Call us now:
Banking regulation in Thailand no longer freezes the market. For a foreign company, an investor, or an individual settled in the country, understanding banking rules has become an operational requirement, not a legal luxury.
Since 2024, banking regulation in Thailand has accelerated with the arrival of new digital players, tighter anti-fraud controls, enhanced customer identification requirements, and the portability of financial data. The difficulty lies in the layered structure of Thai law: the framework laws remain relatively stable, but notifications issued by the Ministry of Finance and the Bank of Thailand (BOT) contain most of the recent developments in Thai banking regulation. Anyone who follows only the framework legislation misses what is truly changing in practice.
In addition, AML-CFT (Anti-Money Laundering and Combating the Financing of Terrorism) compliance aims to prevent money laundering and the financing of terrorist activities by requiring strict verification measures and financial transaction monitoring.
This article analyzes the five major regulatory developments of 2026 (virtual banks, cyber fraud, responsible lending, banking data, and AML-CFT compliance) and what they concretely imply for foreign companies and investors in Thailand.
Get expert legal guidance.
Table of Contents
A regulatory turning point, not a revolution: what has really changed in banking regulation in Thailand
The Thai regulator is now pursuing four objectives simultaneously: preserving the stability of the system, opening the market to innovation, reducing digital fraud, and protecting the end customer. Within the broader evolution of banking regulation in Thailand, this combination results in a more comprehensive, technical, and operational legal framework.
The legal framework remains dominated by the Financial Institutions Business Act B.E. 2551 (2008) and the Payment Systems Act B.E. 2560 (2017). But it is at the level of BOT notifications that the key developments are taking place. Three events accelerated this trend in 2025–2026: the finalization of the framework for virtual banks, the anti-cybercrime reform, and the regulatory launch of the “Your Data” project, further illustrating the transformation of banking regulation in Thailand.
This framework is based in particular on the Financial Institution Business Act B.E. 2551 (2008), the Payment Systems Act B.E. 2560 (2017), and the Anti-Money Laundering Act B.E. 2542 (1999), which govern banking activities, payments, and financial compliance, respectively.
Virtual banks and banking regulations in Thailand: innovation permitted under increased scrutiny
The arrival of virtual banks does not signify deregulation. The regulator’s rationale is simple: to accept new digital models only if they improve access to services without creating excessive systemic risk. Within the broader evolution of banking regulation in Thailand, the country has selected a limited number of players subject to strict conditions prior to launch, without liberalizing the market without safeguards.
The Ministry of Finance Notice of February 20, 2024 opened the application period (March–September 2024). On June 19, 2025, the Bank of Thailand announced the consortia approved by the Ministry of Finance to establish virtual banks, subject to meeting the prerequisites for operational launch.
A foreign fintech firm wants to offer credit in Thailand
A foreign company wishing to offer consumer loans via a mobile app must verify whether its activity falls under a banking license, a non-bank credit license, or a sandbox framework. Without the appropriate license, the activity is illegal even if the front-end is hosted abroad.
Cyber fraud and banking regulations in Thailand: when the bank becomes jointly responsible
In 2023, the BOT imposed several minimum measures: a ban on sending links via SMS, a limit of one login per app on a single device, notifications before each transaction, and 24-hour hotlines.
The reform went further with the Emergency Ordinance on the Prevention of Technological Crimes (No. 2) B.E. 2568 (2025). Within the evolving framework of banking regulation in Thailand, when damage results from non-compliance with the imposed standards, the bank may, depending on the circumstances and in the event of a breach of applicable regulatory standards, be required to bear all or part of the loss incurred.
An SME Victim of a Wire Transfer Fraud
A foreign company whose employee has been the victim of identity theft fraud may hold its bank liable if the bank failed to implement the required anti-fraud measures. The quality of the evidence (authentication logs, prompt reporting) is decisive.
Responsible Lending: New banking regulations in Thailand for lenders and borrowers
Since January 1, 2024 (and April 1, 2024 for persistent debts), the BOT’s responsible lending rules require fair conduct at every stage: advertising, assessment, assistance to vulnerable borrowers, and restructuring. This is not merely a code of conduct.
It is an enforceable supervisory framework, a potential source of BOT inspections and customer disputes. Within the broader context of banking regulation in Thailand, these rules mark a clear shift toward stricter oversight and accountability.
For foreign borrowers, certain aggressive practices are becoming harder to justify. This framework is part of a macroeconomic strategy for the sustainable management of household debt, which remains a key issue for financial stability in Thailand.
Your data, your rights: bank portability arrives in 2026
In November 2025, the BOT adopted the rules for the Your Data project, allowing customers to transfer their financial data to other service providers. Rollout begins in late 2026 with deposit data, then expands through 2028. This initiative builds on previous guidelines regarding data governance and the use of biometrics in financial services, reflecting the ongoing evolution of banking regulation in Thailand.
For fintechs, the stakes are strategic. Within the broader evolution of banking regulation in Thailand, business models will increasingly depend on the ability to integrate these standards without creating security vulnerabilities or violating Thai personal data laws. For customers, managing consent and tracking data flows will become second nature.
Get expert legal guidance.
AML-CFT and foreign exchange controls: vigilance does not end with account opening
AML-CFT compliance involves two distinct authorities. Within the broader framework of banking regulation in Thailand, compliance with anti-money laundering and counter-terrorist financing (AML-CFT) regulations rests primarily with the Anti-Money Laundering Office (AMLO), while the Bank of Thailand enforces sector-specific obligations applicable to financial institutions.
In 2024–2025, their joint statements emphasized heightened vigilance regarding flows linked to high-risk countries and the strengthening of anti-money laundering policies, another key development shaping banking regulation in Thailand.
For international groups, the foreign exchange control framework remains in effect. In September 2025, the BOT revised certain rules regarding baht transactions with non-residents. Bank compliance is not limited to account opening; it extends to the structuring of every cross-border transaction.
In practice, certain cross-border transactions require the submission of supporting documents to the bank, particularly for foreign investment, the repatriation of dividends, or the repayment of intra-group loans. Documentary consistency regarding the transaction remains a central element of compliance.
What foreign companies must do: a practical checklist
The right approach is preventive. An inconsistency between the business narrative and the financial flow quickly raises a red flag. In 2026, the real challenge is not the existence of regulations but their granularity, at the intersection of banking law, payments, anti-fraud, data, and AML-CFT—core dimensions of banking regulation in Thailand.
Before opening an account or launching an activity
☐ | KYC File | Prepare a coherent file on the business activity, identification of the ultimate beneficial owners (UBOs), the source of funds, the economic justification for the cash flows, and the expected transaction profile. |
☐ | Legal classification | Verify whether the business requires a banking, payment, non-bank credit license, or a sandbox framework. |
☐ | Documentary consistency | Align contracts, invoicing, and the economic rationale for transfers with what will be visible to the bank. |
☐ | Foreign exchange controls | Analyze the BOT rules applicable to baht transactions with non-residents based on the nature of the cash flows. |
During operations
☐ | Bank mandates | Update mandates, payment limits, and authentication procedures. |
☐ | Documentation | Retain evidence: in cases of fraud or freezing, the quality of the file often makes the difference. |
☐ | DPA Limit | Legal deposit insurance limit currently set at 1 million baht per depositor and per financial institution, in accordance with the Deposit Protection Agency Act B.E. 2551 (2008). |
☐ | Regulatory Monitoring | Monitor BOT notifications: the most significant changes do not come through the framework law. |
Governance and AML-CFT Compliance
☐ | Beneficial Owners | Identify and document beneficial owners in accordance with AML-CFT standards. |
☐ | AML-CFT Policy | Have an internal policy tailored to the Thai context and cross-border flows. |
☐ | Legal review | Have the banking structure audited by a local advisor: less costly than late compliance. |
Conclusion
The Thai banking landscape is not closed off. It is becoming more sophisticated. Thailand is opening its market to new players while imposing stricter regulations on fraud, data, credit, and customer identification, key trends shaping banking regulation in Thailand.
By 2026, Thai banking law is no longer just about licensing and prudential supervision. Within the broader evolution of banking regulation in Thailand, it is now about customer experience, digital security, evidence, and data governance. This evolution makes the market more predictable for well-prepared players and riskier for those who improvise.
If you need further information, you may schedule an appointment with one of our lawyers.
FAQ
The term refers to the set of laws, notifications, and administrative rules governing banks, payments, credit, AML-CFT compliance, data protection, and cross-border flows in Thailand.
Yes. A licensing framework was established by the Ministry of Finance in 2024, and applicants were selected in June 2025, subject to conditions precedent to the actual launch.
No. If the activity involves banking, payments, or credit, an appropriate authorization is required. The functional nature of the activity takes precedence over the legal form or the location of the front-end.
Yes, under certain circumstances. When the institution has failed to meet the required standards for cyberfraud prevention, it may be required to bear a portion of the loss. The quality of detection systems and customer documentation are decisive factors.
It requires the lender to act fairly before, during, and after the loan is granted: pre-contractual information, product suitability, and handling of repayment difficulties. Certain aggressive practices become enforceable.
Yes, within a regulated and phased framework. The “Your Data” project is scheduled to roll out starting in late 2026, with an extension through 2028. Customer consent will be central to this system.
The AMLO is the central authority for combating money laundering and terrorist financing. The BOT, for its part, supervises financial institutions and issues sector-specific regulations. They publish joint statements on priority risks.
Coverage is set at 1 million baht per depositor and per financial institution. This limit is lower than those in Singapore (100,000 SGD) or Hong Kong (500,000 HKD). For companies managing significant cash reserves, diversification across institutions should be considered.
Yes. Exchange controls and BOT regulations on transactions with non-residents remain in effect. The September 2025 revision updated certain rules regarding baht transactions with non-residents and the prevention of speculation.
Because banking compliance in Thailand lies at the intersection of banking law, data, AML-CFT, and cybersecurity. A preventive review costs less than a belated rectification or a freeze on an operational account.