Conventus Law

Conventus Law

by

Thailand’s draft Emergency Decree on Technology Crimes Suppression, which we covered in a client alert in January 2025 primarily addressed to telecom operators and financial institutions, is expected to have significant implications for a wide range of business operators.  The draft emergency decree has already been approved by the cabinet but may undergo further developments as it continues in the legislative process.

In this article, we will highlight the material impacts of the draft emergency decree on overseas and local fintech operators.

Expanded Definition of “Technology Crimes”

The definition of “technology crimes” now includes the following acts of forgery or alteration:

  • Forging or altering the identity of individuals and biometric characteristics by utilizing computer or communication systems or other electronic means to commit offenses.
  • Forging or altering symbols, trademarks, or seals of groups (e.g., foundations, community enterprises) or juristic persons, including acts by juristic persons using individuals or juristic persons as nominal directors or shareholders, regardless of whether such individuals or legal juristic persons reside in Thailand.
  • Forging or altering digital or online platforms, regardless of the platform’s location or legal status.

Individuals who conspire, utilize, assist, or support the commission of these offenses will face the same penalties as the principal offender.

Business Operator Definition

The scope of “business operators” is now expanded to cover various fintech and digital asset operators beyond those under the Payment Systems Act (PSA). The draft emergency decree now includes the following operators, whether they are legally authorized or not:

  • Business operators under the PSA and business operators who operate “as if” they are payment system operators
  • Business operators under the Royal Decree on Digital Asset Businesses or business operators who operate “as if” they are digital asset business operators.
  • Foreign exchange business operators.

Disclosure and Exchange of Information

Business operators must disclose or exchange information on accounts and transactions linked to technology crimes and notify a centralized system for relevant government agencies to access. In this regard, the lead regulator (e.g., Bank of Thailand, the Securities and Exchange Commission) of the business operator can mandate this within a set timeline.

Customers’ accounts related to technology crimes are publicly disclosable. Moreover, activities involving personal data sharing or processing under the draft emergency decree are exempt from the Personal Data Protection Act.

Transaction and Account Suspension

When there is a reasonable suspicion that the customer’s account is used or may be used for technology crimes or the victim reports that a deposit or e-money account of a business operator’s customer was used for a technology crime-related act, that business operator must (1) suspend the relevant customer’s account and business relationship, (2) notify other entities (i.e., financial institutions, other business operators, and telecom operators) in the transaction chain to ensure coordinated action, (3) input information into a system for disclosure or exchange, and (4) report the situation to the relevant authorities.

If an account holder is found to have multiple accounts without a valid reason, the business operator must (1) immediately suspend all related accounts, (2) notify account holders, and (3) report the situation to the relevant authorities.

Accounts can only be reinstated (1) upon notification by the relevant officer or (2) if the account holder provides face-to-face verification and evidence that the account is not related to technology crime. Failure to provide verification and clarification within 30 days will result in a presumption that the money is related to technology crime. Consequently, money will be transferred back to the original source, with the original account owner notified.

Victim Compensation

Business operators, including financial institutions and telecom operators, are required to share the burden of compensating victims of technology crimes. If a business operator is found to have neglected their duties or facilitated technology crimes, they are obligated to compensate the victims for their losses.

Penalties for Business Operators

Financial institutions, business operators, and network service providers involved in technology crimes face significant penalties. This includes fines and imprisonment for those who facilitate or support technology crimes, including employees of the business operators.

Adoption and Compliance

Once the decree is issued, there is no transition period for business operators to comply with the requirements under the decree. It is expected that this decree will be issued in the very near future.

WRITTEN BY

Tilleke & Gibbins
For further information, please contact:

Athistha (Nop) Chitranukroh – Tilleke & Gibbins, Tilleke & Gibbins
nop.c@tilleke.com

Athistha (Nop) Chitranukroh – Tilleke & Gibbins

Nop Chitranukroh, a partner at Tilleke & Gibbins, leading technology and insurance teams, with expertise in regulatory compliance and recognized as a top practitioner in insurance and TMT law.

Nop Chitranukroh is a partner and director of Tilleke & Gibbins’ corporate and commercial group. She leads the firm’s technology and insurance teams, and regularly advises clients across industries on a wide range of regulatory compliance matters relating to cybersecurity and data privacy, fintech, insurance, insurtech, and payments. She also represents multinational and local financial services, payments, and technology industry clients on a range of strategic matters, including market entry, M&As, and ongoing compliance across Southeast Asia.

Prior to joining Tilleke & Gibbins, Nop served as Thailand general counsel of an American multinational corporation, listed on the New York Stock Exchange, where she oversaw all operations within the legal department in Thailand. Nop was previously Asia-Pacific regional counsel for the same multinational finance and insurance corporation, based in Singapore. She has also served as a legal counsel at an industry-leading Irish-American financial services and software-as-a-service (SaaS) provider of payment processing software and related application programming interfaces (APIs) for e-commerce websites and mobile applications.

Widely recognized as a top practitioner in insurance and TMT legal practice in Southeast Asia, Nop is ranked as a leading lawyer in both technology and insurance industries in Thailand by Chambers Asia-Pacific, and has been identified as a Next Generation Partner in TMT by The Legal 500. She was named one of the Asia’s top 40 lawyers under 40 by Thomson Reuters’ Asian Legal Business, and in 2020, she was nominated for Data Privacy Lawyer of the Year (Asia) at the Asian Legal Awards.

Nop is a Certified Information Privacy Professional/Asia (CIPP/A) with the International Association of Privacy Professionals and serves as an advisory board member of Insurtech Asia. She has acted as a legal advisor for the Thailand Insurance Association for more than a decade.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES