Guide to Insurtech Innovation and Utilization
Who are the relevant regulators in the region?

There are several regulators relevant to the operation of fintech/insurtech innovations in Thailand, depending on the operating entities and scope of business activities.

Key regulators include the following:

  • Ministry of Finance (MOF) – oversees the operation of financing, securities and credit financier business, and the business of financial institutions in Thailand
  • Bank of Thailand (BOT) – oversees business operation of commercial banks and other financial institutions, including finance companies, ranging from moneylending and currency exchange
  • Securities and Exchange Commission (SEC) – regulator in charge of securities business, including public fundraising through capital market
  • Ministry of Commerce (MOC) – oversees the general business operation of a company incorporated under the laws of Thailand, whether private, public or listed
  • Office of Insurance Commission (OIC) – in charge of business operation of insurance companies in Thailand
  • Electronic Transaction Commission under the Prime Minister – in charge of electronic transaction business conducted in Thailand
What are the types of fintech/insurtech activities that are regulated?

Activities involving insurers, insurance intermediaries and the insurance business may be regulated under the Life Insurance Act B.E. 2535 (1992), as amended, and the Non-Life Insurance Act B.E. 2535 (1992), as amended, and subordinate legislation issued by the OIC.

Regulated insurance companies seeking to commence or develop fintech/insurtech activities must ensure that any new activities comply with the foregoing (as applicable) and do not breach any existing license conditions. In order to keep pace with the rapid changes, the OIC has approved the utilization of a regulatory sandbox in Thailand to enable insurers, agents, fintech/insurtech players to beta test insurtech innovations.

For financing-related activities, financial services in Thailand are a very heavily regulated sector. When offering fintech/insurtech products and services to the Thai market, the key questions that need to be answered are whether the business operator will be able to operate legally in Thailand and whether a license, registration or approval is required, such as a banking license, e-payment license, securities license, personal loan license, credit card business license, FX license, money transfer license, crowdfunding portal approval, etc.

Securities-related business is also subject to licensing requirements by the SEC.

What is the attitude and what are the policy views of the regulator in relation to insurtech (if any)? Is innovation encouraged?

The regulators have been positive and encourage fintech/insurtech innovation in the following ways:

  • Crowdfunding – Further to the notification in relation to equity-based crowdfunding issued by the SEC, effective since 16 May 2015, which allows a qualified company to raise funds from the public by offering shares through an electronic platform provided by a funding portal approved by the SEC, the SEC is currently holding a public hearing regarding the revision to be made to the notification to further facilitate fintech innovation. The key revised principles include (i) allowing the funding portal to use technologies (for example, blockchain and smart contracts) in managing share subscription money, instead of requiring the funding portal to have an escrow agent, an intermediary, or a reliable person to keep the member’s assets; (ii) allowing the funding portal to act as a secondary market by providing an e-trading platform to enable shares offered through funding portals to be traded, in order to provide more exit options for investors; and (iii) removing the current restriction that requires the company raising funds through a funding portal to use such same funding portal in the next fundraising rounds. The public hearing is open for comments until 23 August 2017.
  • Payment system law – A draft new payment system law, intended to reform and unify the laws in relation to payment systems in Thailand, was approved in the third reading by the National Legislative Assembly on 10 August 2017 and is pending only the last process of being published in the Royal Gazette in order to become law. The final draft covers the key payment systems important to the security of the financial system (and the payment finality concept) as well as payment systems under supervision (where new requirements include, for example, protection of float money in case of the business operator's insolvency).
  • National e-Payment Master Plan – The Cabinet approved the Master Plan in principle on 22 December 2015, showing the recognition and intention to drive the transformation of Thailand's payment system to full electronic payment infrastructure both in the government and private sectors. It is hoped that the Master Plan will bring about payment infrastructure development (for example, any ID payment system), e-tax system, e-payment system for social welfare, financial inclusion, and a cashless society, the environment in which fintech businesses will likely thrive.
  • Regulatory Sandbox – On 9 May 2017, the OIC launched a new notification on insurance regulatory sandbox, which would support the development of new innovations and allow applicants to experiment on new innovations within a more flexible regulatory requirement as deemed appropriate by the OIC.
  • FinTech Challenge – In July 2017, the SEC, the OIC, the BOT and six other authorities launched a contest opening up opportunities for new start-up companies to present fintech/insurtech innovations. Categories of this contest include Customer-Centric, RegTech, and Infrastructure. This initiative was introduced with the aim of supporting and encouraging new fintech/insurtech innovations.
  • Others – It is also expected that there will be continued developments in other laws and regulations relevant to the operation of fintech/insurtech businesses such as anti-money laundering law, exchange control law and data protection law.
What are the licenses required and what are the criteria and process involved?

The licenses required will depend on the specific activities contemplated. We recommend seeking the advice of local counsel.

In brief overview, key licenses for financial services operation in Thailand include:

  • finance company license (for accepting deposits of money, or accepting money from the public, subject to withdrawal on demand, or at the end of a specified period, other than the acceptance of deposits of money, or acceptance of money from the public in accounts to be withdrawn by checks, and of employing such money in any way, such as the granting of credits, or buying and selling of bills of exchange or any other negotiable instruments)
  • personal loan license (for providing loan, accepting, buying, discount purchasing, or discount purchase subrogating a bill or any owner-transferred instrument to a natural person without stipulating the objective or having the objective to acquire goods or services, and with no objective to be used in one's own business, with no property or assets as collateral; and providing loan arising from hire purchase and leasing of goods to a natural person that the business operator does not sell in normal trade, except for cars and motorcycles)
  • foreign exchange business license
  • international money transfer agent license
  • treasury center license
  • securities license based on types of regulated businesses such as securities dealing, securities brokerage, securities advisory, securities underwriting, private fund management, mutual fund management, securities lending or short sale, and venture capital
  • license for derivatives dealer, derivatives agent, derivatives advisor or derivatives fund manager
  • license for electronic payment business, such as e-money provider, credit card network provider, EDC (electronic data capture) provider, transaction switching provider, clearing service provider, settlement service provider, substitute payment service provider, and provider of electronic payment through any device or network

As there are many licenses involved in the conduct of finance-related and security-related businesses in Thailand (depending on the specific fintech/insurtech activities contemplated), advice of local counsel on the criteria or qualifications for obtaining such licenses should be sought.

However, from a general standpoint, the criteria for obtaining each license shall be based on the following qualifications of the applicants:

  • nationality
  • types of entity
  • registered and paid-up capital
  • objectives of the company
  • board composition
  • directors and major shareholders qualification
Is the use of telematics and/or biometrics regulated?

There are no specific regulations for the use of telematics or biometrics on its own; however, insurance companies should ensure that such use is compliant with any existing regulations or conduct of business requirements. Further, depending on how such technology is used, we may need to consider whether other areas of regulation are attracted (for example, telecommunications or pharmaceuticals).

In addition, if any insurance company engages in an electronic transaction, such insurance company shall be subject to the Secure Method Royal Decree issued under the Electronic Transactions Act (the E-Transactions Act), which requires an application of information technology security at a strict level.

Does the regulator draw a distinction between institutions that are "too big to fail" versus "too small to care"?

Currently, there is no specific distinction between institutions that are "too big to fail" versus "too small to care." Distinction is drawn based on types of entity and types of businesses that such entity is engaged in.

What laws (if any) do insurance companies have to comply with in respect of technology risk management?

Licensed insurers will need to comply with the OIC Notification re: Criteria, Processes and Conditions in Prescribing Minimum Standard for Risk Management of Life Insurance Companies B.E. 2560 (2017) and OIC Notification re: Criteria, Processes and Conditions in Prescribing Minimum Standard for Risk Management of Non-Life Insurance Companies B.E. 2560 (2017). These new notifications have adopted the concept of enterprise risk management in accordance with the international standard of the International Association of Insurance Supervisors (IAIS) and a number of new requirements, for example, establishment of a risk management committee, preparation of frameworks, and reporting requirements. The notifications have been announced by the OIC and are expected to be published in the Royal Gazette by September 2017 and come into force 180 days thereafter.

As mentioned in the response to question 3, the Secure Method Royal Decree requires insurance companies that engage in e-transaction to apply the required information technology security at a strict level and to comply with the security method management stipulated therein.

If any insurance company offers an e-payment service to customers and if it is regarded as an e-payment service provider under the E-Transactions Act, it is required to comply with security methods applicable to e-payment service providers under the Bank of Thailand Notification No. SorRorKor 3/2552 Re: Policies and Measures on Security of Information Systems for Business Operations of Electronic Payment Service Providers.

Are there any laws governing big data, including the collection, use, storage, disclosure and transfer of personal data?

There is currently no specific law governing big data. Exploitation of personal data may be done without the consent of the data subject if that use does not unlawfully injure the personal data rights of the data subject. However, any use of personal data in a way that unlawfully injures the right to personal data, intentionally or negligently, would violate the Constitution and may constitute a wrongful act (a tort) under the Thai Civil and Commercial Code.

In addition, the use of personal data by certain types of business sector is regulated under specific laws, such as telecommunications, credit bureau or financial services.

If an insurance company offers an e-payment service to customers and if it is regarded as an e-payment service provider under the E-Transactions Act, it is required to stipulate a personal data policy (that is, user data retention and confidentiality level).

The Thai Cabinet approved in principle the Personal Data Protection Bill (the PDPB) in January 2015. It is pending further consideration by relevant authorities before passing into law. The PDPB has certain restrictions with regard to the collection, use, storage, disclosure and transfer of personal data. For example, consent must be obtained from the data owners for the collection, use, and disclosure of personal data. The transfer of personal data is subject to certain conditions unless the consent is obtained from data owners for the transfer. If the PDPB enters into force, insurance companies would be subject to the requirements under the PDPB.

Please note, however, that there is no specific timeline when the PDPB will be passed and it is still subject to changes.

Are there any restrictions that could hinder the growth and usage of insurtech by insurance companies under data privacy laws?

Currently, Thailand does not have a consolidated law governing personal data protection. However, if the PDPB is passed under the current format, there are certain restrictions that could hinder the growth and usage of insurtech such as:

  • an organization (including insurance companies) acting as data controller is required to ensure that personal data in its possession and control is protected from unauthorized access and use, and implement appropriate security measures
  • cross-border transfer of personal data will also be subject to certain requirements and restrictions
  • an organization (including insurance companies) acting as data controller should cease to retain personal data as soon as the data owners revoke their consent (unless there is any restriction on revoking consent), after the expiration of the retention period, or when the personal data is no longer relevant or is in excess of necessity
Are there any laws governing cybersecurity or to mitigate cybersecurity concerns?

Thailand has the Computer Crime Act B.E. 2550 (2007) and its recent amendment in 2017 (Computer Crime Act) criminalizing certain activities, including the unauthorized access, use and modification of computer data and computer systems. It also empowers the officials under the act to be able to investigate offenses under the Computer Crime Act. These powers include, among others: 

  • copying computer data and traffic data of such computer system for which there is reasonable ground to believe that there has been an offense committed, in the case that the computer system is not in the possession of the competent officer
  • accessing a computer system or computer data storage equipment
  • decoding a person's computer data
  • seizing or attaching a computer system for the purpose of obtaining further details of an offense

The Thai Cabinet also approved in principle the National Cyber Security Bill in January 2015. It is pending further consideration by relevant authorities before promulgation. The Bill prescribes certain criteria to combat cyberattacks and ensure cybersecurity. Please note, however, that there is no specific timeline when the Bill will be passed and it is still subject to changes.

What innovations are insurance companies and/or regulators looking at implementing?

We have seen certain insurance companies/brokers using fintech/insurtech innovations as new channels for offering new insurance products to customers. Certain insurance companies have partnered with these fintech/insurtech operators, such as AgentMate, Savinsure, Directasia.com, etc., in offering their insurance products through this channel.

From the regulator's perspective, the OIC has launched the utilization of a regulatory sandbox in Thailand in July 2017 to enable insurers, agents, fintech/insurtech players to test their innovations. This regulatory sandbox is still at an initial stage and it remains to be seen whether it would attract the attention of fintech/insurtech developers. In addition, the OIC has also announced the new notifications on enterprise risk management, which aim to improve the standard of internal control within insurance companies in Thailand; this would be in line with the rapid changes in the insurance business sectors given the forthcoming innovations and the fierce competition among existing and new players in the market.

From the insurers' perspectives, we have seen many players' movements in relation to introducing new innovations to the market, particularly on motor and health insurance. Insurance products have been developed to fit into the customers' daily life; for example, motor insurance products in which the coverage can be activated and deactivated at the customer's sole intention, or health insurance products, which factor in technology to facilitate and monitor the customer's behavior on a daily basis. More innovations are expected to be introduced, especially with the recent introduction of the regulatory sandbox regime.

Have there been fintech/insurtech-related cases (including competition and/or data privacy) in Asia Pacific?

There are no specific cases by the financial regulators so far.

What are the most immediate challenges to insurtech innovation?
  • Lack of supporting legislation and regulations for governing the secure implementation of fintech/insurtech innovation, including consolidated data privacy protection laws. Current regulations are still unsupportive for small players in the market.
  • Thai consumers still do not have much knowledge about fintech/insurtech innovations and still prefer traditional methods when transacting.
  • Small user base and lack of funding and finances for fintech/insurtech innovation.
  • Regulatory and compliance – Insurtech businesses may not always fall squarely within any particular regulatory regime in Thailand. The regulatory sandbox approach seeks to mitigate the uncertainty over the application of laws and regulations to new insurtech businesses.
  • There is no proper ecosystem to support the development and improvement of insurtech innovations. The regulators are aiming to address this matter, but it would generally take time and support from many parties.
  • The general public has very limited knowledge and understanding of the insurance business. For example, the young generation of innovation developers finds that it has nowhere to design and fit its innovations to the insurance sector. This limits initiatives on insurtech innovations. In order to encourage insurtech innovation, a basic understanding of the insurance business must be conveyed to the developers.
  • The Thai insurance industry comprises several big players dominating the market. These insurers have a more profound understanding of the business and are extremely active in spotting opportunities to develop insurtech innovations. This makes it difficult for new insurtech start-ups to make a breakthrough entry to the market. Even if they are able to do so, there is a possibility that they would need to partner with the insurer or eventually sell the business.
What has been, or could be, the impact of fintech/insurtech on the financial services industry?

The development of fintech/insurtech technologies and innovations will continue to shape customer behavior, business models, and the structure of the financial services industry, and will become new trends that should be closely monitored. It would also urge big players in the market to be more innovative and promote competition among all of them. From the regulators' standpoint, the regulators are forced to have a better understanding of new innovations and business trends in order to catch up with the rapid changes in the business sector, so that appropriate rules and regulations can be issued and implemented in such a way that would not only help regulate new innovations, but also support the implementation that would, in turn, provide benefit to the general public as a whole. From the customers' standpoint, fintech/insurtech innovations could redefine the way in which the financial services industry is conducted. Traditional methods of communication between the customers and business operators are likely to be reinvented. Most importantly, insurtech innovation would also serve as a key function to reconnect the customers and the business operators.

The development of fintech/insurtech would also offer more business opportunities to both young generation of developers and players within the financial service industry. It is also likely to promote cooperation within the industry, for example, joint venture. Existing players could become key investors in new fintech/insurtech start-ups. There will also be more opportunities for M&A activities in a later stage as it serves as a way to either expand or protect the ongoing business.

What insurtech trends or disruptions may impact insurance companies?

We expect to see insurance companies more involved in insurtech innovation in many areas, whether by themselves or through partnership with other insurtech operators, in order to create efficiency in providing insurance services to customers.

Potential areas in which insurtech innovation could play a role in the insurance business might include the offering of insurance products, price comparison between insurance products and policy underwriting, and claims management services.

We can also expect to see competition between insurance companies to capture this new business opportunity. Insurance companies are likely to be forced to improve their products to catch up with the customers' lifestyle and for this, a close monitoring and research of the customer's interest and behavior would be the key focus. They may also look to invest in venture capital companies focusing on insurtech start-ups and must also look to recruit members of the young generation with the potential to drive the organization toward the current trends.