March 14, 2025
Bank of Thailand Releases Draft Guidelines for Digital Fraud Management

The Bank of Thailand (BOT) has published the Draft Guidelines for Digital Fraud Management, which aim to help financial service providers tackle digital fraud and ensure safety and trust in the Thai financial system. These draft guidelines, which are available for public comment until March 18, 2025, provide a comprehensive framework for financial service providers, covering prevention, detection, management, and resolution of digital fraud, as well as support for customers affected by fraud.

The BOT tentatively plans to implement these draft guidelines on April 1, 2025, along with circular letters on the minimum required measures for tackling “mule accounts” (deposit or e-money accounts used as tools to receive and transfer funds obtained through the commission of any offense) and measures to strengthen Thailand’s customer due diligence and enhanced due diligence procedures.

Under the draft guidelines, “financial service providers” include financial institutions and special financial institutions under the Financial Institution Business Act and payment providers under the Payment Systems Act.

Commercial banks, special financial institutions, and operators of transferable e-money services must adhere to every requirement in the draft guidelines. Other financial service providers (e.g., payment providers other than operators of transferable e-money services) can implement the draft guidelines as deemed appropriate to their services, products, and service channels.

Digital Fraud Management Requirements

The draft guidelines establish the following key requirements:

  • Policy and oversight. Directors and senior executives of financial service providers must set and adopt appropriate “end-to-end” fraud management policies and KPIs to manage digital fraud, covering prevention, monitoring, detection, management, resolution, and support for affected customers.
  • Fraud management processes. Financial service providers must establish a clear framework for managing digital fraud throughout the customer lifecycle, from customer onboarding to service termination, according to industry standards at a minimum and covering at least the following processes:
    • Know your customer (KYC) and customer due diligence (CDD): Providers must implement risk assessment processes to identify potential mule accounts, continuously monitor customer transaction behaviors, and regularly review and update customers’ risk levels. In addition, authentication processes must suit the (1) risk level of the transaction, (2) products and services, and (3) service channel.
    • Fraud monitoring and detection: Providers must develop proactive processes to detect and monitor unusual transactions and utilize data from various sources to identify potential mule accounts and fraud. This may involve adopting new technologies (e.g., artificial intelligence) to enhance efficacy and stay ahead of emerging fraud techniques.
    • Action and response to fraud: Providers must develop swift and appropriate measures to prevent, limit, and promptly mitigate digital fraud damage (e.g., by providing alerts to customers), including handling suspected mule accounts. They must also respond clearly, fairly, and swiftly to support customers affected by scams (e.g., by offering 24/7 customer support through dedicated hotlines and electronic channels, having service level agreements with timeframes to assist customers affected by fraud incidents, and reporting to the BOT any incidents that cause widespread customer damage or affect the financial service provider’s reputation).
  • Information sharing. Financial service providers must have mechanisms to share accurate information in a timely manner with one another and with relevant external agencies (e.g., Anti-Money Laundering Office, Royal Thai Police) to enhance collective fraud management efforts, and must appoint responsible persons to coordinate and procure information necessary for any investigations.
  • Awareness. Financial service providers must proactively raise customers’ and the public’s awareness of digital fraud to prevent and reduce potential damage. Required actions include implementing a practical method on an easily accessible service channel (e.g., mobile app or infographic on social media) at least once a month, and having customers take awareness tests when using mobile banking and transferable e-money services.
