The Bank of Thailand (BoT) is responding to the rapid growth of mobile and QR transactions by consulting on minimum standards for onboarding, monitoring and incident response in the digital payments sector.
In a bid to strengthen merchant fraud management in Thailand’s fast-growing digital payments market, the BoT is seeking feedback on new merchant fraud management (MFM) guidelines and accompanying minimum standards.
The guidelines are being introduced under the Payment Systems Act B.E. 2560 (2017) and will replace earlier “know your merchant” circulars. Once finalised, operators will have 180 days to comply, including reviewing existing merchant relationships to ensure compliance with the new standards.
The BoT has pitched the new compliance proposals as a way to address rising risks from digital fraud, including fake merchants, mule accounts and both authorised and unauthorised payment fraud.
Without stronger oversight, the regulator warned, consumer confidence in the payments system could be undermined.
The consultation is open until September 11, 2025.
What are the new compliance requirements?
The new rules would apply to acquirers, payment facilitators, e-money issuers and other regulated payment service providers (PSPs).
They would require firms to establish merchant risk assessment and classification frameworks, adopt fraud management measures proportionate to risk, maintain internal controls and monitoring processes and extend oversight to master merchants and their sub-merchants.
Business operators would also be obligated to provide the BoT with evidence of their practices upon request.
The minimum standards set baseline requirements for merchant onboarding, verification, monitoring and, where necessary, termination of relationships.
Controls would be on a sliding scale, varying based on the merchant’s size and risk profile, with small merchants such as food carts subject to lighter checks than large or high-risk merchants.
For onboarding, operators would be expected to collect and verify identification, business information, beneficial ownership details and bank accounts, with additional checks for online stores such as IP addresses and website ownership.
Higher-risk merchants would be subject to enhanced scrutiny, including site visits and senior management approval.
Ongoing risk management obligations include monitoring merchant behaviour for unusual patterns such as sharp increases in sales, large refund volumes or adverse media reports.
Firms would need to apply transaction limits, investigate irregularities and, where necessary, suspend services and, in some instances, terminate relationships.
Oversight of master merchants would also be tightened, with requirements to conduct risk assessments, submit reports and allow random audits of sub-merchants.
The BoT indicated that liability could extend to master merchants in cases of fraud by their sub-merchants.
The draft guidelines also introduce new standards for incident response and information exchange.
Operators would need to provide clear channels for reporting fraud, assist affected merchants and ensure fair treatment of those wrongly flagged. Significant cases would need to be escalated to senior executives or boards.
In addition, firms would be required to share relevant data with agencies such as the country’s Anti-Money Laundering Office and Royal Thai Police to support investigations.
PSPs will also be expected to promote awareness of fraud risks among merchants, using practical and accessible methods.
PromptPay prompts updated fraud oversight
Thailand’s rapid adoption of QR code and mobile payments is a major driver of the BoT’s new fraud rules.
The country’s PromptPay system is now widely used for peer-to-peer (P2P) and merchant transactions, with even small vendors such as street food vendors using it.
This has significantly expanded the number of merchants in the digital payments ecosystem, many of which had no prior relationship with banks or card acquirers.
Although this has supported financial inclusion, following the example set by schemes such as the Unified Payments Interface (UPI) in India and Brazil’s Pix, the low barriers to QR payment acceptance also create vulnerabilities.
Opening a merchant account may require little more than linking a bank account or e-money wallet to a QR code, which makes it easier for fraudsters to establish fake merchants or to channel illicit funds through mule accounts.
As QR payments replace cash, the risks of scams and transaction laundering are shifting into the payment system itself. Fraudulent merchants can exploit the speed and irreversibility of mobile transfers, exposing consumers and placing liability on PSPs.
Thailand’s efforts to link PromptPay with regional QR networks such as Singapore’s PayNow and Malaysia’s DuitNow add complexity, creating new avenues for cross-border fraud that must be carefully managed.
The BoT therefore views QR adoption as both a digital success story and a growing fraud vector.
Its draft merchant fraud management guidelines aim to guarantee that payment providers implement adequate safeguards so that a system designed for low-cost, convenient payments does not become an easy target for abuse.