Thailand is a pioneer in ASEAN in the adoption of 5G technology to improve and expand the country’s capacity for deep technology, such as blockchain, artificial intelligence (AI), big data, robotics, cloud computing and machine learning. As a result of the proactive development of its information and communications technology (ICT) facilities and the regulatory environment, Thailand is one of the fastest-growing fintech markets in ASEAN and currently has one of the world’s largest consumer bases for fintech mobile banking.

According to the latest data from the Bank of Thailand (BOT), published as of the date of this article (January 2025), the volume of e-payments in Thailand has consistently been increasing. Internet and mobile banking are the most popular e-payment channels, with approximately 144.3 million accounts and more than 6.28 billion transfers and payment transactions until October 2024.

Developing Accessibility

The Thai government has been promoting fintech by developing accessibility to government platforms. The BOT has collaborated with global card network service providers to create the “Thai QR Code”, which facilitates payments via debit cards, credit cards, e-wallets and e-payments through bank accounts using the Thai QR Code as an intermediary.

Following the COVID-19 pandemic, Thai people have become more familiar with contactless payment systems. Therefore, electronic transactions have become increasingly common in Thailand.

In addition, the BOT, together with the central banks of four other ASEAN countries (Indonesia, Malaysia, the Philippines and Singapore), has signed a memorandum of understanding to expand the fast cross-border payments, known as Project Nexus, which aims to standardise connections between domestic instant payment systems (IPS) to enable cross-border payments within 60 seconds.

Project Nexus: Enhancing Cross-Border Payments

Project Nexus is a groundbreaking initiative managed by the Nexus Scheme Organisation (NSO) and supported by the Bank for International Settlements (BIS). The project seeks to create a scalable and interoperable network for instant cross-border payments across ASEAN and potentially beyond. Instead of requiring a payment system operator to build custom connections for every new country, the operator only needs to make a single connection to the Nexus platform.

Project Nexus has global ambitions, aiming to connect multiple domestic IPS to form a scalable global network. The project aligns with the G20 Roadmap for Enhancing Cross-border Payments, which seeks to make instant payments affordable and easy for users across participating countries. The project has already seen significant progress, with the Reserve Bank of India joining the initiative and expanding the potential user base to India’s Unified Payments Interface (UPI), the world’s largest IPS.

In summary, Project Nexus represents a significant step forward in the quest to enhance cross-border payments, leveraging innovative technology and international cooperation to create a seamless and efficient payment network.

Regulation of the Digital Asset Market and Businesses

Several significant regulations and guidelines regarding the digital asset market and business have been issued by relevant regulators, requiring digital asset business operators to be subject to numerous additional obligations in their business operations and marketing plans. Among these, the most impactful included the Securities and Exchange Commission of Thailand (SEC), in joint consideration with the BOT and the Ministry of Finance (MOF), enacting a notification prohibiting digital asset business operators from using digital assets as a means of payment for goods and services. This led to an abrupt decline in the use of digital assets as a means of payment. The SEC also put in place regulations imposing more restrictions on businesses – eg, the prohibition of privacy coins to prevent digital assets being used for illegal activities, and limitations on the advertising of digital assets. However, in 2024, the SEC issued an exemption from this restriction for the operation of digital asset businesses, specifically for the programmable payment tests under the BOT’s regulatory sandbox.

The SEC updates its rules to keep pace with digital asset-related changes, protect investors, and boost market growth. Some key 2024 regulatory updates include:

• new approaches for ready-to-use utility tokens;
• ICO governance standards, such as checks, resolutions, and advertising;
• enhanced governance of digital asset businesses, including structure, operations, and qualification criteria;
• easier shelf filing ICOs for the soft power and digital economy sectors; and
• a payment exemption for the BOT’s sandbox project.

In addition, in August 2024, the SEC proposed a draft bill amending the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) (the “Digital Assets Decree”), which marks the first draft amendment to the primary legislation governing digital assets in Thailand. This amendment aims to enhance regulatory efficiency and align with international standards, ensuring appropriate oversight based on the nature and risks of each digital asset type. Key changes to the proposed draft bill include redefining digital assets as crypto assets to set out a positive list that clearly defines the types of digital assets that fall under regulation, improving the regulatory approach for ICOs from an approval-based system to a disclosure-based system, aiming to streamline the process and enhance transparency, prohibiting digital assets as means of payment, and adjusting provisions regarding penalties and prescription for certain offences under the Digital Assets Decree. The bill is currently under development and is expected to be enacted shortly.

Digital Transformation in the Thai Financial Sector

In addition to the surge in digital payments in Thailand, digitalisation has been systematically integrated into diverse facets of the country’s financial services industry. This evolution is evident in:

• the increasing number of service providers – and subsequent rising competition – in the digital savings or e-savings market; and
• the enhancement of regulatory sandboxes, coupled with the relaxation of certain legal restrictions, aims to promote a more diverse range of digital service experiments within Thailand’s financial sector, including programmable payment and digital assets, which will enable authorities to identify appropriate measures to manage the risks associated with such financial technologies while ensuring adequate protection for users.

Furthermore, there has been progress in open data initiatives to empower consumers to transfer their data conveniently and securely from one provider to another, enabling them to access superior services.

Issuance of Legal Framework for Virtual Banks

Due to the rapid development of digital finance, almost all business operators in Thailand, whether banks or non-banks have been focusing on providing services via digital channels. In 2024, the MOF issued a notification outlining the criteria, conditions, and procedures for applying for a license to establish branchless commercial banks, also known as “virtual banks.” Concurrently, the BOT announced regulatory guidelines to accommodate the operations of future virtual bank licensees. These new frameworks aim to promote financial inclusion and enhance competition within the financial market. Five applicants were in the first round of applications, which concluded in September 2024. The names of those approved by the MOF to establish virtual banks are anticipated to be announced by mid-2025. Licensed operators will be required to prepare and commence operations within one year of the MOF’s approval.

The major players in the Thai fintech industry are predominantly financial institutions and traditional non-banking financial institutions, which have adopted technology for their services to facilitate customers’ needs and to increase their market share. Other players include venture capitalists and start-ups.

The main fintech business models in Thailand are as follows.

E-money, E-wallets and E-payment

E-money, e-wallet and e-payment service providers are some of the most significant players in the Thai fintech industry. Their business operations and services can now be conducted or provided through their online platforms rather than physical branches.

Other than financial service providers, a number of new players are entering this area, most of whom are backed by venture capitalists and as start-ups that co-operate and partner with major social platform business operators. This can also serve as an alternative solution for foreign financial service providers facing certain capacity limitations or stringent qualification requirements under Thai law.

Digital Assets

In 2018, the SEC recognised digital tokens and cryptocurrency as digital assets. Business operators in this sector are categorised into two groups, as follows.

Primary market

The business operator in the primary market can be either:

• an ICO issuer looking to raise funds by issuing coins; or
• an ICO portal providing token digital system services.

As of the end of 2024, four ICO issuers have received SEC approval in Thailand. Real estate-backed and project-backed digital tokens have been issued. For the first and third ICO projects, the token-holders are entitled to receive revenue shares from the revenue streams of the underlying assets of the tokens.

Secondary market

In the secondary digital assets market, service providers related to digital assets that are currently recognised by Thai regulations and supervised by the SEC are as follows:

• digital asset exchanges;
• digital asset brokers;
• digital asset dealers;
• digital asset advisory services;
• digital asset fund managers; and
• digital asset custodial wallet provider.

Digital Lending

Digital lending is an important platform that financial service providers use to reach new retail customers, eliminate physical limitations, and facilitate business activities with customers. Many financial service providers, especially personal loan providers, are interested in expanding their online services.

Some financial service providers have chosen to co-operate with social platform operators in providing digital lending services to the platform’s customers, and vice versa, rather than develop their own (online) platform and obtain licences.

Peer-to-Peer Lending Platforms

There are few players in the peer-to-peer lending market due to Thailand’s lack of information and precedent cases. Peer-to-peer lending platforms are electronic platform services that link lenders and borrowers. The platforms’ role also includes facilitating loan contracts and carrying out fund transfers and repayments between the parties. According to the BOT, one peer-to-peer lending service operator has obtained a licence to operate its business from the MOF. Additionally, two operators are testing their systems in the BOT regulatory sandbox as of November 2024.

Crowdfunding

Both equity and debenture crowdfunding exist for private and public limited companies through crowdfunding portals in Thailand. In this respect, crowdfunding, where shares or debentures are issued as consideration, is deemed a type of public offering under SEC regulations. A crowdfunding portal operator must obtain a licence from the Office of the SEC.

Currently, the fintech industry is not directly regulated by any specific overarching legislation in Thailand. However, operators need to comply with certain business-related regulations.

The key regulations related to fintech business activities are as follows.

Payment Systems (Including E-money, E-wallet and E-payment)

In order to enhance the supervision of payment systems and payment services, the Payment Systems Act B.E. 2560 (2017) (the “Payment Systems Act”) was enacted and came into effect on 16 April 2018. Its main purpose is to regulate the following.

Highly important payment systems are payment systems that are important to the security and stability of the country’s payment systems, financial systems, or monetary systems.

Designated payment systems, which are:

payment systems that are networks between system users that handle fund transfers, clearing or settlement, such as retail fund transfer systems, payment card networks, and settlement systems; or

any other payment systems that may affect the public interest, public confidence, or stability and security of the payment systems.

Designated payment services, which are:

• provision of credit cards, debit cards or ATM card services;
• provision of e-money services;
• provision of services for accepting electronic payments for and on behalf of others;
• provision of e-money transfer services; and
• other payment services which may affect payment systems or the public interest.

Digital Assets

The Digital Assets Decree was enacted to regulate offerings of digital assets (cryptocurrencies and digital tokens) and businesses undertaking digital asset-related activities. The Digital Assets Decree aims to ensure that digital assets market standards align with international standards and protect market players.

Digital Lending

On 15 September 2020, the BOT issued Circular No BOT.FhorGorSor (01) Wor 977/2563 Re: Criteria, Procedures and Conditions on Digital Personal Loan Business Operations. The purpose of this BOT circular is to relax the criteria for personal loans for those without regular – or proof of – income or for those without collateral and to provide flexibility to personal loan providers in providing personal loans in electronic form. However, for other types of loans which are not personal loans, financial service providers still have to comply with regulations that do not specifically regulate digital lending.

Peer-to-Peer Lending Platforms

On 31 July 2020, BOT Notification No SorNorSor 14/2563 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer Lending Platform Businesses (the “Peer-to-Peer Lending Platform Notification”) was announced in the Government Gazette and became effective on the same date.

Electronic Transactions

The Electronic Transactions Act B.E. 2544 (2001) (the “Electronic Transactions Act”) supports the legal validity of electronic transactions performed via electronic systems. If a transaction is conducted electronically in accordance with the rules and procedures outlined in the Electronic Transactions Act, it is considered legally binding, just like a transaction conducted through other methods or platforms that adhere to applicable laws.

The criteria and restrictions for charging service fees depend on the type of business, business model and services provided to customers. The criteria for disclosing services or fees depend on the regulations related to the business or business activity the operator carries out. Generally, the operator has to disclose details of the fees that will be charged to customers, as well as the threshold or criteria for setting these fees.

For example, under the Payment Systems Act, payment service providers must disclose information on service fees as follows.

• Display or communicate service fees, which must be reasonable, to customers at service locations or through other channels.
• Notify customers of any detrimental fee changes, either at service locations or through other channels, at least 30 days before they take effect.
• Details of service fees must be submitted to the BOT electronically, as specified by the BOT, as soon as possible from the commencement date of undertaking the business and each time there is a change in service fees.

There are no significant differences between regulations governing fintech operators and regulations governing legacy players. Some fintech business operations are covered by licences already held by legacy players. Both fintech operators and legacy players shall comply with the regulations set out in the 2.2 Regulatory Regime. Other relevant laws and regulations applicable to general business enterprises will also apply.

Financial Services

In 2024, the BOT introduced new regulatory sandbox guidelines developed from past concepts, aiming to enhance the progression of FinTech, extend the scope of the scope of technologies that can be tested in the sandbox, and study the appropriate regulatory approaches for these technologies. According to the past regulatory sandbox guidelines, there were two concepts of a sandbox, namely “Regulatory Sandbox” and “Own Sandbox”, and in 2024, a new sandbox concept called “Enhanced Regulatory Sandbox” was also added.

For the Regulatory Sandbox, financial service operators that can apply for testing in this sandbox must meet the following conditions.

• Be under the BOT’s supervision.
• Offer new or improved financial services or fintech innovations.
• Offer financial services which:
1. contribute to the development or standardisation of Thailand’s financial sector in collaboration with other providers; or
2. are required to be tested in the BOT’s Regulatory Sandbox.

The participants consist of:

• financial institutions;
• companies within a group of financial institutions;
• non-banks under the BOT’s supervision;
• fintech firms; and
• technology firms either test independently or in collaboration with those mentioned above.

As of January 2025, there are various financial innovations running tests under these regulatory sandboxes, eg, e-money on blockchain, cross-border payment, digital RD, peer-to-peer lending, national ID, programmable payment, TrustBiz Connext, letter of guarantee, biometric technology, QR payment, etc.

Securities

The amended regulatory sandbox regulations that became effective in 2020 afford operators more flexibility by increasing the types of businesses that can participate. According to the SEC, the types of business under the amended regulatory sandbox regulations cover all activities in capital markets. The additional types of businesses are as follows:

• intermediaries – ie, securities investment advisory services, private fund management businesses, derivatives agent businesses, derivatives dealing businesses, derivatives advisory services, derivatives fund management businesses, newly-added securities brokerage businesses, securities dealing businesses, securities underwriting businesses, mutual fund management businesses and securities borrowing and lending (SBL) businesses;
• post-trading service providers – ie, securities clearing houses, securities depository centres, securities registrars, and the newly added derivatives clearing houses;
• trading system service providers – ie, electronic trading platforms (ETPs), and the newly added securities trading centres and derivatives exchanges; and
• digital infrastructure for capital market providers.

Digital Asset Services

The SEC’s Digital Asset Regulatory Sandbox initiative, launched in August 2024, further expands the scope of innovation in the capital markets by allowing participants to test and develop digital asset services under flexible regulatory guidelines. This initiative aims to improve service efficiency, reduce operational costs, and provide investors with access to new and improved digital asset services. Participants in the sandbox are required to use innovative technologies such as smart contracts and AI to enhance their services. The sandbox supports six types of digital asset services, ie, digital asset exchanges, digital asset brokers, digital asset dealers, digital asset fund managers, digital asset advisors, and digital asset custodial wallet providers.

Insurance

The Office of the Insurance Commission (OIC) issued a notification on insurance regulatory sandboxes in 2019, allowing both life and non-life insurance industry operators to conduct testing in their own sandboxes for certain cases.

The jurisdiction of each regulator depends on the type of financial service provided rather than the type of technology the operator of such business adopts. The key regulators of fintech businesses concerning financial services, securities and insurance in Thailand are, respectively:

• the MOF and the BOT;
• the MOF and the SEC; and
• the Anti-Money Laundering Office (AMLO).

The BOT has the power to supervise, examine, and analyse the financial status, performance, and risk management systems of financial institutions to enhance the stability of Thailand’s financial status as a whole. Thus, the BOT will predominantly supervise fintech activities relating to financial institutions, including digital lending and peer-to-peer lending payment systems, e-wallets, e-money and e-payments.

The SEC is the regulatory unit supervising capital markets. Capital markets are the main mechanisms for efficient mobilisation, allocation and monitoring of the utilisation of Thailand’s economic resources. The SEC also governs businesses that crowdfund, including those in the digital asset industry (cryptocurrencies and digital tokens).

The AMLO is Thailand’s regulatory body overseeing financial transparency and compliance with AML and counter-terrorism financing (CTF) regulations. It monitors both traditional and digital transactions to prevent money laundering and financial crimes.

In Thailand, the SEC currently does not officially adopt the concept of no-action letters used in the United States. However, the SEC can provide legal advice and guidance to companies and individuals to help them comply with SEC regulations and conduct activities involving SEC regulations with confidence.

The outsourcing restrictions applicable to each type of business depend on the relevant regulations. Thus, different businesses may have different restrictions on outsourcing. Business operators that conduct designated business activities under the relevant regulations must obtain licenses, approvals, or register with the appropriate authorities. Certain functions in the operations of such designated business that are not the main activities under the respective licences, approval or registration can be outsourced to qualified persons/to the extent that such outsourcing is not done to circumvent the relevant requirements.

For example, financial institutions can use IT outsourcing services provided by third parties. However, the guidelines on risk management implementation of third parties must be followed. The guidelines cover risk governance, third-party risk management and reporting obligations to the BOT.

Regulations require that payment service providers, such as e-money or e-payment service providers, have protocols for third-party services as follows:

• risk management measures and regular assessments for outsourced services;
• outsourcing agreements allowing internal, external and BOT auditors to audit outsourced payment services;
• a business continuity or disaster recovery plan covering outsourced service activities; and
• risk assessments for cross-border services.

In December 2024, the SEC held a public hearing on outsourcing guidelines for ICO portals. Under the guidelines, ICO portals can outsource certain functions, such as customer service and token sales support, but not digital token screening. The SEC’s guidelines also require ICO portals to:

• establish and follow outsourcing policies and rules;
• outsource reasonably without ceasing business operations;
• be responsible and act in the best interests of customers, complying with laws and regulations;
• notify the SEC of outsourcing arrangements or any changes within 15 days; and
• submit an annual outsourcing summary report to the SEC.

Moreover, the SEC must approve outsourcing due diligence tasks regarding business and technology, such as smart contract source code. This ensures that outsourcing follows the SEC’s rules and keeps the ICO portal’s core functions intact. The SEC’s regulations are under development and will be enacted soon.

Depending on business activities, a fintech service provider may be considered a gatekeeper.

For example, pursuant to SEC Notification No GorThor.19/2561 regarding the criteria, conditions and procedures for business operations of digital assets, exchange service providers must have a system in place that discloses sale and purchase data. This data includes pre-trade and post-trade information, and records of sales and purchases of digital assets must be recorded for potential audits.

The Computer Crime Act B.E. 2550 (2007) requires that a fintech service provider is:

• a person who provides services to the public with respect to access to the internet or other mutual communications via computer systems, whether on their own behalf, or in the name of, or for the benefit of, another person; or
• a person who provides services with respect to the storage of computer data for the benefit of other persons – computer traffic data must be stored for at least 90 days from the date on which the data is entered into the computer system.

However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than 90 days but not exceeding one year on a special case-by-case or on a temporary basis. A fintech service provider must keep the necessary information of the service user to be able to identify the service user from the beginning of the provision of the services. Such information must be retained for an additional period of no more than 90 days after the service agreement has been terminated.

Failure to meet the specified requirements may result in a fine of up to THB5,000.   

In 2024, the SEC remained active in supervising digital asset markets and businesses, and a stricter approach from the SEC was seen in enforcement actions. For example, the MOF, at the recommendation of the SEC Board,  revoked licenses to operate digital asset exchange and broker business from one business operator. The SEC determined that the business operator exhibited financial instability, posing potential harm to customers, and had an inadequate and inappropriate management structure and personnel, which failed to ensure efficient and responsible operations in accordance with SEC regulations.

Despite the revocation of its digital asset licenses, the business operator remains a limited company and may still face legal action. Following the revocation, the SEC filed charges against the business operator, its former directors, and the CEO for disseminating or endorsing misleading information about digital asset prices, which could impact market prices or investment decisions. These charges have been submitted to the Economic Crime Suppression Division for further action.

In addition, the SEC has consistently enforced laws against the operation of digital asset businesses without a license. In mid-2024, the SEC co-operated with the Ministry of Digital Economy and Society (“DE”) to block access to the website of a digital asset trader operating and soliciting services in Thailand. This trader is accused of conducting a digital asset trading business without a license, which is in violation of the Digital Assets Decree.

There are several regulations that fintech business operators must comply with to operate their businesses. However, those relating to privacy, cybersecurity, social media and software development are not specific to fintech businesses and apply to all business activities, including those conducted in a more traditional manner.

The Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”), which came into full effect on 1 June 2022, was introduced in order to establish a regulatory regime and specify the requirements for processing and protecting personal data in Thailand. The Thai government introduced the PDPA to enhance personal data protection and align with the EU’s General Data Protection Regulation (GDPR).

Furthermore, the Cyber Security Act B.E. 2562 (2019) (the “CSA”) categorises cyberthreats into three levels, as follows:

• non-serious cyberthreats;
• serious cyberthreats; or
• critical cyberthreats.

Such threats shall be subject to investigation, and the private operator may be required to:

• provide access to relevant computer data or computer systems, or other information relating to the computer system;
• monitor computers or computer systems; and
• allow officials to test the operations of computers or computer systems or seize computers or computer systems.     

Auditors may monitor industry participants for accounting purposes. Industry participants may voluntarily perform internal audits for various matters – ie, IT audits. Currently, no other organisations have the power to supervise, regulate or monitor participants in the fintech industry.

The Thai Fintech Association was recently established in Thailand and registered as a non-profit organisation. The organisation has the main obligation to:

• be a centre of knowledge of fintech;
• support the public’s use and accessibility to fintech services; and
• support standardisation of the fintech industry.

At the time of writing, the Thai Fintech Association has not been granted authoritative power by the regulator, nor have regulations been passed to allow it to supervise industry participants. However, as regulators appear to encourage self-regulatory mechanisms in the fintech industry, the Thai Fintech Association may become a key organisation in establishing wider sector policies and standardisation.

The Thai Fintech Association, the Thai Blockchain Association, the Thai Digital Asset Association and the Thai Digital Trade Association were all established to support and be the voice of each respective ecosystem.

Certain regulations restrict a licensee from providing business services other than those covered under the relevant licence held by the business operator or business services/activities related to the licensed business activity.

Under the Payment Systems Act, business operators licensed to engage in e-money services may not operate other businesses except those that such operators are licenced to perform or business activities that support e-money business services.     

The Anti-Money Laundering Act B.E. 2542 (1999) (the “AML Act”) and the Counter-Financing of Terrorism and Dissemination of Weapons of Mass Destruction Act B.E. 2559 (2016) are the two primary laws regulating anti-money laundering in Thailand. Fintech businesses may be required to comply with these two laws since they may deal with financial activities – ie, e-payment systems, money exchanges or financial institutions (as prescribed under the AML Act (the “specified operators”)). If a particular fintech business is included in the scope of the Specified Operators, such fintech operator is required to verify its customers’ identities upon commencement of certain activities, conduct customer due diligence, and report any suspicious transactions to the relevant authority.

As most fintech companies carry out their businesses as specified operators, they must comply with the criteria specified under the law, as follows:

• reporting transactions to the Anti-Money Laundering Office involving the use of cash or assets in an amount exceeding that prescribed in sub-regulations or any suspicious transactions;
• identifying customers prior to making any transactions;
• determining policies for customers, preventing money laundering, risk management policies and conducting due diligence on customers when making the first transaction; and
• recording all facts relating to any transaction that has been made.

The criteria under the AML Act result in more procedures and steps for effectuating each transaction, and fintech companies may have to establish a compliance department to comply with anti-money laundering criteria. Also, fintech companies may have to prepare systems for storing information on transactions and customer data and ensuring the security of such systems.

Thailand’s anti-money laundering and sanctions regulations generally conform to the standards established by the Financial Action Task Force (FATF).

No authority in Thailand has officially endorsed reverse solicitation; however, it is a practice frequently adopted by foreign business operators. In this regard, it is recommended that service providers exercise heightened caution when offering services to Thai individuals by relying on this concept. Ensuring independent initiation by the client and maintaining clear documentation is crucial to avoid regulatory scrutiny and potential legal consequences.

Thailand has not adopted regulations specifying which business operators or activities require the use of robo-advisers, although some Thai fintech operators do utilise robo-adviser technology.

Wealth advisers are encouraged to use fintech to generate financial solutions and to serve as an aide to financial planning under the SEC’s framework. According to the Office of SEC’s Notification No SorThor 31/2561 Re: Rules in Details on Wealth Advisory Service Business, operators must complete the process of client contact and services in five steps, as follows:

• exploring and understanding customers;
• constructing an investment portfolio;
• implementing the portfolio according to the asset allocation plan;
• monitoring and rebalancing the portfolio; and
• providing consolidated reports for clients’ review.

A wealth adviser must also have an electronic system supporting the actions under the third and fourth points above.

Legacy players must adhere to regulations relevant to their traditional business activities, including implementing robo-advisory services, and they have quickly adapted to and incorporated these robo-advisers into their operations over the last few years.

Private sector banks use robo-adviser-based solutions to develop tools for customer satisfaction, new products and services, and improvements.

The most widespread use of robo-advisers occurs in wealth management and developing custom-made trading and wealth solutions.

Records available to the public do not show cases of customer complaints related to the use of robo-advisory services.

However, securities and derivatives business operators have an obligation to carry out their business on a best-execution basis as specified in the Notification of the Capital Market Supervisory Board No TorThor 35/2556 Re: Standard Conduct of Business, Management Arrangements, Operating Systems, and Provision of Services to Clients of Securities Companies and Derivatives Intermediaries. As such, securities and derivatives business operators who use robo-advisory technology also have a duty to provide their services on a best-execution basis.

The regulations for both online and offline loan business activities are generally the same. Different regulations apply, depending on the type of loan rather than on the business operations of the operator/service provider.

For example, a supervised personal loan is provided to individuals, not corporations. A supervised personal loan cannot be granted where it is more than five times the average monthly income of a borrower with an average monthly income of THB30,000 or above. PICO finance is a personal loan granted to prevent or solve informal debt issues. A PICO finance loan may not exceed THB50,000 or THB100,000, depending on the type of PICO finance operator.

However, in 2021, the BOT permitted licensed personal loan business providers to offer digital personal loan services in Thailand with the approval of the BOT. Lenders may grant digital personal loans with a maximum credit amount of THB20,000. Effective rates of interest charged, together with the relevant fees, must not exceed 25% per annum. The BOT regulations relax certain criteria for the provision of personal loans and provide some flexibility, such as using alternative data for financial service providers to provide online lending services.

There are no specific underwriting processes for online lenders prescribed by regulations in Thailand. Commercial banks may develop their own underwriting standards and compliance measures. When a loan is granted for a specific industry, certain industrial underwriting standards may be enforced. The BOT will observe the underwriting practices of commercial banks and may issue notifications to oversee lending activities. This is intended to enhance underwriting standards if the existing market standards are found to be too lenient.

As mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, there are no specific online or offline regulations. Online lending is subject to the same regulations as offline lending.

Thus, the source of funds, the method of raising funds and restrictions thereon will depend on the business activity.

Online lending is generally for individuals in Thailand. As such, syndication of fiat currency loans is uncommon. However, there are no restrictions on syndicating online loans.

There are no specific requirements for payment processors to use existing payment rails such as credit cards or electronic payment settlement agencies. However, payment processors have to apply for a licence from the MOF as recommended by the BOT or have to register with the BOT in accordance with the Payment Systems Act.

Payment processors who implement new technology into their business operations can apply to participate in the BOT’s regulatory sandbox if they meet all qualifications (see 2.5 Regulatory Sandbox).

Under Thai law, there are specific restrictions for inward remittances. However, outward remittances must be performed through an authorised BOT agent (ie, any commercial bank). Fund remittance may also require permission from the BOT if the purpose of the remittance is restricted. In such cases, the person remitting the money must obtain approval through an authorised bank by submitting supporting documents to the bank prior to the transfer of funds.

Nevertheless, if such remittances are equal to or more than USD200,000, supporting documents must be submitted to the authorised commercial bank. BOT regulations do not determine the list of required supporting documents. Each authorised bank is entitled to request any documentation from the person remitting funds at their discretion on a case-by-case basis, which can vary depending on the type of transaction (eg, loan, service agreement, sub-licence agreement and purchase price).

E-money Remittances

Outward e-money remittances must be performed through an authorised e-money operator. The purpose of outward e-money remittances is generally listed as payment of goods and services to others domiciled in a foreign country.

The BOT has issued a notice from the competent officer permitting non-bank operators to apply for foreign exchange e-money (FX e-money) licences to issue e-money in foreign currencies. These licences allow non-bank operators to make cross-border remittances for their customers’ payments of goods and services. Non-bank e-money service providers can thus cater to customers’ demands when travelling.

Digital asset exchanges are trading platforms for both cryptocurrency and digital tokens. Currently, exchanges for cryptocurrency and digital tokens are subject to the same regulatory regime as applies under the Digital Assets Decree.

The Digital Assets Decree governs cryptocurrency and digital tokens; however, the regulatory regime concerning digital asset operators is substantially similar for both cryptocurrency and digital tokens.

Nonetheless, certain cryptocurrencies and digital tokens are prohibited from being listed and traded on licensed digital asset exchange platforms, such as meme tokens, fan tokens, and NFTs.

A potential change of the regulatory structure is discussed under Regulating Digital Assets in 10.3 Classification of Blockchain Assets.

Cryptocurrency exchanges are subject to a separate regime under the Digital Assets Decree. See 6.1 Permissible Trading Platforms for more information.

The SEC prescribes the listing standards for an initial coin offering (ICO) in SEC Notification No GorJor 15/2561 re: Offering of Digital Tokens to the Public.

Requirements

According to the listing standards, among other requirements, the applicant for an ICO must be a limited or public limited company that is not insolvent. The applicant must show that the ICO portal has considered that the ICO is in compliance with this notification. There are also requirements regarding the underlying assets, such as whether the underlying assets of the digital tokens are real estate or infrastructure.

There are certain requirements that the offeree must comply with, as well as limitations on the number of digital tokens that can be offered to general investors unless it involves the offering of real estate-backed, infra-backed, or sustainability group digital tokens. The applicant must also prove to the Office of the SEC that the business models and smart contracts are enforceable and that the applicant will not take advantage of the investors.

In 2023, the SEC added additional requirements for debt-linked and infra-backed ICOs to align with the digital offering standards, which are structured similarly to those for securities under securities law.

Approval

Prior to the offering, the issuer must obtain approval from the Office of the SEC, submit registration statements, and draft prospectuses as indicated in the SEC’s notification. The offer for the sale of digital assets is permissible only after the SEC approves the registration statements and the draft prospectuses. The offer for sale must be made via the system provider, the ICO portal, that is approved by the SEC.

There are no specific order-handling rules applicable to digital asset operators.

Currently, peer-to-peer energy trading platform initiatives in the energy sector are on the rise, while the adoption of peer-to-peer trading platforms in other industries (including fintech) is still rather limited.

This type of platform may not fall under the existing categories of businesses eligible for licences, and, therefore, the SEC may need to revise the regulations on digital assets to capture this type of platform.

There are no specific payment rules for order flow applicable to digital asset operators. However, there is a general prohibition on the receipt of benefits in excess of those that should be received or rewarded under normal commercial practices.

Under the Securities and Exchange Act B.E. 2535 (1992) (the “SEC Act”), various offences are listed, aimed at protecting market integrity and preventing market abuse, including:

• insider trading – anyone who has material inside information is prohibited from the buying or selling of securities to which such inside information is related;
• market manipulations – trading of securities with the intent to manipulate the market is prohibited; and
• misstatement – dissemination of false information with an intent to mislead is also prohibited.

The regulations do not specifically state the criteria for using algorithmic trading for each asset.

However, under the Stock Exchange of Thailand (SET) Notification Re: Procedures on Trading, Clearing and Settlement of Securities in the Exchange, specifying the criteria for the use of computer programs in creating and recording orders automatically (“Program Trading”) including algorithmic trading, an operator who wishes to use Program Trading has to obtain approval from the SET prior to such use.

The SET also provides guidelines regarding the qualifications and criteria for Program Trading that will be used in the market.

Under the SET Notification Re: Persons Involved in the Trading System B.E. 2555 (2012), a person possessing the following qualifications can register as a market maker:

• be a member or a non-member certified as a market maker by a member and undertake clearing and settlement through such member;
• have market-making experience or personnel qualified to be a market maker;
• have systems or procedures and risk management policies related to market making;
• not currently be subject to a five-year prohibition from registering as a market maker by the SET; and
• meet other SET criteria.

Moreover, the Thailand Futures Exchange (TFEX) has established the following qualifications for registering as a market maker:

• be a TFEX member, a member’s corporate client named by the member as a market maker, or any other juristic person with a clearing guarantee agreements;
• have market-making experience in derivatives trading or personnel qualified to be a market maker;
• have adequate system readiness or procedures and risk management policies related to market making; and
• maintain financial stability with no risks affecting market-making duties.

TFEX may set additional criteria for persons wishing to be any of the following market makers:

• juristic person customers or juristic persons with clearing guarantee agreements; or
• market makers in futures with regulator-approved underlying goods or variables.

From a regulatory perspective, there is no distinction between funds and dealers in the algorithmic trading area.

There is no regulation under Thai law specifically governing programmers and programming. However, for programming, an algorithm has to be approved by the relevant authority, and the programmers have to be aware of the prohibited characteristics of trading as specified in the SEC Act.

Underwriting processes differ according to the products and business operators. The relevant insurance laws (ie, the Life Insurance Act B.E. 2535 (1992) and the Non-Life Insurance Act B.E. 2535 (1992)) govern various aspects of the underwriting processes of business operators. In particular, the sale and offering of insurance products are heavily regulated.

Given the extent of insurance regulation, insurtechs commonly face a number of legal obstacles. Recognising these constraints and simultaneously trying to promote innovation in the industry, the OIC, the insurance industry’s regulating entity, launched the OIC insurance regulatory sandbox and set up the Centre of InsurTech Thailand (CIT) to promote insurtech.

There are two applicable regulatory regimes:

• the life insurance regime under the Life Insurance Act B.E. 2535 (1992), which covers life and annuities; and
• the non-life insurance regime under the Non-Life Insurance Act B.E. 2535 (1992) which covers property and casualty.

Many aspects of these acts are similar, but the licences for life insurance and non-life insurance businesses are separate, and the same legal entity cannot engage in both types of business.

There are no overarching regulations that govern regtech generally. Whether regtech providers are subject to any regulations needs to be analysed case-by-case.

Currently, in Thailand, an area considered one of the most advanced in regtech development is electronic authentication and verification of identity (e-KYC).

After the amendment to the Electronic Transactions Act B.E. 2544 (2001) No 4, authentication and verification of identity in electronic form became recognised and admitted under Thai law.

Electronic Identity Verification

The BOT has also adopted electronic authentication and identity verification to open accounts with financial institutions. Previously, financial institutions had to conduct know-your-customer (KYC) processes on a face-to-face basis (physical KYC). Non-face-to-face KYC has been accepted in practice since the relevant notification of the BOT was adopted. Financial institutions can perform electronic KYC for customers to open accounts via online platforms.

In addition to electronic KYC, another central platform in Thailand is the National Digital ID Platform (the “NDID Platform”). This system collects customers’ information for use by any financial institution to verify customers. The NDID Platform is thus an important system for Thai financial institutions to use to verify their customers, and many banks in Thailand have decided to use it to facilitate the KYC process.

The contractual terms of use of service provided by a third party may also be regulated, depending on the type of business. Theoretically, certain functions that are not the main activities of financial service providers (which normally require a licence, approval, or registration) can be outsourced to a third party.

For instance, pursuant to BOT Notification No SorNorSor 16/2563 Re: Regulations on the Use of Services from Business Partners of Financial Institutions, in order to use the services of a business partner, the financial institution must create guidelines on risk management and customer protection. Moreover, all strategic functions must be carried out directly by the financial institutions themselves. In addition, the financial institutions also have to submit an annual report to the BOT on the use of services provided by business partners that may cause significant risks to – or have an impact on – the public at large.

With respect to IT outsourcing, financial institutions have to comply with third-party guidelines on risk management implementation. These cover issues such as risk governance, third-party risk management and reporting obligations to the BOT.

Non-regulated contractual terms largely depend on the commercial issues and other regulations that may specifically apply to that financial institution. Therefore, contractual terms must be negotiated and agreed upon on a case-by-case basis.

Many Thai financial institutions, including the BOT, are keen on adopting blockchain technology.

In 2020, the BOT launched a new blockchain-based platform for government bond issuance. This project is a collaborative effort with the Public Debt Management Office, Thailand Securities Depository Co, Ltd, Thai Bond Market Association and several selling-agent banks.

In addition, certain commercial banks in Thailand have adopted blockchain technology in order to develop their operations, such as monitoring the correctness of financial transactions, cross-border transfers of funds, issuing bank guarantees and developing other aspects relating to financial infrastructure.

In 2022, the Letter of Guarantee on Blockchain (eLG) developed by BCI (Thailand) Co, Ltd passed the test under the BOT Regulatory Sandbox and was deemed ready for offering broad services aimed at serving not only financial institutions or governmental sectors but also various business sectors – ie, petroleum, construction or automotive businesses. Currently, more than 170 organisations are utilising this service.

PTT PCL’s Q-Bond, launched in October 2024, uses blockchain technology to manage bond payments through “Quarix”. This is the first initiative of its kind in the BOT’s regulatory sandbox. Blockchain technology streamlines bond transactions by cutting costs, simplifying procedures, and ensuring speed, completeness, and transparency. This showcases the potential of digital transformation to modernise Thailand’s capital markets in line with global digital and FinTech advancements.

Even though the BOT and the Office of the SEC are very cautious about the sale of blockchain-based digital assets and cryptocurrency, they and other local regulators are very positive about wider uses of blockchain technology and are keen on utilising it.

The Digital Assets Decree, which governs blockchain assets under the defined term “digital assets”, separates digital assets into cryptocurrency and digital tokens.

“Cryptocurrency” is defined as an electronic data unit built on an electronic system or network that is created as a medium of exchange for the acquisition of goods, services, or other rights, including the exchange between digital assets.

A “digital token” is defined as an electronic data unit built on an electronic system or network to specify a person’s right to invest in any project or business or acquire specific goods or services. Digital tokens are further separated into two types: investment tokens and utility tokens.

Regulating Digital Assets

Currently, the SEC regulates digital assets based on the activities of the operators, with some differences depending on the types of digital assets (eg, there are some differences in requirements for underlying assets that are in the form of real estate and infrastructure) under the Digital Assets Decree.

The closest concept to “issuers of blockchain assets” are the “issuers” of digital assets under the Digital Assets Decree.

The issuer of an initial coin offering (ICO) must be a limited company or a public limited company. Similar to as discussed in 6.4 Listing Standards, prior to the offering, the issuer must obtain approval from the Office of the SEC and submit registration statements and draft prospectuses as indicated in the relevant SEC notification. The offer for the sale of digital assets is permissible only after the registration statements and the draft prospectuses have been approved by the SEC. The offer for sale must be made via the system provider, the so-called ICO portal, which has been approved by the SEC.

Regarding a potential regulatory structure change, see Regulating Digital Assets in 10.3 Classification of Blockchain Assets.

The closest concept to a blockchain asset trading platform under Thai law is a “digital asset exchange” under the Digital Assets Decree. A “digital asset exchange” is defined as any centre or network established for purchasing, selling or exchanging digital assets by means of the matching or finding of parties or the provision of a system or facilities whereby those intending to purchase, sell or exchange digital assets may reach agreements or may be matched.

Digital asset exchange operators must apply for permission. The MOF would grant this upon the SEC’s recommendation. The appointment of directors and executives of the operator must also be in accordance with the relevant notification, and such appointment will be valid upon approval by the Office of the SEC.

The exchanges are obliged to comply with all guidelines specified by the Office of the SEC, including on source of funds, protection of customers’ assets, prevention against electronic theft, KYC measures and a reliable accounting system approved by the SEC. Among other obligations, the operator must segregate the retained customers’ assets from its own assets.

Under SEC Notification Re: Rules, Conditions and Procedures for Undertaking a Digital Asset Business (No 11) (the “NFT Regulations”), digital asset exchanges are obliged to set listing rules to prohibit token issuers from listing utility tokens or certain types of cryptocurrencies that have the following characteristics.

• Meme tokens have no clear objective or substance or underlying substance, and their price is based on social media trends.
• Fan tokens – tokens dependent on the fame of influencers.
• Non-fungible tokens (NFTs) are digital creations that declare ownership or grant rights to an object or other specific right. It is unique and not interchangeable with digital tokens of the same category and type at an equal amount.
• Digital tokens that are utilised in a blockchain transaction and issued by digital asset exchanges or related persons.

While some types of tokens may be banned from being listed on digital asset exchanges, and the provision of services in relation to such tokens is prohibited, the SEC, in 2024, issued exemptions for certain ready-to-use utility tokens by dividing them into two groups and providing specific approaches for each of them as follows:

Group 1 Utility Tokens include ready-to-use tokens:

• for acquiring goods or services primarily for consumption, eg, digital vouchers/coupons,  concert tickets, event passes, airline tickets, and NFTs representing artworks, music, or videos granting specific rights to the holders.
• which serve as digital representations of certificates, like carbon credits, renewable energy certificates, educational transcripts, and medical certificates. These tokens are considered non-financial products traded on specific platforms, and market mechanisms determine their value.

Group 2 Utility Tokens are designed for financial services, investment, and speculative purposes, similar to money and capital market products. They include tokens for accessing goods and services on DLT platforms, exchange tokens for paying fees or receiving discounts on digital asset exchanges, governance tokens for voting rights, and tokens for digital asset services in DeFi or CeFi.

Group 1 Utility Tokens are exempt from approval for primary market offerings and are not considered regulated businesses, but digital asset exchanges, brokers, and dealers cannot provide services related to these tokens unless they establish a separate entity. Meanwhile, Group 2 Utility Tokens are exempt from approval unless listed on a Sec-authorised digital asset exchange, and digital asset business operators can provide services related to these tokens. In any case, neither group can be used as a means of payment or for staking except for transaction verification, voting, participation in activities, or receiving ecosystem benefits.

The provision of staking services for cryptocurrencies is prohibited in Thailand. It is allowed only for specific purposes related to the use of digital tokens, as discussed in 10.5 Regulation of Blockchain Asset Trading Platforms.

In Thailand, the SEC prohibits digital asset business operators from providing or supporting deposit-taking and lending services.

Currently, there are no specific regulations regarding cryptocurrency derivatives in Thailand

The term “DeFi” is not defined under Thai law. Thus, there is no specific regulation on DeFi platforms or transactions. However, on a case-by-case basis, if any transaction related to DeFi relates to the purchase and sale of digital tokens and cryptocurrency or other regulated business, operators related to the DeFi business are subject to the Digital Assets Decree.

Thai law is silent on how funds can be invested in blockchain assets.

Virtual currencies are not defined under Thai law. However, under the Digital Assets Decree, “cryptocurrency” is defined as “an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services, or other rights, including the exchange between digital assets”. Cryptocurrency is different from digital tokens in the sense that it is a medium of exchange, while digital tokens, which are another type of blockchain asset defined under the Digital Assets Decree, have the main purpose of determining the right to participate in an investment or to acquire goods or services.

See also 10.3 Classification of Blockchain Assets.

To establish whether an NFT will be regulated under Thai law, a determination of whether that NFT falls within the definition of a “digital token” under the Digital Assets Decree is needed. Certain NFTs may be considered utility digital tokens if such NFTs grant the holder a right to obtain any goods, services or assets.

Under the SEC’s guidelines issued on 6 January 2022, certain types of NFTs are exempted from NFT regulations and the Digital Assets Decree, including NFTs that are utility tokens with ready-to-use underlying products or services as of the date of offering. To further elaborate, an NFT that is exempted is that which is an asset itself, being inseparable, and does not represent any rights or the intention to be utilised as a medium of exchange (eg, an NFT that is created by storing a digital file on an Interplanetary File System (IPFS) issued for the convenience of exchange, and such digital file and the NFT must be transferred together, be inseparable and cannot be modified).

In addition, the SEC issued regulations in August 2024 introducing the regulatory approach that certain types of ready-to-use utility tokens, including some types of NFTs, will continue to be exempted from the Digital Assets Decree, and business operators providing related services thereof will no longer fall under the digital asset business licence requirement. Such exempted NFTs must be those providing the right to receive specific products or services for utilisation or consumption purposes (ie, NFTs of artworks, images, music, stamps or videos with a specific right for the holders) and must not be used as a means of payment under the BOT’s definition.       

Thailand saw its first open banking initiative in January 2022 when the BOT, the Thai Bankers’ Association and the Government Financial Institutions Association introduced the “dStatement”, which is an exchange of financial statement data among banks to support digital loan applications.

To date, open banking implementation in Thailand remains subject to feasibility studies, and the application programming interface (API) standards have yet to be finalised. However, the BOT has taken significant first steps.

In November 2023, the BOT published a consultation paper on “Open Data for Consumer Empowerment”, which aims to build a mechanism that allows consumers to exercise their rights to conveniently and securely transfer their data stored from one provider to another so that consumers can apply for and receive better services from any provider.

All financial institutions need to comply with the PDPA, which came into full effect on 1 June 2022, in order to process personal data – for example, as regards the following:

notifying the processing of personal data;

obtaining prior consent from the customers if the processing of their personal data does not fall under any lawful basis of processing (eg, performance of contract, legal obligation); and

providing channels for customers to exercise rights regarding their personal data.

Fraud can occur in various businesses, including financial services and fintech, and may be subject to different laws in Thailand, depending on the nature of the fraud and the industry sector in which it occurs, such as digital assets, payment systems, and insurance.

Fraud under specific regulations shares fundamental elements with general fraud under the Criminal Code:

• deception – a person lies or hides a fact that should be revealed.
• dishonest intent – such a person wants benefits they do not deserve for themselves or others.
• unlawful gain – such person, thereby:
1. obtains property from the deceived person or any third party; or
2. causes the deceived person or any third party to change, remove or destroy a document of rights.

These elements constitute an offence of fraud, which typically leads to imprisonment and/or a fine under the Criminal Code. However, if such an offence is subject to specific laws, as mentioned earlier, the liability will be determined in accordance with those laws.

In addition, more complex and new financial fraud has risen globally, especially in countries with real-time payment systems, including Thailand. This has led to the enactment of the Emergency Decree on Technology Crime Prevention and Suppression Measures B.E. 2566 (2023) (the “2023 Emergency Decree”) in March 2023, which aims to address financial fraud in Thailand swiftly. It requires government and business sectors to actively prevent technological crimes and imposes harsher penalties on those committing such crimes, including financial fraud.

As of January 2025, the Thai Cabinet is considering amending the 2023 Emergency Decree to hold telecom companies and financial institutions more accountable for cybercrime losses, requiring them to share responsibility for scam victims. This is expected to be enacted in early 2025. The law will be applied on a case-by-case basis, and while it seeks to enhance consumer protection, it may not guarantee compensation for all victims. The amended 2023 Emergency Decree mandates that financial institutions and telecom operators must ensure adequate preventive systems are in place, or they will be held financially responsible if consumer losses result from their negligence. This includes the prompt removal of suspicious mobile phone messages by network operators and strict verification processes for SIM card registration and bank account openings.

The amended 2023 Emergency Decree emphasises shared responsibility among financial institutions, telecom companies, and consumers. It includes guidelines for shutting down websites that violate the law and mandates a reliable and transparent verification process. The amended 2023 Emergency Decree also introduces greater penalties for offenders and more liability for financial institutions and telecom service providers if they neglect or fail to maintain their systems properly.

According to a report by the BOT, the types and patterns of fraud in Thailand that are most commonly found and which have attracted the attention of government authorities include the following:

• money mule and mule accounts;
• phishing (eg, phone scams, voice phishing, or smishing);
• identity theft; and
• e-wallet hacking.

As mentioned in 12.1 Elements of Fraud, Thai law’s main regulations for addressing fraud are the Criminal Code and the 2023 Emergency Decree. A FinTech service provider in Thailand may be held responsible for customer losses due to fraud if they engage in criminal offences or fail to comply with the obligations set forth in the relevant laws and regulations.

However, as of the publication of this article, there is no specific regulation regarding the amount of compensation, so it shall depend on a case-by-case basis or court judgements. In any regard, relevant authorities in Thailand, including the BOT and the DE, are currently drafting legislation to enhance the security of financial institutions’ systems, aiming to close loopholes and prevent fraud on mobile banking platforms. The new regulations will require banks to fully compensate customers for any losses incurred if the banks fail to adhere to the prescribed preventive measures.