June 19, 2025
The Bank of Thailand (BOT) has released draft guidelines establishing principles for managing artificial intelligence (AI) risks in the financial sector. The draft guidelines provide a structured framework for the responsible adoption of AI technologies. Financial service providers will be able to use the guidelines as a reference to appropriately manage their risks in a manner that aligns with internationally recognized best practices. The BOT is accepting public comments on the draft guidelines until June 30, 2025.

Scope and Application

The draft guidelines apply to all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act. These guidelines supplement existing BOT risk management guidelines covering IT risk management, third-party risk management, data governance, and market conduct.

The guidelines define AI systems as systems that mimic human intelligence, including machine learning, deep learning, generative AI (such as large language models), and agentic AI. This definition specifically excludes rule-based automation systems like robotic process automation and condition matching.

Key Risk Management Principles

The guidelines lay out two main principles in managing AI risk.

Governance: Financial service providers should define and establish clear roles and responsibilities for their personnel and AI system supervision structures to uphold FEAT (fairness, ethics, accountability, and transparency) principles as follows:

Stakeholder roles and responsibilities. Financial service providers should define roles and responsibilities for boards and executives on AI risk oversight. Responsibilities include establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization.

AI system usage policy. The AI system usage policy should be aligned with organizational objectives, regulatory requirements, and FEAT principles. These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles.

Risk management