In April 2025, an amendment to Thailand's Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes B.E. 2566 (2023) quietly rewired the country's intermediary liability framework. The Royal Decree now imposes joint liability on commercial banks, mobile network operators, and digital platform providers for losses suffered by victims of online scams when those intermediaries fail to meet prescribed duty-of-care standards. A year on, the policy is being marketed as a victim-protection breakthrough. It is also one of the most consequential — and least scrutinised — pivots in Southeast Asian internet law.
From safe harbour to co-defendant
Thailand's original 2023 emergency decree, passed amid a surge in call-centre fraud operations linked to compounds along the Myanmar and Cambodian borders, gave authorities power to freeze suspicious accounts within hours and created the Anti Online Scam Operation Center (AOC) as a one-stop hotline (1441) for victims. That regime largely preserved a conventional liability structure: criminals were the wrongdoers, and intermediaries were obliged to cooperate with takedowns and account freezes.
The 2025 amendment changes the default. Where a bank fails to detect a mule account it should reasonably have flagged, a telco fails to suspend a SIM tied to repeated fraud signals, or a platform fails to act on notified scam advertisements within a prescribed window, the intermediary can be held jointly liable for the victim's loss. Compliance with the duty-of-care standard — to be specified by sectoral regulators including the Bank of Thailand, the NBTC, and the Ministry of Digital Economy and Society — is the only escape hatch.
The scam problem is real. The policy design is not proportionate.
Nobody disputes the underlying harm. Thai authorities and AOC reporting have repeatedly placed annual scam losses in the tens of billions of baht, and the Royal Thai Police have publicly tied a large share of activity to industrial-scale fraud compounds operating outside Thai jurisdiction. Victims often recover little. Faced with that reality, lawmakers have reached for the lever closest to hand: domestic intermediaries with deep pockets and assets inside the country.
That instinct is understandable but flawed. Joint liability regimes work cleanly when the intermediary has both the information and the practical means to prevent the harm. In online fraud, the wrongdoer is typically a syndicate operating across borders, using stolen credentials, rented infrastructure, and money mules whose accounts pass every front-end KYC check. A bank cannot reliably distinguish a coerced mule account from a legitimate small business in real time. A platform cannot ground-truth every advertiser claim before it goes live. Once liability attaches to outcomes rather than process, intermediaries rationally over-block: more frozen accounts, more shuttered ad accounts, more legitimate users caught in dragnet defences. The cost is borne disproportionately by small merchants, gig workers, and first-time digital finance users — exactly the constituencies Thailand's Digital Economy strategy is trying to bring online.
The PDPA collision
The harder problem is doctrinal. Effective fraud detection requires intermediaries to share signals — suspicious transaction patterns, recycled device fingerprints, linked phone numbers — across institutional boundaries. Thailand's Personal Data Protection Act B.E. 2562 (2019), which took full effect in June 2022, treats most of that data as personal information subject to lawful-basis requirements, purpose limitation, and data subject rights.
The amendment authorises data sharing between financial institutions and the AOC for anti-fraud purposes, and the Personal Data Protection Committee (PDPC) has issued guidance attempting to reconcile the two regimes. But the boundaries remain blurry. Can a bank share a customer's transaction history with a telco to corroborate a SIM-swap pattern? Can a platform share advertiser identity data with a bank to flag a fraudulent merchant account? Each of these is operationally necessary, and each sits in a grey zone between the decree's anti-scam mandate and the PDPA's data minimisation principle. Intermediaries facing joint liability on one side and PDPA penalties on the other will, predictably, choose the path that minimises documented exposure — typically more sharing, less transparency to data subjects, and weaker audit trails.
A better design exists
The pro-innovation answer is not to deny that intermediaries should do more. It is to align incentives without collapsing the safe-harbour logic that has underwritten the open internet and the modern payments stack. Three calibrations would help:
- Process-based safe harbours, not outcome-based liability. Intermediaries that implement and audit prescribed controls — real-time mule detection models, scam-ad notice-and-action workflows, SIM-fraud signal sharing — should be presumptively protected, even when individual losses occur. The UK's APP fraud reimbursement model and Singapore's Shared Responsibility Framework both lean in this direction and offer instructive contrasts.
- A statutory data-sharing gateway with PDPC oversight. Rather than leaving each intermediary to interpret PDPA lawful bases on its own, Parliament should codify a narrow, purpose-limited gateway for anti-fraud signal sharing, with mandatory logging, independent audit, and a sunset review.
- Proportionality for smaller actors. Duty-of-care obligations should scale with user base and transaction volume, so that fintech challengers and smaller platforms are not driven out by compliance costs that only incumbent banks and global platforms can absorb.
Thailand's ambition to become an ASEAN digital economy hub depends on a legal environment that punishes fraudsters without taxing legitimate innovation. The 2025 amendment correctly identifies the problem. Its blunt liability mechanism risks solving it in ways that quietly raise the cost of being online in Thailand — for everyone except the criminals it was meant to deter.