June 19, 2025
Thailand Drafts AI Risk Management Guidelines for Financial Service Providers

The Bank of Thailand (BOT) has released draft guidelines establishing principles for managing artificial intelligence (AI) risks in the financial sector. The draft guidelines provide a structured framework for the responsible adoption of AI technologies. Financial service providers will be able to use the guidelines as a reference to appropriately manage their risks in a manner that aligns with internationally recognized best practices.

The BOT is accepting public comments on the draft guidelines until June 30, 2025.

Scope and Application

The draft guidelines apply to all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act. These guidelines supplement existing BOT risk management guidelines covering IT risk management, third-party risk management, data governance, and market conduct.

The guidelines define AI systems as systems that mimic human intelligence, including machine learning, deep learning, generative AI (such as large language models), and agentic AI. This definition specifically excludes rule-based automation systems like robotic process automation and condition matching.

Key Risk Management Principles

The guidelines lay out two main principles in managing AI risk.

  1. Governance: Financial service providers should define and establish clear roles and responsibilities for their personnel and AI system supervision structures to uphold FEAT (fairness, ethics, accountability, and transparency) principles as follows:
    • Stakeholder roles and responsibilities. Financial service providers should define roles and responsibilities for boards and executives on AI risk oversight. Responsibilities include establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization.
    • AI system usage policy. The AI system usage policy should be aligned with organizational objectives, regulatory requirements, and FEAT principles. These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles.
    • Risk management throughout the AI lifecycle. Risk management should encompass the entire AI lifecycle, from establishing risk appetite to implementing continuous risk assessment and control measures tailored to specific use cases. When AI systems are used in strategic functions or customer interactions (e.g., loan approval, account opening), human oversight must be integrated into decision-making processes. In customer interactions with AI systems, customers should be notified and have options to disable or bypass AI features.
  2. Development and security controls: Financial service providers should have risk controls covering the AI development and deployment lifecycle as follows:
    • Data risk. Financial service providers should have measures to assess and ensure the quality, accuracy, currency, volume, and diversity of data used in AI model training. They should also implement data leakage prevention measures.
    • Model development risk. Financial service providers should have (1) clear evaluation metrics for assessing model accuracy and reliability through ongoing testing and monitoring both before and after deployment and (2) measures to ensure the explainability of AI outcomes. For generative AI applications, there should be specific measures to reduce AI hallucination risks.
    • Cybersecurity risk. Financial service providers should have measures to prevent and detect emerging cyber threats targeting AI systems, based on established standards such as the OWASP Machine Learning Security Top 10.

For more details on any aspect of fintech, technology, and cybersecurity in Thailand, please contact Athistha Chitranukroh, Nopparat Lalitkomon, Pornpan Wichawut, Napassorn Lertussavavivat, or Rujaporn Paritsantik.

