Thailand is a pioneer in ASEAN in the adoption of 5G technology to improve and expand the country’s capacity for deep technology, such as blockchain, artificial intelligence (AI), big data, robotics, cloud computing and machine learning. As a result of the proactive development of its information and communications technology (ICT) facilities and the regulatory environment, Thailand is one of the fastest-growing fintech markets in ASEAN and currently has one of the world’s largest consumer bases for fintech mobile banking.

According to the latest data from the Bank of Thailand (BOT), published as of the time of writing of this article (January 2026), the volume of e-payments in Thailand has continued to increase consistently. Internet and mobile banking remain the most popular e-payment channels, and transaction volumes continued to climb through October 2025 (per BOT statistics). PromptPay and Thai QR Code rails continued to dominate account-to-account (A2A) payments in 2025, accounting for an estimated ~44% of e-commerce transaction value and ~41% of point-of-sale value, underscoring Thailand’s rapid shift away from cash as we enter 2026.

Developing Accessibility

The Thai government continues to promote fintech adoption through enhanced access to digital government and payment infrastructures. The BOT has collaborated with global card network service providers to create the “Thai QR Code”, which facilitates payments via debit cards, credit cards, bank-account-based e-wallets and e-payments, with the QR platform serving as a key interoperability layer.

Cashless and contactless payment systems are now firmly embedded in everyday commercial activity in Thailand, driven by widespread smartphone usage, regulatory support for electronic payments and the expansion of domestic real-time payment rails. Electronic transactions have become the default method for retail payments across many sectors, ranging from small merchants to large-scale commercial platforms. At the regional level, the BOT, together with the central banks of four other ASEAN countries (Indonesia, Malaysia, the Philippines and Singapore), has entered into co-operation frameworks to expand fast cross-border payment linkages, including through Project Nexus. These initiatives seek to standardise connections between domestic instant payment systems (IPS) and enable near-real-time cross-border transfers, supporting both consumer payments and regional trade.

In late 2025 and into 2026, Thailand also deepened bilateral QR linkages (eg, with China’s Weixin Pay/Alipay and UnionPay QR) and advanced ASEAN Regional Payment Connectivity efforts, paving the way for wider real-time cross-border retail payments in 2026, including the official launch of Thailand–China cross-border QR payment acceptance for Chinese tourists paying Thai merchants in RMB and Thai users paying in CNY via linked wallets.

Project Nexus: Enhancing Cross-Border Payments

Project Nexus is a groundbreaking initiative managed by the Nexus Scheme Organisation and supported by the Bank for International Settlements. The project seeks to create a scalable and interoperable network for instant cross-border payments across ASEAN and potentially beyond. Instead of requiring a payment system operator to build custom connections for every new country, the operator only needs to make a single connection to the Nexus platform.

Project Nexus has global ambitions, aiming to connect multiple domestic IPS to form a scalable global network. The project aligns with the G20 Roadmap for Enhancing Cross-border Payments, which seeks to make instant payments affordable and easy for users across participating countries. The project has already seen significant progress, with the Reserve Bank of India joining the initiative and expanding the potential user base to India’s Unified Payments Interface, the world’s largest IPS. These developments are expected to complement Thailand’s PromptPay/Thai QR cross-border use cases as Nexus moves from pilot phases towards initial production linkages in 2026.

In summary, Project Nexus represents a significant step forward in the quest to enhance cross-border payments, leveraging innovative technology and international co-operation to create a seamless and efficient payment network.

Regulation of the Digital Asset Market and Businesses

Several significant regulations and guidelines regarding the digital asset market and business have been issued by relevant regulators, requiring digital asset business operators to be subject to numerous additional obligations in their business operations and marketing plans. Among these, the most impactful included the Securities and Exchange Commission of Thailand (SEC), in joint consideration with the BOT and the Ministry of Finance (MOF), enacting a notification prohibiting digital asset business operators from using digital assets as a means of payment for goods and services. This led to an abrupt decline in the use of digital assets as a means of payment. The SEC also put in place regulations imposing more restrictions on businesses – eg, the prohibition of privacy coins to prevent digital assets being used for illegal activities, and limitations on the advertising of digital assets. However, in 2024, the SEC issued an exemption from this restriction for the operation of digital asset businesses, specifically for the programmable payment tests under the BOT’s regulatory sandbox. Following these sandbox initiatives, regulatory focus has evolved towards the development of a Thai baht-backed stablecoin framework (the “THB Stablecoin”), designed to operate on a one-to-one, fully backed basis, whereby each unit of the THB Stablecoin is pegged to one Thai baht. This initiative is intended for use within the financial sector and is accompanied by efforts to define the permissible scope of THB Stablecoin business activities in Thailand under the supervisory approach of the BOT, including compliance with applicable prudential, consumer protection and risk management requirements.

The establishment of a clear, proportionate and operationally workable regulatory regime for THB Stablecoin businesses is expected to support the further development of Thailand’s financial system, enhance consumer protection and mitigate potential systemic risks to the broader financial sector.

In parallel, the SEC updated governance and advertising standards and advanced a draft amendment to the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) (the “Digital Assets Decree”) to streamline initial coin offering (ICO) oversight and clarify scope, while maintaining the prohibition on payment use.

In addition, in 2025, the SEC issued an amendment to the Digital Assets Decree, which marks the first update to the primary legislation governing digital assets in Thailand. The amendment primarily aims to strengthen regulatory oversight and combat technology-related crimes by extending licensing requirements to digital asset business operators located outside Thailand that provide services to persons in Thailand, including through solicitation or targeted activities. The amended decree also enhances enforcement powers, including the ability to restrict access to non-compliant platforms.

The SEC continues to update its rules to keep pace with digital asset-related changes, protect investors and support market development. Notable recent actions include the launch of a digital asset regulatory sandbox to facilitate innovation under controlled conditions and the ongoing refinement of advertising and governance standards for digital asset businesses.

In 2026, regulatory discussions around the SEC’s potential introduction of a relaxed framework to support the tokenisation of environmental assets (eg, carbon credits and renewable energy certificates) are expected to broaden the range of permissible digital asset products on licensed exchanges, aligning financial innovation with Thailand’s net-zero goals.

Digital Transformation in the Thai Financial Sector

In addition to the surge in digital payments in Thailand, digitalisation has been systematically integrated into diverse facets of the country’s financial services industry. This evolution is evident in:

• the increasing number of service providers – and subsequent rising competition – in the digital savings or e-savings market; and
• the enhancement of regulatory sandboxes, which, coupled with the relaxation of certain legal restrictions, aims to promote a more diverse range of digital service experiments within Thailand’s financial sector, including programmable payment and digital assets. This will enable authorities to identify appropriate measures to manage the risks associated with such financial technologies while ensuring adequate protection for users.

Furthermore, there has been progress in open data initiatives to empower consumers to transfer their data conveniently and securely from one provider to another, enabling them to access superior services. The BOT’s parallel efforts include implementing a digital factoring platform using a central web service to reduce invoice fraud and broaden SME access to finance, and the continued rollout of the dStatement/open data agenda alongside PromptPay/Thai QR enhancements for SMEs and cross-border use cases.

Issuance of Legal Framework for Virtual Banks

Due to the rapid development of digital finance, almost all business operators in Thailand, whether banks or non-banks, have been focusing on providing services via digital channels. In 2024, the MOF issued a notification outlining the criteria, conditions and procedures for applying for a licence to establish branchless commercial banks, also known as “virtual banks”. Concurrently, the BOT announced regulatory guidelines to accommodate the operations of future virtual bank licensees. These new frameworks aim to promote financial inclusion and enhance competition within the financial market.

Following the application period from March to September 2024, five applicants submitted proposals to establish virtual banks. On 19 June 2025, the MOF, upon the recommendation of the BOT, approved three applicants to proceed with the establishment of virtual banks, as follows:

• ACM Holding Company Limited and its partners;
• a consortium comprising Krung Thai Bank Public Company Limited, Advanced Info Service Public Company Limited and PTT Oil and Retail Business Public Company Limited; and
• a consortium comprising SCB X Public Company Limited, WeTechnology Limited and KakaoBank Corp

The approved licensees are expected to commence operations in 2026 under an initial restricted phase focused on risk controls, IT robustness and governance, before full rollout.

The major players in the Thai fintech industry are predominantly financial institutions and traditional non-banking financial institutions, which have adopted technology for their services to facilitate customers’ needs and to increase their market share. Other players include venture capitalists and start-ups.

The main fintech business models in Thailand are as follows.

E-Money, E-Wallets and E-Payment

E-money, e-wallet and e-payment service providers are among the most significant players in the Thai fintech industry. Their business operations and services can now be conducted or provided through their online platforms rather than physical branches. As of early 2026, payments and transfers remain the largest fintech vertical by firm count, and digital wallets have continued to gain share alongside A2A/QR usage.

Other than financial service providers, a number of new players are entering this area, most of which are backed by venture capitalists, as start-ups that co-operate and partner with major social platform business operators. This can also serve as an alternative solution for foreign financial service providers facing certain capacity limitations or stringent qualification requirements under Thai law.

Digital Assets

In 2018, the SEC recognised digital tokens and cryptocurrency as digital assets. Business operators in this sector are categorised into two groups, as follows.

Primary market

A business operator in the primary market can be either:

• an ICO issuer looking to raise funds by issuing coins; or
• an ICO portal providing token digital system services.

As of the time of writing, two ICO issuers have received SEC approval in Thailand. One digital asset fundraising project was successfully completed in Thailand during 2025. Several additional digital token offerings remain under regulatory review or in pre-consultation stages with the SEC.

Secondary market

In the secondary digital assets market, the service providers relating to digital assets that are currently recognised by Thai regulations and supervised by the SEC are as follows:

• digital asset exchanges;
• digital asset brokers;
• digital asset dealers;
• digital asset advisory services;
• digital asset fund managers; and
• digital asset custodial wallet providers.

Digital Lending

Digital lending is an important platform that financial service providers use to reach new retail customers, eliminate physical limitations and facilitate business activities with customers. Many financial service providers, especially personal loan providers, are interested in expanding their online services.

Some financial service providers have chosen to co-operate with social platform operators in providing digital lending services to the platform’s customers, and vice versa, rather than develop their own (online) platform and obtain licences.

Peer-to-Peer Lending Platforms

Peer-to-peer lending platforms are electronic platform services that link lenders and borrowers. The platforms’ role also includes facilitating loan contracts and carrying out fund transfers and repayments between the parties. According to the BOT, as of October 2025, there were 12 peer-to-peer lending service operators that had obtained licences from the MOF, of which seven had commenced operations. Additionally, five operators were testing their systems in the BOT regulatory sandbox as of December 2025. Entry by regional alternative lenders and tighter data-sharing with the National Credit Bureau are expected to support the prudent scale-up of P2P volumes in 2026.

Crowdfunding

Both equity and debenture crowdfunding exist for private and public limited companies through crowdfunding portals in Thailand. In this respect, crowdfunding, where shares or debentures are issued as consideration, is deemed a type of public offering under SEC regulations. A crowdfunding portal operator must obtain a licence from the Office of the SEC.

Currently, the fintech industry is not directly regulated by any specific overarching legislation in Thailand. However, operators need to comply with certain business-related regulations.

The key regulations related to fintech business activities are as follows.

Payment Systems (Including E-Money, E-Wallet and E-Payment)

In order to enhance the supervision of payment systems and payment services, the Payment Systems Act B.E. 2560 (2017) (the “Payment Systems Act”) was enacted, and came into effect on 16 April 2018. Its main purpose is to regulate the following.

Highly important payment systems are payment systems that are important to the security and stability of the country’s payment systems, financial systems or monetary systems.

Designated payment systems are:

• payment systems that are networks between system users that handle fund transfers, clearing or settlement, such as retail fund transfer systems, payment card networks and settlement systems; and
• any other payment systems that may affect the public interest, public confidence, or stability and security of the payment systems.

Designated payment services are:

• provision of credit cards, debit cards or ATM card services;
• provision of e-money services;
• provision of services for accepting electronic payments for and on behalf of others;
• provision of e-money transfer services; and
• other payment services that may affect payment systems or the public interest.

Digital Assets

The Digital Assets Decree was enacted to regulate offerings of digital assets (cryptocurrencies and digital tokens) and businesses undertaking digital asset-related activities. The Digital Assets Decree aims to ensure that digital asset market standards align with international standards and protect market players.

Digital Lending

On 15 September 2020, the BOT issued Circular No BOT.FhorGorSor (01) Wor 977/2563 Re: Criteria, Procedures and Conditions on Digital Personal Loan Business Operations. The purpose of this circular is to relax the criteria for personal loans for those without regular – or proof of – income or for those without collateral, and to provide flexibility to personal loan providers in providing personal loans in electronic form. However, for other types of loans which are not personal loans, financial service providers still have to comply with regulations that do not specifically regulate digital lending.

Peer-to-Peer Lending Platforms

On 31 July 2020, BOT Notification No SorNorSor 14/2563 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer Lending Platform Businesses was announced in the Government Gazette and became effective on the same date.

Electronic Transactions

The Electronic Transactions Act B.E. 2544 (2001) (the “Electronic Transactions Act”) supports the legal validity of electronic transactions performed via electronic systems. If a transaction is conducted electronically in accordance with the rules and procedures outlined in the Electronic Transactions Act, it is considered legally binding, just like a transaction conducted through other methods or platforms that adhere to applicable laws.

The criteria and restrictions for charging service fees depend on the type of business, business model and services provided to customers. The criteria for disclosing services or fees depend on the regulations relating to the business or business activity the operator carries out. Generally, the operator has to disclose details of the fees that will be charged to customers, as well as the threshold or criteria for setting these fees.

For example, under the Payment Systems Act, payment service providers must disclose information on service fees as follows:

• Display or communicate service fees, which must be reasonable, to customers at service locations or through other channels.
• Notify customers of any detrimental fee changes, either at service locations or through other channels, at least 30 days before they take effect.
• Submit details of service fees to the BOT electronically, as specified by the BOT, as soon as possible after the commencement date of undertaking the business and each time there is a change in service fees.

There are no significant differences between the regulations governing fintech operators and the regulations governing legacy players. Some fintech business operations are covered by licences already held by legacy players. Both fintech operators and legacy players must comply with the regulations set out in 2.2 Regulatory Regime. Other relevant laws and regulations applicable to general business enterprises will also apply. That said, the BOT’s December 2025 Guidelines for Digital Fraud Management introduced uniform end-to-end controls across prevention, monitoring, detection and remediation for supervised payment operators, raising the compliance bar as Thailand enters 2026.

Financial Services

In 2024, the BOT introduced new regulatory sandbox guidelines developed from past concepts, aiming to enhance the progression of fintech, extend the scope of technologies that can be tested in the sandbox, and study the appropriate regulatory approaches for these technologies. In June 2025, the BOT also published draft Guiding Principles on AI Risk Management for supervised institutions and payment providers, signalling supervisory expectations around governance, data integrity, model risk and explainability, followed by continued supervisory engagement through late 2025. According to the previous regulatory sandbox guidelines, there were two sandbox concepts, namely the “Regulatory Sandbox” and the “Own Sandbox”, and in 2024, a new concept, the “Enhanced Regulatory Sandbox”, was added to enable broader, multi-party pilots (including programmable payments and e-money tokens) under tighter risk controls.

For the Regulatory Sandbox, financial service operators that can apply for testing in this sandbox must meet the following conditions:

• Be under the BOT’s supervision.
• Offer new or improved financial services or fintech innovations.
• Offer financial services which:
1. contribute to the development or standardisation of Thailand’s financial sector in collaboration with other providers; or
2. are required to be tested in the Regulatory Sandbox.

The participants consist of:

• financial institutions;
• companies within a group of financial institutions;
• non-banks under the BOT’s supervision;
• fintech firms; and
• technology firms that either test independently or in collaboration with those mentioned above.

As of the time of writing, there are various financial innovations running tests under these regulatory sandboxes, eg, e-money on blockchain, cross-border payment, digital RD, peer-to-peer lending, national ID, programmable payment, TrustBiz Connext, letter of guarantee, biometric technology, QR payment, and Thai baht-referenced e-money token pilots within the Enhanced Regulatory Sandbox. Concurrently, the SEC’s Digital Asset Regulatory Sandbox, launched in August 2024, continues to support testing across exchanges, brokers, dealers, fund managers, advisers and custodial wallet providers.

Securities

The amended regulatory sandbox regulations that became effective in 2020 afford operators more flexibility by increasing the types of businesses that can participate, and continue to be utilised through 2025–2026. According to the SEC, the types of business under the amended regulatory sandbox regulations cover all activities in capital markets. The additional types of businesses are as follows:

• intermediaries – ie, securities investment advisory services, private fund management businesses, derivatives agent businesses, derivatives dealing businesses, derivatives advisory services, derivatives fund management businesses, newly added securities brokerage businesses, securities dealing businesses, securities underwriting businesses, mutual fund management businesses, and securities borrowing and lending businesses;
• post-trading service providers – ie, securities clearing houses, securities depository centres, securities registrars, and the newly added derivatives clearing houses;
• trading system service providers – ie, electronic trading platforms, and the newly added securities trading centres and derivatives exchanges; and
• digital infrastructure for capital market providers.

Digital Asset Services

The SEC’s Digital Asset Regulatory Sandbox initiative, launched in August 2024, further expands the scope of innovation in the capital markets by allowing participants to test and develop digital asset services under flexible regulatory guidelines, including tourist wallets and programmable payment integrations co-ordinated with the BOT. This initiative aims to improve service efficiency, reduce operational costs, and provide investors with access to new and improved digital asset services. Participants in the sandbox are required to use innovative technologies such as smart contracts and AI to enhance their services. The sandbox supports six types of digital asset services, namely, digital asset exchanges, digital asset brokers, digital asset dealers, digital asset fund managers, digital asset advisers and digital asset custodial wallet providers.

Insurance

The Office of Insurance Commission (OIC) issued a notification on insurance regulatory sandboxes in 2019, allowing both life and non-life insurance industry operators to conduct testing in their own sandboxes for certain cases.

The jurisdiction of each regulator depends on the type of financial service provided rather than the type of technology the operator of such business adopts. The key regulators of fintech businesses concerning financial services, securities and insurance in Thailand are:

• the MOF and the BOT for financial services;
• the MOF and the SEC for securities;
• the OIC for insurance;
• the Electronic Transactions Development Agency (ETDA); and
• the Anti-Money Laundering Office (AMLO).

The BOT has the power to supervise, examine and analyse the financial status, performance and risk management systems of financial institutions to enhance the stability of Thailand’s financial status as a whole. Thus, the BOT will predominantly supervise fintech activities relating to financial institutions, including digital lending and peer-to-peer lending payment systems, e-wallets, e-money and e-payments (including designated payment systems and designated payment services under the Payment Systems Act).

The SEC is the regulatory unit supervising capital markets. Capital markets are the main mechanisms for efficient mobilisation, allocation and monitoring of the utilisation of Thailand’s economic resources. The SEC also governs businesses that crowdfund, including those in the digital asset industry (cryptocurrencies and digital tokens), and administers the Digital Asset Regulatory Sandbox.

The ETDA oversees digital platform and e-transaction standards and supports the forthcoming Platform Economy Act framework.

The AMLO is Thailand’s regulatory body overseeing financial transparency and compliance with anti-money laundering and counter-terrorism financing regulations. It monitors both traditional and digital transactions to prevent money laundering and financial crimes (including oversight of specified operators’ customer due diligence/reporting obligations under the AML Act (see 2.14 Impact of AML and Sanctions Rules)).

In Thailand, the SEC has not officially adopted the concept of no-action letters used in the United States. However, the SEC can provide legal advice and guidance to companies and individuals to help them comply with SEC regulations and conduct activities involving SEC regulations with confidence.

The outsourcing restrictions applicable to each type of business depend on the relevant regulations. Thus, different businesses may have different restrictions on outsourcing. Business operators that conduct designated business activities under the relevant regulations must obtain licences or approvals, or register with the appropriate authorities. Certain functions in the operations of such designated business that are not the main activities under the respective licence, approval or registration can be outsourced to qualified persons to the extent that such outsourcing is not done to circumvent the relevant requirements.

For example, financial institutions can use IT outsourcing services provided by third parties. However, the guidelines on risk management implementation of third parties must be followed. The guidelines cover risk governance, third-party risk management and reporting obligations to the BOT.

Regulations require that payment service providers, such as e-money or e-payment service providers, have protocols for third-party services as follows:

• risk management measures and regular assessments for outsourced services;
• outsourcing agreements allowing internal, external and BOT auditors to audit outsourced payment services;
• a business continuity or disaster recovery plan covering outsourced service activities; and
• risk assessments for cross-border services.

In addition, the SEC has proposed outsourcing guardrails for certain digital asset functions (eg, due diligence and smart contract review) for ICO portals.

Depending on business activities, a fintech service provider may be considered a gatekeeper.

For example, pursuant to SEC Notification No GorThor 19/2561 regarding the criteria, conditions and procedures for business operations of digital assets, exchange service providers must have a system in place that discloses sale and purchase data. This data includes pre-trade and post-trade information, and records of sales and purchases of digital assets must be recorded for potential audits.

The Computer Crime Act B.E. 2550 (2007) requires that a fintech service provider is:

• a person who provides services to the public with respect to access to the internet or other mutual communications via computer systems, whether on their own behalf or in the name of, or for the benefit of, another person; or
• a person who provides services with respect to the storage of computer data for the benefit of other persons. Computer traffic data must be stored for at least 90 days from the date on which the data is entered into the computer system.

However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than 90 days but not exceeding one year on a special case-by-case or on a temporary basis. A fintech service provider must keep the necessary information of the service user to be able to identify the service user from the beginning of the provision of the services. Such information must be retained for an additional period of no more than 90 days after the service agreement has been terminated.

Failure to meet the specified requirements may result in a fine of up to THB5,000.

In 2025, the SEC remained active in supervising digital asset markets and businesses, and a stricter approach from the SEC was seen in enforcement actions (including licence revocations and post-revocation charges).

In January 2026, the SEC also filed criminal complaints in connection with unlicensed Worldcoin-related trading activity, signalling ongoing scrutiny of offshore projects targeting Thai users.

Despite the revocation of its digital asset licences, the business operator remains a limited company and may still face legal action. Following the revocation, the SEC filed charges against the business operators of digital asset exchange platforms for operating a digital asset exchange business without a licence under the Digital Assets Decree. As a result, the SEC filed a criminal complaint against such business operators with the Economic Crime Suppression Division for further investigation and legal proceedings.

In addition, the SEC has consistently enforced laws against the operation of digital asset businesses without a licence. In mid-2024, the SEC co-operated with the Ministry of Digital Economy and Society (MDES) to block access to the website of a digital asset trader operating and soliciting services in Thailand. This trader is accused of conducting a digital asset trading business without a licence, which is in violation of the Digital Assets Decree. Authorities also intensified anti-scam operations through late 2025, seizing substantial assets linked to online fraud and mule-account networks.

There are several regulations that fintech business operators must comply with to operate their businesses. However, those relating to privacy, cybersecurity, social media and software development are not specific to fintech businesses and apply to all business activities, including those conducted in a more traditional manner.

The Personal Data Protection Act B.E. 2562 (2019) (PDPA), which came into full effect on 1 June 2022, was introduced in order to establish a regulatory regime and specify the requirements for processing and protecting personal data in Thailand. The Thai government introduced the PDPA to enhance personal data protection and align with the EU’s General Data Protection Regulation.

Furthermore, the Cybersecurity Act B.E. 2562 (2019) (“Cybersecurity Act”) categorises cyberthreats into three levels, as follows:

• non-serious cyberthreats;
• serious cyberthreats; and
• critical cyberthreats.

Such threats shall be subject to investigation, and the private operator may be required to:

• provide access to relevant computer data or computer systems, or other information relating to the computer system;
• monitor computers or computer systems; and
• allow officials to test the operations of computers or computer systems or seize computers or computer systems.

For 2026, authorities are advancing targeted amendments to the PDPA and the Cybersecurity Act, following multi-round public consultations aimed at clarifying roles, lawful bases and incident response obligations for Critical Information Infrastructure operators, with revised drafts expected after the latest consultation rounds.

Auditors may monitor industry participants for accounting purposes. Industry participants may voluntarily perform internal audits for various matters – eg, IT audits. Currently, no other organisations have the power to supervise, regulate or monitor participants in the fintech industry.

The Thai Fintech Association was recently established in Thailand and registered as a non-profit organisation. The organisation has the main obligation to:

• be a centre of knowledge of fintech;
• support the public’s use and accessibility to fintech services; and
• support standardisation of the fintech industry.

At the time of writing, the Thai Fintech Association has not been granted authoritative power by the regulator, nor have regulations been passed to allow it to supervise industry participants. However, as regulators appear to encourage self-regulatory mechanisms in the fintech industry, the Thai Fintech Association may become a key organisation in establishing wider sector policies and standardisation.

The Thai Fintech Association, the Thai Blockchain Association, the Thai Digital Asset Association and the Thai Digital Trade Association were all established to support and be the voice of each respective ecosystem.

Certain regulations restrict a licensee from providing business services other than those covered under the relevant licence held by the business operator or business services/activities related to the licensed business activity.

Under the Payment Systems Act, business operators licensed to engage in e-money business services may not operate other businesses except those that such operators are licensed to perform or business activities that support e-money business services.

The Anti-Money Laundering Act B.E. 2542 (1999) (the “AML Act”) and the Counter-Terrorism and Proliferation of Weapons of Mass Destruction Financing Act B.E. 2559 (2016) are the two primary laws regulating anti-money laundering in Thailand. Fintech businesses may be required to comply with these two laws since they may deal with financial activities – ie, e-payment systems, money exchanges or financial institutions (as prescribed under the AML Act (“Specified Operators”)). If a particular fintech business is included in the scope of Specified Operators, such fintech operator is required to verify its customers’ identities upon commencement of certain activities, conduct customer due diligence, and report any suspicious transactions to the relevant authority.

As most fintech companies carry out their businesses as Specified Operators, they must comply with the obligations specified under the law, as follows:

• reporting transactions to the AMLO involving the use of cash or assets in an amount exceeding that prescribed in sub-regulations or any suspicious transactions;
• identifying customers prior to making any transactions;
• determining policies for customers, preventing money laundering, determining risk management policies and conducting due diligence on customers when making the first transaction; and
• recording all facts relating to any transaction that has been made.

The obligations under the AML Act result in more procedures and steps for effectuating each transaction, and fintech companies may have to establish a compliance department to comply with anti-money laundering obligations. Also, fintech companies may have to prepare systems for storing information on transactions and customer data and ensure the security of such systems. The BOT’s Guidelines for Digital Fraud Management took effect on 17 December 2025, imposing end-to-end fraud controls on banks and payment service providers under the Payment Systems Act.

Thailand’s anti-money laundering and sanctions regulations generally conform to the standards established by the Financial Action Task Force.

No authority in Thailand has officially endorsed reverse solicitation; however, it is a practice frequently adopted by foreign business operators. In this regard, it is recommended that service providers exercise heightened caution when offering services to Thai individuals by relying on this concept. Ensuring independent initiation by the client and maintaining clear documentation is crucial to avoid regulatory scrutiny and potential legal consequences.

Thailand has not adopted regulations specifying which business operators or activities require the use of robo-advisers, although some Thai fintech operators do utilise robo-adviser technology.

Wealth advisers are encouraged to use fintech to generate financial solutions and to serve as an aid to financial planning under the SEC’s framework. According to SEC Notification No SorThor 31/2561 Re: Rules in Details on Wealth Advisory Service Business, wealth advisers must complete the process of client contact and services in five steps, as follows:

• exploring and understanding clients;
• constructing an investment portfolio;
• implementing the portfolio according to the asset allocation plan;
• monitoring and rebalancing the portfolio; and
• providing consolidated reports for clients’ review.

Wealth advisers must also have an electronic system supporting the actions under the third and fourth points above.

Legacy players must adhere to regulations relevant to their traditional business activities, including implementing robo-advisory services, and they have quickly adapted to and incorporated these robo-advisers into their operations over the last few years.

Private sector banks use robo-adviser-based solutions to develop tools for customer satisfaction, new products and services, and improvements.

The most widespread use of robo-advisers occurs in wealth management and developing custom-made trading and wealth solutions.

Records available to the public do not show cases of customer complaints relating to the use of robo-advisory services.

However, securities and derivatives business operators have an obligation to carry out their business on a best-execution basis as specified in Notification of the Capital Market Supervisory Board No TorThor 35/2556 Re: Standard Conduct of Business, Management Arrangements, Operating Systems, and Provision of Services to Clients of Securities Companies and Derivatives Intermediaries. As such, securities and derivatives business operators who use robo-advisory technology also have a duty to provide their services on a best-execution basis.

The regulations for both online and offline loan business activities are generally the same. Different regulations apply depending on the type of loan rather than on the business operations of the operator/service provider.

For example, a supervised personal loan is provided to individuals, not corporations. A supervised personal loan may not be granted where it is more than five times the average monthly income of a borrower with an average monthly income of THB30,000 or above. Pico finance is a personal loan granted to prevent or solve informal debt issues. A Pico finance loan may not exceed THB50,000 or THB100,000, depending on the type of Pico finance operator.

However, in 2021, the BOT permitted licensed personal loan business providers to offer digital personal loan services in Thailand with the approval of the BOT. Lenders may grant digital personal loans with a maximum credit amount of THB20,000. Effective rates of interest charged, together with the relevant fees, must not exceed 25% per annum. The BOT regulations relax certain criteria for the provision of personal loans and provide some flexibility, such as using alternative data for financial service providers to provide online lending services.

There are no specific underwriting processes for online lenders prescribed by regulations in Thailand. Commercial banks may develop their own underwriting standards and compliance measures. When a loan is granted for a specific industry, certain industrial underwriting standards may be enforced. The BOT will observe the underwriting practices of commercial banks and may issue notifications to oversee lending activities. This is intended to enhance underwriting standards if the existing market standards are found to be too lenient. Since 2024, the BOT’s Responsible Lending regulations have required affordability assessments, standardised borrower assistance (eg, persistent debt programmes), clearer advertising standards and enhanced disclosures, with closer supervisory monitoring of compliance.

As mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, there are no specific online or offline regulations. Online lending is subject to the same regulations as offline lending.

Thus, the source of funds, the method of raising funds and any restrictions thereon will depend on the business activity. Non-bank auto-leasing and hire-purchase operators moved under direct BOT/MOF supervision pursuant to a Royal Decree effective in June 2025, with phased compliance into 2026, potentially affecting business conduct and cost of funds even though capital sources remain business-driven.

Online lending is generally for individuals in Thailand. As such, syndication of fiat currency loans is uncommon. However, there are no restrictions on syndicating online loans.

There are no specific requirements for payment processors to use existing payment rails such as credit cards or electronic payment settlement agencies. However, payment processors have to apply for a licence from the MOF as recommended by the BOT or have to register with the BOT in accordance with the Payment Systems Act.

Payment processors that implement new technology into their business operations can apply to participate in the BOT’s regulatory sandbox if they meet all qualifications (see 2.5 Regulatory Sandbox). The BOT’s Enhanced Regulatory Sandbox continues to accept pilots for digital payments and programmable payment use cases under controlled conditions.

Under Thai law, there are specific restrictions for inward remittances. However, outward remittances must be performed through an authorised BOT agent (ie, any commercial bank). Fund remittance may also require permission from the BOT if the purpose of the remittance is restricted. In such cases, the person remitting the money must obtain approval through an authorised bank by submitting supporting documents to the bank prior to the transfer of funds.

Nevertheless, if such remittances are equal to or more than USD200,000, supporting documents must be submitted to the authorised commercial bank. BOT regulations do not determine the list of required supporting documents. Each authorised bank is entitled to request any documentation from the person remitting funds at their discretion on a case-by-case basis, which can vary depending on the type of transaction (eg, loan, service agreement, sub-licence agreement and purchase price). As of 1 December 2025, BOT Notification No 34 also permits outward remittances for digital asset payments by mutual and private funds without prior approval (subject to SEC rules), reflecting incremental liberalisation for regulated institutional flows.

E-Money Remittances

Outward e-money remittances must be performed through an authorised e-money operator. The purpose of outward e-money remittances is generally listed as payment of goods and services to others domiciled in a foreign country.

The BOT has issued a notice from the competent officer permitting non-bank operators to apply for foreign exchange e-money licences to issue e-money in foreign currencies. These licences allow non-bank operators to make cross-border remittances for their customers’ payments of goods and services. Non-bank e-money service providers can thus cater to customers’ demands when travelling. In parallel, the BOT–SEC “TouristDigiPay” sandbox enables licensed digital asset operators to convert tourists’ crypto into Thai baht for e-money wallet spending within a controlled pilot, integrating QR payments while preserving anti-money laundering/consumer safeguards.

Digital asset exchanges are trading platforms for both cryptocurrency and digital tokens. Currently, exchanges for cryptocurrency and digital tokens are subject to the same regulatory regime as applies under the Digital Assets Decree. From April 2025, extraterritorial amendments require offshore platforms that target Thai users (eg, Thai language, THB rails, local domains or staffing) to obtain Thai licences; non-compliance can trigger criminal penalties and site blocking.

The Digital Assets Decree governs cryptocurrency and digital tokens. The regulatory regime concerning digital asset operators is substantially the same for both cryptocurrency and digital tokens.

Nonetheless, certain cryptocurrencies and digital tokens are prohibited from being listed and traded on licensed digital asset exchange platforms, such as meme tokens, fan tokens and non-fungible tokens (NFTs). Following supervisory updates in 2024, “ready to use” utility tokens (Group 1 Utility Tokens) are exempt from offering approval, provided they are not intended for listing. If listing is intended (Group 2 Utility Tokens), SEC offering approval and portal filing are required, with exchanges, brokers and dealers restricted from servicing Group 1 tokens unless operated through a separate legal entity. In March 2025, the SEC expanded eligible cryptocurrencies for certain regulated transactions to include USDC and USDT, without changing the prohibition on digital asset payment use.

Cryptocurrency exchanges are subject to a separate regime under the Digital Assets Decree. See 6.1 Permissible Trading Platforms for more information.

The SEC prescribes the listing standards for an ICO in SEC Notification No GorJor 15/2561 Re: Offering of Digital Tokens to the Public.

Requirements

According to the listing standards, among other requirements, the applicant for an ICO must be a limited or public limited company that is not insolvent. The applicant must show that the ICO portal has considered that the ICO is in compliance with this notification. There are also requirements regarding the underlying assets, such as whether the underlying assets of the digital tokens are real estate or infrastructure.

There are certain requirements that the offeree must comply with, as well as limitations on the number of digital tokens that can be offered to general investors unless it involves the offering of real estate-backed, infra-backed or sustainability group digital tokens. The applicant must also prove to the Office of the SEC that the business models and smart contracts are enforceable and that the applicant will not take advantage of the investors. Further 2024–2025 measures tightened governance/advertising standards (eg, check-and-balance mechanisms, token-holder meeting rules and stricter ad content standards) and clarified treatment of ready-to-use utility tokens and new business approvals for operators.

Approval

Prior to the offering, the issuer must obtain approval from the Office of the SEC, submit registration statements, and draft prospectuses as indicated in the SEC’s notification. The offer for the sale of digital assets is permissible only after the SEC approves the registration statements and the draft prospectuses. The offer for sale must be made via the system provider, the ICO portal, that is approved by the SEC. From August 2025, digital asset exchanges, brokers and dealers may seek SEC approval to support tokenised environmental products (eg, carbon credits and renewable energy certificates), subject to enhanced screening and disclosures.

Operators are subject to record-keeping standards and custody documentation requirements, including five-year retention (with the first two years readily accessible), as well as anti-fraud and mule-account controls developed with industry associations.

Currently, peer-to-peer energy trading platform initiatives in the energy sector are on the rise, while the adoption of peer-to-peer trading platforms in other industries (including fintech) is still rather limited.

This type of platform may not fall under the existing categories of businesses eligible for licences, and therefore the SEC may need to revise the regulations on digital assets to capture this type of platform. Any such revisions would likely align with ongoing efforts to harmonise offering exemptions and secondary-market eligibility for utility tokens.

There are no specific payment rules for order flow applicable to digital asset operators. However, there is a general prohibition on the receipt of benefits in excess of those that should be received or rewarded under normal commercial practices.

Under the Securities and Exchange Act B.E. 2535 (1992) (the “SEC Act”), various offences are listed, aimed at protecting market integrity and preventing market abuse, including:

• insider trading – anyone who has material inside information is prohibited from the buying or selling of securities to which such inside information is related;
• market manipulation – trading of securities with the intent to manipulate the market is prohibited; and
• misstatement – dissemination of false information with an intent to mislead is also prohibited.

The regulations do not specifically state the criteria for using algorithmic trading for each asset.

However, under the Stock Exchange of Thailand (SET) Notification Re: Procedures on Trading, Clearing and Settlement of Securities in the Exchange, specifying the criteria for the use of computer programs in creating and recording orders automatically (“Program Trading”) including algorithmic trading, an operator who wishes to use Program Trading has to obtain approval from the SET prior to such use.

The SET also provides guidelines regarding the qualifications and criteria for Program Trading that will be used in the market.

Under SET Notification Re: Persons Involved in the Trading System B.E. 2555 (2012), a person meeting the following criteria can register as a market maker:

• being an SET member or a non-member certified as a market maker by a member and undertaking clearing and settlement through such member;
• having market-making experience or personnel qualified to be a market maker;
• having systems or procedures and risk management policies relating to market making;
• not currently being subject to a five-year prohibition from registering as a market maker by the SET; and
• meeting other SET criteria.

Moreover, the Thailand Futures Exchange (TFEX) has established the following criteria for registering as a market maker:

• being a TFEX member, a member’s corporate client named by the member as a market maker, or any other juristic person with a clearing guarantee agreement;
• having market-making experience in derivatives trading or personnel qualified to be a market maker;
• having adequate system readiness or procedures and risk management policies relating to market making; and
• maintaining financial stability with no risks affecting market-making duties.

TFEX may set additional criteria for persons wishing to be any of the following market makers:

• juristic person customers or juristic persons with clearing guarantee agreements; or
• market makers in futures with regulator-approved underlying goods or variables.

From a regulatory perspective, there is no distinction between funds and dealers in the algorithmic trading area.

There is no regulation under Thai law specifically governing programmers and programming. However, for programming, an algorithm has to be approved by the relevant authority, and the programmers have to be aware of the prohibited characteristics of trading as specified in the SEC Act.

Underwriting processes differ according to the products and business operators. The relevant insurance laws (ie, the Life Insurance Act B.E. 2535 (1992) and the Non-Life Insurance Act B.E. 2535 (1992)) govern various aspects of the underwriting processes of business operators. In particular, the sale and offering of insurance products are heavily regulated.

Given the extent of insurance regulation, insurtechs commonly face a number of legal obstacles. Recognising these constraints and simultaneously trying to promote innovation in the industry, the OIC, the insurance industry’s regulating entity, launched the OIC insurance regulatory sandbox and set up the Centre of InsurTech Thailand to promote insurtech.

There are two applicable regulatory regimes:

• the life insurance regime under the Life Insurance Act B.E. 2535 (1992), which covers life and annuities; and
• the non-life insurance regime under the Non-Life Insurance Act B.E. 2535 (1992) which covers property and casualty.

Many aspects of these acts are similar, but the licences for life insurance and non-life insurance businesses are separate, and the same legal entity may not engage in both types of business.

There are no overarching regulations that govern regtech generally. Whether regtech providers are subject to any regulations needs to be analysed case-by-case.

Currently, in Thailand, an area considered one of the most advanced in regtech development is electronic authentication and verification of identity (e-KYC).

After the amendment to the Electronic Transactions Act, authentication and verification of identity in electronic form became recognised and admitted under Thai law.

Electronic Identity Verification

The BOT has also adopted electronic authentication and identity verification to open accounts with financial institutions. Previously, financial institutions had to conduct know-your-customer (KYC) processes on a face-to-face basis (physical KYC). Non-face-to-face KYC has been accepted in practice since the relevant notification of the BOT was adopted. Financial institutions can perform electronic KYC for customers to open accounts via online platforms.

In addition to electronic KYC, another central platform in Thailand is the National Digital ID Platform (the “NDID Platform”). This system collects customers’ information for use by any financial institution to verify customers. The NDID Platform is thus an important system for Thai financial institutions to use to verify their customers, and many banks in Thailand have decided to use it to facilitate the KYC process.

The contractual terms of use of service provided by a third party may also be regulated, depending on the type of business. Theoretically, certain functions that are not the main activities of financial service providers (which normally require a licence, approval or registration) can be outsourced to a third party.

For instance, pursuant to BOT Notification No SorNorSor 16/2563 Re: Regulations on the Use of Services from Business Partners of Financial Institutions, in order to use the services of a business partner, the financial institution must create guidelines on risk management and customer protection. Moreover, all strategic functions must be carried out directly by the financial institutions themselves. In addition, the financial institutions also have to submit an annual report to the BOT on the use of services provided by business partners that may cause significant risks to – or have an impact on – the public at large.

With respect to IT outsourcing, financial institutions have to comply with third-party guidelines on risk management implementation. These cover issues such as risk governance, third-party risk management and reporting obligations to the BOT.

Non-regulated contractual terms largely depend on the commercial issues and other regulations that may specifically apply to that financial institution. Therefore, contractual terms must be negotiated and agreed upon on a case-by-case basis.

Many Thai financial institutions, including the BOT, are keen on adopting blockchain technology.

In 2020, the BOT launched a new blockchain-based platform for government bond issuance. This project is a collaborative effort with the Public Debt Management Office, Thailand Securities Depository Co, Ltd, the Thai Bond Market Association and several selling-agent banks. Since then, policymakers have advanced tokenisation and programmable payment pilots, including the BOT’s Enhanced Regulatory Sandbox for programmable payments and the Cabinet-approved Government Token (G-Token) initiative in 2025.

In addition, certain commercial banks in Thailand have adopted blockchain technology in order to develop their operations, such as monitoring the correctness of financial transactions, cross-border transfers of funds, issuing bank guarantees and developing other aspects relating to financial infrastructure.

TDX, part of the SET group, also operates a token exchange to support digital token fundraising and trading under SEC supervision.

Even though the BOT and the Office of the SEC are very cautious about the sale of blockchain-based digital assets and cryptocurrency, they and other local regulators are very positive about wider uses of blockchain technology and are keen on utilising it. Regulators are simultaneously broadening tokenisation pathways (eg, allowing services for tokenised carbon credits and renewable energy certificates subject to prior SEC approval) and running joint sandboxes such as “TouristDigiPay” for crypto-to-baht spending by tourists via e-money rails.

The Digital Assets Decree, which governs blockchain assets under the defined term “digital assets”, separates digital assets into cryptocurrency and digital tokens.

“Cryptocurrency” is defined as an electronic data unit built on an electronic system or network that is created as a medium of exchange for the acquisition of goods, services or other rights, including the exchange between digital assets.

A “digital token” is defined as an electronic data unit built on an electronic system or network to specify a person’s right to invest in any project or business or acquire specific goods or services. Digital tokens are further separated into two types: investment tokens and utility tokens.

Regulating Digital Assets

Currently, the SEC regulates digital assets based on the activities of the operators, with some differences depending on the types of digital assets (eg, there are some differences in requirements for underlying assets that are in the form of real estate and infrastructure) under the Digital Assets Decree. Since August 2024, the SEC has also differentiated “ready to use” utility tokens (Group 1 vs Group 2), with exemptions and operator restrictions calibrated to functionality and trading intent.

The closest concept to “issuers of blockchain assets” are the “issuers” of digital assets under the Digital Assets Decree.

The issuer of an ICO must be a limited company or a public limited company. Similar to as discussed in 6.4 Listing Standards, prior to the offering, the issuer must obtain approval from the Office of the SEC and submit registration statements and draft prospectuses as indicated in the relevant SEC notification. The offer for the sale of digital assets is permissible only after the registration statements and the draft prospectuses have been approved by the SEC. The offer for sale must be made via the system provider, the so-called ICO portal, which has been approved by the SEC. Updates in 2024–2025 added governance, token holder meeting and advertising standards to strengthen investor protection in ICOs.

Challenges to the Tokenisation of Real-World Assets

The tokenisation of real-world assets in Thailand is mainly challenged by regulatory classification uncertainty and structuring complexity. Market participants must carefully assess whether tokenised interests fall within the scope of digital tokens, securities, or other regulated products, which directly affects approval, disclosure and compliance requirements. Practical issues also arise in ensuring an enforceable linkage between tokens and the underlying assets, particularly in relation to custody and investor protection.

The closest concept to a blockchain asset trading platform under Thai law is a “digital asset exchange” under the Digital Assets Decree. A “digital asset exchange” is defined as any centre or network established for purchasing, selling or exchanging digital assets by means of the matching or finding of parties or the provision of a system or facilities whereby those intending to purchase, sell or exchange digital assets may reach agreements or may be matched.

Digital asset exchange operators must apply for permission. The MOF would grant this upon the SEC’s recommendation. The appointment of directors and executives of the operator must also be in accordance with the relevant notification, and such appointment will be valid upon approval by the Office of the SEC.

The exchanges are obliged to comply with all guidelines specified by the Office of the SEC, including on source of funds, protection of customers’ assets, prevention against electronic theft, KYC measures and a reliable accounting system approved by the SEC. Among other obligations, the operator must segregate the retained customers’ assets from its own assets.

Under SEC Notification Re: Rules, Conditions and Procedures for Undertaking a Digital Asset Business (No 11), digital asset exchanges are obliged to set listing rules to prohibit token issuers from listing utility tokens or certain types of cryptocurrencies that have the following characteristics:

• Meme tokens, which have no clear objective or substance or underlying substance, and whose price is based on social media trends.
• Fan tokens, which are tokens dependent on the fame of influencers.
• NFTs, which are digital creations that declare ownership or grant rights to an object or another specific right. They are unique and not interchangeable with digital tokens of the same category and type at an equal amount.
• Digital tokens that are utilised in a blockchain transaction and issued by digital asset exchanges or related persons.

While some types of tokens may be banned from being listed on digital asset exchanges, and the provision of services in relation to such tokens is prohibited, the SEC, in 2024, issued exemptions for certain ready-to-use utility tokens by dividing them into two groups and providing specific approaches for each of them as follows.

Group 1 Utility Tokens include:

• ready-to-use tokens for acquiring goods or services primarily for consumption, eg, digital vouchers/coupons, concert tickets, event passes, airline tickets, and NFTs representing artworks, music or videos granting specific rights to the holders; and
• ready-to-use tokens which serve as digital representations of certificates, such as carbon credits, renewable energy certificates, educational transcripts and medical certificates. These tokens are considered non-financial products traded on specific platforms, and market mechanisms determine their value.

Group 2 Utility Tokens are designed for financial services, investment and speculative purposes, similar to money and capital market products. They include tokens for accessing goods and services on distributed ledger technology platforms, exchange tokens for paying fees or receiving discounts on digital asset exchanges, governance tokens for voting rights, and tokens for digital asset services in DeFi or CeFi.

Group 1 Utility Tokens are exempt from approval for primary market offerings and are not considered regulated businesses, but digital asset exchanges, brokers and dealers may not provide services related to these tokens unless they establish a separate entity. Meanwhile, Group 2 Utility Tokens are exempt from approval unless listed on an SEC-authorised digital asset exchange, and digital asset business operators can provide services related to these tokens. In any case, neither group may be used as a means of payment or for staking except for transaction verification, voting, participation in activities, or receiving ecosystem benefits.

The provision of staking services for cryptocurrencies is prohibited in Thailand. It is allowed only for specific purposes related to the use of digital tokens, as discussed in 10.5 Regulation of Blockchain Asset Trading Platforms. Thai regulators reinforced this approach by banning exchange-offered lending/staking products for investors in 2023.

In Thailand, the SEC prohibits digital asset business operators from providing or supporting deposit-taking and lending services. This policy remains in effect alongside broader consumer protection measures in the digital asset market.

Currently, there are no specific regulations regarding cryptocurrency derivatives in Thailand. However, in July 2025, the SEC proposed amendments to include digital assets as regulated underlyings in the Derivatives Act B.E. 2546 (2003), which would require derivatives licensing for such products if adopted.

The term “DeFi” is not defined under Thai law. Thus, there is no specific regulation on DeFi platforms or transactions. However, on a case-by-case basis, if any transaction related to DeFi relates to the purchase and sale of digital tokens and cryptocurrency or other regulated business, operators related to the DeFi business are subject to the Digital Assets Decree.

Effective from January 2025, certain mutual and private funds were permitted to invest in digital assets under specified criteria, expanding institutional participation.

Virtual currencies are not defined under Thai law. However, under the Digital Assets Decree, “cryptocurrency” is defined as “an electronic data unit built on an electronic system or network which is created for the purpose of being a medium of exchange for the acquisition of goods, services or other rights, including the exchange between digital assets”. Cryptocurrency is different from digital tokens in the sense that it is a medium of exchange, while digital tokens, which are another type of blockchain asset defined under the Digital Assets Decree, have the main purpose of determining the right to participate in an investment or to acquire goods or services.

See also 10.3 Classification of Blockchain Assets.

To establish whether an NFT will be regulated under Thai law, a determination of whether that NFT falls within the definition of a “digital token” under the Digital Assets Decree is needed. Certain NFTs may be considered utility digital tokens if such NFTs grant the holder a right to obtain any goods, services or assets.

Under the SEC’s guidelines issued on 6 January 2022, certain types of NFTs are exempted from NFT regulations and the Digital Assets Decree, including NFTs that are utility tokens with ready-to-use underlying products or services as of the date of offering. To further elaborate, an NFT that is exempted is one which is an asset in itself, is inseparable, and does not represent any rights or the intention to be utilised as a medium of exchange (eg, an NFT that is created by storing a digital file on an Interplanetary File System issued for the convenience of exchange, and such digital file and the NFT must be transferred together, be inseparable and be unable to be modified).

The SEC’s August 2024 framework further clarified Group 1 ready-to-use utility tokens (including certain NFTs) and prohibited exchanges from listing such tokens in the absence of a separate entity, while preserving the ban on payment use.

Stablecoins are not subject to a dedicated regulatory framework in Thailand. Their regulatory treatment depends on their structure, reference assets and intended use, particularly whether they are designed to function as a means of payment.

The BOT applies a functional and risk-based approach. Stablecoins backed by the Thai baht and used as a medium of exchange may fall within the scope of the Payment Systems Act and be characterised as e-money. In such cases, the issuer or service provider is required to consult with and obtain approval from the BOT prior to commencing operations, and will be subject to requirements comparable to those applicable to e-money services, including risk management, anti-money laundering and consumer protection measures.

Other types of stablecoins, including those backed by foreign currencies or other assets, or those relying on algorithmic stabilisation mechanisms, are assessed on a case-by-case basis. Stablecoins that are structured or promoted in a manner that effectively substitutes the Thai baht may be considered unlawful under the Currency Act B.E. 2501 (1958).

At present, there are no statutory requirements or regulations specifically applicable to stablecoins, such as mandatory reserve composition or redemption at par. The BOT continues to monitor developments in this area and has indicated its openness to innovation.

As a recent development, in 2025, the SEC added USDC and USDT to the list of permitted cryptocurrencies for certain regulated transactions, while the BOT continued programmable payment testing for Thai baht-backed stablecoin use cases in the sandbox.

Thailand saw its first open banking initiative in January 2022 when the BOT, the Thai Bankers’ Association and the Government Financial Institutions Association introduced the “dStatement”, which is an exchange of financial statement data among banks to support digital loan applications.

To date, open banking implementation in Thailand remains subject to feasibility studies, and the application programming interface standards have yet to be finalised. However, the BOT has taken significant first steps.

In November 2023, the BOT published a consultation paper on “Open Data for Consumer Empowerment”, which aims to build a mechanism that allows consumers to exercise their rights to conveniently and securely transfer their data stored from one provider to another so that consumers can apply for and receive better services from any provider.

All financial institutions need to comply with the PDPA, which came into full effect on 1 June 2022, in order to process personal data – for example, as regards the following:

• notifying the processing of personal data;
• obtaining prior consent from customers if the processing of their personal data does not fall under any lawful basis of processing (eg, performance of contract, legal obligation); and
• providing channels for customers to exercise rights regarding their personal data.

Fraud can occur in various businesses, including financial services and fintech, and may be subject to different laws in Thailand, depending on the nature of the fraud and the industry sector in which it occurs, such as digital assets, payment systems or insurance.

Fraud under specific regulations shares fundamental elements with general fraud under the Criminal Code:

• deception – a person lies or hides a fact that should be revealed;
• dishonest intent – such person wants benefits they do not deserve for themselves or others; and
• unlawful gain – such person, thereby:
1. obtains property from the deceived person or any third party; or
2. causes the deceived person or any third party to change, remove or destroy a document of rights.

These elements constitute an offence of fraud, which typically leads to imprisonment and/or a fine under the Criminal Code. However, if such an offence is subject to specific laws, as mentioned above, the liability will be determined in accordance with those laws.

In addition, more complex and new financial fraud has risen globally, especially in countries with real-time payment systems, including Thailand. This has led to the enactment of the Emergency Decree on Technology Crime Prevention and Suppression Measures B.E. 2566 (2023) (“2023 Emergency Decree”) in March 2023, which aims to address financial fraud in Thailand swiftly. It requires government and business sectors to actively prevent technological crimes and imposes harsher penalties on those committing such crimes, including financial fraud.

As of April 2025, amendments to the 2023 Emergency Decree have been enacted to hold telecoms companies and financial institutions more accountable for cybercrime losses, requiring them to share responsibility for scam victims. The law will be applied on a case-by-case basis, and while it seeks to enhance consumer protection, it may not guarantee compensation for all victims. The amended 2023 Emergency Decree mandates that financial institutions and telecoms operators must ensure adequate preventive systems are in place, or they will be held financially responsible if consumer losses result from their negligence. This includes the prompt removal of suspicious mobile phone messages by network operators and strict verification processes for SIM card registration and opening of bank accounts.

The amended 2023 Emergency Decree emphasises shared responsibility among financial institutions, telecoms companies and consumers. It includes guidelines for shutting down websites that violate the law and mandates a reliable and transparent verification process. The amended 2023 Emergency Decree also introduces greater penalties for offenders and more liability for financial institutions and telecoms service providers if they neglect or fail to maintain their systems properly.

According to a report by the BOT, the types and patterns of fraud in Thailand that are most commonly found and which have attracted the attention of government authorities include the following:

• money mule and mule accounts;
• phishing (eg, phone scams, voice phishing or smishing);
• identity theft; and
• e-wallet hacking.

As mentioned in 12.1 Elements of Fraud, Thai law’s main regulations for addressing fraud are the Criminal Code and the 2023 Emergency Decree. A fintech service provider in Thailand may be held responsible for customer losses due to fraud if it engages in criminal offences or fails to comply with the obligations set forth in the relevant laws and regulations.

However, as of the time of writing, there is no specific regulation regarding the amount of compensation, so it will depend on a case-by-case analysis or court judgments. In any regard, relevant authorities in Thailand, including the BOT and the MDES, are currently drafting legislation to enhance the security of financial institutions’ systems, aiming to close loopholes and prevent fraud on mobile banking platforms. The new regulations will require banks to fully compensate customers for any losses incurred if the banks fail to adhere to the prescribed preventive measures.