The Bank of Thailand has implemented additional regulations to supervise IT system management among e-payment service providers in order to beef up cybersecurity and keep up with upgraded technologies.
The central bank has enforced upgraded regulations on IT risk management to supervise all e-payment service providers, covering non-bank companies, in addition to the existing regulations governing financial institutions.
The additional regulations will upgrade the IT risk management standard of e-payment service providers to be in line with the standard applied for financial institutions. This move is in accordance with upgraded technologies and rising cybersecurity risks.
Siritida Panomwon Na Ayudhya, assistant governor of the payment systems policy and financial technology group, said the additional regulations cover two main areas, namely cyberhygiene, a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security and IT risk management. The central bank requires all e-payment service providers to comply with the cyberhygiene regulation.
Cyberhygiene is primarily a cybersecurity aspect covering building security baselines and infrastructure hardening, malware protection, security patch management, privilege user ID management, multi-factor authentication as well as vulnerability assessment and penetration test. The regulation will take effect in April of this year.
For IT risk management regulation, this covers significant e-payment service providers (those who are crucial to e-payment services), who connect their IT infrastructure systems with outsiders and offer financial services via Wi-Fi connections as well as business operators providing financial services of either at least 5 million accounts or 10 million transactions.
Significant e-payment service providers are also required for IT governance, IT security and IT project management regulations based on the confidentiality, integrity and availability principle. The IT risk management regulations will be effective from January 2022.
These e-payment service providers have to upgrade financial service technologies to offer greater convenience to consumers and respond to user requirements. The regulatory framework also covers business operators, whose IT systems are connected with external stakeholders, as this warrants higher cybersecurity risks.
"We hope the additional IT management regulation will help protect cybersecurity risks and build up consumer confidence. Similar regulation in the UK lowered cybersecurity risks by around 50%," said Ms Siritida.
Thailand's e-payment usage per person per year rose to 194 in 2020 from 135 in 2019 and 89 in 2018. Digital banking transactions via PromptPay, the government-initiated money transfer and payment system, have continued to surge. The number of registrations via PromptPay totals 56 million IDs.
The central bank implemented the Payment System Act in 2017 to supervise IT risk management among financial institutions. In 2020, the regulator announced the Guiding Principles for Mobile Banking Security to enhance protection from cybersecurity threats related to transactions via mobile devices.
The existing IT risk and cybersecurity management regulations cover governance, identification, protection, detection, response and recovery.
Ms Siritida said e-payment and digital banking users can basically protect themselves from cybersecurity risks by setting up a complex PIN number that is not disclosed to others.