Commercial bank members of the Thai Bankers’ Association (TBA) have been upgrading their digital technology to handle cyber-risks. The association has committed to compliance with the new measures, TBA chairman Payong Srivanich said at a media briefing on Friday (Mar 10), in collaboration with the central bank and the Government Financial Institutions Association (GFA), reports Bangkok Post.
Mr Payong said banks already collected customers’ biometric data, allowing for facial scans for money transfers and adjustments of credit transfer limits on mobile banking apps. He said banks would continue to collect such biometric data.
According to the new measures, a facial scan is needed for: digital money transfers of more than B50,000 per transaction; transfers of more than B200,000 per day; and to change credit transfer amounts of more than B50,000 per transaction. Banks must implement these measures by June this year.
BOT governor Sethaput Suthiwartnarueput said on Thursday (Mar 9) the central bank chose 50,000 baht and higher because the amount is a frequent target of fraudsters.
"To comply with the new cybersecurity measures, banks will have to allocate a higher investment budget for IT and digital system development," admitted Mr Payong from TBA.
"But the investment is necessary to guard against cyber-risks or it could create a higher loss for both customers and banks," he added.
Tuantong Treenuparb, senior executive vice-president for IT at Government Housing Bank and a representative of GFA, said specialised financial institutions (SFIs) have also developed biometric technology to protect customers from cyber-risks. As a result, SFIs are committed to complying with the central bank’s new cybersecurity measures, he said.
However, for some SFI clients, especially those from vulnerable segments who are not familiar with digital banking transactions, the banks will help them with financial and digital literacy to protect against digital financial fraud, said Mr Tuantong.
Siritida Panomwon Na Ayudhya, the Bank of Thailand’s assistant governor for payment systems policy and financial technology group, said some banks have collected digital facial data for more than 50% of their total deposit client base, while others were below that level.
Banks have only been collecting digital data for around two years, so it will continue as an instrument to handle cyber-risks, she said.
"In the initial stage, the central bank requires facial scans for digital money transfers and adjusting credit transfer limits," said Ms Siritida.
"The facial scans could be expanded to cover money deposits and withdrawals for the next step."
More measures to follow
The regulator also wants to close loopholes and curb fraudsters’ access to consumers by banning financial institutions from sending links via SMS and email.
Banks are also not allowed to send customers’ personal data through social media. In addition, mobile banking users can only use one username for a device.
The central bank also requires financial institutions set up a hotline call centre where customers or financial fraud victims can contact them around the clock.
On Feb 15 Deputy government spokeswoman Rachada Dhnadirek said a 14-section draft decree on the prevention and suppression of technology crime is expected to take effect soon. The drawt – seeking to combat the use of “mule” bank accounts by scammers and call-centre gangs – had already been examined by the Council of State and approved by the Cabinet.
Telecom service providers will be required to provide information about their customers within specified periods to the the Royal Thai Police (RTP), the Department of Special Investigation (DSI) or the Anti Money Laundering Office (Amlo) for examination if illegal activity is suspected.
Financial institutions and businesses that detect suspicious transactions will also have the power temporarily suspend them before alerting financial institutions or businesses that receive the transferred money.
The draft decree also imposes harsh penalties against people hired as nominees to open accounts, or who allow others to use mobile phone numbers for illegal activity. They face a three-year jail term, a maximum fine of B300,000, or both.
People who help procure bank accounts, electronic cards, e-wallets, SIM cards or who advertise this service may face up to five years in jail, a fine of B200,000-500,000, or both.
According to central bank data, from March to December 2022 there were around 50,000 cases of online shopping fraud, 20,000 cases of money transfer fraud, 18,000 cases of lending fraud, and 13,000 cases of call centre fraud. There were 58,000 cases of nominee deposit account fraud with total reported losses of B5.5 billion.
JohnC | 12 March 2023 - 08:34:18