You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

April 3, 2026

Thailand’s AI and Machine Learning Governance Framework for Capital Markets

Subscribe to Updates

Thailand’s Securities and Exchange Commission (SEC) has established a comprehensive governance framework for the use of artificial intelligence and machine learning (AI/ML) in the capital markets. The framework provides guidance to capital market business operators on understanding the risks associated with AI/ML implementation and adopting appropriate practices to build public confidence in Thailand’s capital markets. While the guidelines are principle-based rather than prescriptive, they reflect the SEC’s expectations for responsible AI/ML governance and are likely to inform supervisory activities and industry standards going forward.

Scope

The framework applies to capital market business operators supervised by the SEC. This includes, for example, securities and derivatives firms, asset management companies, mutual fund and private fund managers, investment advisors and investment consultants (including robo-advisory service providers), derivatives intermediaries, and other licensed intermediaries and market operators in the Thai capital markets that deploy AI/ML in their operations.

Core Principles of the Guidelines

The framework is presented as a best-practice manual rather than prescriptive regulation, providing guidance that regulated entities may apply to their AI/ML governance and risk management as appropriate. While currently nonbinding, the guidelines signal the SEC’s expectations for the sector, particularly in relation to other binding SEC regulations such as those covering IT risk management and market conduct.

The guidelines name four core principles for AI/ML deployment:

  1. Fairness: Design and develop AI/ML with consideration for fairness, equality, and social diversity to prevent discrimination against individuals or groups.
  2. Legal and ethical compliance: Ensure AI/ML use aligns with applicable laws, ethical standards, and organizational values and policies.
  3. Accountability: Establish clear responsibility—both internally and externally—for AI/ML activities and outcomes.
  4. Transparency: Provide adequate disclosure to users about AI/ML use, including explainability of decisions and traceability of activities.

AI/ML Best Practices

The guidelines prescribe best practices across four stages of the AI/ML lifecycle, as described below.

System Design

System design translates objectives, risk controls, and usage principles into AI/ML tool selection requirements. Organizations remain responsible for outcomes regardless of whether solutions are off-the-shelf, outsourced, or internally developed. Where external vendors are used, organizations are expected to conduct due diligence, test model reliability, understand operations sufficiently to explain them to customers, and execute contracts with clear SLAs and KPIs, with ongoing performance monitoring to ensure adherence to the core principles above.

Data Preparation and Model Development

This stage covers several areas of practice:

  • Defining data requirements: On data requirements, organizations should determine the data types, size, accuracy, and time series requirements needed to enable efficient AI/ML operation.
  • Data collection and integration: For data collection and integration, documentation should be prepared showing data provenance (source) and data lineage (processing and changes throughout preparation) to ensure traceability.
  • Data labeling: Data labeling involves properly identifying data types for training, validation, and testing datasets so that AI/ML systems can accurately recognize data meanings.
  • Data quality evaluation: Data quality evaluation should take place before any datasets are used for training, validation, or testing, with data improved to meet organizational quality standards.
  • Personal data protection: For personal data protection, appropriate measures—including access controls, encryption, and anonymization—should be applied to personal or sensitive data used in AI/ML systems.

For high-risk AI/ML applications, the guidelines recommend implementing human-in-the-loop controls (where AI provides recommendations only, with no autonomous action without human participation), human-over-the-loop supervision (where AI operates independently under human oversight), or kill-switch mechanisms (emergency halt functions with clear activation conditions).

Deployment and Monitoring

Before deployment, organizations should verify accuracy, efficiency, capacity, and latency in test environments. Proper change management should be applied to minimize operational impact and ensure that changes achieve their intended objectives, and ongoing monitoring should include performance evaluation, model tuning as needed, and monitoring for new data sources, supported by automated tools with alerts for loss thresholds or accuracy issues.

User Communication

Organizations should communicate sufficient information to users to support their understanding and confidence, while withholding details that could enable exploitation. For example, disclosing the use of a chatbot is appropriate, whereas specifics of a fraud detection model would generally not be disclosed.

Governance, Documentation, and Risk Management

Beyond the lifecycle stages, the guidelines identify several organizational measures relevant to achieving the core principles in practice. These span governance structure, documentation, training, risk management, data privacy, IT audits, third-party contracts, human oversight, and transparency obligations.

On governance, organizations are expected to establish or expand frameworks to include AI/ML-specific oversight, with board-level engagement and dedicated committees with relevant expertise. Comprehensive documentation of data provenance, data lineage, model development, and testing processes should also be maintained to support audit trails.

Risk management frameworks may need updating to incorporate AI/ML-specific risk assessments, control measures, and continuous monitoring. Organizations using personal data in AI/ML should also ensure compliance with Thailand’s Personal Data Protection Act (PDPA), supported by robust technical safeguards.

Outlook

Although currently framed as best practices rather than binding rules, the Thai SEC’s AI/ML guidelines are likely to foreshadow more formalized regulatory requirements in due course. The emphasis on fairness, transparency, and accountability also reflects broader global regulatory trends in AI governance. Organizations that align with the framework proactively will be better positioned as the regulatory landscape continues to develop.

Related Professionals

Industries

Technology

Practices

Capital Markets

Location

RELATED INSIGHTS​

March 6, 2026
Thailand’s Legislation Consideration Committee of the Ministry of Interior has ruled that in-game loot boxes in online games do not constitute gambling under the Gambling Act B.E. 2478 (1935). This first-of-its-kind ruling provides useful guidance for online game operators and digital entertainment companies operating in Thailand. Background The ruling came in response to an inquiry concerning an online role-playing game operator that launched a campaign featuring a loot box mechanism. The mechanism allowed players to purchase a token in exchange for the opportunity to receive a virtual loot box containing randomized in-game items. The key features of this were as follows: The items received were digital, noncash items usable only within the game. The items could not be exchanged, redeemed, or converted into cash with the game operator. Items may differ in rarity but remain purely virtual. The central question was whether paying money to obtain randomized in-game items constituted a risk-based activity involving the chance to receive money or property of monetary value, which would constitute gambling under the Gambling Act. Committee Ruling The committee reached the following conclusions regarding the characteristics of the game’s loot-box mechanism: No cash or monetary equivalent: Players did not receive cash or property that could be exchanged for cash. The in-game items were merely usage rights within the online game ecosystem. No real-world monetary valuation: There was no determination of item value in real currency, and no mechanism for redeeming or converting items into money with the game operator. Any off-platform trading of in-game items between players is irrelevant to online game operators, as any value arising from such transactions is determined by the market rather than by the operators themselves. Service fee characterization: Payments made by players purchasing in-game loot boxes constituted fees for online game services. Accordingly, the committee concluded
Read More
March 5, 2026
Thailand’s Securities and Exchange Commission (SEC) has filed a criminal complaint against a licensed digital asset broker, its overseas trading platform, and its executives for allegedly operating an unlicensed digital asset exchange targeting Thai customers. The case marks an escalation in the SEC’s enforcement efforts against unlicensed offshore platforms that attempt to serve Thai users through local licensed entities. Criminal Complaint On February 20, 2026, the SEC filed a criminal complaint with the Economic Crime Suppression Division against a local licensed digital asset broker, its overseas global trading platform, and its executives. The SEC alleges that the parties violated the Digital Asset Business Emergency Decree B.E. 2561 (2018) by cooperatively operating a digital asset exchange business on a cross-border basis since 2023 without the required SEC license. According to the SEC, the local broker promoted the overseas platform’s services to the public through Thai-language posts on social media channels, with services available exclusively to customers residing in Thailand. Access to the global platform was provided through the local broker’s website and mobile application. Customers who registered for the local broker’s services were automatically granted access to the global platform without having to undergo a separate identity verification process. The SEC also found that the local broker provided back-office system support services to the global platform. The SEC considers these activities to constitute joint operation of an unlicensed digital asset exchange. The former executives of the local broker are being held liable as the responsible persons during the relevant period. The SEC emphasized that the complaint initiates the criminal process, and the decision to prosecute or convict the accused parties will ultimately be made by law enforcement authorities and the criminal courts. Platform Blocking The SEC has also coordinated with the Ministry of Digital Economy and Society to block public
Read More
February 27, 2026
The Bank of Thailand (BOT) has officially implemented a new regulatory framework supervising systemically important retail payment systems (SIRPS), effective February 21, 2026, with PromptPay being the first payment system designated as a SIRPS. Under this new set of regulations, the BOT may designate payment systems under the Payment Systems Act B.E. 2560 (2017) as SIRPSs based on quantitative and qualitative assessments. Once a system is designated as a SIRPS, the operator becomes subject to expanded supervisory obligations beyond the general requirements of the Payment Systems Act. Enhanced Supervisory Requirements SIRPS operators must comply with a heightened supervisory regime across three key areas, outlined below. 1. Governance SIRPS operators must maintain robust and transparent governance structures, including: Balanced board composition, with at least one-third of the board comprising independent directors who represent stakeholders in the system (such as payment service providers, consumers, and experts). Independent directors may serve for no more than two consecutive terms. Subcommittees to assist the board in overseeing compliance, policy implementation, and operational strategy. Clear separation between executives responsible for risk and information security and those overseeing day-to-day business operations. Risk Management and System SecuritySIRPS operators must implement comprehensive risk management frameworks, including: Clear service agreements between the SIRPS operator and its direct participants (payment service providers who connect directly to the SIRPS), defining roles and responsibilities among stakeholders. These agreements must include obligations for direct SIRPS participants to supervise any indirect participants they onboard to ensure compliance with service agreements and business rules. A business continuity plan covering both IT and non-IT aspects, with annual review. The SIRPS must target service availability comparable to international payment infrastructures, including the ability to recover operations within two hours of a disruption and to maintain scalable operational capacity. Tools and controls to monitor and manage material or
Read More
February 26, 2026
Thailand is preparing to offer new tools for intellectual property enforcement as the Electronic Transactions Development Agency (ETDA) recently released for public consultation a draft notification requiring social media platforms to verify user identities and conduct know-your-customer (KYC) checks on advertisers. The draft Notification of the Electronic Transactions Commission on Measures to Prevent Technological Crimes for Social Media Service Providers, which is to be issued under the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes B.E. 2566 (2023), as amended in 2025, primarily aims to combat online fraud and technology-related crimes. However, its new obligations also provide IP owners with valuable tools to identify anonymous infringers. Key Regulatory Mandates The draft notification imposes several verification requirements on social media platforms operating in Thailand. These requirements also strengthen IP rights holders’ ability to identify anonymous infringers, as platforms must: Verify user identities through registered phone numbers and link all accounts to verifiable identities. Conduct KYC checks on advertisers, including individuals, companies, and any third-party payers. Perform heightened identity checks for high-risk or repeat offenders before publishing advertisements. Promptly remove content flagged by the Anti-Technology Crime Division and prescreen advertisements for prohibited or high-risk content. How IP Owners Can Use This Notification for Enforcement The phone number–based verification requirement enables IP owners to work more effectively with enforcement authorities in tracing individuals or entities responsible for infringing content. The comprehensive advertiser KYC obligations, including mandatory disclosure of third-party payment sources, create a clear audit trail even when bad actors attempt to obscure their identity through intermediaries or shell accounts. This traceability is essential for pursuing damages and dismantling organized counterfeit operations. The ETDA is now considering adjustments to the draft notification after receiving comments during the public consultation period, which ended on February 2, 2026. Following finalization
Read More