Fintech 2025

THAILAND Law and Practice Contributed by: Wongsakrit Khajangson, Panupan Udomsuvannakul, Koraphot Jirachocksubsin and Pitchaya Roongroajsataporn, Chandler Mori Hamada

• establish and follow outsourcing policies and rules; • outsource reasonably without ceasing busi - ness operations; • be responsible and act in the best interests of customers, complying with laws and regula - tions; • notify the SEC of outsourcing arrangements or any changes within 15 days; and • submit an annual outsourcing summary report to the SEC. Moreover, the SEC must approve outsourcing due diligence tasks regarding business and technology, such as smart contract source code. This ensures that outsourcing follows the SEC’s rules and keeps the ICO portal’s core functions intact. The SEC’s regulations are under develop - ment and will be enacted soon. 2.9 Gatekeeper Liability Depending on business activities, a fintech ser - vice provider may be considered a gatekeeper. For example, pursuant to SEC Notification No GorThor.19/2561 regarding the criteria, condi - tions and procedures for business operations of digital assets, exchange service providers must have a system in place that discloses sale and purchase data. This data includes pre-trade and post-trade information, and records of sales and purchases of digital assets must be recorded for potential audits. The Computer Crime Act B.E. 2550 (2007) requires that a fintech service provider is: • a person who provides services to the public with respect to access to the internet or other mutual communications via computer sys - tems, whether on their own behalf, or in the

name of, or for the benefit of, another person; or • a person who provides services with respect to the storage of computer data for the ben - efit of other persons – computer traffic data must be stored for at least 90 days from the date on which the data is entered into the computer system. However, if necessary, a relevant competent official may instruct a service provider to store data for a period of longer than 90 days but not exceeding one year on a special case-by-case or on a temporary basis. A fintech service pro - vider must keep the necessary information of the service user to be able to identify the service user from the beginning of the provision of the services. Such information must be retained for an additional period of no more than 90 days after the service agreement has been terminated. Failure to meet the specified requirements may result in a fine of up to THB5,000. 2.10 Significant Enforcement Actions In 2024, the SEC remained active in supervis - ing digital asset markets and businesses, and a stricter approach from the SEC was seen in enforcement actions. For example, the MOF, at the recommendation of the SEC Board, revoked licenses to operate digital asset exchange and broker business from one business operator. The SEC determined that the business opera - tor exhibited financial instability, posing poten - tial harm to customers, and had an inadequate and inappropriate management structure and personnel, which failed to ensure efficient and responsible operations in accordance with SEC regulations. Despite the revocation of its digital asset licens - es, the business operator remains a limited com -

878 CHAMBERS.COM

Powered by