regulations on the Use of Services from Business Partners of Financial Institutions, in order to use a service of a business partner, the financial institution must create guidelines on risk management and customer protection. However, strategic functions must be carried out directly by financial institutions themselves. In addition, financial institutions also have to submit an annual report to the BOT on the use of services provided by business partners that may cause significant risks to or impacts on the public at large.

In respect to IT outsourcing, financial institutions have to comply with the guidelines on risk management implementation of third parties. These cover issues such as risk governance, third-party risk management and reporting obligations to the BOT.

Non-regulated contractual terms largely depend on the commercial issues and other regulations that may specifically apply to that financial institution. Therefore, contractual terms must be negotiated and agreed on a case-by-case basis.

Many Thai financial institutions, including the BOT, have been keen on adopting blockchain technology.

In 2020, the BOT launched a new blockchain-based platform for government bond issuance. This project is a collaborative effort with the Public Debt Management Office, Thailand Securities Depository Co, Ltd, Thai Bond Market Association and several selling-agent banks.

In addition, certain commercial banks in Thailand have adopted blockchain technology in order to develop their operations, such as monitoring the correctness of financial transactions, cross-border transfers of funds, issuing bank guarantees and development of other aspects relating to financial infrastructure.

In 2022, the Letter of Guarantee on Blockchain (eLG) developed by BCI (Thailand) Co, Ltd, passed the test under the BOT Regulatory Sandbox and was ready for broad services aiming to serve not only financial institutions or governmental sectors but also various business sectors – ie, petroleum, construction or automotive businesses. Currently, there are more than 170 organisations utilising this service.

Even though the BOT and the Office of the SEC are very cautious about the sale of blockchain-based digital assets and cryptocurrency, they and other local regulators are very positive about blockchain technology and are keen on utilising it.

The Digital Assets Decree, which governs blockchain assets under the defined term “digital assets”, separates digital assets into two types: cryptocurrency and digital tokens.

“Cryptocurrency” is defined as an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services or other rights, including the exchange between digital assets.

A “digital token” is defined as an electronic data unit built on an electronic system or network for the purpose of specifying the right of a person to participate in an investment in any project or business, or to acquire specific goods or services. Digital tokens are further separated into two types: investment tokens and utility tokens.

Regulating Digital Assets

Currently, the SEC regulates digital assets based on the activities of the operators with some differences depending on the types of digital assets (eg, there are some differences in requirements for underlying assets which are in the form of real estate) under the Digital Assets Decree.

The closest concept to “issuers of blockchain assets” are the “issuers” of digital assets under the Digital Assets Decree.

The issuer of an initial coin offering (ICO) must be a limited company or a public limited company. Similar to as discussed in 7.4 Listing Standards, prior to the offering, the issuer must obtain approval from the Office of the SEC, and submit registration statements and draft prospectuses as indicated in the relevant SEC’s notification. The offer for sale of digital assets is permissible only after the registration statements and the draft prospectuses have been approved by the SEC. The offer for sale must be made via the system provider, the so-called ICO portal, which has been approved by the SEC.

Regarding a potential change of the regulatory structure, see Regulating Digital Assets in 12.3 Classification of Blockchain Assets.

The closest concept to a blockchain asset trading platform under Thai law is a “digital asset exchange” under the Digital Assets Decree. A “digital asset exchange” is defined as any centre or network established for purchasing, selling or exchanging digital assets, by means of the matching or finding of parties or the provision of a system or facilities whereby those intending to purchase, sell or exchange digital assets may reach agreements or may be matched.

Digital asset exchange operators must apply for permission. This would be granted by the MOF upon the SEC’s recommendation. The appointment of directors and executives of the operator must also be in accordance with the relevant notification and such appointment will be valid upon approval by the Office of the SEC.

The exchanges are obliged to comply with all guidelines specified by the Office of the SEC, including on source of funds, protection of customers’ assets, prevention against electronic theft, KYC measures and a reliable accounting system approved by the SEC. Among other obligations, the operator must segregate the retained customers’ assets from its own assets.

Under SEC Notification Re: Rules, Conditions and Procedures for Undertaking a Digital Asset Business (No 11) (the “NFT Regulations”), digital asset exchanges are obliged to set up their listing rules to prohibit token issuers from listing utility tokens or certain types of cryptocurrencies that have the following characteristics.

  • Meme tokens – having no clear objective or substance or underlying substance, and whose price runs on social media trends.
  • Fan tokens – tokenised by the fame of influencers.
  • Non-fungible tokens (NFTs) – a digital creation to declare ownership or grant of right in an object or other specific right. It is unique and not interchangeable with digital tokens of the same category and type at the equal amount.
  • Digital tokens which are utilised in a blockchain transaction and issued by digital asset exchanges or related persons.

According to the SEC’s draft regulations on ready-to-use utility tokens, some types of tokens may be banned from listing in digital asset exchanges, and the provision of services in relation to such tokens, including trading by digital asset dealers and brokers, is prohibited.

Thai law is silent on how funds could invest in blockchain assets.

Virtual currencies are not a defined term under Thai law. However, under the Digital Assets Decree, “cryptocurrency” is defined as “an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services, or other rights, including the exchange between digital assets”. Cryptocurrency is different from digital tokens in the sense that it is a medium of exchange, while digital tokens, which are another type of blockchain asset defined under the Digital Assets Decree, have the main purpose of determining the right to participate in an investment or to acquire goods or services.

See also 12.3 Classification of Blockchain Assets.

The term “DeFi” is not defined under Thai law. Thus, there is no specific regulation on DeFi platforms or transactions. However, on a case-by-case basis, if any transaction related to DeFi relates to the purchase and sale of digital tokens and cryptocurrency, or other regulated business, operators related to the DeFi business are subject to the Digital Assets Decree.

To determine whether an NFT will be regulated under Thai law, a determination of whether that NFT falls within the definition of a “digital token” under the Digital Assets Decree is needed. Certain NFTs may be considered as utility digital tokens if such NFTs grant the holder a right to obtain any goods, services or assets.

Under the SEC’s guidelines issued on 6 January 2022, there are certain types of NFTs that are exempted from NFT regulations and the Digital Assets Decree, including NFTs that are utility tokens with ready-to-use underlying products or services as of the date of offering. To further elaborate, an NFT that is exempted is that which is an asset itself, being inseparable, and does not represent any rights or the intention to be utilised as a medium of exchange (eg, an NFT that is created by storing a digital file on an Interplanetary File System (IPFS) issued for the convenience of exchange, and such digital file and the NFT must be transferred together, inseparable and cannot be modified).

In addition, the SEC has published draft regulations for public hearing on 25 January 2023 proposing the regulatory approach that certain types of ready-to-use utility tokens, including some types of NFTs, will continue to be exempted from the Digital Assets Decree, and business operators providing related services thereof will no longer fall under the digital asset business licence requirement. Such exempted NFTs must be those providing the right to receive specific products or services for utilisation or consumption purposes (ie, NFTs of artworks, images, music, stamps or videos with a specific right for the holders) and must not be used as a means of payment under the BOT’s definition.

Thailand saw the first open banking initiative in January 2022 when the BOT, the Thai Bankers’ Association and the Government Financial Institutions Association introduced the dStatement, which is an exchange of financial statement data among banks to support, at an initial phase, digital loan applications.

In February 2022, in its Consultation Paper on Financial Landscape, the BOT formally pledged to explore open banking.

Later, in March 2022, the BOT launched a public hearing on Application Programming Interface (API) Standards for the financial sector.

To date, open banking implementation in Thailand remains subject to feasibility studies and the API Standards are yet to be finalised, but significant first steps have been taken by the BOT.

All financial institutions need to comply with the Personal Data Protection Act BE 2562 (2019), which came into full effect on 1 June 2022, in order to process personal data – for example, as regards the following:

  • notifying the processing of personal data;
  • obtaining prior consent from the customers if the processing of their personal data does not fall under any lawful basis of processing (eg, performance of contract, legal obligation); and
  • providing channels for customers to exercise rights regarding their personal data.
Chandler MHM Limited

17th and 36th Floors, Sathorn Square Office Tower
98 North Sathorn Road
Silom, Bangrak
Bangkok 10500

+66 2009 5000

+66 2009 5080
Author Business Card

Law and Practice in Thailand


Chandler MHM Limited recognises the importance of technology in today’s constantly evolving technology-dependent world and the impact it has on business. The firm’s priority is to help clients navigate the legal and regulatory challenges in the technology sector. The team, which is based in Thailand, has extensive experience advising technology companies, and advises clients across a broad spectrum of technology-related areas, including cybersecurity, data privacy, e-commerce, esports, fintech and health tech. Chandler MHM Limited has a strong, on-the-ground presence in Asia and globally.