Bank of Thailand Tightens Mobile Banking Security Regulations
New BOT rules mandate enhanced cyber defenses, restricted communications, and stricter user verification measures to address rising cyber threats and financial fraud.
The Bank of Thailand has introduced new regulations aimed at strengthening the security of mobile banking and payment services provided by financial institutions.
BOT Governor Sethaput Suthiwartnarueput signed the rules, which were published in the Royal Gazette on January 31, 2025, under the Financial Institutions Business Act B.E. 2551.
The regulations require financial institutions to continuously monitor, manage, and upgrade their security systems to meet international standards.
Among the key measures are restrictions on including links in SMS and email communications that request personal data such as usernames, passwords, one-time passwords, personal identification numbers, identification card numbers, or dates of birth.
Although links are permitted in social media communications, they cannot be used for identity verification unless specifically requested by the customer.
Financial institutions are also required to monitor and respond to fraudulent applications that mimic their mobile banking apps on official platforms, including the Google Play Store and Apple App Store, as well as on platforms outside these official channels.
In addition, the regulations limit users to one mobile banking account per institution and restrict access to a single mobile device.
Enhanced user verification protocols, including facial comparison technology with presentation attack detection, will be mandatory for individual transfers of fifty thousand baht or more, cumulative transfers of two hundred thousand baht or more in a single day, and increases to daily transfer limits of fifty thousand baht or more.
Daily transaction limits for withdrawals and transfers will be based on user risk profiles, with users under fifteen years old limited to a maximum of fifty thousand baht per day.
Financial institutions must also establish clear procedures for considering customer exemption requests.
The new regulations will take effect thirty days after publication in the Royal Gazette, except for Clause five point three point seventy-two, section three point three, which will come into force sixty days after publication.