The Bank of Thailand (BOT) has introduced new regulations to strengthen the security of mobile banking and payment services across Thai financial institutions. The regulations, published in the Royal Gazette under BOT governor Sethaput Suthiwartnarueput’s signature, address growing cybersecurity challenges in mobile banking. The initiative follows Thailand’s broader push toward secure digital identity systems, including the upcoming mandate for biometric authentication in SIM card registration.
Under the new framework, financial institutions are prohibited from including links in SMS messages and emails. While links are permitted in social media communications, they cannot request identity verification or personal information such as usernames, passwords, one-time passwords, PINs, ID card numbers, or birth dates. Links may be included if explicitly requested by customers, provided the communication clearly indicates this.
The regulations require financial institutions to actively monitor and respond to fraudulent applications that mimic their mobile banking apps, both on official app stores and external platforms. Users will be restricted to one mobile banking account per institution and can only access the service from a single mobile device. The requirement supports recent efforts by major platform providers like Google to combat fraudulent banking apps through enhanced security measures.
Additional security measures include enhanced user verification through facial comparison technology with presentation attack detection (PAD). The technology, which has seen significant advancement in recent years with companies achieving high-level PAD certifications, helps prevent sophisticated spoofing attempts and deepfake attacks. The framework also establishes daily transaction limits for withdrawals and transfers based on user risk profiles. Users under 15 years old will face a maximum limit of 50,000 baht per day, while institutions can set limits using industry standards and must maintain clear processes for handling customer exemption requests.
“The BOT recognises the potential for widespread damage to users and the impact on the credibility of the financial system and the nation’s payment infrastructure,” said BOT Governor Sethaput Suthiwartnarueput. “These new regulations are designed to enhance the security of mobile banking services and protect users from evolving cyber threats and financial fraud.”
The regulations will take effect 30 days after publication in the Royal Gazette, with one provision (Clause 5.3.72 (3.3)) taking effect after 60 days. The announcement is dated January 31, 2025, coinciding with Thailand’s broader initiatives to strengthen its national digital identity infrastructure.
Sources: The Nation Thailand, Pattaya Mail, Tilleke & Gibbins