The Bank of Thailand (BOT) has released draft guidelines establishing principles for managing artificial intelligence (AI) risks in the financial sector. The draft guidelines provide a structured framework for the responsible adoption of AI technologies. Financial service providers will be able to use the guidelines as a reference to appropriately manage their risks in a manner that aligns with internationally recognized best practices. The BOT is accepting public comments on the draft guidelines until June 30, 2025. Scope and Application The draft guidelines apply to all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act. These guidelines supplement existing BOT risk management guidelines covering IT risk management, third-party risk management, data governance, and market conduct. The guidelines define AI systems as systems that mimic human intelligence, including machine learning, deep learning, generative AI (such as large language models), and agentic AI. This definition specifically excludes rule-based automation systems like robotic process automation and condition matching. Key Risk Management Principles The guidelines lay out two main principles in managing AI risk. Governance: Financial service providers should define and establish clear roles and responsibilities for their personnel and AI system supervision structures to uphold FEAT (fairness, ethics, accountability, and transparency) principles as follows: Stakeholder roles and responsibilities. Financial service providers should define roles and responsibilities for boards and executives on AI risk oversight. Responsibilities include establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization. AI system usage policy. The AI system usage policy should be aligned with organizational objectives, regulatory requirements, and FEAT principles. These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles. Risk management

Attorneys from Tilleke & Gibbins have updated the latest edition of Doing Business in Thailand, a Q&A-style guide from Thomson Reuters Practical Law that offers an overview of key legal considerations for companies operating in jurisdictions worldwide. The contribution outlines the country’s legal and regulatory framework for foreign investment and business operations and reflects the latest legislative developments. The chapter addresses the following core topics: Legal system: Structure of the courts and the codified nature of Thai law. Foreign investment: Business restrictions under the Foreign Business Act, sector-specific regulations, exchange control rules, and investment incentives. Business vehicles: Overview of partnerships, private and public limited companies, and other legal entities. Employment: Labor protections, employment contracts, foreign worker requirements, and termination procedures. Tax: Corporate and personal income tax, indirect taxes, and tax obligations for residents and non-residents. Intellectual property: Registration and enforcement of patents, trademarks, designs, and copyrights. Data protection: Key provisions of the Personal Data Protection Act and related compliance obligations. Competition law: Regulatory framework under the Trade Competition Act. Anti-bribery and corruption: Relevant legislation and enforcement mechanisms. E-commerce and digital business: Legal regime for online transactions and digital platforms. Marketing and advertising: Consumer protection laws and regulations affecting advertising and marketing practices. Product regulation and liability: Safety standards, liability regimes, and roles of enforcement authorities. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The insurance and reinsurance guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the guide, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.

The Bank of Thailand (BOT) is accepting public comments until May 2, 2025, on three draft notifications that will institute an enhanced supervision scheme and impose additional requirements for systemically important retail payment system (SIRPS) operators to align with international standards and encourage open infrastructure and competition. The SIRPS operators will be determined by the BOT from the “designated payment system operators” under the Payment Systems Act B.E. 2560 (2017). SIRPS Designation The BOT will announce a list of payment system operators designated as SIRPS operators and thus subject to enhanced supervision. The BOT will evaluate whether the payment system operator should be deemed a SIRPS operator when it meets the criteria in either the BOT’s quantitative or qualitative assessments, which cover the following: Quantitative assessment: The payment system’s transaction values, market share, cross-border payment network scale and value, and settlement with other financial market infrastructure. Qualitative assessment: The payment system’s function as a part of the country’s payment system infrastructure, the significance of the system users’ roles in the payment services, the substitutability of the payment system, and the impact level on the public and users in the event of an emergency or system suspension. Supervision of SIRPS Business Operations SIRPS operators will be subject to heightened supervision in three areas, in addition to various BOT regulations on designated payment system supervision, as follows: Governance: SIRPS operators will be required to have a balanced board composition with an independent director and directors with varied expertise, establish subcommittees to assist the board in supervising the operator’s compliance with its policy and strategy, and have senior executives overseeing risk and technology security separately from the executives overseeing business operations. Risk management and security: SIRPS operators will be required to have comprehensive risk management to ensure system stability and security. This

On April 12, 2025, Thailand published an amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes in the Government Gazette, with the regulation taking effect the following day. Drafts of the amendment had been shared in recent months, and the final amendment of the decree contains some additional key revisions, such as narrowing the business operators subject to the decree’s requirements, reducing operators’ obligations, and establishing collaboration between relevant stakeholders to tackle technology crime. These key revisions to the amendment are detailed below. Business operators subject to the decree: The business operators covered under the decree now include only payment service providers under the Payment System Act and digital asset operators under the Royal Decree on Digital Asset Businesses. Digital platform services under the Royal Decree on Digital Platform Service Businesses That Are Subject to Prior Notification are no longer within the scope of the decree. Definition of technology crime: The final version of the amendment removed the expanded definition of technology crime that had been included in a previous draft, leaving the decree’s existing definition unchanged. Telecommunications provider obligations: Mobile and telecommunications service providers now have an obligation to monitor and screen for content that may be related to technology crime and suspend SIM cards when instructed to do so by the National Broadcasting and Telecommunications Commission (NBTC). Transaction and account suspension: The amendment removes the decree’s complex transaction suspension procedures and leaves room for business-specific regulators (e.g., Bank of Thailand, Securities and Exchange Commission, NBTC) to impose various technology crime suspension requirements on business operators under their supervision. The newly established Center for Prevention and Suppression of Technology Crimes can also notify financial institutions and business operators of names or digital asset wallet addresses that may be related to technology crime,