Thailand has enacted new legislation to counter cybercrime and scams. The Royal Decree on Measures for Protection and Suppression of Technology Crimes B.E. 2566 (2023) (“Cybercrime Decree”) was published in the Government Gazette on March 16, 2023, and took effect the following day. The Cybercrime Decree provides a new legal tool to interrupt the money-laundering process and aims to crack down on cybercrime perpetrators and scammers by providing stronger legal measures applying to certain types of offenders that had not been sufficiently covered by existing laws.
This new legislation grants victims the right to have commercial banks and online payment platforms freeze suspicious transactions and obligates these banks and platforms to comply with such requests. It further requires these banks and platforms—as well as other service providers—to share data for the prompt prevention and suppression of cybercrime.
The key rights, duties, and offenses established by the Cybercrime Decree are detailed below.
The Cybercrime Decree requires commercial banks and online payment platforms to temporarily freeze (for 72 hours) any related transactions of their account holders upon receipt of an alert from the account holder that he or she is the victim of cybercrime. Victims can report these illicit transactions by phone or electronic means. If by phone, the relevant bank or platform must document the call.
The victim must file a police complaint about the illicit transaction within 72 hours of the freeze being made. A police inquiry officer will then notify the bank or platform about the complaint, and the transaction freeze must be maintained for seven days from the filing of the complaint with the police. The police will then determine whether it is necessary to keep the transaction frozen for longer than seven days. If the seven days lapse without a further order to freeze the transaction, it can be unfrozen.
In addition, commercial banks and online payment platforms must freeze for seven days any suspicious illicit transactions they find, and inform the relevant authority and other related banks and payment platforms. If the authority does not reply with an order to continue freezing the transaction, the bank or platform must unfreeze the transaction after seven days have passed.
Sharing Information with Cybercrime Investigators
The Cybercrime Decree imposes a new obligation on commercial banks, online payment platforms, and telecommunications and other service providers to share with authorities, via a new designated system, information on any account or transaction suspected of being related to the commission of a cybercrime. These parties must also share such information with the Royal Thai Police, the Department of Special Investigation (DSI), and the Anti-Money Laundering Office (AMLO) for their use in protection against and suppression of cybercrime.
The Cybercrime Decree also grants new authority to the Royal Thai Police, DSI, and AMLO to issue orders compelling telecommunications and other service providers to provide cybercrime-related user registration information and computer traffic data.
The Cybercrime Decree prohibits people from allowing their bank account or telephone number to be used for commission of a crime, and it criminalizes facilitating the use of bank accounts or telephone numbers in commission of crimes. Penalties for these offenses include imprisonment for up to five years, a fine of up to THB 500,000, or both.