# Bank of Thailand Notification No. 25/2569: Customer Risk-Management Rules for Payment Service Providers (Three Lines of Defense and KYC)

- Canonical URL: https://www.lexcelsiam.com/observation/bot-25-2569-payment-service-customer-risk-management
- Locale: en
- Collection: /observation
- Published: 2026-06-12
- Last Updated: 2026-06-12
- Author: Lexcelsiam Regulatory Intelligence Desk (Cross-Border Legal Content Team)
- Reviewed By: Lexcelsiam Thailand Legal Review Desk (Financial Services & Payments Regulatory Review)
- Category: Financial Services
- Tags: Bank of Thailand, Payment Systems Act, KYC, CDD, mule account, e-money, payments, fintech, Thailand, 2026
- Source Documents: Bank of Thailand Notification No. 25/2569 — Royal Gazette Vol. 143, Special Part 144 Ngor, p. 36 (published 10 June 2026); Payment Systems Act B.E. 2560 (2017): https://www.bot.or.th/th/laws-and-rules/bot-takes-responsibilities-and-other-relevant-laws-and-regulations/law04.html
- Related Slugs: dbd-2026-anti-nominee-registration-measures, pdpc-cross-border-section-28-29-2566

## Executive Summary

Bank of Thailand Notification No. 25/2569, gazetted 10 June 2026, requires payment service providers to manage the risk of their services being used for fraud and mule accounts through a three-lines-of-defense structure and KYC/CDD obligations.

## Full Text

Bank of Thailand (BOT) Notification No. 25/2569 — issued on 24 May 2026 and published in the Royal Gazette on 10 June 2026 — requires regulated payment service providers to establish a system for managing the risks arising from customers' use of their payment services. Its central objective is to prevent payment services from being used as a channel for fraud and crime, and in particular to counter mule accounts. For payment, e-money, and fintech businesses operating, or seeking to operate, under a Thai licence, the bar for customer due diligence and risk governance has risen accordingly.

## Legal Basis and Scope

The Notification is issued under the Payment Systems Act B.E. 2560 (2017). It applies to three categories of regulated payment service provider: e-money service providers, electronic payment-acceptance service providers, and electronic funds-transfer service providers. The Notification then defines the operative terms — "business operator", "payment service", "customer", and "Know Your Customer (KYC)" — fixing the obligated parties and the scope of application.

## Core Requirements

The Notification establishes a risk-governance structure built on the **three lines of defense**, with express accountability at board and senior-management level.

The first line of defense sits in the business units, which carry out customer identification and verification (KYC), ongoing customer due diligence (CDD), and transaction and behavioural monitoring. The second line comprises the risk-management and compliance functions, responsible for independent oversight and policy-setting. The third line is internal audit, providing independent assurance.

On customer due diligence, the Notification requires that customers (both individuals and juristic persons) be identified and verified at onboarding, with information that is accurate, current, and from a reliable source; that **enhanced due diligence (EDD)** be applied to higher-risk cases; and that transactions and behaviour be monitored on an ongoing basis to detect suspicious activity and the indicators of mule accounts. Where an account is identified as suspicious, the provider must take measures such as suspension, restriction, or closure, and must share information with, and report to, the relevant authorities.

## What Investors in Thailand Should Note

- **Map governance against the three lines of defense** — licensed and licence-seeking operators should confirm that their governance has three independent layers (business, risk/compliance, and internal audit) and that board and senior-management accountability is in place.
- **KYC/CDD systems and investment** — identity verification, transaction monitoring, and suspicious-behaviour detection require corresponding technology and process investment; operators should assess the cost and timeline of systems work and vendor selection early.
- **Interaction with the anti-fraud and data regimes** — the monitoring and information-sharing duties dovetail with Thailand's broader framework against online fraud and mule accounts; the collection, matching, and cross-institution sharing of customer data must at the same time satisfy the PDPA's lawful basis and cross-border transfer requirements (see related articles).
- **Cross-border payment and fintech players** — businesses serving the Thai market on a cross-border basis must meet the customer-risk-management baseline as raised by this Notification.
- **Supply-side opportunity** — demand from Thai payment institutions for KYC, anti-fraud, and regulatory-technology (RegTech) solutions will rise accordingly.

## Conclusion

Notification No. 25/2569 turns fraud and mule-account prevention from a matter of after-the-fact response into an ongoing, supervised obligation for payment institutions, governed through the three lines of defense. Operators should review their governance and KYC/CDD processes against the Notification at an early stage and confirm the applicable transition timeline. For a discussion of payment-licensing compliance and risk-governance frameworks, please contact us at business@lexcelsiam.com.

## Sources

- Bank of Thailand Notification No. 25/2569 — Royal Gazette Vol. 143, Special Part 144 Ngor, p. 36 (issued 24 May 2026; published 10 June 2026).
- Payment Systems Act B.E. 2560 (2017): https://www.bot.or.th/th/laws-and-rules/bot-takes-responsibilities-and-other-relevant-laws-and-regulations/law04.html
