Bank of Thailand tightens security for mobile banking

Provided by Nation.

BOT notes higher risks from increasingly sophisticated cyberthreats and financial fraud

 

The Bank of Thailand has announced new regulations to bolster the security of mobile banking and payment services offered by financial institutions. 

 

BOT governor Sethaput Suthiwartnarueput signed the regulations, which were subsequently published in the Royal Gazette.

 

Mobile banking continues to expand rapidly in Thailand, bringing with it higher risks from increasingly sophisticated cyberthreats and financial fraud.

 

The BOT says it recognises the potential for widespread damage to users and the impact on the credibility of the financial system and the nation's payment infrastructure.

The new regulations, authorised under the Financial Institutions Business Act BE 2551, mandate that financial institutions providing mobile banking services continuously monitor, manage and upgrade their security systems and services to meet international standards.  

 

This includes protection against increasingly complex cyberthreats and evolving fraud tactics, covering both the institutions’ systems and the security of users' mobile devices.
 
Key security measures outlined in the regulations include:

Restrictions on Links in Communications: Financial institutions are now prohibited from including links in SMS (text) messages and emails. While links are permitted in social-media communications, they cannot request identity verification or personal information such as usernames, passwords, one-time passwords (OTPs), personal identification numbers (PINs), ID card numbers, or dates of birth.

 

This is designed to prevent phishing attacks, social engineering, and malware installation. Links can be included if specifically requested by the customer, but the communication must clearly state that the link is provided at the user’s request.

 

Monitoring and Response to Fraudulent Apps: Financial institutions must monitor for and promptly respond to fake applications mimicking their mobile banking apps on official app stores (for example, Google Play Store or Apple App Store). They must also have procedures for dealing with fraudulent apps found outside these official platforms.

 

Device and Account Limitations: Users are limited to one mobile banking account per financial institution and can only access the service from a single mobile device.


  

Enhanced User Verification: Additional user verification, using facial comparison technology with presentation attack detection, will be required for:


Individual transfers of 50,000 baht or more.
Cumulative transfers of 200,000 baht or more within a single day.
Increases to daily transfer limits of 50,000 baht or more.

Exceptions may be made for users with disabilities or for low-risk transactions like transfers between an individual's own accounts.


 

Transaction Limits: Daily transaction limits for withdrawals and transfers via mobile banking will be set based on user risk profiles.  For example, users under 15 years old will have a maximum limit of 50,000 baht per day. 

 

Institutions can use industry standards to determine risk levels and limits, but must have a clear process for considering customer exemption requests.

 

The regulations come into effect 30 days after publication in the Royal Gazette, with the exception of Clause 5.3.72 (3.3), which takes effect 60 days after publication. The announcement is dated January 31, 2025, and signed by BOT governor Sethaput Suthiwartnarueput.

NATION
