Ready to go cashless?
Legal experts warn that electronic payments may pose security and privacy risks without adequate legislation
The trend towards a cashless society is picking up steam as the government advances rapidly towards the use of electronic cash as part of its pursuit of a digital economy.
However, legal experts have raised concerns about security, privacy, crime and computerisation -- issues that will crop up from giving the government, central bank and designated financial institutions absolute monetary control.
They also fear that without society being able to understand the pros and cons of electronic cash, the full benefit of the cashless society may never be realised.
More importantly, with Thailand being one of the world's top 25 targets for malware attacks and Bangkok a prime target of hackers in Asia-Pacific, legal experts are worried about the security risks of contactless payment.
The government is making it compulsory for all companies to enter the national e-payment system by 2019 to transform Thailand from a cash-based society to a cashless one. PromptPay, an electronic money transfer and payment service, will be key to the transition.
Dhiraphol Suwanprateep, a partner at Baker & McKenzie law firm in Bangkok, says PromptPay is a centralised system, so electronic payments for online transactions will be easier to trace.
Tax evasion, money laundering, corruption and illegal funding of organised crime and terrorism would be noticeable if transferred via PromptPay.
"These traceable data may help in reducing these illegal activities," Mr Dhiraphol says.
However, he says it is also arguable that if criminals continue to use cash or other anonymous payment means such as bitcoins [a form of digital currency created and held electronically], this form of illegal funding would still be untraceable.
"The biggest concern for PromptPay is that Thailand still lacks a consolidated personal data protection law in general," he stresses.
Banks and e-payment service providers are already regulated under specific banking laws and regulations.
For example, e-payment service providers are regulated under the Royal Decree regulating E-payment Service Business (2008) and the recent ETC Notification re: Requirements, Procedures, and Conditions for Undertaking Electronic Payment Service Business (2016).
These laws prescribe that e-payment service providers must keep customer data confidential throughout and after using the service, with certain exceptions -- for example, if the customers have given written consent or the disclosure is for the purpose of investigation, litigation, compliance with laws or supervision of the Bank of Thailand.
However, these laws specifically regulate banks and e-payment service providers, not everyone in general. As such, it is very important that the government enact the Personal Data Protection Bill, which was approved in principle by the cabinet in January 2015.
"It needs to be put in place alongside the PromptPay system," says Mr Dhiraphol. "This is to ensure that Thailand has a consolidated and general law to protect people's personal data against inappropriate data handling and/or data breaches of the PromptPay system, where personal data of users will be centralised and susceptible to abuse."
People may feel sceptical if the government rushes the PromptPay system but delays enacting the Personal Data Protection Bill without providing any specific timeline, he says. The public needs reassurance that "everyone" (as opposed to those banks and e-payment service providers already regulated) who illegally accesses and discloses their personal data will be punishable by law.
Thailand has laws allowing authorities such as the Revenue Department to access data and documents, particularly if fraud is suspected.
The Anti-Money Laundering Office (Amlo) has the power to gather evidence for the purpose of taking legal proceedings under the Anti-Money Laundering Act. Similarly, Amlo has the power to gather evidence for the purpose of the seizure, attachment or confiscation of property under the Counter-Terrorism Financing Act or other laws.
Mr Dhiraphol says these investigating powers are quite broad in order to gather relevant evidence. When personal data is centralised under the PromptPay system, especially financial personal data, data owners who are not criminals would be loath to have their personal data be part of any investigation unless it is absolutely necessary.
This is another reason why the government must expedite the Personal Data Protection Bill while pushing PromptPay to be widely used.
As there is no such personal data protection law in place, the government must at the very least ensure that PromptPay transactions and personal data will not be illegally accessed, investigated, disclosed, misused and/or used beyond the purposes stated.
"If this can be guaranteed, the public are likely to embrace the PromptPay system and Thailand's cashless society may not remain simply a pipe dream," says Mr Dhiraphol.
Paiboon Amonpinyokeat, a partner at P&P Law Firm, says a slew of concerns lie ahead for PromptPay, especially the accuracy of the national ID card system.
There could be a great opportunity for fraud involving the use of another person's identity. There are many cases where people let others use their ID cards to open bank accounts under names other than their real ones.
"There's no country in this world implementing the PromptPay system by linking a national ID card or mobile phone number to bank accounts," says Mr Paiboon. "With no data protection law, how can people ensure that government officers will not abuse their power to access information or misuse that personal info?"
He says a low level of consumer awareness of mobile security threats is also a concern.
An industry source disclosed that the government has a master password to get access to the national identity database.
Prinya Homanake, vice-president of the Thailand Information Security Association, says the Bank of Thailand needs to conduct penetration testing and security risk assessments including an incident response plan.
Thanachart Numnonda, president of the Association of Thai ICT Industry, says PromptPay comes with good intentions but Thai people have little understanding and security awareness.
Yos Kimsawate, head of the Payment Systems Office under the Thai Bankers' Association, says PromptPay is a closed system and transactions will only require a user's mobile phone or ID card number.
"Financial institutions cannot see other information contained on the card. They also cannot access the individual information," he stresses.
If the government needs to access information of a bank account owner, the state must use a legal protocol to comply with the Bank of Thailand's regulations governing personal data protection, says Mr Yos.
But liability for hacking related to PromptPay will fall on consumers in cases in which mobile phones are infected with malware and viruses or if "jailbreaking" occurs, he says.
Finance Minister Apisak Tantivorawong has insisted that signing up for PromptPay using the 13-digit number is for identification only, and financial institutions cannot see other information contained on the card.
Mr Apisak has called on the Information and Communication Technology Ministry to speed up deliberation and approval of the Personal Data Protection Act by the National Legislative Assembly in order to dispel concerns about personal privacy protection with PromptPay.
Prawit Leesathapornwongsa, a commissioner of the National Broadcasting and Telecommunications Commission, acknowledges that security and privacy remain the greatest concerns about PromptPay among consumers.
He warns that users need to frequently update their mobile devices' security features in order to prevent malware infections.