You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

December 26, 2025

Thailand Issues Mandatory Guidelines Enhancing Digital Fraud Controls

Subscribe to Updates

The Bank of Thailand (BOT) has released the Guidelines for Digital Fraud Management, which took effect on December 17, 2025, incorporating certain amendments to the draft guidelines issued in March 2025. These official guidelines aim for end-to-end digital fraud prevention, with a particular focus on mule accounts, to enhance trust and security in Thailand’s financial system.

The guidelines apply to “financial service providers,” including:

  • Financial institutions and special financial institutions under the Financial Institution Business Act; and
  • Operators of Inter-institutional Fund Transfer System e-money services and e-fund transfer services under the Payment Systems Act.

Besides commercial banks and e-money operators that offer fund-transfer services, other providers may adopt requirements based on risk proportionality and baseline standards set out in the guidelines (for instance, an e-money operator that does not offer e-fund transfer services could consider implementing a fraud monitoring and detection system according to the risk level of its service).

The guidelines establish the following key requirements:

  • Policy and oversight. Directors and senior executives of financial service providers must adopt appropriate “end-to-end” fraud management policies and KPIs to manage digital fraud, covering prevention, monitoring, detection, management, resolution, and support for affected customers. The fraud management policy must be regularly reviewed, and whenever there is a situation or change that significantly affects the efficiency of the fraud management. Any significant update to the policy must first be approved by the board of the financial service provider. The BOT also encourages providers to collaborate in establishing industry standards aligned with applicable laws and regulations to ensure consistency and best practices across the sector.
  • Fraud management processes. Financial service providers must establish a clear framework for managing digital fraud throughout the customer lifecycle—from customer onboarding to service termination—covering at least the following processes:
    • Know your customer (KYC) and customer due diligence (CDD): The KYC procedure must also include identification of account operating objectives, and the financial service provider must conduct CDD according to the Anti-Money Laundering Act B.E. 2542 (1999).  If customer behavior signals that the customer is a potential owner of mule accounts (i.e., deposit or e-money accounts used as tools to receive and transfer funds obtained through the commission of technology crime), enhanced CDD must be applied. Providers must assess and classify customers based on their risk level for being mule account owners or fraud victims, using information from KYC, CDD, and reliable sources. Risk classifications must remain current and reflect prevailing circumstances.
    • Fraud monitoring and detection: Providers must develop proactive processes to detect and monitor unusual transactions and utilize data from multiple sources (e.g., Central Fraud Registry and data obtained from other financial service providers) to identify potential mule accounts and fraud. This may involve adopting new technologies (e.g., artificial intelligence) to enhance efficacy and stay ahead of emerging fraud techniques.
    • Action and response to fraud: Providers must develop swift and appropriate measures to prevent, limit, and promptly mitigate digital fraud damage, including handling suspected mule accounts. They must also respond clearly, fairly, and swiftly to support customers affected by fraud (e.g., by offering 24/7 customer support through dedicated hotlines and electronic channels, having clear timeframes for assisting customers affected by fraud incidents, and reporting to the BOT any incidents that cause widespread customer damage or affect the financial service provider’s reputation).
  • Information sharing. Financial service providers must have mechanisms to share accurate information promptly with one another, according to the framework under the law on technology crime suppression and other relevant laws, and must appoint a responsible person to coordinate and procure information necessary for any investigations.
  • Awareness. Financial service providers must proactively raise customers’ and the public’s awareness of digital fraud to prevent and reduce potential damage. Required actions include disseminating information on an easily accessible service channel (e.g., mobile app or infographic on social media). The BOT also encourages financial service providers to have customers take awareness tests.
Related Professionals

Industries

Fintech

Technology

Practices

Banking and Finance

Location

RELATED INSIGHTS​

September 12, 2025
On September 10, 2025, Vietnam’s National Credit Information Center (CIC) reported to the Vietnam Cybersecurity Emergency Response Team (VNCERT) a suspected significant cybersecurity incident involving unauthorized access to the CIC’s credit information database. A hacker group has claimed responsibility and allegedly posted over 160 million records for sale, including sensitive personal and financial data. Implications for Banks and Financial Institutions Companies that share customers’ or potential customers’ personal data with the CIC for credit scoring or other purposes—and continue to act as a data controller for such data—may be obligated under Vietnam’s Personal Data Protection Decree (PDPD) and related regulations to: Notify A05 (Department of Cybersecurity and High-Tech Crime Prevention) and the State Bank of Vietnam without delay. Inform affected individuals if their personal data is at risk. Recommended Actions Companies that could be impacted by this data breach should take the following actions: Conduct an internal review of CIC-related data in their systems, and identify whether and how the systems have been affected by this incident. Assess whether to notify regulators and customers/potential customers. Enhance cybersecurity controls, monitor for suspicious activity, and implement additional safeguards to prevent secondary breaches.
Read More
September 11, 2025
Thailand’s Securities and Exchange Commission (SEC) has amended its digital asset regulations to permit the offering, trading, and provision of services related to tokenized environmental commodities by licensed digital asset exchanges, brokers, and dealers. This regulatory development is aimed at facilitating Thailand’s green economy and net-zero goals while diversifying the products available in the regulated digital assets market. The environmental commodities currently being traded on certain market platforms and via over-the-counter channels include: Carbon credits: Tradable certificates representing a reduction of CO₂ emitted into the atmosphere. Renewable energy certificates (RECs): Tradable proof of electricity generated from renewable energy sources. Carbon allowances: Tradable permits to emit a capped amount of greenhouse gases. The tokenization of these instruments is essentially the process of converting them into digital tokens, making it possible to list them on blockchain exchanges for trading purposes. Background Tokenized carbon credits, RECs, and carbon allowances fall under the category of utility tokens for consumption purposes or tokens representing entitlement certificates—that is, group 1 utility tokens, which are not considered financial products. The offering, trading, and provision of secondary-market services of this type of token are exempted from licensing requirements for regulated digital asset businesses under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). Under the previous regulatory framework, licensed digital asset business operators were not allowed to provide services involving such unregulated tokens, as it was deemed to be engaging in “other businesses,” which digital asset operators generally cannot engage in without prior SEC approval. Regulatory Amendment Under the amended digital asset regulations, licensed digital asset exchanges, brokers, and dealers may now apply for SEC approval to offer services related to these tokenized assets as “other businesses,” including listing them for trading on digital asset exchanges. Apart from requiring operators to comply with the general conditions
Read More
September 4, 2025
With advancements in health technology, telemedicine has taken on a wider online presence in Thailand. Under the Medical Facility Act, licensed clinics and hospitals may now diagnose, prescribe, and issue electronic prescriptions during a video call, provided they maintain patient confidentiality and proper recordkeeping. As a complementary concept, a telepharmacy allows a pharmacist to verify prescriptions, counsel patients, and dispense medication from a remote site. Hospitals, clinic chains, and some retail pharmacy groups have adopted “drive-thru” or “locker” pick-up points where drugs are bagged only after a real-time video consultation with a registered pharmacist. The clear benefits of telehealth include shorter waiting times and broader access to specialists, which is in the public interest. Drug Distribution and Advertising in Thailand The online pharmacy ecosystem creates a legal bridge in that once a teleconsulting doctor issues an e-prescription, a licensed pharmacy can lawfully dispense and deliver the medicine prescribed to the patient’s door. Nonetheless, the critical compliance component remains the advertising of medicinal drugs. It is still not allowed to advertise prescription/pharmacy-dispensed drugs to the public in Thailand. Although Thailand’s Drug Act of 1967 was written more than half a century ago, it still governs the trading of every medicinal drug that makes its way to consumers in Thailand—whether bought at a pharmacy or delivered with a few taps on a smartphone. First and foremost, the pharmacy must hold a license to sell medicinal drugs as a retailer. It is also mandatory that arrangements be made for a pharmacist to be on duty during opening hours. Drugs are classified into three main categories: prescription drugs, pharmacy-dispensed drugs, and over-the-counter (OTC) drugs. The listing of OTC drugs with their prices via an online platform is allowed, as only OTC drugs may be advertised directly to the public. However, naming or showing
Read More
September 2, 2025
Thailand’s National Space Policy Committee (NSPC) has proposed new regulations that would permit foreign satellite operators to provide services within the country. The draft announcement responds to rapid advancements in digital and space technologies that have led to new global satellite operators expanding their services worldwide, including into Thailand. These include low-Earth-orbit (LEO) satellite constellations offering high-speed internet, nonterrestrial network (NTN) technologies that integrate terrestrial and satellite communications, and direct-to-device (D2D) technologies that transmit signals directly from satellites to mobile devices without relying on terrestrial networks. The draft aims to replace the existing announcement, which was issued in 2021, to better align with current national policies on foreign satellite usage. The draft announcement was published for public consultation on August 20, 2025, with the comment period concluding on September 3, 2025. Applying for Authorization Two types of operators may apply for authorization: Thai operators who intend to use foreign satellites owned by World Trade Organization (WTO) member countries to provide satellite communication services to third parties; and Foreign operators of satellites owned by WTO member countries who intend to operate a business providing satellite communication services within Thailand. Applications for approval must be submitted to the National Broadcasting and Telecommunications Commission (NBTC) according to the NBTC’s established procedures. In considering whether to permit foreign satellites to provide services within Thailand, the relevant authority will take into account technical justifications, economic benefits, social benefits, and national security considerations. Determining Satellite Ownership The determination of which country qualifies as the owner of a satellite is based primarily on the country that holds the satellite network filing rights registered with the International Telecommunication Union (ITU). The satellite network filing includes details regarding frequency usage, orbital positions, and technical specifications of the satellite operations. It serves as a regulatory tool used by the
Read More