BOT 4/2568 Is Live — Is Your Mobile Banking App Ready?
Thailand's toughest mobile banking security rules are now in effect. One device per user, biometric gates on high-value transfers, a total ban on clickable links, and 24/7 fraud response are just the headline mandates. We break down every requirement and show you how to close the gaps before your next BOT examination.
What is BOT Notification 4/2568?
Notification 4/2568, issued by the Bank of Thailand in early 2025, establishes the most prescriptive set of mobile banking security controls Thailand has ever seen. It was a direct response to the explosion of financial fraud, banking malware, SIM-swap scams, and phishing campaigns targeting Thai consumers. Read together with the refreshed IT Risk Management Guidelines (November 2023), it creates an end-to-end security baseline that every licensed bank, e-money issuer, and payment provider must implement.
Reference: BOT Notification No. 4/2568 (Effective 2025)
Who Falls Under BOT 4/2568?
Every BOT-regulated entity that puts a mobile app in customers' hands is in scope — there are no carve-outs.
The Six Pillars of BOT 4/2568
Notification 4/2568 and the IT Risk Management Guidelines together enforce strict controls across six domains. Here is what each one demands.
1-Person-1-Device Binding
Each user may register only one mobile device per banking account per institution. Apps must refuse to run on jailbroken or rooted devices and on phones with severely outdated operating systems, shutting down the primary attack vector for remote access trojans (RATs).
Biometric Verification & Transfer Limits
Facial recognition with liveness detection is required for any single transfer above ฿50,000 or when daily totals exceed ฿200,000. Vulnerable groups — minors under 15 and the elderly — are capped at ฿50,000 per day.
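As an added illustration (not Reconix's or the BOT's own code), the threshold rules above encoded as a transfer-authorization policy with a per-customer running daily total. It assumes the daily thresholds count the pending transfer, that "elderly" is a flag the bank sets from its own KYC definition, and that the caller records a transfer with `commit()` only after the biometric step-up succeeds.

```python
"""Transfer-authorization policy for the BOT 4/2568 thresholds (added example, not BOT or vendor code)."""
from dataclasses import dataclass
from datetime import date

SINGLE_TRANSFER_BIOMETRIC_THB = 50_000  # any single transfer above this needs face + liveness
DAILY_TOTAL_BIOMETRIC_THB = 200_000     # running daily total above this needs face + liveness
VULNERABLE_DAILY_CAP_THB = 50_000       # minors under 15 and the elderly: hard daily cap


@dataclass
class Customer:
    customer_id: str
    age: int
    elderly: bool = False  # assumption: set from the bank's own KYC definition of "elderly"

    @property
    def vulnerable(self) -> bool:
        return self.age < 15 or self.elderly


class TransferPolicy:
    """Keeps a per-customer running total for the current day and decides each transfer."""

    def __init__(self) -> None:
        self._daily: dict[tuple[str, date], int] = {}

    def decide(self, customer: Customer, amount_thb: int, today: date) -> tuple[str, str]:
        """Return (decision, reason): 'ALLOW', 'STEP_UP' (biometric required) or 'BLOCK'."""
        if amount_thb <= 0:
            return "BLOCK", "non-positive amount"
        key = (customer.customer_id, today)
        # Assumption: thresholds and caps are evaluated against the total including this transfer.
        projected = self._daily.get(key, 0) + amount_thb
        if customer.vulnerable and projected > VULNERABLE_DAILY_CAP_THB:
            return "BLOCK", "vulnerable-group daily cap of 50,000 THB exceeded"
        if amount_thb > SINGLE_TRANSFER_BIOMETRIC_THB:
            return "STEP_UP", "single transfer above 50,000 THB"
        if projected > DAILY_TOTAL_BIOMETRIC_THB:
            return "STEP_UP", "daily total above 200,000 THB"
        return "ALLOW", "below thresholds"

    def commit(self, customer: Customer, amount_thb: int, today: date) -> None:
        """Record a completed transfer (after any step-up passed) so later decisions see the total."""
        key = (customer.customer_id, today)
        self._daily[key] = self._daily.get(key, 0) + amount_thb
```

The boundary cases matter in a BOT examination: exactly ฿50,000 is allowed without biometrics, ฿50,001 is not, and the daily counter resets per calendar day.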
Anti-Phishing Communication Rules
Banks are banned from embedding clickable links in SMS or email — full stop. Links via social media are permitted only when the customer explicitly requests them. Soliciting sensitive data (usernames, passwords, OTPs, PINs, National IDs) through any channel is prohibited.
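An added example (not Reconix's or the BOT's code) of how a bank can lint its outbound message templates against these rules before release: it flags anything a phone or mail client would render as a tappable link in SMS or email, allows links on social channels only when a customer-request flag is set, and flags wording that asks the customer to supply credentials or identifiers. The TLD list and solicitation verbs are assumptions to be tuned to the bank's own templates.

```python
"""Outbound-message lint for the BOT 4/2568 anti-phishing rules (added example, not BOT or vendor code)."""
import re

# Anything a client renders as a link: schemes, www., bare domains (assumed TLD list, extend as needed).
URL_RE = re.compile(
    r"(?i)\b(?:https?://|www\.)\S+"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|th|co|io|ly|me|app)\b(?:/\S*)?"
)
# Data the notification says must never be requested through any channel.
SENSITIVE_RE = re.compile(
    r"(?i)\b(?:otp|one[- ]time (?:password|pin)|pin|password|passcode|username|"
    r"national id|id card number|citizen id|cvv)\b"
)
# Assumed solicitation verbs; "your OTP is 1234, never share it" must NOT trigger.
SOLICIT_RE = re.compile(r"(?i)\b(?:enter|reply with|send|confirm|provide|type|verify) (?:your |the )?")


def lint_message(channel: str, text: str, customer_requested: bool = False) -> list[str]:
    """Return the rule violations for one outbound message; an empty list means compliant."""
    findings: list[str] = []
    links = URL_RE.findall(text)
    if links:
        if channel in ("sms", "email"):
            findings.append(f"{channel}: clickable link not permitted: {links}")
        elif channel == "social" and not customer_requested:
            findings.append("social: link sent without an explicit customer request")
    for m in SENSITIVE_RE.finditer(text):
        # Flag only when a solicitation verb appears shortly before the sensitive term.
        window = text[max(0, m.start() - 30):m.start()]
        if SOLICIT_RE.search(window):
            findings.append(f"{channel}: solicits sensitive data ('{m.group(0)}')")
            break
    return findings
```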
Anti-Malware & Overlay Protection
Mobile apps must detect malware in real time and block overlay attacks — fake screens layered on top of the legitimate UI. Institutions must also monitor official and third-party app stores for counterfeit versions of their apps.
24/7 Fraud Response & Real-Time Alerts
A dedicated round-the-clock hotline for fraud victims is mandatory. Systems must flag suspicious transactions in near real-time, freeze funds during investigation, and support mule-account interdiction.
Encryption & Access Management
AES 256-bit encryption is required for data at rest and in transit. The IT Risk Management Guidelines further mandate rigorous Identity and Access Management (IAM) controls for bank employees to prevent insider threats.
What We Test in Your Mobile App
Our assessment validates every critical control mandated by BOT 4/2568 and the IT Risk Management Guidelines — nothing is left unchecked.
What Happens If You Fall Short
Non-compliance with BOT mobile banking security requirements exposes your institution to financial liability, service disruption, and intensified regulatory scrutiny.
Shared Financial Liability
The Emergency Decree on Technology Crime Prevention (2025) introduced a shared liability model — institutions that fail to act (e.g., not freezing a flagged mule account) become financially liable for victim losses in proportion to their negligence.
Service Restrictions or Suspension
The BOT can restrict or fully suspend your mobile banking services until every identified security gap is remediated and independently verified.
Mandatory Immediate Remediation
If a BOT examination uncovers critical vulnerabilities, you may be ordered to push emergency app updates or take the service offline — with no grace period.
Heightened Supervisory Oversight
Expect more frequent examinations, mandatory progress reports on shorter cycles, and tighter compliance deadlines across the board.
Supporting Laws & Regulations
BOT 4/2568 does not operate in isolation — it sits within a broader legal framework that reinforces its mandates.
Emergency Decree on Technology Crime Prevention (No. 2, B.E. 2568)
Effective April 13, 2025. Enables immediate blocking of suspicious transactions, cross-institutional data sharing to track fraud networks, and a shared liability model where negligent institutions compensate victims in proportion to their failure to act.
BOT IT Risk Management Guidelines (Refreshed Nov 2023)
Governs backend security standards including AES 256-bit encryption for data at rest and in transit, and stringent Identity and Access Management (IAM) protocols for bank staff to mitigate insider threats.
Financial Institution Business Act B.E. 2551 (2008)
The foundational statute granting the Bank of Thailand authority to issue and enforce binding regulations across all commercial banks and financial business groups operating in Thailand.
How We Validate BOT 4/2568 Compliance
We map every mandate in BOT 4/2568 to a concrete security test, so you know exactly where you stand before the regulator does.
BOT 4/2568 Readiness Checklist
Use this checklist to gauge where your organization stands against each specific mandate of Notification 4/2568.
Official References
Consult the original regulatory documents for full requirements.
Close Your BOT 4/2568 Compliance Gaps
Get a targeted security assessment mapped to every mandate in Notification 4/2568 — before your next BOT examination.
Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.