Thailand e-payment regulations: compliance essentials for foreign-owned SMEs

  • Writer: gentlelawlawfirm
  • Aug 25

Thailand e-payment regulations for foreign-owned SMEs

Who this guide is for

Foreign-owned SMEs that sell goods or services in Thailand and accept online or in-app payments, mobile wallets, QR payments, or card-not-present transactions.


1) Key laws and regulators behind Thailand e-payment regulations

  • Payment Systems Act B.E. 2560 (2017). Establishes the regulatory framework for designated payment systems and designated payment services under the supervision of the Bank of Thailand (BOT). Licensing, registration, or notification applies depending on risk and activity.

  • Electronic Transactions Act B.E. 2544 (2001). Recognizes the legal validity of electronic records and signatures for e-commerce and e-payment contracting.

  • Personal Data Protection Act B.E. 2562 (PDPA). Governs personal data processing throughout the payment flow, including breach notification timelines.

  • Anti-Money Laundering Act B.E. 2542 (and related ministerial regulations). Sets suspicious transaction reporting, customer due diligence, and record-keeping duties for reporting entities and relevant non-bank providers.

  • PromptPay and Thai QR standards are overseen within the National e-Payment framework with BOT guidance on scheme participation and security.

Practical takeaway: before building a new payment flow, map every step to which statute and regulator it touches, then confirm whether your role is a merchant using a licensed PSP or a provider that must seek BOT approval.

2) Do you need a BOT license, or can you rely on a licensed PSP?

If you only accept payments using a bank, card acquirer, or licensed PSP, you typically do not need your own payment license. Your obligations focus on consumer law, tax invoicing, PDPA, and AML red flags within your business.

If you operate payment services yourself, you may fall under designated payment services or designated payment systems that require BOT licensing, registration, or notification. Examples include operating a payment gateway, switching, or settlement infrastructure. Capital, governance, and reporting requirements apply as set in BOT notifications.

Always confirm the exact category and approval route with BOT before launch, since obligations differ by service type and risk classification.

3) Digital wallets and e-money basics

Issuing stored value to users may qualify as electronic money under BOT rules. Providers must meet prudential, safeguarding, risk management, outsourcing, and agent oversight standards defined in BOT notifications, plus ongoing reporting to BOT. If you use agents or partners for cash-in or top-up, the agent framework and controls in the BOT notification on agents apply.

Foreign-owned SMEs usually partner with a licensed Thai bank or PSP for wallet features, rather than self-issuing e-money, to avoid licensing scope and capital requirements.

4) Thai QR payments and PromptPay integration

  • Joining the Thai QR ecosystem requires connectivity through licensed participants and compliance with scheme rules, fraud controls, and reconciliation standards.

  • Merchants should display secure, scheme-compliant QR codes and ensure settlement reports match order systems.


5) AML and customer due diligence for e-payments

  • Thailand follows a risk-based AML approach. Businesses in financial or designated non-financial sectors must implement CDD, monitor transactions, and report suspicious transactions to AMLO in accordance with the AMLA and applicable regulations. Maintain AML records for the statutory period and be ready for inspection.

  • PSPs and e-money issuers should formalize risk assessments, escalation protocols, and independent testing as part of their internal control environment.


6) Data protection and security under PDPA

  • Publish a clear privacy notice covering purposes, retention, sharing with PSPs and banks, and contact points for data subject requests.

  • Implement appropriate technical and organizational measures across apps and APIs.

  • Notify the PDPC without delay and within 72 hours of becoming aware of a breach that risks rights and freedoms of data subjects, and communicate with users when required under the PDPC notification.


7) Reporting, outsourcing, and using agents

  • If you are a licensed payment operator, you must submit periodic payment information reports to BOT and comply with outsourcing and agent control requirements. Use written contracts, audit rights, and security standards for third parties.


8) Integration checklist for SMEs

Use this checklist when launching or revising payment flows with partners:

  1. Map roles and approvals. Are you a merchant using a PSP, or operating a service that needs BOT approval?

  2. Contract with licensed participants. Confirm PSP licensing scope and incident SLAs. Keep copies of their licenses and attestations.

  3. Secure QR and card-not-present flows. Use scheme-compliant QR, strong authentication, and daily reconciliation.

  4. AML framework. Implement risk-based CDD, continuous monitoring, and AMLO-aligned reporting procedures.

  5. PDPA controls. Update the privacy notice, consent mechanisms, and breach response with the 72-hour rule.

  6. BOT reporting and vendors. Meet BOT reporting schedules and control any agents or outsourced processors under BOT notifications.

9) How GENTLE LAW IBL can help

  • BOT scoping advice to determine whether you need licensing, registration, or notification

  • Regulatory liaison and drafting for BOT applications and notifications

  • AML program design and independent testing aligned with Thai law

  • PDPA privacy notice, DSR workflow, and breach playbook

  • Payment contract reviews with banks and PSPs, including SLAs, liability, and data terms

Build compliant, resilient payment rails in Thailand with GENTLE LAW IBL as your one-stop partner.

Ready to launch or refine your e-payment service in Thailand? Contact GENTLE LAW IBL for an e-payment compliance audit: gentlelawibl.com
