The Thai government has been promoting digitalization to boost economic growth, driven by its national development plan “Thailand 4.0”. It supports innovation and the adoption of digital technology in different segments through digital government policies. Following the digitalization strategy, the central bank is spearheading initiatives in the financial sector, such as the launch of a FinTech regulatory sandbox. Aiming to become “ASEAN’s Digital Hub”, the Thai government has proactively developed and expanded the capacity of its digital infrastructure. Data centers and cloud computing services are essential elements of its digital transformation plan.
Despite the Thai government's support, security and privacy concerns make cloud deployment less easy than expected. Regulators have come up with a set of general and specific requirements for cloud adoption. Relevant companies in Thailand are obliged to comply with the regulatory requirements. For details, please refer to General Regulatory Environment and Financial Services Sector below. Our expert team will support you throughout the whole cloud adoption process, ensuring a smooth, secure and compliant cloud project delivery.
General Regulatory Environment
The Personal Data Protection Commission (PDPC) oversees personal data protection in Thailand, under the supervision of the Minister of Digital Economy and Society (MDES).
General Privacy Laws:
The Personal Data Protection Act (PDPA), which governs data protection in Thailand, was published on 27 May 2019. Full enforcement of the PDPA has been postponed to 1 June 2022.
Data Cross-border Transfer Requirements:
Cross-border transfers are allowed with appropriate safeguards, where 1) the recipient country should have adequate personal data protection standards which are aligned with the PDPC’s guideline; or 2) the data subject has given consent; or 3) the transfer is necessary under a pre-existing contract between the data subject and the data controller; or 4) the transfer is in the interests of the data subject.
Financial Services Sector
Alibaba Cloud is one of the first cloud service providers with a local presence in Singapore, Malaysia, and Indonesia. With local infrastructure and professional services, we have a proven track record of enabling financial institutions to adopt cloud in the financial services industry across the Asia-Pacific markets. To better serve financial services customers in Thailand, we launched our first data center in the country, aiming to help customers easily adopt cloud in a secure and compliant way.
Alibaba Cloud is committed to helping customers comply with the regulatory requirements specific to the financial industry. From initial high-level due diligence and risk assessment, through solution design, implementation and transition, to post-implementation assurance, Alibaba Cloud provides a full suite of offerings that can help, including responses for every aspect of due diligence evaluation, best practices in service and product configuration, an automated and continuous security check tool, and assurance over the design and operational effectiveness of internal controls.
The Bank of Thailand (BOT), the central bank of Thailand, has the power to supervise financial institutions to provide a stable financial environment in Thailand. The Office of Insurance Commission (OIC) is the regulator of Thailand’s insurance industry, operating under the supervision of the Thai Minister of Finance (MOF). The Securities and Exchange Commission (SEC) is the main regulatory authority for the capital markets in Thailand.
Regulations/Guidelines to look at when using cloud computing services:
Financial Institutions (Commercial Banks, Finance Companies, and Credit Foncier Companies):
1. BOT No. FPG.16/2563 Regulations on the use of services from business partners of financial institutions
2. BOT No. Sor.Nor.Sor.21/2562 Regulations on governance of information technology risks of financial institutions
3. BOT No. FPG.7/2563 Permission for Commercial Banks to Undertake Business of Information related services to support digital banking
4. BOT No. SorNorChor.11/2561 Policy and measures to maintain security in information systems
5. BOT No. SorNorChor.1/2564 Regulations on information technology risk supervision according to law on payment systems
Securities Companies:
1. SEC Sor Thor. 37/2559 Rules in Detail on Establishment of Information Technology System
2. SEC Nor Por. 3/2559 Guidelines for Establishment of Information Technology Systems
3. SEC Tor Thor. 60/2561 Rules, Conditions and Procedures for Outsourcing Function related to Business Operation to Third Party
4. SEC Cloud Computing Practice Guide
Insurance Companies:
1. OIC Criteria for Supervision and Management for Information Technology Risk for Life Insurance Companies B.E. 2563 (2020)
2. OIC Criteria for Supervision and Management for Information Technology Risk for Non-Life Insurance Companies B.E. 2563 (2020)
3. OIC Guidelines on criteria to supervise the use of services from Information Technology Outsourcing Services Providers
4. OIC Guidelines for security and risk control of information technology systems (Information Technology Risk Management)
Is cloud permitted?
Yes. The BOT, SEC, and OIC have issued regulations guiding regulated entities to identify cloud-specific risks. Financial institutions in Thailand should be able to demonstrate how these risks are being addressed when they use cloud services.
Additional approval needed?
Financial institutions (Commercial Banks, Finance Companies, and Credit Foncier Companies) should establish criteria of significance for cloud adoption. For significant workloads, commercial banks are required to notify the BOT at least 15 days in advance of implementation, while finance companies and credit foncier companies must seek approval from the BOT. Insurance companies are required to notify the OIC prior to using cloud computing services. The SEC has relaxed its outsourcing requirements: securities companies in Thailand are only required to notify the SEC within 15 days from the date of using cloud services.
Is offshore outsourcing arrangement allowed?
The BOT, OIC, and SEC do not restrict regulated entities from outsourcing services to service providers in a foreign country. However, consideration shall be given to change or uncertainty regarding economic, political, social and legal issues in the foreign country, as well as the complexity of business continuity management for a service provider in the foreign country. The OIC is especially concerned about information access risk: from a business continuity management perspective, companies are required to ensure that data is readily available locally for ongoing business and customer service.
Brother & Brother Co. Ltd. cooperated with Alibaba Cloud to overcome the unique technical challenges it has been facing from its rapid expansion.
K.E. Group leveraged Alibaba Cloud's strong presence in retail business and tailored solutions for the new retail sector to build an omnichannel shopping experience for its customers.