Thailand: Data Protection in the Financial Sector
1. Governing Texts
The Bank of Thailand ('BoT') requires financial institutions to follow specific procedures and standards pertaining to data protection and privacy under the Financial Institutions Business Act B.E. 2551 ('FIBA'), although these requirements are independent from other data protection and privacy legislation. The primary piece of legislation on data privacy in Thailand is the Personal Data Protection Act B.E. 2562 ('PDPA'), which entered into force on 1 June 2022.
- FIBA primarily oversees activities pertaining to financial institutions in Thailand, although it also provides a regulatory framework that addresses data privacy and protection. As far as financial institutions are concerned, the FIBA provides the primary basis for policies surrounding data privacy and protection, and financial institutions are therefore obligated to follow its requirements.
- The PDPA is the primary piece of legislation that governs personal data protection and privacy in Thailand. Accordingly, financial institutions are also obligated to comply with the provisions and requirements of the PDPA.
- The Credit Information Business Act B.E. 2545 ('CIBA') generally regulates the disclosure of credit information by the businesses (i.e. credit bureaus) that hold or use it and specifies the rights of owners of credit information. The processing of credit information by credit bureaus and financial institutions is expressly exempt from the PDPA, which means that such activities, and the rights of data subjects in this regard, will continue to be governed exclusively by the CIBA.
- The Notification of the Bank of Thailand No. FPG 19/2559 Re: Regulations on IT Outsourcing for Business Operations of Financial Institutions ('Notification No. 19/2559'), which is a subordinate legislation issued under FIBA, regulates the outsourcing of IT services by financial institutions to third-party service providers and contains substantial rules related to data protection.
- The Notification of the Bank of Thailand No. SVG. 4/2563 Re: Regulations on Market Conduct (available in Thai) ('Notification No. 4/2563') is a subordinate legislation issued under FIBA. It regulates Thai financial institutions with the objective of ensuring responsibility and fairness towards customers. It contains provisions requiring that data protection measures be put in place to protect the public.
1.2. Supervisory authorities
The Ministry of Finance is responsible for enforcing FIBA. However, enforcement of the legislation and its subordinate regulations has been assigned to the BoT. The PDPA, on the other hand, is administered by the Personal Data Protection Committee ('PDPC') under the Ministry of Digital Economy and Society ('MDES').
2. Personal and Financial Data Management
2.1. Legal basis for processing
The two primary considerations for collecting, processing, and transferring personal data, specifically by financial institutions under the FIBA regulatory framework, are obtaining customer consent and the performance of a contract. Notification No. 4/2563 provides the legal basis for Thai financial institutions, including specialised financial institutions (SFIs), nano finance service providers, and asset management companies, to collect, process, and transfer customer data. Notification No. 4/2563 outlines that when dealing with retail or SME customers that are likely to be treated unfairly, financial institutions must have certain 'management systems' in place that handle the collection, processing, and transfer of customer personal data.
With regard to the transfer of customers' personal data, Notification No. 4/2563 provides that if customer personal data is to be transferred to another entity for non-marketing purposes where failure to disclose such data would significantly affect service operations (e.g. disclosure to outsourced service providers, government authorities as required by law, or business partners under brand partnership agreements), then customer consent may be made a condition for the application for the goods and services offered by the financial institution. Furthermore, the financial institution should also inform customers of the non-marketing reasons associated with the disclosure of their data, though it is not required to disclose the recipients.
Notification No. 4/2563 highlights specific scenarios for the transfer of customer data to other entities for non-marketing purposes and what service providers should do in such circumstances:
- Where the disclosure of a customer's personal data is conducted for the purpose of performing a contract between a financial institution and their customers. In this scenario, a service provider should specify the disclosure of customers' personal data as part of its conditions for providing services, identify the purpose of the disclosure, and indicate to the customer the type of recipients their data will be given to;
- Where the disclosure of a customer's personal data is made for the purpose of complying with applicable laws. A service provider must inform the customer of the objectives of the disclosure and the type of recipient the data will be given to. A service provider, at its discretion, may specify the disclosure of customers' personal data as part of its conditions for providing services; and
- Where the disclosure of personal data is not mandatory as part of providing services, a service provider must seek customer consent for disclosure of the data by giving them the right to accept or decline and making them aware of the purpose of the disclosure and the type of recipients the data will be given to. Furthermore, it is prohibited to include unnecessary disclosure as part of service conditions. This is a change from the previous regulation, as there is now a requirement for a specific opt-in to allow the disclosure.
If customers' personal data is to be transferred to another entity for marketing purposes (i.e. to promote products and services offered by the financial institution), then the customer must consent to the disclosure of their personal data for such purposes, and it must not be made a mandatory condition for the patronage of goods and services offered by the financial institution. As mentioned above, consenting to the disclosure of personal data to business partners under brand partnership agreements (co-branding) does not fall under 'marketing purposes' and may be made mandatory for the application for goods and services offered by the financial institution.
Notification No. 4/2563 imposes requirements on financial institutions to notify customers regarding certain aspects of the institution's privacy policies and practices. Specifically, if the financial institution intends to disclose customers' personal data for marketing purposes, the financial institution will be required to notify customers of the following:
- the right to accept or decline the disclosure of their personal data;
- that the disclosure is not a mandatory condition for the approval of any products or services which the customer has applied to with the financial institution;
- that the request for disclosure is for marketing purposes;
- a list of recipients, or the types of recipients where the recipients cannot be specifically identified, of the customers' personal data. If the list of recipients has been updated, customers must be notified of the updated list and offered the chance to exercise their right to decline the disclosure, on top of being provided with a channel and a reasonable period of time to raise any objections. If a customer does not raise any objections within the specified timeframe, then it will be assumed that the customer has consented to the disclosure of data that the service provider has requested; and
- channels through which customers can conveniently inquire about a list of recipients of their personal data and/or to cancel marketing communications from all such recipients. The financial institution must be able to cancel marketing communications immediately upon request.
Notification No. 4/2563 imposes requirements for the disclosure of customers' personal data for marketing purposes. In particular, financial institutions are required to:
- notify customers of their right to accept or decline the disclosure. The disclosure cannot be used as a condition for the approval of any products or services for which the customer has applied from the financial institution;
- separate the request for customers' consent for marketing purposes from those for non-marketing purposes in the application form; and
- notify customers that the request is to ask for their consent for the disclosure of data for marketing purposes and inform the customer of the list of recipients so that they can decide if they will give their consent or not.
Following the initial consent, if a service provider wishes to include additional recipients on the list, the customers who gave their initial consent to the disclosure of data must again be notified of the new list, at which point they have the right to decline the new disclosure of data. The service provider must also provide channels for the customers to raise their objections to such disclosure.
Where the recipient of any such disclosure is a financial institution, a service provider must notify the customers of the new list through appropriate channels, which can refer to other resources such as the service provider's website. Moreover, a service provider must notify its customers through the right channels and provide ways for the customers to cancel or withdraw their consent. This is a change from the previous regulation, as a specific opt-in is now required to allow the disclosure.
Nonetheless, commercial banks in Thailand do notify their customers of their general privacy policies according to their own internal rules and regulations.
Regarding financial institutions, Notification No. 4/2563 specifically requires Thai financial institutions to operate according to a 'three lines of defence' system in order to protect vulnerable customers. One of the lines of defence is a 'system that can effectively detect risks and irregularities to prevent any potential losses.'
Regarding IT functions of financial institutions, Notification No. 4/2563 specifies, among other things, the following:
- if the operations and storage of significant data rely materially on a computer system, potential threats to the system must be prevented, and there must be a contingency plan available in the event that the system is disrupted, hacked, or damaged. The service provider must maintain communication with customers before, during, and after the incident; and
- there must be control of data usage and data access to prevent leakage of data or the use of data for inappropriate purposes.
In addition to the provisions of the PDPA, the Anti-Money Laundering Act B.E. 2542 ('AMLA') requires financial institutions in Thailand to 'maintain all customer identification records, financial transactions, and a record of facts and information relating to a particular transaction (e.g. a transaction which exceeds a certain threshold or is higher than the amount prescribed by the Ministerial Regulation, suspicious transactions) for a period of five years from the date that the account was closed or the termination of relations with the customer, or from the date that such transaction occurred, whichever is longer, unless the competent official notifies that financial institution in writing to do otherwise.'
AMLA imposes legal requirements on financial institutions regarding the collection of data for the purposes of customer due diligence, KYC, and transaction reporting. Specifically, this legislation requires that:
- financial institutions must require 'customers to show identification prior to conducting any transaction on behalf of a customer, as provided by ministerial regulation';
- when conducting transactions on behalf of a client, financial institutions must require customers to 'provide all facts in connection with such transaction'; and
- financial institutions must file a report to the Anti-Money Laundering Office ('AMLO') in the event where a customer conducts a transaction that is for a significant amount of money (as defined by regulations) or the transaction appears to be suspicious.
Thailand and the United States have entered into an agreement to improve international tax compliance and to implement the Foreign Account Tax Compliance Act ('FATCA'). Under this agreement, financial institutions in Thailand are subject to reporting to the Internal Revenue Service ('IRS') regarding the financial information and transactions of US accounts held by individual US citizens and US-owned foreign entities. The main purpose of this is to prevent tax avoidance by US persons who open accounts with, or invest in, foreign financial institutions.
Financial institutions are also subject to reporting requirements under the Counter-Terrorism and Proliferation of Weapons of Mass Destruction Financing Act B.E. 2559.
In a circular issued to all financial institutions on 21 December 2016 (available in Thai), the BoT confirmed that customer data falls within the definition of 'confidential information of a financial institution' as used specifically in Section 155 of the FIBA.
Section 154 of FIBA provides the following exceptions where a financial institution may disclose confidential information:
- where it is required by a certain duty or for the purposes of investigation or for the purposes of court proceedings;
- where it is relevant to committing an offence under the FIBA;
- where confidential information is being sent to an auditor of a financial institution as well as national or foreign authorities that have the power and duty to supervise such financial institutions;
- for the purposes of the performance of duties by national and foreign authorities that have the power and duty to supervise a financial institution or business according to an agreement made between them;
- for the purposes of improving the condition and operation of such financial institution;
- for the purposes of granting credit by the financial institution;
- of a customer of the financial institution which had already been disclosed to the public;
- of a customer of the financial institution upon the consent of such customer;
- to a company in the same financial business group; and
- for the purposes of compliance with the law.
The insurance industry in Thailand is regulated by the Office of Insurance Commission ('OIC'). Furthermore, casualty and life insurance providers are subject to the Non-Life Insurance Act B.E. 2535 and the Life Insurance Act B.E. 2535, respectively. The aforementioned legislation, together with subordinate legislation issued by the OIC, requires insurance companies to maintain accounts and records of customer identification information along with each specific insurance policy taken out by the relevant customer. Aside from such legislation, data collection and processing in the insurance industry is subject to generally applicable laws.
In Thailand, payment service providers are specifically regulated by a framework of subordinate legislation created under the Payment System Act B.E. 2560. A payment service provider is referred to as a 'designated payment service,' and licences to provide such services are issued separately for:
- provision of credit card, debit card, or ATM services;
- provision of electronic money services;
- accepting electronic payment for and on behalf of sellers or service providers or creditors;
- provision of money transfer services by electronic means; and
- other payment services which may affect payment systems or public interests.
Furthermore, payment service providers are required to have at least one resident director who is a Thai national. In actual practice, the Foreign Business Act B.E. 2542, a general law applicable to foreign business activities in Thailand, limits foreign investment in payment service provider businesses to up to 49% of company equity, unless an exception applies. Therefore, a Foreign Business Licence is required, in addition to the BoT licence, for a payment service provider with more than 49% foreign shareholding.
In addition, where financial institutions outsource IT functions to third-party service providers, Notification No. 19/2559 requires financial institutions to manage IT outsourcing risks as follows:
- there must be a written policy surrounding the management of IT outsourcing risks, and the 'implementation of those guidelines and practices must be assessed regularly and the results must be reported to the board of senior management with delegated authority in a timely manner';
- there must be an assessment of the 'severity of possible risks of IT outsourcing, and must have in place a system to assess, control, and manage key related IT outsourcing risks, such as strategic risk, operational risk, legal risk, and IT risk. The system should be proportional with the size and volume of transaction, and complexity of the outsourced IT activities, as well as risks involved. The assessment of risks of IT outsourcing, including the use of cloud computing, should cover risks associated with the control and protection of personal data and degree of reliance on service providers that may limit any further change or cancellation (vendor lock-in), and impact on critical systems of the financial institutions. Furthermore, for financial institutions that outsource IT activities to overseas service providers, especially activities related to data storage/processing or any arrangement with respect to data, they must also assess risks of outsourcing those activities to the overseas service providers, such as risk of being unable to access the data due to a disruption or blocking of cross-border communication network or system (information access risk) and legal risk associated with compliance with overseas regulation (cross-border compliance)';
- there must be a framework for 'monitoring the effectiveness of service providers on a regular basis, a framework for monitoring any alteration made by service providers, as well as a framework for monitoring day-to-day incidents relating to service providers'; and
- there must also be a business continuity plan in place, which covers IT outsourcing. Furthermore, 'there must be an IT disaster recovery plan to accommodate problems or incidents from IT outsourcing and to mitigate severity of impact. Financial institutions must ensure that they have information available within the country to maintain the continuity of business operations and services provided to customers'.
In the event of a data breach, a financial institution must notify the BoT, as specified in the Notification of the Bank of Thailand No. FPG 21/2562 Re: Regulations on Information Technology Risk of Financial Institutions (only available in Thai) ('Notification No. 21/2562'), which states the following:
'A financial institution must inform the BoT of significant IT problems or incidents that affect its services, IT systems or reputation, as well as the event where its critical IT functions have been attacked or been threatened by cyber attacks, where those problems or incidents are the issues that the financial institution must report to its top executive. Those IT problems and incidents shall be reported to the Information System Examination Department, Payment Systems Policy and Financial Technology Group, and the BoT, immediately or as soon as they are discovered, and the causes and resolutions that have been taken may later be reported.'
The BoT's regulations, including Notification No. 21/2562, that already apply to financial institutions are much more stringent on data privacy protection. However, the PDPA governs other matters related to personal data, such as the categories of personal data; the collection, use, or disclosure of personal data; the legal basis on which it is collected; the rights of data subjects; and penalties. Thus, in practice, a financial institution acting as a data controller of personal data should notify both the BoT and the PDPC of any data breach in order to avoid liability and penalties under both the BoT regulations and the PDPA.
According to Section 155 of FIBA: 'Any person who knows or acquires confidential information of a financial institution because such person has the power of management or is an officer and discloses such confidential information in a manner likely to cause damage to other persons or the public, shall be liable to imprisonment for a term not exceeding one year or a fine not exceeding THB 100,000 (approx. €2,970), or both.'
Possible penalties for violating bank secrecy, anti-money laundering, and data protection rules include criminal, civil, and administrative penalties, including revocation of licences, depending on the nature and severity of the offence.
As previously mentioned, while the FIBA governs all aspects of data and information relating to financial institutions, the BoT is the authority that supervises all aspects of financial institutions in Thailand, especially as regards protection of the public. However, when it comes to personal data, the basic rules and principles of the PDPA also apply to financial institutions, for which both MDES and the BoT are the competent authorities.
Failure to comply with the PDPA could result in civil liabilities with punitive damages, administrative fines of up to THB 5 million (approx. €130,000), and criminal penalties which include imprisonment for up to one year, or a fine of up to THB 1 million (approx. €26,000), or both.
The PDPC has yet to issue any regulations under the PDPA that may impact financial institutions specifically.
11. Additional Areas of Interest
No further information available.