Thailand’s new law expands cybercrime prevention and enforcement powers

By: Ian Johnston, Sorawat Wongkaweepairot and Nuttida Doungwirote

At a glance

Expanded reporting requirements now apply to digital asset businesses, aligning them with traditional financial institutions.
Banks and service providers must proactively block or close accounts linked to blacklisted individuals.
A new central cybercrime authority has broad powers to investigate, suspend transactions, and publish offender data, alongside new criminal offences targeting data misuse and SIM trading.

Introduction

Thailand has introduced major enhancements to its cybercrime prevention framework, with new obligations for financial institutions and criminal offences targeting the misuse of personal data. Of particular relevance to insurers, the changes increase the compliance burden on clients – especially those operating in financial and digital asset sectors – and raise the risk of inadvertent criminal exposure.

New legislation

The Royal Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2) B.E. 2568 (2025) amends the original 2023 decree. It grants sweeping powers to government agencies, establishes a new supervising authority, and introduces a compensation mechanism for victims. This marks Thailand’s most assertive legal response yet to combat sophisticated scam networks and technology-enabled financial crimes that have caused substantial losses to Thai citizens.

Key changes

Inclusion of Digital Asset Businesses

Digital asset operators are now expressly covered by the reporting regime, significantly expanding the compliance perimeter for suspicious transaction monitoring. They are required to report suspicious transactions in the same manner as banks and payment service providers.

Expanded Proactive Obligations for Financial Institutions

Financial institutions must now take pre-emptive measures against cybercrime risk, rather than relying solely on reactive reporting. This includes refusing to open accounts, suspending services or transactions, or closing accounts linked to individuals or entities on government blacklists. The scope of responsibility also extends to customer onboarding and service delivery.

Creation of a Central Supervisory Body

A newly formed government body, the Cybercrime Prevention and Suppression Operation Center, centralises and expands oversight powers for tackling cyber-enabled fraud. Important notes include that:

It receives reports from victims and can act on them in real time,
It has authority to suspend transactions involving suspected criminal activity,
It can compel banks and business operators to provide account and transaction data,
It may publish lists of suspected individuals and wallet addresses involved in cybercrime, and
It is required to issue monthly performance reports to demonstrate active prevention and enforcement.

Introduction of New Criminal Offences for Data Misuse and SIM Card Trading

Several new offences have been created targeting the misuse of data and identity tools commonly used in scams, including:

Buying or selling registered SIM cards for criminal use: up to 1 year in prison, a fine of up to THB 100,000, or both,
Using or disclosing personal data (including that of deceased persons) to commit or facilitate cybercrimes: up to 1 year in prison, THB 100,000 fine, or both, and
Buying, selling, or exchanging personal data unlawfully: up to 5 years in prison, a fine of up to THB 500,000, or both.

Implications for insurers and clients

This law marks a shift toward more aggressive government intervention in cybercrime prevention, backed by stricter penalties and broader institutional powers. Financial institutions and digital asset businesses will need to review compliance protocols and client due diligence processes.

For insurers, the focus should be on ensuring that clients – especially those handling customer data or operating in high-risk sectors – understand the scope of new offences. Activities such as data trading or inadvertent use of personal information may now fall within criminal territory, depending on how the law is interpreted and enforced.

Conclusion

Thailand’s updated cybercrime legislation underscores a growing regulatory trend in Asia: proactive enforcement, institutional escalation, and expanded criminal liability.

The challenge for insurers and their clients lies in interpreting the broad scope of these new offences and managing the associated compliance risks

Global reach, local impact

In May 2025, the firm proudly launched its Bangkok office – its second in Asia and eleventh globally – further strengthening its presence across the Asia Pacific region.

The office will be led by Partner Ian Johnston, a highly respected insurance specialist and arbitrator with more than two decades of experience in Asia. Ian brings deep expertise in energy, construction, property, and commercial disputes.

Joining Ian is our talented founding team in Bangkok, partner Sorawat Wongkaweepairot, associate Nuttida Doungwirote, and team secretary and paralegal Tamonwan Supanukanon.

We are thrilled to welcome them and look forward to building strong client relationships across Thailand and the wider region.