Thailand has issued a Royal Decree on the Supervision of Regulated Digital Identification Authentication and Verification Service Businesses B.E. 2565 (2022) (the “Royal Decree”), aimed at regulating business operators that provide digital identification authentication and verification services (“Digital ID Services”). The Royal Decree was published in the Government Gazette in December 2022, and will take effect 180 days from the publication date, i.e., on June 21, 2023.
The key details and requirements of the Royal Decree are as follows:
Regulated Digital ID Services
Under the Royal Decree, the provision of the following Digital ID Services requires prior approval from the Electronic Transaction Development Agency:
- Identity verification service – Services for collecting and identifying information relating to the identity of a person, and verifying the connections between the person and the identity.
- Authenticator issuance and management service – Services relating to the connection between a person who has passed the identification process with an authenticator, and managing actions which are used to identify a person.
- Authentication service – A process to authenticate a person by inspecting his/her authenticator.
- Digital ID networks/systems – Provision of networks or systems used to exchange information for digital identification purposes, excluding services provided by an intermediary.
Exempted Digital ID Services
The Royal Decree also specifies a list of Digital ID Services that are exempted from supervision under the Royal Decree, as follows:
- Issuance of certificates to support the use of electronic signatures in accordance with the Electronic Transaction Act.
- Digital ID Services conducted for use within the operator’s own business only, and which do not involve the provision of such services to third parties.
- Other Digital ID Services as prescribed by the Electronic Transaction Committee.
Qualifications of Business Operators
The types of business operators qualified to operate Digital ID Services include (i) private limited companies; (ii) public limited companies; and (iii) other juristic persons as prescribed by the Electronic Transaction Committee.
The Royal Decree also prescribes the qualifications and prohibited characteristics for directors, management, and responsible persons; e.g., they shall not be bankrupt, incompetent, quasi-incompetent, etc.
The Electronic Transaction Committee may, as it deems appropriate, impose minimum capital requirements at a later stage, and may also stipulate rules and requirements on other related matters such as risk management measures, security measures, and consumer protection.