Fintech 2024 Comparisons

Thailand is a pioneer in Southeast Asia in the adoption of 5G technology to improve and expand the country’s capacity for deep technology such as blockchain, artificial intelligence (AI), big data, robotics, cloud computing and machine learning. As a result of proactive development of its information and communications technology (ICT) facilities and the regulatory environment, Thailand is one of the fastest-growing fintech markets in ASEAN, and currently has one of the world’s largest consumer bases for fintech mobile banking.

According to the latest data from the Bank of Thailand (BOT), published as of the publication of this article (March 2024), the volume of e-payments in Thailand has consistently been increasing. Internet and mobile banking are the most popular e-payment channels with approximately 134.8 million accounts and more than 2.721 billion transfers and payment transactions in October 2023.

Developing Accessibility

The Thai government has been promoting fintech by developing accessibility to government platforms. The BOT has co-operated with global card network service providers to create an innovation called the “Thai QR Code”, which facilitates payments via debit cards, credit cards, e-wallet and e-payments through bank accounts using the Thai QR Code as an intermediary.

Following the COVID-19 pandemic, the people of Thailand become more familiar with QR Code and other contactless payment systems, enabling fintech to become more widespread and the use of electronic transactions has become increasingly normalised in Thailand.

In addition, the BOT together with the central banks of four other ASEAN countries (Indonesia, Malaysia, the Philippines and Singapore) jointly signed a memorandum of understanding to strengthen and expand the cross-border payment system, which includes the development of an interoperable QR code and fast payment system.

Regulation of the Digital Asset Market and Businesses

There have been several significant regulations and guidelines regarding the digital asset market and business from relevant regulators, requiring digital asset business operators to face numerous additional obligations in their business operations and marketing plans. Among these, the most impactful included the Securities and Exchange Commission of Thailand (SEC), in joint consideration with the BOT and the Ministry of Finance (MOF), enacting a notification prohibiting digital asset business operators from using digital assets as a means of payment for goods and services. This led to an abrupt decline in the use of digital assets as a means of payment. The SEC also put in place regulations imposing more restrictions on businesses – eg, the prohibition of privacy coins to prevent the use of digital assets as tools for illegal activities and limitations on the advertising of digital assets.

The SEC aims to further develop its regulatory framework to keep pace with such changes while simultaneously prioritising both investor protection and sustainable growth in the digital asset market and businesses. Among the regulations and guidelines issued in 2023 and January 2024, notable ones include:

• an exemption from the restriction on providing or facilitating staking services;
• an improvement in the criteria for debt-liked initial coin offerings (ICOs) and infra-backed (infrastructure-backed) ICOs;
• the removal of the investment cap on real estate-backed and infra-backed digital tokens, which were previously capped at THB 00,000;
• an exemption for regulated digital asset custodial wallet providers from providing custody services for digital assets issued and held for customers by such digital asset issuers themselves; and
• the replacement of the requirement to notify the SEC of advertisement details and expenses with a requirement to submit advertisements to the senior management of digital asset business operators to review such advertisements’ compliance with the relevant criteria and for approval before the publication.

In addition, some regulations are under review, pending further updates from the SEC – eg, the regulatory regime for utility tokens, the definition of digital assets, and criteria for the governance of ICO products and business operators.

Digital Transformation in the Thai Financial Sector

In addition to the surge in digital payments in Thailand, digitalisation has been systematically integrated into diverse facets of the country’s financial services industry. This evolution is evident in:

• the increasing number of service providers – and subsequent rising competition – in the digital savings or e-savings market; and
• the current development of the legal framework governing virtual banks, including the offering of digital bonds through the Digital Infrastructure Web Portal (“DIF: Web Portal”).

Furthermore, there has been progress in open data initiatives with the aim of empowering consumers to transfer their data conveniently and securely from one provider to another, thereby enabling them to access superior services.

Upcoming Framework for Virtual Banks

Due to the rapid development of digital finance, almost all business operators in Thailand, whether banks or non-banks, have been focusing on providing services via digital channels. The BOT, with the objective of promoting financial inclusion and competition in the financial market, plans to issue licences for the establishment of branchless, commercial banks, also known as “virtual banks”. The BOT has submitted a draft notification to the Ministry of Finance outlining the criteria, conditions, and procedures for establishing a virtual bank. The draft was returned to the Ministry of Finance in January 2024.

If the notification is issued within the first quarter of 2024, and the official application process is initiated, there will be ample time to evaluate the qualifications of operators who express an interest in applying for a licence. It is expected that a virtual bank could be established within the first half of 2024.

The major players in the Thai fintech industry are predominantly financial institutions and traditional non-banking financial institutions. They have been adopting technology for their services to facilitate customers’ needs and to increase market share. Other players include venture capitalists and start-ups.

The main fintech business models in Thailand are as follows.

E-money, E-wallets and E-payment

E-money, e-wallet and e-payment service providers are some of the most significant players in the Thai fintech industry. The recent rise in the number of online payments, mobile banking payments and mobile banking users has led financial institutions and non-bank financial operators (financial service providers) to adopt financial technology in their normal banking business. Their business operations and services can now be conducted or provided through their online platforms rather than physical branches.

Other than financial service providers, there are a number of new players in this area, with most entering the industry backed by venture capital and as start-ups. Other investors have decided to co-operate and partner with major social platform business operators. The purpose of co-operation is to use such platforms to reach customers.

For foreign financial service providers that might not be able to secure a full-service licence, due to certain capacity limitations or strict qualifying requirements under Thai law, partnering with legacy financial institutions or full-service licensees is an alternative solution.

Financial institutions or licensees can act as local service providers under this business model. This type of business model can also benefit foreign entities in the sense that the number of licences they are required to obtain from the government will be reduced.

Digital Assets

In 2018, the SEC recognised digital tokens and cryptocurrency as digital assets. Business operators in this sector are categorised into two groups, as follows.

Primary market

The business operator in the primary market can be either:

• an ICO issuer looking to raise funds by issuing coins; or
• an ICO portal providing token digital system services.

In 2021, one ICO issuer received SEC approval, followed by two additional issuers in 2022 and 2023. Issued digital tokens have been real estate-backed and project-backed digital tokens. For the first and third ICO projects, the token-holders are entitled to receive revenue shares from the revenue streams of the underlying assets of the tokens.

Secondary market

In the secondary digital assets market, service providers related to digital assets that are recognised by Thai regulations and supervised by the SEC are as follows:

• digital asset exchanges;
• digital asset brokers;
• digital asset dealers;
• digital asset advisory services;
• digital asset fund managers; and
• digital asset custodians.

Digital Lending

Digital lending is an important platform that financial service providers use to reach new retail customers, eliminate physical limitations, and facilitate business activities with customers. Many financial service providers, especially personal loan providers, are interested in expanding their online services.

Some financial service providers have chosen to co-operate with social platform operators in providing the digital lending services to the platform’s customers, and vice versa, rather than develop their own (online) platform and obtain licences.

Peer-to-Peer Lending Platforms

Currently, there are few players in the peer-to-peer lending market due to the lack of information and precedent cases in Thailand. Peer-to-peer lending platforms are electronic platform services that operate as matchmakers between lenders and borrowers. The platforms’ role also includes facilitating loan contracts, and carrying out fund transfers and repayments between the parties. According to the BOT, one peer-to-peer lending service operator has obtained a licence to operate its business from the MOF. Additionally, two operators are testing their systems in the BOT regulatory sandbox.

Crowdfunding

Both equity and debenture crowdfunding exist for private and public limited companies through crowdfunding portals in Thailand. In this respect, crowdfunding, where shares or debentures are issued as consideration, is deemed as a type of public offering under SEC regulations. A crowdfunding portal operator must obtain a licence from the Office of the SEC.

AI Advisers

Many business sectors have adopted AI to enhance business efficiency. In Thailand, fintech businesses also use AI to advise clients on wealth creation and management.

Currently, in Thailand the fintech industry is not directly regulated by any specific overarching legislation. However, operators need to comply with certain business-related regulations.

The key regulations related to fintech business activities are as follows.

Payment Systems (Including E-money, E-wallet and E-payment)

In order to enhance supervision of payment systems and payment services, the Payment Systems Act BE 2560 (2017) (the “Payment Systems Act”) was enacted and came into effect on 16 April 2018. Its main purpose is to regulate the following.

• Highly important payment systems, which are payment systems that are important to the security and stability of the country’s payment systems, financial systems, or monetary systems.
• Designated payment systems, which are:
1. payment systems that are networks between system users that handle fund transfers, clearing or settlement, such as retail funds transfer systems, payment card networks, and settlement systems; or
2. any other payment systems which may affect the public interest, public confidence or the stability and security of the payment systems.
• Designated payment services, which are:
1. provision of credit cards, debit cards or ATM card services;
2. provision of e-money services;
3. provision of accepting electronic payments for and on behalf of others;
4. provision of e-money transfer services; and
5. other payment services which may affect payment systems or the public interest.

Digital Assets

The Emergency Decree on Digital Asset Businesses BE 2561 (2018) (the “Digital Assets Decree”) was enacted to regulate offerings of digital assets and businesses undertaking digital asset-related activities. The Digital Assets Decree aims to enhance the standards of the digital assets market to be in line with international standards and to protect players in the market. Digital assets under this decree mean cryptocurrencies and digital tokens that are regulated by the Digital Assets Decree under the supervision of the MOF and the Office of the SEC.

Digital Lending

On 15 September 2020, the BOT issued Circular No BOT.FhorGorSor (01) Wor 977/2563 Re: Criteria, Procedures and Conditions on Digital Personal Loan Business Operations. The purpose of this BOT circular is to relax the criteria for personal loans for those without regular – or proof of – income, or for those without collateral, and to grant flexibility to personal loan providers in providing personal loans in electronic form. However, for other types of loans which are not personal loans, financial service providers still have to comply with regulations that do not specifically regulate digital lending.

Peer-to-Peer Lending Platforms

On 31 July 2020, BOT Notification No SorNorSor 14/2563 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer Lending Platform Businesses (the “Peer-to-Peer Lending Platform Notification”) was announced in the Government Gazette and became effective on the same date. This notification prescribes the criteria for peer-to-peer lending platform operators and the other participants in the platform.

A person who wishes to operate a peer-to-peer lending platform must participate in the BOT’s regulatory sandbox until completing a successful test and must be able to provide an extensive scope of services in Thailand. Once these conditions are met, the operator may apply for a licence from the MOF through the BOT. A peer-to-peer lending platform operator can only act as an online marketplace or matchmaker to facilitate Thai bhat loan agreements between lenders and borrowers. Lenders can be either individuals or juristic persons, while borrowers must be individuals.

Electronic Transactions

The Electronic Transactions Act BE 2544 (2001) (the “Electronic Transactions Act”) supports the legal validity of electronic transactions performed via electronic systems. If a transaction is performed in the form of electronic data in accordance with the rules and procedures under the Electronic Transactions Act, the transaction is deemed to be validly binding as if entered into in accordance with other laws governing transactions entered into by other platforms or means.

The criteria and restrictions for charging service fees depend on the type of business, business model and services provided to customers. The criteria for disclosing services or fees depend on the regulations related to the business or business activity that the operator carries out. Generally, the operator has to disclose details of the fees that will be charged to customers, and the threshold or criteria for setting these fees.

For example, under the Payment Systems Act, payment service providers must disclose information on service fees, as follows.

• Information on service fees to customers by notice at all locations where services are provided to service users, or by any other means that will inform service users of the service fees. Service fees must be reasonable.
• Information on any changes to service fees by notice at all locations where services are provided to service users, or by any other means that will inform service users of changes to service fees. Advance notice to service users of at least 30 days prior to the effective date of the change in service fees is required if such changes to service fees may be detrimental to service users.

Details of service fees must be submitted to the BOT electronically, as specified by the BOT, as soon as possible from the commencement date of undertaking the business and each time there is a change in service fees.

There are no significant differences between regulations governing fintech operators and regulations governing legacy players. Some fintech business operations are covered by licences already held by legacy players. Both fintech operators and legacy players shall comply with the regulations set out in 2.2 Regulatory Regime. Other relevant laws and regulations applicable to general business enterprises will also apply.

Financial Services

Under the 2019 regulatory sandbox guidelines, the “own sandbox” concept was introduced in addition to the existing regulatory sandbox under the BOT’s supervision. This initiative is for financial service providers to test new technologies incorporated into their financial services under controlled conditions.

Financial service operators that can apply for testing in the regulatory sandbox must meet the following conditions.

• Be under the BOT’s supervision.
• Offer financial services or fintech innovations using technologies which are new or differ in some way from the existing financial services or products in Thailand or use innovation to enhance the efficiency of existing products or services.
• Offer financial services which:
1. are to be developed into infrastructure or standard practices for Thailand’s financial sector and the will be co-operatively experimented with by the financial service providers; or
2. under relevant laws and regulations, are required to be tested in the BOT’s regulatory sandbox.

The participants consist of:

• financial institutions;
• companies within a group of financial institutions;
• non-banks under the BOT’s supervision;
• fintech firms; and
• technology firms that wish to experiment with financial services or fintech innovation individually or in conjunction with the other participants mentioned above.

Securities

The amended regulatory sandbox regulations that became effective in 2020 afford more flexibility to operators by increasing the types of businesses that can participate. According to the SEC, the types of business under the amended regulatory sandbox regulations cover all activities in capital markets. The additional types of businesses are as follows:

• intermediaries – ie, securities investment advisory services, private fund management businesses, derivatives agent businesses, derivatives dealing businesses, derivatives advisory services, derivatives fund management businesses, newly-added securities brokerage businesses, securities dealing businesses, securities underwriting businesses, mutual fund management businesses and securities borrowing and lending (SBL) businesses;
• post-trading service providers – ie, securities clearing houses, securities depository centres, securities registrars, and the newly added derivatives clearing houses;
• trading system service providers – ie, electronic trading platforms (ETPs), and the newly added securities trading centres and derivatives exchanges; and
• digital infrastructure providers.

Insurance

The Office of the Insurance Commission (OIC) issued a notification on insurance regulatory sandboxes in 2019. The notification allows both life and non-life insurance industry operators to conduct testing in their own sandboxes for certain cases.

On 25 March 2021, the OIC’s board of directors announced a notification on the criteria for entry into the insurance regulatory sandbox regime for projects that test innovation using technology to support insurance services, which replaced the existing notification announced in 2019. In addition, on 17 May 2021, the OIC, by virtue of the aforesaid notification, announced a notification on the criteria, procedures and conditions for entry of projects that test innovation using technology to support insurance services, which determines the details and procedures of participation in sandboxes and compliance of participants during the period of testing in the sandbox. The main purpose of the announcement of these two notifications was to relax the former criteria and provide more flexibility for participants and the relevant authority.

The jurisdiction of each regulator depends on the type of financial service provided rather than the type of technology the operator of such business adopts. The key regulators of fintech businesses concerning financial services, securities and insurance in Thailand are, respectively:

• the MOF and the BOT;
• the MOF and the SEC; and
• the OIC.

The BOT has the power to supervise, examine and analyse the financial status and performance and risk management systems of financial institutions to enhance the stability of the financial status of Thailand as a whole. Thus, fintech activities relating to financial institutions will be predominantly supervised by the BOT, including digital lending and peer-to-peer lending payment systems, e-wallets, e-money and e-payments.

The SEC is the regulatory unit supervising capital markets. Capital markets are the main mechanisms for efficient mobilisation, allocation and monitoring of the utilisation of Thailand’s economic resources. The SEC also governs businesses that crowdfund, including those in the digital asset industry (cryptocurrencies and digital tokens).

The OIC is the regulatory agency tasked with supervising and improving Thailand’s insurance ecosystem. Even though there are no regulations relating to insurtech in Thailand, certain Thai insurance companies have introduced technology to enhance their businesses and provide insurtech services. Such insurtech operations are supervised by the OIC.

The outsourcing restrictions applicable to each type of business depend on the relevant regulations. Thus, different businesses may have different restrictions on outsourcing. Business operators that conduct designated business activities under the relevant regulations are required to obtain licences or approvals, or to register with the competent official. Certain functions in the operations of such designated business that are not the main activities under the respective licences, approval or registration can be outsourced to qualified persons/to the extent that such outsourcing is not done for the purpose of circumventing the relevant requirements.

For example, financial institutions can use IT outsourcing services provided by third parties. However, the guidelines on risk management implementation of third parties must be followed. The guidelines cover risk governance, third-party risk management and reporting obligations to the BOT.

Regulations require that payment service providers, such as e-money or e-payment service providers, have protocols for the use of services performed by third parties, as follows:

• a risk management process for the services provided by other service providers or third parties and risk assessments for services that are outsourced on a regular basis;
• outsourcing agreements that indicate the rights of internal auditors, external auditors and the BOT to perform audits of business operations, and internal controls related to outsourced payment services for service providers or third parties;
• a business continuity plan or a disaster recovery plan covering the outsourced service activities; and
• risk assessments for any services provided by service providers or third parties in other countries.

A fintech service provider may be considered a gatekeeper depending on the business activities of the fintech service provider.

For example, pursuant to SEC Notification No GorThor.19/2561 regarding criteria, conditions and procedures for business operations of digital assets, exchange service providers must have a system that discloses sale and purchase data. This data includes pre-trade information and post-trade information, and records of sales and purchases of digital assets must be recorded for the purpose of potential audits.

The Computer Crime Act BE 2550 (2007) requires that a fintech service provider is:

• a person who provides services to the public with respect to access to the internet or other mutual communications via computer systems, whether on their own behalf, or in the name of, or for the benefit of, another person; or
• a person who provides services with respect to the storage of computer data for the benefit of other persons – computer traffic data must be stored for at least 90 days from the date on which the data is entered into the computer system.

However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than 90 days but not exceeding one year on a special case-by-case basis, or on a temporary basis. A fintech service provider must keep the necessary information of the service user in order to be able to identify the service user from the beginning of provision of the services. Such information must be retained for an additional period of no more than 90 days after the service agreement has been terminated.

Failure to comply with the listed requirements carries a fine of not more than THB5,000.       

In 2023, the SEC remained active in supervising digital asset markets and businesses, and a stricter approach from the SEC was seen in enforcement actions. For example, the SEC imposed penalties for violations involving the use of prohibited market manipulation activities, such as creating fake volumes in digital asset exchanges. These enforcement measures, including fines and reimbursement of investigative expenses, were taken against multiple licensed digital asset exchange business operators and the market makers themselves, as well as their legal representatives.

During the year, one digital asset exchanges operator, in particular, faced several SEC enforcement actions for multiple cases of non-compliance with the Digital Assets Decree. These included operating a non-digital asset business without the SEC’s prior approval, lacking a conflict-of-interest prevention mechanism and adequate internal controls, and seeking benefits from customer’s assets. This led to a collaborative investigation between the SEC and the Cyber Crime Investigation Bureau.

Subsequently, on 20 December 2023, the Royal Thai Police, the Anti-Money Laundering Office, and the SEC jointly held a press conference. They stated that the actions of these offenders were considered as “jointly borrowing money in a manner that defrauds the public”, an offence under the Emergency Decree on Borrowings Which Are Regarded as Public Cheating and Fraud BE 2527 (1984), among other related offences under the Digital Assets Decree. Given the complexity of the financial transactions, the extensive number of victims, and the significant loan amounts involved, the case qualifies as a special case under the Special Case Investigation Act BE 2547 (2004). Therefore, it has been referred to the Department of Special Investigation as a special case for further investigation.

There are several regulations that fintech business operators must comply with to operate their businesses. However, those relating to privacy, cybersecurity, social media and software development are not specific to fintech businesses and apply to all business activities, including those conducted in a more traditional manner.

The Personal Data Protection Act BE 2562 (2019) (PDPA), which came into full effect on 1 June 2022, was introduced in order to create a regulatory regime and specify the requirements for processing and protecting personal data in Thailand. The Thai government introduced the PDPA to enhance personal data protection and align with the EU’s General Data Protection Regulation (GDPR).

Furthermore, the Cyber Security Act BE 2562 (2019) (CSA) categorises cyberthreats into three levels, as follows:

• non-serious cyberthreats;
• serious cyberthreats; or
• critical cyberthreats.

Such threats shall be subject to investigation and the private operator may be required to:

• provide access to relevant computer data or computer systems, or other information relating to the computer system;
• monitor computers or computer systems; and
• allow officials to test the operations of computers or computer system, or seize computers or computer systems.       

Auditors may monitor industry participants for accounting purposes. Industry participants may voluntarily perform internal audits for various matters – ie, IT audits. Currently, there are no other organisations that have the power to supervise, regulate or monitor participants in the fintech industry.

The Thai Fintech Association was recently established in Thailand and registered as a non-profit organisation. The organisation has the main obligation to:

• be a centre of knowledge of fintech;
• support the public’s use and accessibility to fintech services; and
• support standardisation of the fintech industry.

At the time of writing, the Thai Fintech Association has not been granted authoritative power by the regulator, nor have regulations been passed to allow it to supervise industry participants. However, as regulators appear to be encouraging self-regulatory mechanisms in the fintech industry, the Thai Fintech Association may become a key organisation in establishing wider sector policies and standardisation.

The Thai Fintech Association, the Thai Blockchain Association, the Thai Digital Asset Association and the Thai Digital Trade Association were all established to support and be the voice of each respective ecosystem.

Certain regulations restrict a licensee from providing business services other than those covered under the relevant licence held by the business operator or business services/activities that are related to the licensed business activity.

Under the Payment Systems Act, business operators licensed to engage in e-money services may not operate other businesses, except for those which such operators are licensed to perform or business activities that support e-money business services.       

The Anti-Money Laundering Act BE 2542 (1999) (the “AML Act”) and the Counter-Financing of Terrorism and Dissemination of Weapons of Mass Destruction Act BE 2559 (2016) are the two primary laws regulating anti-money laundering in Thailand. Fintech businesses may be required to comply with these two laws since they may deal with financial activities – ie, e-payment systems, money exchanges or financial institutions (as prescribed under the AML Act (the “Specified Operators”)). If a particular fintech business is included in the scope of the Specified Operators, such fintech operator is required to verify the identities of its customers upon commencement of certain types of activities, conduct customer due diligence, and report any suspicious transactions to the relevant authority.

As most fintech companies carry out their businesses as Specified Operators, they have a duty to comply with the criteria specified under the law, as follows:

• reporting transactions to the Anti-Money Laundering Office involving the use of cash or assets in an amount exceeding that prescribed in sub-regulations, or any suspicious transactions;
• identifying customers prior to making any transactions;
• determining policies for customers, preventing money laundering, risk management policies and conducting due diligence on customers when making the first transaction; and
• recording all facts relating to any transaction that has been made.

The criteria under the AML Act result in more procedures and steps for effectuating each transactions, and fintech companies may have to establish a compliance department to comply with anti-money laundering criteria. Also, fintech companies may have to prepare systems for storing information on transactions and customer data, and ensuring the security of such systems.

Thailand has not adopted regulations specifying which business operators or activities require use of robo-advisers, although some Thai fintech operators do utilise robo-adviser technology.

Wealth advisers are encouraged to use fintech to generate financial solutions and to serve as an aide to financial planning under the SEC’s framework. According to the Office of SEC’s Notification No SorThor 31/2561 Re: Rules in Details on Wealth Advisory Service Business, operators must complete the process of client contact and services in five steps, as follows:

• exploring and understanding customers;
• constructing an investment portfolio;
• implementing the portfolio according to the asset allocation plan;
• monitoring and rebalancing the portfolio; and
• providing consolidated reports for clients’ review.

A wealth adviser must also have an electronic system that can support the actions in the third and fourth points above.

Legacy players must comply with the regulations applicable to their traditional business activities and operations, including implementing robo-advisory services. In this regard, legacy players have been very quick to adapt and use robo-advisers in their businesses over the last few years. Private sector banks use robo-adviser-based solutions in developing tools for customer satisfaction, as well as new products and services, and improvements.

The most widespread use of robo-advisers occurs with wealth management in developing custom-made trading and wealth solutions.

Records available to the public do not show cases of customer complaints related to the use of robo-advisory services.

However, securities and derivatives business operators have an obligation to carry out their business on a best-execution basis as specified in the Notification of the Capital Market Supervisory Board No TorThor 35/2556 Re: Standard Conduct of Business, Management Arrangements, Operating Systems, and Provision of Services to Clients of Securities Companies and Derivatives Intermediaries. As such, securities and derivatives business operators who use robo-advisory technology also have a duty to provide their services on a best-execution basis.

The regulations for both online and offline loan business activities are generally the same. Different regulations apply, depending on the type of loan rather than on the business operations of the operator/service provider.

For example, a supervised personal loan is a loan provided to individuals, not corporations. A supervised personal loan cannot be granted where it is more than five times the average monthly income of a borrower with an average monthly income of THB30,000 or above. PICO finance is a personal loan granted to prevent or solve informal debt issues. A PICO finance loan may not exceed THB50,000 or THB100,000, depending on the type of PICO finance operator.

However, in 2021, the BOT permitted licensed personal loan business providers to offer digital personal loan services in Thailand with the approval of the BOT. Lenders may grant digital personal loans with a maximum credit amount of THB20,000. Effective rates of interest charged, together with the relevant fees, must not exceed 25% per annum. The BOT regulations relax certain criteria for the provision of personal loans and provide some flexibility, such as with the use of alternative data for financial service providers to provide online lending services.

There are no specific underwriting processes for online lenders prescribed by regulations in Thailand. Commercial banks may develop their own underwriting standards and compliance measures. If a loan is provided for a certain industry, specific industrial underwriting standards may apply. The BOT will monitor a commercial bank’s underwriting behaviour and may announce notifications to supervise any type of lending activities to upgrade underwriting standards if it appears that the current standards in the market are too lenient.

As mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, there are no specific regulations for online lending or offline lending. Online lending is subject to the same regulations as offline lending.

Thus, the source of funds, the method of raising funds and restrictions thereon will depend on the business activity.

Online lending is normally for individuals in Thailand. As such, syndication of loans is uncommon. However, there are no restrictions on syndicating online loans.

There are no specific requirements for payment processors to use existing payment rails such as credit cards or electronic payment settlement agencies. However, payment processors have to apply for a licence from the MOF as recommended by the BOT, or have to register with the BOT in accordance with the Payment Systems Act.

Payment processors who implement new technology into their business operations can apply to participate in the BOT’s regulatory sandbox if they meet all qualifications (see 2.5 Regulatory Sandbox).

Under Thai law, there are specific restrictions for inward remittances. However, outward remittances must be performed through an authorised agent of the BOT (ie, any commercial bank). A remittance of funds may also require permission from the BOT if the purpose of the remittance is restricted. In such case, the person remitting the money must obtain approval through an authorised bank by submitting supporting documents to the bank prior to the transfer of funds.

Nevertheless, if the amount of such remittances is equal to or more than USD200,000, supporting documents need to be submitted to the authorised commercial bank. The list of required supporting documents is not determined by regulations from the BOT. Each authorised bank is entitled to request any documentation from the person remitting funds at their discretion on a case-by-case basis, which can vary depending on the type of transaction (eg, loan, service agreement, sub-licence agreement and purchase price).

E-money Remittances

Outward e-money remittances must be performed through an authorised e-money operator. The purpose of outward e-money remittances is generally listed as payment of goods and services to others domiciled in a foreign country.

The BOT has issued a notice from the competent officer permitting non-bank operators to apply for foreign exchange e-money (FX e-money) licences to issue e-money in foreign currencies. These licences allow non-bank operators to make cross-border remittances for their customers’ payments of goods and services. Non-bank e-money service providers are thus able to cater for the demands of customers when travelling.

In general, a fund administrator, in the form of an outsourcing company that provides the service of supporting the process of managing a fund, is not directly regulated by any agencies in Thailand. However, operators or fund managers must comply with the regulations that are applicable to the outsourcing of their administrative work. The SEC has the power to announce the qualifications and guidelines applicable to the outsourcing of administrative services of funds to third parties. For example, according to Capital Market Supervisory Board Notification No TorThor 60/2561 Re: Rules, Conditions and Procedures for Outsourcing Functions related to Business Operations to a Third Party, the operator has to determine the policies, measurements and procedures for outsourcing to a third party to conduct work relating to the operator’s business in accordance with the criteria specified in the notification.

Nevertheless, the scope of the administrative regulation of the fund is also guided by the SEC to ensure that investors are protected, and that each fund has in place internal systems and policies that are standardised and reliable.

The contractual terms depend on the commercial issues and other regulations that may apply to a specific financial service provider. However, for outsourcing in connection with securities service providers, Capital Market Supervisory Board Notification No TorThor 60/2561 Regarding Rules, Conditions and Procedures for Outsourcing Functions related to Business Operations to a Third Party specifies required clauses that securities service providers must include in a written contract regarding obligations for services related to business operations to a third party. Under this notification, terms required in a written contract include the following.

• Duties and responsibilities of the service provider, covering at least the following:
1. liability to the intermediary as a result of the service provider acting or omitting to act intentionally or negligently;
2. measures and arrangements for the business continuity of the service provider which must include the outsourced function;
3. information security, confidentiality and privacy regarding information of the intermediary and clients; and
4. that the service provider must comply with the rules regarding the outsourced function as prescribed by the SEC, the Capital Market Supervisory Board or the Office of the SEC, including the guidelines specified by the intermediary in compliance with such rules.
• Consent of the service provider for the Office of the SEC to inspect its operation, and to examine or retrieve for viewing relevant evidentiary documentation.
• Causes, conditions and procedures for terminating the contract or suspending operation (under such contract).
• Remuneration and charged expenses.

Digital asset exchanges are trading platforms for both cryptocurrency and digital tokens. Currently, exchanges for cryptocurrency and digital tokens are subject to the same regulatory regime as applies under the Digital Assets Decree.

Cryptocurrency and digital tokens are both governed by the Digital Assets Decree; however, the regulatory regime with respect to digital asset operators is substantially similar for both cryptocurrency and digital tokens.

Nonetheless, certain cryptocurrencies and digital tokens are prohibited from being listed and traded on licensed digital asset exchange platforms; for example, meme tokens, fan tokens and NFTs.

A potential change of the regulatory structure is discussed under Regulating Digital Assets in 12.3 Classification of Blockchain Assets.

Cryptocurrency exchanges are subject to a separate regime under the Digital Assets Decree. See 7.1 Permissible Trading Platforms for more information.

The SEC prescribes the listing standards for an initial coin offering (ICO) in SEC Notification No GorJor 15/2561 re: Offering of Digital Tokens to the Public.

Requirements

According to the listing standards, among other requirements, the applicant for an ICO must be a limited company or a public limited company that is not insolvent. The applicant must show that the ICO portal has considered that the ICO is in compliance with this notification. There are also requirements regarding the underlying assets if the underlying assets of the digital tokens are real estate or infrastructure.

There are certain requirements that the offeree must comply with, and limitations on the number of digital tokens that can be offered to general investors unless it is the offering of real estate-backed or infra-backed digital tokens. The applicant must also prove to the Office of the SEC that the business models and smart contracts are enforceable and that the applicant will not take advantage of the investors.

In 2023, the SEC added additional requirements for debt-linked and infra-backed ICOs to align with the digital offering standards, which are structured similarly to those for securities under securities law.

Approval

Prior to the offering, the issuer must obtain approval from the Office of the SEC, and submit registration statements and draft prospectuses as indicated in the SEC’s notification. The offer for sale of digital assets is permissible only after the registration statements and the draft prospectuses have been approved by the SEC. The offer for sale must be made via the system provider, the ICO portal, that is approved by the SEC.

There are no specific order handling rules applicable to digital asset operators.

Currently, peer-to-peer energy trading platform initiatives in the energy sector are on the rise, while adoption of peer-to-peer trading platforms in other industries (including fintech) is still rather limited.

This type of platform may not fit into the existing categories of businesses eligible for licences and, therefore, the SEC may need to revise the regulations on digital assets to capture this type of platform.

The best-execution requirement is one of the duties imposed on securities and derivatives business operators under Capital Market Supervisory Board Notification No TorThor 35/2556 Re: Standard Conduct of Business, Management Arrangement, Operating Systems, and Providing Services to Clients of Securities Companies and Derivatives Intermediaries.

For digital asset transactions, there are no specific order handling rules applicable to digital asset operators.

There are no specific rules of payment for order flow applicable to digital asset operators. However, there is a general prohibition on the receipt of benefits in excess of that which should be received or rewarded in normal commercial practice.

Under the Securities and Exchange Act BE 2535 (1992), various offences are listed, aimed at protecting market integrity and preventing market abuse, including:

• insider trading – anyone who has material inside information is prohibited from the buying or selling of securities to which such inside information is related;
• market manipulations – trading of securities with an intent to manipulate the market is also prohibited; and
• misstatement – dissemination of false information with an intent to mislead is also prohibited.

The regulations do not specifically state the criteria for using algorithmic trading for each asset.

However, under the Stock Exchange of Thailand (SET) Notification Re: Procedures on Trading, Clearing and Settlement of Securities in the Exchange, specifying the criteria for the use of computer programs in creating and recording orders automatically (“Program Trading”) including algorithmic trading, an operator who wishes to use Program Trading has to obtain approval from the SET prior to such use.

The SET also provides guidelines regarding the qualifications and criteria for Program Trading that will be used in the market.

Under the SET Notification Re: Persons Involved in the Trading System BE 2555 (2012), persons having the following qualifications are required to register as market makers:

• being a member or a non-member juristic person certified as a market maker by a member whereby such juristic person shall undertake clearing and settlement through the member;
• possessing experience as a market maker or possessing personnel with sufficient knowledge and expertise to be trusted to perform the duty of a market maker;
• having in place a system or procedure that indicates readiness to act as a market maker including sufficient policies and measures for risk management;
• not being currently prohibited from undertaking registration as a market maker under Clause 12 (2) (ie, not having had their registration as an authorised officer revoked as a penalty by the SET within five years prior to the application for the appointment); and
• possessing other qualifications as prescribed by the SET.

Moreover, the Thailand Futures Exchange (TFEX) has also specified that the following qualifications are required to register as a market maker:

• being a member of the TFEX, or a (member’s) corporate client who is a member named to the TFEX as a market maker, or being any other juristic person having a clearing guarantee agreement with a TCH member;
• having the experience of being a market maker for derivatives trading or having personnel who possess credible knowledge and competency to act as a market maker;
• having sufficient system readiness or being able to demonstrate that there is in place a procedure and readiness to act as a market maker, and also having in place a risk management policy to deal with potential risks that may arise from the marker maker’s duty; and
• having stable financial status and not being subject to any risk that may the affect the market maker’s duties.
• The TFEX may stipulate such additional qualifications as it deems appropriate for persons wishing to be any of the following market makers:
• a market maker who is either a juristic person customer whose status as a market maker has been notified to the TFEX by a member or a juristic person having an agreement with a TCH member to guarantee clearing and contract settlement; or
• a market maker in futures of which the underlying goods or variable must be approved by regulator.

From a regulatory perspective, there is no distinction between funds and dealers in the algorithmic trading area.

There is no regulation under Thai law specifically governing programmers and programming. However, for programming, an algorithm has to be approved by the authority and the programmers have to be aware of the prohibited characteristics of trading as specified in the Securities and Exchange Act BE 2535 (1992) (the “SEC Act”).

There is no specific regulation governing the use of high-frequency and algorithmic trading involving DeFi.

There is no specific regulation governing operators providing financial research services.

The SEC Act specifies measures and punishments for any persons who spread rumours and information that might cause manipulations or misunderstandings in the securities market.

For example, pursuant to the SEC Act, a person who informs, disseminates or certifies any statement or information that is false or materially misleading about the financial condition, business operation, the price of securities or any other information related to a securities-issuing company in a manner that is likely to have an effect on the price of securities or the decision-making on securities investment shall be subject to punishment.

In addition, a person spreading rumours that are false may be subject to the Computer Crime Act Criminal Law BE 2550 (2007), since the act states that any person involved in importing to a computer system forged computer data, either in whole or in part, or false computer data, in a manner that is likely to cause damage to a third party or the public shall be subject to punishment.

Regarding legislation, as mentioned in 9.2 Regulation of Unverified Information, the SEC shall punish a person who spreads information that may mislead the public.

Underwriting processes differ according to the products and business operators. The relevant insurance laws (ie, the Life Insurance Act BE 2535 (1992) and the Non-Life Insurance Act BE 2535 (1992)) govern various aspects of the underwriting processes of business operators. In particular, the sale and offering of insurance products are heavily regulated.

Given the extent of insurance regulation, insurtechs normally face a number of legal obstacles. Recognising these constraints, and at the same time trying to promote innovation in the industry, the OIC, the insurance industry’s regulating entity, launched the OIC insurance regulatory sandbox and set up the Centre of InsurTech Thailand (CIT) with the aim of promoting insurtech.

There are two applicable regulatory regimes:

• the life insurance regime under the Life Insurance Act BE 2535 (1992) which covers life and annuities; and
• the non-life insurance regime under the Non-Life Insurance Act BE 2535 (1992) which covers property and casualty.

Many aspects of these acts are similar, but the licences for life insurance and non-life insurance business are separate and the same legal entity cannot engage in both types of business.

There are no overarching regulations that govern regtech generally. Whether regtech providers are subject to any regulations needs to be analysed on a case-by-case basis.

Currently, in Thailand, an area that is considered one of the most advanced in terms of regtech development is electronic authentication and verification of identity (e-KYC).

After the amendment to the Electronic Transaction Act BE 2544 (2001) No 4, authentication and verification of identity in electronic form became recognised and admitted under Thai law.

Electronic Identity Verification

The BOT has also adopted electronic authentication and verification of identity for the opening of accounts with financial institutions. Previously, financial institutions had to conduct know your customer (KYC) processes on a face-to-face basis (physical KYC). Non-face-to-face KYC has been accepted in practice since the relevant notification of the BOT was adopted. Electronic KYC can be performed by financial institutions for the opening of accounts by customers via online platforms.

In addition to electronic KYC, there is another central platform in Thailand called the National Digital ID Platform (the “NDID Platform”). This system collects customers’ information for use by any financial institutions to verify customers. The NDID Platform is thus an important system for Thai financial institutions to use to verify their customers, and many banks in Thailand have decided to use it to facilitate the KYC process.

The contractual terms of use of service provided by a third party may also be regulated depending on the type of business. Theoretically, certain functions, which are not the main activities of financial service providers (which normally require a licence, approval or registration), can be outsourced to a third party.

For instance, pursuant to BOT Notification No SorNorSor 16/2563 Re: Regulations on the Use of Services from Business Partners of Financial Institutions, in order to use the services of a business partner, the financial institution must create guidelines on risk management and customer protection. Moreover, all strategic functions must be carried out directly by the financial institutions themselves. In addition, the financial institutions also have to submit an annual report to the BOT on the use of services provided by business partners that may cause significant risks to – or have an impact on – the public at large.

In respect of IT outsourcing, financial institutions have to comply with the guidelines on risk management implementation of third parties. These cover issues such as risk governance, third-party risk management and reporting obligations to the BOT.

Non-regulated contractual terms largely depend on the commercial issues and other regulations that may specifically apply to that financial institution. Therefore, contractual terms must be negotiated and agreed on a case-by-case basis.

Many Thai financial institutions, including the BOT, have been keen on adopting blockchain technology.

In 2020, the BOT launched a new blockchain-based platform for government bond issuance. This project is a collaborative effort with the Public Debt Management Office, Thailand Securities Depository Co, Ltd, Thai Bond Market Association and several selling-agent banks.

In addition, certain commercial banks in Thailand have adopted blockchain technology in order to develop their operations, such as monitoring the correctness of financial transactions, cross-border transfers of funds, issuing bank guarantees and development of other aspects relating to financial infrastructure.

In 2022, the Letter of Guarantee on Blockchain (eLG) developed by BCI (Thailand) Co, Ltd passed the test under the BOT Regulatory Sandbox and was deemed ready for offering broad services aimed at serving not only financial institutions or governmental sectors but also various business sectors – ie, petroleum, construction or automotive businesses. Currently, there are more than 170 organisations utilising this service.

Even though the BOT and the Office of the SEC are very cautious about the sale of blockchain-based digital assets and cryptocurrency, they and other local regulators are very positive about wider uses of blockchain technology and are keen on utilising it.

The Digital Assets Decree, which governs blockchain assets under the defined term “digital assets”, separates digital assets into two types: cryptocurrency and digital tokens.

“Cryptocurrency” is defined as an electronic data unit built on an electronic system or network that is created for the purpose of being a medium of exchange for the acquisition of goods, services or other rights, including the exchange between digital assets.

A “digital token” is defined as an electronic data unit built on an electronic system or network for the purpose of specifying the right of a person to participate in an investment in any project or business, or to acquire specific goods or services. Digital tokens are further separated into two types: investment tokens and utility tokens.

Regulating Digital Assets

Currently, the SEC regulates digital assets based on the activities of the operators, with some differences depending on the types of digital assets (eg, there are some differences in requirements for underlying assets that are in the form of real estate and infrastructure) under the Digital Assets Decree.

The closest concept to “issuers of blockchain assets” are the “issuers” of digital assets under the Digital Assets Decree.

The issuer of an initial coin offering (ICO) must be a limited company or a public limited company. Similar to as discussed in 7.4 Listing Standards, prior to the offering, the issuer must obtain approval from the Office of the SEC, and submit registration statements and draft prospectuses as indicated in the relevant SEC’s notification. The offer for sale of digital assets is permissible only after the registration statements and the draft prospectuses have been approved by the SEC. The offer for sale must be made via the system provider, the so-called ICO portal, which has been approved by the SEC.

Regarding a potential change of the regulatory structure, see Regulating Digital Assets in 12.3 Classification of Blockchain Assets.

The closest concept to a blockchain asset trading platform under Thai law is a “digital asset exchange” under the Digital Assets Decree. A “digital asset exchange” is defined as any centre or network established for purchasing, selling or exchanging digital assets, by means of the matching or finding of parties or the provision of a system or facilities whereby those intending to purchase, sell or exchange digital assets may reach agreements or may be matched.

Digital asset exchange operators must apply for permission. This would be granted by the MOF upon the SEC’s recommendation. The appointment of directors and executives of the operator must also be in accordance with the relevant notification and such appointment will be valid upon approval by the Office of the SEC.

The exchanges are obliged to comply with all guidelines specified by the Office of the SEC, including on source of funds, protection of customers’ assets, prevention against electronic theft, KYC measures and a reliable accounting system approved by the SEC. Among other obligations, the operator must segregate the retained customers’ assets from its own assets.

Under SEC Notification Re: Rules, Conditions and Procedures for Undertaking a Digital Asset Business (No 11) (the “NFT Regulations”), digital asset exchanges are obliged to set listing rules to prohibit token issuers from listing utility tokens or certain types of cryptocurrencies that have the following characteristics.

• Meme tokens – having no clear objective or substance or underlying substance, and whose price is based on social media trends.
• Fan tokens – tokens dependant on the fame of influencers.
• Non-fungible tokens (NFTs) – a digital creation to declare ownership or grant of rights in an object or other specific right. It is unique and not interchangeable with digital tokens of the same category and type at the equal amount.
• Digital tokens that are utilised in a blockchain transaction and issued by digital asset exchanges or related persons.

According to the SEC’s draft regulations on ready-to-use utility tokens launched for public hearing in early 2023, some types of tokens may be banned from being listed on digital asset exchanges, and the provision of services in relation to such tokens, including trading by digital asset dealers and brokers, is prohibited.

Thai law is silent on how funds can be invested in blockchain assets.

Virtual currencies are not a defined term under Thai law. However, under the Digital Assets Decree, “cryptocurrency” is defined as “an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services, or other rights, including the exchange between digital assets”. Cryptocurrency is different from digital tokens in the sense that it is a medium of exchange, while digital tokens, which are another type of blockchain asset defined under the Digital Assets Decree, have the main purpose of determining the right to participate in an investment or to acquire goods or services.

See also 12.3 Classification of Blockchain Assets.

The term “DeFi” is not defined under Thai law. Thus, there is no specific regulation on DeFi platforms or transactions. However, on a case-by-case basis, if any transaction related to DeFi relates to the purchase and sale of digital tokens and cryptocurrency, or other regulated business, operators related to the DeFi business are subject to the Digital Assets Decree.

To determine whether an NFT will be regulated under Thai law, a determination of whether that NFT falls within the definition of a “digital token” under the Digital Assets Decree is needed. Certain NFTs may be considered as utility digital tokens if such NFTs grant the holder a right to obtain any goods, services or assets.

Under the SEC’s guidelines issued on 6 January 2022, there are certain types of NFTs that are exempted from NFT regulations and the Digital Assets Decree, including NFTs that are utility tokens with ready-to-use underlying products or services as of the date of offering. To further elaborate, an NFT that is exempted is that which is an asset itself, being inseparable, and does not represent any rights or the intention to be utilised as a medium of exchange (eg, an NFT that is created by storing a digital file on an Interplanetary File System (IPFS) issued for the convenience of exchange, and such digital file and the NFT must be transferred together, inseparable and cannot be modified).

In addition, the SEC has published draft regulations for public hearing on 25 January 2023 proposing the regulatory approach that certain types of ready-to-use utility tokens, including some types of NFTs, will continue to be exempted from the Digital Assets Decree, and business operators providing related services thereof will no longer fall under the digital asset business licence requirement. Such exempted NFTs must be those providing the right to receive specific products or services for utilisation or consumption purposes (ie, NFTs of artworks, images, music, stamps or videos with a specific right for the holders) and must not be used as a means of payment under the BOT’s definition.       

Thailand saw its first open banking initiative in January 2022 when the BOT, the Thai Bankers’ Association and the Government Financial Institutions Association introduced the “dStatement”, which is an exchange of financial statement data among banks to support digital loan applications.

To date, open banking implementation in Thailand remains subject to feasibility studies and the application programming interface (API) standards are yet to be finalised, but significant first steps have been taken by the BOT.

In November 2023, the BOT published a consultation paper on “Open Data for Consumer Empowerment”, which aims to build a mechanism that allows consumers to exercise their rights to conveniently and securely transfer their data stored at one provider to another so that consumers can apply for and receive better services from any provider.

All financial institutions need to comply with the Personal Data Protection Act BE 2562 (2019), which came into full effect on 1 June 2022, in order to process personal data – for example, as regards the following:

• notifying the processing of personal data;
• obtaining prior consent from the customers if the processing of their personal data does not fall under any lawful basis of processing (eg, performance of contract, legal obligation); and
• providing channels for customers to exercise rights regarding their personal data.

Fraud can occur in various businesses including financial services and fintech, and may be subject to different laws in Thailand depending on the nature of the fraud and the industry sector in which it takes place, such as digital assets, payment systems, insurance.

However, the offence of fraud under such specific regulations shares similar basic elements to the general concept of fraud in the Criminal Code BE 2499 (1956) as follows:

• Misrepresentation or deception: any person deceives another by making any false statement or concealing any fact that should have been disclosed.
• Intent to deceive: such person has a dishonest intention to seek benefits that should not be in a legitimate manner for themselves or others.
• Unlawful gain: such person, thereby:
1. obtains property from the deceived person or any third party; or
2. causes the deceived person or any third party to execute, remove or destroy any document of rights.

These elements constitute an offence of fraud, which typically leads to imprisonment and/or a fine under the Criminal Code. However, if such offence is subject to specific laws as mentioned earlier, the liability will be determined in accordance with those laws.

In addition, the recent global increase in financial fraud, characterised by greater complexity and new approaches, particularly in countries with high rates of real-time payment systems use, including Thailand. This has led to the enactment of the Emergency Decree on Technology Crime Prevention and Suppression Measures B.E. 2566 (2023) in March 2023, which was introduced as a measure to promptly address financial fraud in Thailand. The law imposes obligations on relevant government authorities and business sectors to contribute to the prevention of technological crimes and specifically provides for stricter punishments for such crimes including financial fraud.

According to a report by the BOT, the types and patterns of fraud in Thailand that are most commonly found and which have attracted the attention of government authorities include the following:

• money mule and mule accounts;
• phishing – eg, phone scams, voice phishing, or smishing;
• identity theft; and
• e-wallet hacking.