
Thailand BOT AI Risk Management Guidelines: Financial Services Compliance

February 12, 2026 | 11 min read | Pertama Partners
Updated March 15, 2026
For: Board Member, CISO, CTO/CIO, IT Manager, CHRO

The Bank of Thailand (BOT) released mandatory AI Risk Management Guidelines in September 2025 for all financial service providers. Built on FEAT-aligned principles, they require governance structures, lifecycle controls, and fairness monitoring.


Key Takeaways

  1. Mandatory for all BOT-supervised entities: banks, special FIs, payment providers, licensed fintechs
  2. Two pillars: AI governance/oversight and AI development/security controls
  3. FEAT-aligned principles: fairness, ethics, accountability, transparency
  4. Covers both in-house and third-party AI systems
  5. Board must approve AI governance policies and risk appetite
  6. Proportionate implementation based on institution size and AI usage

What Are the BOT AI Risk Management Guidelines?

On 12 September 2025, the Bank of Thailand (BOT) released the final version of its AI Risk Management Guidelines for Financial Service Providers. These guidelines establish mandatory requirements for how banks, financial institutions, special financial institutions, and payment service providers govern and manage AI risks.

The guidelines build on principles aligned with Singapore's FEAT framework (Fairness, Ethics, Accountability, Transparency) and apply to both in-house developed AI systems and third-party AI tools.

Who Must Comply

The guidelines apply to all entities under BOT supervision:

  • Commercial banks (Thai and foreign branches)
  • Specialized financial institutions (Government Savings Bank, SME Bank, etc.)
  • Payment service providers
  • Licensed fintech companies
  • Other BOT-regulated entities using AI

Compliance expectations are proportionate to the institution's size, complexity, and extent of AI usage.

Two Main Pillars

Pillar 1: Governance of AI System Implementation

Board and senior management oversight:

  • Board must approve AI governance policies and risk appetite
  • Senior management must ensure adequate resources and capabilities for AI risk management
  • Clear reporting lines and escalation procedures for AI issues

AI governance framework:

  • Comprehensive policies covering AI development, deployment, monitoring, and retirement
  • Risk assessment methodology for AI applications
  • Roles and responsibilities for AI governance across the organization
  • Integration with existing risk management and internal audit functions

AI inventory and classification:

  • Complete inventory of all AI systems in use
  • Classification by materiality and risk level
  • Regular review and update of the inventory

Pillar 2: AI System Development and Security Controls

Data governance:

  • Data quality standards for AI training and operational data
  • Data lineage tracking
  • Protection of personal and sensitive data in accordance with Thailand's PDPA
  • Bias monitoring in training data

Model development:

  • Documented development processes
  • Validation and testing requirements before deployment
  • Model documentation including design, data sources, limitations, and assumptions
  • Peer review for high-risk models

Deployment controls:

  • Staged deployment with monitoring
  • Integration testing with existing systems
  • User training and change management
  • Rollback procedures

Ongoing monitoring:

  • Performance monitoring against defined metrics
  • Data and model drift detection
  • Regular model revalidation
  • Incident detection and response

Third-party AI management:

  • Due diligence on AI vendors and service providers
  • Contractual requirements for data handling and model performance
  • Ongoing oversight of third-party AI performance
  • Exit strategies and contingency plans

Key Principles

The guidelines are built on principles that closely align with Singapore's FEAT framework:

Fairness: AI systems should not produce unfairly biased outcomes. Financial institutions must monitor for bias across demographic groups and customer segments. Credit scoring, lending decisions, and insurance pricing are specific areas of focus.

Ethics: AI should be used responsibly and in accordance with ethical standards. This includes ensuring AI applications serve legitimate business purposes and do not cause disproportionate harm.

Accountability: Clear accountability structures must exist. The board bears ultimate responsibility, with senior management ensuring day-to-day governance.

Transparency: AI decision-making should be explainable to relevant stakeholders. Customers should understand when AI influences decisions affecting them. Regulators should have access to model documentation.

Comparison with Regional Financial AI Guidelines

| Feature | Thailand BOT | Singapore MAS | Malaysia BNM | Indonesia OJK |
| --- | --- | --- | --- | --- |
| Status | Final (Sep 2025) | Proposed (Nov 2025) | Proposed (Aug 2025) | Mandatory (Dec 2025) |
| Scope | All FSPs | All FIs | Banks, insurers | Banks |
| Principles | FEAT-aligned | FEAT | BNM principles | Pancasila + 6 |
| Third-party AI | Covered | Covered | Covered | Covered |
| GenAI specific | Limited | Yes (MindForge) | Limited | Limited |
| Proportionality | Yes | Yes | Yes | Yes |

How to Comply

Step 1: Governance Structure

  • Establish or update board-level AI oversight
  • Define AI risk appetite and governance policies
  • Assign AI governance responsibilities across the three lines of defense
  • Integrate AI governance with existing risk management

Step 2: AI Inventory

  • Catalog all AI systems in use (in-house and third-party)
  • Classify each by risk level and materiality
  • Prioritize governance efforts accordingly

Step 3: Lifecycle Controls

  • Implement data governance standards for AI data
  • Establish model development and validation processes
  • Create deployment and monitoring procedures
  • Define model retirement criteria

Step 4: Fairness and Transparency

  • Define fairness metrics relevant to your AI applications
  • Implement bias monitoring for credit scoring, lending, and pricing
  • Establish mechanisms for customers to understand and contest AI decisions
  • Document model decisions and their rationale

Step 5: Third-Party Management

  • Review AI vendor contracts and due diligence
  • Establish ongoing monitoring of vendor AI performance
  • Develop contingency plans for vendor issues
  • Ensure vendor compliance with PDPA and BOT requirements

  • Thailand PDPA: Underlying data protection requirements for all AI data processing
  • Singapore MAS AI Guidelines: Comparable framework for financial AI governance
  • Malaysia BNM AI Guidelines: Similar requirements in neighboring market
  • Indonesia OJK AI Guidelines: Mandatory financial services AI governance
  • ASEAN AI Governance Guide: Regional framework informing all financial regulators

Timeline of Regulatory Development and Key Compliance Dates

The Bank of Thailand (BOT) published its Artificial Intelligence Risk Management Guidelines through a phased consultative process. Financial institutions need to understand that process to put current requirements in context and anticipate forthcoming obligations.

June 2025 — Consultation Paper Release. BOT published draft AI Risk Management Guidelines for public consultation, with the consultation period running from 12 June to 30 June 2025.

September 2025 — Final Guidelines Publication. On 12 September 2025, BOT released the final AI Risk Management Guidelines organized across two pillars: governance of AI system implementation, and AI system development and security controls. The guidelines align with internationally recognized responsible AI principles including FEAT (Fairness, Ethics, Accountability, and Transparency).

Comparing BOT Guidelines Against Regional Regulatory Frameworks

BOT versus MAS (Singapore). The Monetary Authority of Singapore published its Veritas Initiative assessment methodology alongside the FEAT principles (Fairness, Ethics, Accountability, Transparency), emphasizing industry self-governance. BOT's framework imposes stricter documentation requirements and establishes explicit inspection authority, reflecting Thailand's traditionally more prescriptive regulatory approach across financial services supervision.

BOT versus Bank Negara Malaysia (BNM). BNM's Discussion Paper on Artificial Intelligence in the Malaysian Financial Sector, published August 2025, shares substantial structural overlap with BOT's guidelines, reflecting coordination through ASEAN Financial Innovation Network working groups. Key differences include BNM's additional emphasis on Shariah-compliant financial product considerations and cross-border data transfer provisions aligned with Malaysia's Personal Data Protection Act amendments.

BOT versus OJK Indonesia. The Otoritas Jasa Keuangan published POJK Regulation 2025 on Technology-Based Lending and Digital Financial Innovation incorporating generative technology provisions. OJK maintains separate regulatory tracks for banking, insurance, and capital markets applications, while BOT consolidates oversight through unified guidelines applicable across all licensed financial institution categories.

Practical Implementation Roadmap for Financial Institutions

Pertama Partners recommends Thai financial institutions execute seven preparatory workstreams before Phase 2 enforcement activation:

  1. Governance Architecture Review — establish board-level oversight subcommittee with quarterly reporting cadence and documented escalation thresholds for model risk events
  2. System Inventory and Classification — catalog all deployed systems meeting BOT's definition of artificial intelligence applications including chatbots built on Dialogflow or Amazon Lex, automated credit scoring models, fraud detection algorithms, and customer segmentation engines
  3. Model Validation Framework — implement independent validation procedures covering initial deployment approval, ongoing performance monitoring using statistical drift detection through tools like Evidently, NannyML, or Fiddler, and periodic recalibration assessments
  4. Data Governance Enhancement — document training data provenance, establish quality assurance procedures, and implement lineage tracking compatible with Thailand's Personal Data Protection Act enforcement standards administered by the PDPA Committee
  5. Consumer Transparency Mechanisms — develop customer-facing disclosure templates explaining automated decision-making involvement in loan approvals, insurance underwriting, and investment recommendation generation

Common Questions

Yes. The BOT released the final version in September 2025, and they apply to all financial service providers under BOT supervision. Implementation expectations are proportionate to the institution's size and AI usage, but all regulated entities must have basic AI governance in place.

Yes. The guidelines explicitly cover third-party AI tools. Financial institutions remain responsible for AI governance even when using vendor-provided AI systems. This includes due diligence, contractual protections, ongoing monitoring, and exit strategies.

They are closely aligned. Both use FEAT-aligned principles, require board oversight, mandate lifecycle controls, and expect proportionate implementation. Key differences: BOT guidelines were finalized earlier (September 2025 vs MAS still in consultation), and MAS has more explicit GenAI provisions through Project MindForge.

Financial institutions must monitor AI systems for unfair bias across demographic groups and customer segments. This is particularly important for credit scoring, lending decisions, and insurance pricing — areas where AI bias could have significant financial impact on customers.
