A recent notification from the Bank of Thailand (BOT) has introduced new know-your-customer (KYC) guidelines for e-money businesses, updating the country’s regulatory regime to accommodate the greater variety of e-money services that have come into the market. The new regulations better differentiate between the types of risk relating to each product, and are expected to help e-money service providers overcome difficulties in identifying their customers.
Notification Sor Nor Chor 1/2563 Re: Know Your Customer Regulations for Activating the Use of e-Money Services was issued by the BOT on March 13, 2020, supplementing the KYC requirements for e-money services stipulated under the Anti-Money Laundering Act B.E. 2542 (1999) (AMLA). The notification came into force on May 6, 2020.
Identification and Verification
The KYC procedures that e-money service operators must adopt are a two-stage process—first identifying, and then verifying, customers. In doing so, they must ensure that the information received is actually the customer’s information, and that the information is correct, true, and up to date.
The notification sets out specific KYC requirements for different product offerings so that e-money service providers will be able to adapt their procedures to suit the level of risk for each product. For non-transferable payments for products or services in Thailand, e-money services must follow the customer identification and verification procedural requirements in the AMLA. For transferable payments for products or services (whether in Thailand or not), e-money services must conduct additional face-to-face or non-face-to-face verification of customers.
For face-to-face verification, e-money services must confirm that the information and evidence received for verification is correct, true, up to date, and from a reliable source (e.g., the National Credit Bureau). Service operators must also prove that the information provided by the customer is the customer’s own information and proof of identity. If a smart ID card is provided as evidence, the card must be validated with a smart card reader and verified through a government electronic inspection system (e.g., National Digital ID).
When face-to-face verification is not possible, or not a preferred option, in addition to confirming and verifying the information received, operators must obtain a photograph of the customer and record it using advanced technology that adheres to accepted standards, in order to verify the customer’s identity by comparing the individual’s face with the biometric information embedded in the smart ID card. E-money payment or transfer services that have implemented measures to minimize risks in line with the AMLA’s criteria for low-risk services (such as regulated e-payment services) may confirm the information and evidence used for verification themselves, similar to the requirements for face-to-face confirmation.
For corporate customers, the procedures must enable the identification and verification of the corporate entity’s authorized person, in addition to the KYC procedures set out by the AMLA (meaning that corporate customers must provide the company name, objectives, address, phone number, etc.). This can be any procedure that meets the standards set out in the BOT’s notification—for example, an e-money service may designate an employee to be in charge of a corporate customer and validate that the information received is correct, true, and up to date. Evidence is also required to prove that the person using the e-money service for the first time is authorized to do so by the corporate entity.
As part of their internal risk-management procedures, e-money services must implement other KYC procedures for corporate customers when there are temporary technical difficulties that could prevent compliance with any of the above verification requirements.
The BOT notification also allows e-money service operators to verify customers using the national digital ID system, either alone or in conjunction with the procedures outlined above.
When a customer of one e-money service intends to activate or use another type of e-money service with the same provider, operators that have already implemented the KYC requirements in the regulations for activating or changing of the type of e-money service, and have kept the customer’s information correct and up to date, should follow authentication procedures that are secure and able to prove the customer’s genuine identity and correlation with the risk level of the relevant product or service. For example, an operator could use a biometric comparison technology to verify customers.
Other requirements under the BOT notification include implementing policies, risk management measures, and internal controls to ensure that risk management systems for KYC procedures are appropriate, concise, and aligned with the relevant product and activation channels. In addition, a secured storage system for customer information must be maintained.
E-money service providers that want to implement any other KYC process will need to obtain approval from the BOT and, if necessary, test any new technology in the BOT’s regulatory sandbox.
Compliance Steps and Exemption Requests
E-money services should be in compliance with the BOT’s KYC notification by November 2, 2020. In advance of that compliance, by July 5, 2020, existing services need to have submitted a clear operating plan to the BOT showing how they would bring their operations into compliance with the regulations. Service providers are also required to notify the BOT immediately upon achieving full compliance with the regulations.
E-money services that are unable to comply with the regulations may submit an exemption request (in writing or electronically) to the BOT, detailing the reasons for not being able to comply with the regulations. Upon receipt, the BOT will consider whether to approve the exemption.