Cyber law act thailand

On September 12, 2024, the Bank of Thailand (BOT) Notification Re: Virtual Bank Supervision Criteria took effect. According to this notification, virtual banks must adhere to standards for traditional commercial banks, along with additional requirements tailored to address virtual banks’ digital nature and corporate structure.

Specific Requirements

The concepts of supervision remain unchanged from the consultation paper titled “Criteria for Supervising Virtual Banks”. Some of the key additional provisions and details on supervision criteria relate to the following:

Financial business groups: The notification identifies virtual banks as financial businesses, subject to the BOT’s regulations on financial business group supervision. If a virtual bank is a part of another financial institution’s financial business group, the virtual bank must be under a solo consolidated group. After the “initial phase” (see below), other financial institutions and companies within the financial business group are prohibited from extending credit to or engaging in transactions similar to lending activities with the virtual bank.

Capital fund requirements: If other financial institutions’ investment in a virtual bank increases the capital fund in the financial system beyond a safe level and this poses a risk to other financial institutions, the BOT may order the relevant financial institution to maintain capital funds as the BOT deems appropriate.

Service channels and outsourcing: Virtual banks must provide services solely through digital channels, except when necessary. For example, with the BOT’s approval, a virtual bank may use other commercial bank electronic branches via an ATM pool system, use a banking agent to serve customer needs for cash, or occasionally provide on-site services.

Initial Phase

The “initial phase” runs from the date that the virtual bank commences its operations until it receives the BOT’s approval to become fully operational. During this period, certain BOT supervisory requirements are relaxed as follows:

Governance: Virtual banks in the initial phase may request

August 29, 2024

Thailand Updates Requirements for Digital Asset Business Governance and Exchange Rules

Thailand’s Securities and Exchange Commission (SEC) has revised its regulations on digital asset operators and exchanges to impose stricter governance standards on digital asset business operators and to align digital asset exchange rules with international standards. The new regulations are laid out in SEC Notification No. GorThor. 23/2567 on the Criteria, Conditions, and Procedures for Operating a Digital Asset Business (No. 24) and SEC Notification No. GorLorThor. 24/2567 on Determination of Prohibited Qualifications for Directors and Executives of Digital Asset Business Operators (No. 5). These were published in the Government Gazette on August 16, 2024, with most of the provisions taking effect on the same date.

Governance for Digital Asset Businesses

The heightened standards for digital asset business operators aim to ensure efficient business supervision and appropriate response to operational risks. The new requirements mainly address:

Board of directors composition. Large-sized digital asset business operators (i.e., those with at least 10,000 customers and holding customer assets of at least THB 500 million) who do not provide digital asset custodian services must have at least five directors, at least two of whom must be independent directors. In addition, the business operators must establish an audit committee, with at least two members being independent directors, to create an appropriate “check and balance” mechanism within the organizational structure. Current digital asset business operators must comply with the requirements within 180 days of the notification’s effective date.

Qualifications of authorized directors and managers. Authorized directors and managers are now required to (1) either have at least one year of working experience in the digital asset field or have participated in a digital asset course from an SEC-approved list, and (2) participate in a good corporate governance course recognized by the SEC. Current authorized directors and managers who have not previously completed a good

August 26, 2024

Thailand Issues Criteria for Deletion, Destruction, and De-identification of Personal Data

On August 13, 2024, Thailand’s Personal Data Protection Committee (PDPC) published a notification on the Criteria for Personal Data Deletion, Destruction, and De-identification in the Government Gazette, taking effect on November 11, 2024. Most of the content remains unchanged from the June 2024 draft of the legislation that was released for public comment. Only minor amendments have been made, as outlined below:

Data controllers must respond to data subjects’ requests to delete, destroy, or de-identify personal data, including any copies or backups, without delay and within 90 days of receiving the request. This timeframe has been extended from the previous draft, which allowed only 60 days.

In deleting, destroying, or de-identifying personal data, the data controller must ensure that no one is able to recover or reverse personal data to enable the direct or indirect identification of the data subject by any means that could reasonably be expected.

If the data controller cannot fulfill the request within the 90-day period, it must take measures to ensure that the personal data is made difficult to collect, use, or disclose until the personal data can be deleted, destroyed, or de-identified according to the notification. In such cases, appropriate organizational, technical, and physical measures must be implemented to protect the data, meeting the criteria set forth by the notification.

One newly added provision allows data controllers to delete, destroy, or de-identify a data subject’s personal data using a different method than the one requested by the data subject, provided they inform the data subject of the alternative method. However, this is not allowed when the data subject exercises this right on the grounds that the personal data has been unlawfully collected, used or processed, and there are no grounds to reject the request.

In relation to the de-identification or anonymization of personal

August 23, 2024

Thailand SEC Amends Supervisory Framework for Ready-to-Use Utility Tokens

Thailand’s Securities and Exchange Commission (SEC) amended its utility token supervisory framework by issuing seven notifications that came into effect on August 13, 2024. Ready-to-use utility tokens (tokens that can be used immediately to acquire specific goods or services), which were previously unregulated, are now subject to the supervisory scheme set forth by the seven new notifications in both primary and secondary markets. This is intended to provide an investor protection mechanism that responds to the characteristics, risks, and usage of the different types of ready-to-use utility tokens. Under the new notifications, ready-to-use utility tokens are categorized into two groups. These are detailed below.

Group 1 Utility Tokens

Group 1 utility tokens include ready-to-use utility tokens issued for consumption purposes or as a digital representation of a certificate. Examples include loyalty points, digital movie or concert tickets, NFTs, and carbon credits, among others. Principally, there is no change in the regulation of group 1 utility tokens under the new notifications.

In the primary market, issuance of this type of token is not subject to the initial coin offering (ICO) requirements.

In the secondary market, providing services related to group 1 utility tokens is not considered to be the same as operating a digital asset business with licensing requirements under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). Licensed digital asset operators (including exchanges, brokers, and dealers) are not permitted to list or trade group 1 utility tokens. To provide services in relation to group 1 utility tokens, these licensed digital asset operators must establish a separate entity to provide those services and must not use names or messages that could cause the public to misunderstand that the separate entity is engaged in a digital asset business under SEC supervision.

Group 2 Utility Tokens

Group 2 utility tokens