Due to the increasing adoption of Blockchain technology in Thailand’s financial services landscape, the Bank of Thailand (the “BOT”) has issued the Guideline for Blockchain Technology Adoption in Financial Services (the “Guideline”) for the financial service providers under its supervision (i.e. financial institutions, companies in the financial conglomerate of banks, non-banks, and payment business operators). The Guideline is the BOT’s initiative to ensure that financial service providers’ adoption of Blockchain technology is safe, reliable, and suitable for their financial services and in line with international standards.
Under the Guideline, a financial service provider is required to comply with the requirements under the Guideline to join as a member or act as an administrator of a Private Blockchain Network, while a consultation with the BOT on a case-by-case basis is required if the financial service provider will adopt a Public Blockchain Network. We highlight four key principles of the Guideline below.
1. Blockchain Business Application
Financial service providers should conduct feasibility assessments on the adoption of Blockchain technology, understand benefits and constraints of the technology and have criteria and strategies to select a Blockchain technology or platform that suits their business prior to actual adoption, considering factors such as data privacy, the architectural design of the platform, network governance, future development of the platform, support of the technology provider, and cost efficiency.
2. Blockchain Governance
The Guideline provides a regulatory framework for projects using Blockchain technology, including with regard to the necessary roles and duties of related parties, operational risk management, security measures, and supervision and audit of third-party service providers.
2.1 If the financial service provider is a user or a member of a Blockchain network
The financial service provider should ensure that its projects using Blockchain technology align with its business model and comply with the BOT’s regulations on IT risk management and have in place appropriate policies and procedures in relation to the use of Blockchain technology. The financial service provider should also monitor IT security and fraud and ensure that the risk of using Blockchain technology is at an acceptable level, and ensure the use of a third party’s Blockchain network is in compliance with the BOT’s Third-Party Risk Management Implementation Guideline.
2.2 If the financial service provider is an administrator of a Blockchain network or financial infrastructure Blockchain project
As a network administrator, the financial service provider should set out and comply with its roles and responsibilities as the administrator, e.g. by setting business strategies, cyber attack counter-measures, and onboarding rules, and by administering the technology and architecture of the Blockchain system and the stability and security of the IT infrastructure. In addition, a written IT security standard or guideline and general rules applicable to members of the Blockchain network should be put in place.
3. IT Risk Management
The financial service providers’ IT risk management should be in line with international standards and the BOT’s regulations on IT risk management. Suggested measures for doing so include: (i) access control; (ii) securing on-chain and off-chain information; (iii) data verification and backups; (iv) transaction monitoring; (v) running stress tests and an annual security test; (vi) monitoring the access keys used for the blockchain; (vii) keeping transaction records and logs; and (viii) putting in place a business continuity plan and an IT disaster recovery plan.
4. Legal Risk Management
The adoption of Blockchain technology must comply with all relevant laws and regulations, including laws and regulations regarding anti-money laundering and counter terrorism financing, electronic transactions, cybersecurity, digital assets businesses, and data privacy.
For example, to protect the customers’ data privacy, if the financial service provider is a user or member of a Blockchain network, it should conduct a Data Protection Impact Assessment in relation to the adoption of the network and consider whether to keep the customers’ personal data off-chain. On the other hand, if the financial service provider is an administrator, it should put in place an agreement between members and parties involved in the network, e.g. methods of and conditions for verifying the on-chain information (e.g. deriving consensus) to reduce disputes among members.
The financial service providers should also put in place an agreement between the relevant parties regarding smart contracts used on a Blockchain network, covering legality and validity of the transaction, rights and obligations of the parties, and dispute resolution procedures.
As adoption of Blockchain technology is becoming a major trend, it is worth keeping an eye on how the regulators will support and regulate this adoption. We will keep you posted if there are any further updates.
Content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes. For more information, please visit: www.bakermckenzie.com/en/disclaimers.