You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
September 24, 2025

Thailand Issues AI Risk Management Guidelines for Financial Service Providers

Subscribe to Updates

On September 12, 2025, the Bank of Thailand (BOT) officially released its AI Risk Management Guidelines for Financial Service Providers, building upon the draft guidelines issued in June 2025. The guidelines reflect a balanced approach, encouraging innovation while safeguarding financial stability and consumer protection.

The guidelines are targeted at all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act.

The guidelines apply to both AI systems developed in-house and those developed by third parties that are adopted for use by financial service providers.

AI Risk Management Guidelines

The two main pillars in managing AI risk are (1) governance of AI system implementation and (2) AI system development and security controls, consisting of the following key elements:

1. Governance

  • Stakeholder roles and responsibilities. Boards and senior management assume accountability for decisions and operations involving AI systems, and are responsible for defining roles and responsibilities for AI oversight. This includes establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization. Organizations are expected to foster internal capabilities to use AI securely and avoid overreliance that could compromise business continuity or customer service.
  • AI system usage policy. Policies governing AI usage should align with organizational goals, regulatory obligations, and recognized responsible AI frameworks—such as the FEAT principles (fairness, ethics, accountability, and transparency). These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles.
  • Risk management throughout the AI lifecycle. Risk management should encompass the entire AI lifecycle, from establishing risk appetite to implementing continuous risk assessment and control measures tailored to specific use cases. Financial service providers should assess risks and impacts of AI usage on operations and customer services. Human oversight must be embedded in decision-making processes, with the degree of oversight calibrated to the level of risk and impact, especially when AI systems are used in strategic functions or customer interactions (e.g., loan approval or account opening). In customer interactions with AI systems, customers should be notified and have options to contact personnel of financial service providers.
  1. Development and security controls
  • Data risk. Financial service providers should have measures to assess and ensure the quality, accuracy, currentness, volume, and diversity of data used in AI model training. They should also implement data leakage prevention measures.
  • Model development risk. Financial service providers should have (1) clear evaluation metrics for assessing model accuracy and reliability through ongoing testing and monitoring, both before and after deployment, and (2) measures to ensure the explainability of AI outcomes. For generative AI applications, there should be specific measures to reduce AI hallucination risks by adopting techniques such as retrieval-augmented generation and prompt engineering. Financial service providers should also ensure explainability of AI outputs through documentation detailing model inputs, outputs, and parameters.
  • Cybersecurity risk. Financial service providers should have measures to prevent and detect emerging cyber threats targeting AI systems, based on established standards such as the OWASP Machine Learning Security Top 10.

In addition, the BOT emphasizes the importance of financial service providers strictly complying with applicable laws when adopting AI, including personal data protection laws and intellectual property laws.

Related Professionals

Industries

Fintech

Technology

Practices

Banking and Finance

Location

RELATED INSIGHTS​

July 30, 2025
Artificial intelligence (AI) model training and data scraping are essential processes in the development of modern AI systems. AI model training involves using large datasets to teach machine learning algorithms to recognize patterns, make predictions, or generate new content. Data scraping refers to the automated extraction of information from websites or digital sources, often to assemble the vast datasets required for effective AI training. As these practices become more widespread, questions about the legality of using third-party content—especially copyrighted works—have become increasingly important. In Thailand, the legal landscape for AI developers is shaped primarily by the Copyright Act, which presents unique challenges due to the absence of a fair-use exception. This article examines the copyright-related risks and legal uncertainties facing AI developers under Thailand’s current copyright law and practices, offering strategic guidance for navigating this complex environment. Copyright Risks in AI Scraping and Training Thailand’s Copyright Act does not provide a broad fair use or fair dealing exception, unlike some other jurisdictions, such as the United States. This absence has significant consequences for AI developers: No general defense for AI training: Any use of copyrighted material for AI model training is presumed to be infringing unless a specific, narrow statutory exception applies or explicit permission is obtained from the rights holder. There is no general legal basis for using copyrighted works in AI training without authorization. Increased rights clearance burden: Developers must identify and secure licenses for every copyrighted work included in their training datasets. Given the scale and diversity of data required for effective AI models, this process can be both impractical and costly. Legal ambiguity and litigation risk: The lack of clear statutory guidance or case law leaves developers in a legal gray area. There is no established precedent clarifying whether certain uses of copyrighted material for
Read More
July 24, 2025
Thai authorities have escalated efforts to block unlawful cross-border digital asset business operators. On June 19, 2025, the Ministry of Digital Economy and Society (MDES) issued a notification empowering it to ban internet access to operations or services offered by digital asset business operators who lack licenses from the Thailand Securities and Exchange Commission (SEC) under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). This ban, issued under the 2023 Royal Decree on Measures for the Prevention and Suppression of Technology Crime, particularly aims to block Thai users’ access to services offered by unlicensed offshore digital asset providers via their own apps or websites or through public social media platforms. Compliance Requirements The notification requires internet service providers and social media platforms selected by MDES to immediately impose internet access restrictions on identified apps, websites, and IP addresses of illegal operators upon receiving MDES orders. Takedown Orders There are two tracks for competent officials at MDES to issue orders to operators: If the competent official is notified by the SEC of licensing noncompliance by a particular digital asset business operator, the competent official can issue a takedown order to the operator upon approval from the permanent secretary of MDES. If the competent official independently discovers, or receives a complaint from any third party other than the SEC, that a digital asset business operator may have violated licensing requirements, the competent official can ask the SEC to verify and confirm the relevant facts and noncompliance before seeking approval from the permanent secretary of MDES to issue the takedown order. Streamlined Enforcement Prior to this notification, the SEC could obtain takedown orders only from Thai courts under the 2007 Computer Crime Act to take down or block access to unlicensed digital asset platforms and apps. This was a relatively
Read More
July 24, 2025
Vietnam’s Ministry of Public Security recently released a draft version of the 2025 Cybersecurity Law, which is intended to replace both the existing 2018 Cybersecurity Law and the 2015 Law on Network Information Security (LNIS). This consolidation reflects a broader effort by the Vietnamese government to streamline and centralize the legal framework governing cybersecurity, data protection, and information security to be under the sole authority of the Ministry of Public Security, moving away from the previous sharing of responsibility with the former Ministry of Information and Communications (which ceased operations earlier this year and merged with the Ministry of Science and Technology). This shift aims to eliminate overlaps and improve enforcement efficiency. The draft law is built upon the foundation of principles and provisions of both the 2018 Cybersecurity Law and the 2015 LNIS, while also introducing a wide range of amendments and new regulations. By merging the two laws, the government seeks to reduce legal fragmentation and ensure consistency in definitions, obligations, and enforcement mechanisms across related domains like data protection, IT system classification, and cybercrime prevention. The newly introduced amendments include enhanced obligations for service providers, stricter controls on information transmission, classification of IT systems, designation and protection of nationally important information systems, and sector-specific violations and compliance requirements. Highlights of the draft law are discussed below. Definition and Obligations of Service Providers The draft law clearly defines and significantly broadens the scope of entities considered “service providers” under its jurisdiction. This now includes businesses and individuals offering products or services in cyberspace, including both infrastructure and content online services, such as: Internet service providers (ISPs) and providers of telecommunications, hosting, servers, domain names, VPNs, proxy services, and cloud computing; Providers of social networks, websites, and online gaming; Financial institutions, banks, foreign bank branches in Vietnam, e-wallet
Read More
July 23, 2025
On July 4, 2025, Thailand’s Electronic Transactions Development Agency (ETDA) issued two significant notifications that introduce new compliance requirements for ride-hailing platforms operating in the country. The notifications formally designate these platforms as high-impact digital services under section 18(3) of the Royal Decree on Digital Platform Service Businesses and impose a comprehensive set of additional operational obligations. These measures are designed to address regulatory gaps and enhance oversight of digital platforms providing public passenger vehicle or motorcycle ride-hailing services. First, the Notification on the Designation of Ride-Hailing Platforms under section 18(3) formally designates all ride-hailing platforms that have notified the ETDA of their operations as high-impact digital platform services under section 18(3) of the royal decree. Unlike high-risk marketplace platforms, which are named individually, any ride-hailing platform that has notified the ETDA of its operations is automatically subject to these new requirements. Next, the Notification on Additional Obligations for Ride-Hailing Platforms imposes further obligations on ride-hailing platforms, supplementing the general requirements under section 21 of the royal decree. These notifications will come into force 90 days from their publication in the Government Gazette. New Compliance Obligations The new regulatory framework introduces a range of operational, technical, and reporting requirements for ride-hailing platforms, particularly concerning the issues described below. Vehicle and Driver Compliance Operators must: Ensure that all vehicles used on the platform are registered as public vehicles in accordance with Department of Land Transport requirements Verify all drivers hold valid public driving licenses Collect service fees in compliance with applicable fare regulations under the Vehicle Law Digital Platform Features and User Verification Operators must implement robust digital platform features for both drivers and riders, including: Comprehensive identity verification and confirmation processes for drivers and riders, utilizing both face-to-face and non-face-to-face methods, including biometric and digital ID checks Real-time GPS
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice