Notification of the Bank of Thailand on Security Measures for Financial Services and Payments on Mobile Devices for Financial Institutions

Bank of Thailand (“BOT”) Notification No. 4/2568 marks a significant shift in Thailand’s financial regulatory landscape. This notification, aimed at bolstering the security of mobile banking services, introduces stricter authentication measures, transaction limits, and bank obligations to mitigate risks associated with cyber threats and financial fraud.

Key Compliance Requirements for Financial Institutions

1. Device Restriction (1 Person – 1 Device Policy)

  • Each user may only register one mobile device for mobile banking access, reducing the risk of unauthorized access through stolen credentials.

2. Enhanced Authentication for High-Value Transactions

  • Transactions exceeding 50,000 THB per instance or 200,000 THB per day require additional identity verification, such as biometric authentication or one-time passcodes.

3. Transaction Limits Based on User Risk Profile

  • Banks must assess and set daily transaction caps based on a user’s risk profile, including:
      • Underage users (below 15 years old): Daily limit of 50,000 THB.
      • Higher-risk users: Stricter limits depending on transaction behavior and security assessments.

4. Mobile Banking System Security Requirements

  • Banks must continuously update their security infrastructure to address evolving cyber threats.
  • Institutions are obligated to monitor, detect, and mitigate fraud risks using international cybersecurity standards.

5. Exclusion of High-Risk Devices

  • Financial institutions must avoid allowing mobile banking on devices deemed high-risk by cybersecurity bodies such as the Thailand Banking Sector Computer Emergency Response Team (TB-CERT).
  • This provision will come into effect 60 days after publication in the Gazette.

 

Bangkok Global Law