On 21 April 2026, at Money 20/20 Asia 2026 in Bangkok, Bank of Thailand Assistant Governor Daranee Saeju publicly reaffirmed the rollout of the country’s new data-sharing framework. Coming on top of the regulation that the BOT issued on 30 October 2025, the message locks in the operational roadmap: personal deposit account data becomes shareable in late 2026, with loan, payment, insurance, tax and utility data to follow in stages in 2027 and 2028. Thailand’s version of open banking is now moving from policy design to live implementation, and Japanese banks, FinTechs and non-financial corporates with Thai operations all need to reassess whether they fall inside or outside the new perimeter.
This article — written from a Japanese lawyer’s perspective — covers (i) the architecture of the regulation, (ii) the 2026-2028 roadmap, (iii) the comparison with Japan’s 2017 Banking Act amendment (Electronic Payment Intermediary Services, or denshi-daikō-gyō) and the 2020 Financial Services Intermediary Business regime, (iv) the interaction with the Thai PDPA, and (v) action items by company type. Read together with the BOT’s other recent moves (see for instance the cash-withdrawal EDD rule), it paints a coherent picture of where Thai financial regulation is heading.
The Framework — What, When, and How Far
Legal Basis and Scope
The foundation is the Regulation on the Supervision of Mechanisms Enabling Consumers and Businesses to Exercise Their Right to Share Data, issued by the BOT on 30 October 2025 and announced in the BOT press release of 10 November 2025.
The BOT’s authority comes from the Bank of Thailand Act B.E. 2485, the Financial Institutions Business Act B.E. 2551, and the Payment Systems Act B.E. 2560. The addressees of the regulation are financial service providers supervised by the BOT — deposit-taking institutions, lenders, e-Money issuers, credit card operators and payment service providers.
Four Data Categories
Together with the BOT’s Open Data portal, the regulation contemplates four broad data categories:
- Account data (deposit accounts)
- Loan data
- Payment data (accounts, e-Money, credit cards)
- Financial status and spending-behaviour indicators
Importantly, this is not framed as “bank-to-bank data plumbing” but as a rights-based regime: the consumer or business is entitled to have their data shared on their instruction, and supervised firms must build the mechanisms that let them do so. This is the same “rights approach” taken by the EU’s PSD2 and the UK’s Open Banking regime — and structurally different from Japan’s intermediary-licensing approach.
Four Obligations on Supervised Firms
Supervised firms must, broadly:
- maintain robust risk management and data security on the sharing channel;
- provide consumer protection — transparent consent and withdrawal processes, and redress in case of misuse;
- offer a standardised digital sharing channel that is interoperable across the market;
- keep conditions and fees reasonable so that they do not effectively block the exercise of the right.
Official Roadmap
| Date | Milestone |
|---|---|
| 30 October 2025 | Regulation issued |
| 10 November 2025 | BOT press release |
| Late 2026 | Phase 1: personal deposit account data becomes shareable |
| 2027-2028 | Phased expansion to loan, payment, insurance, tax and utility data |
The 21 April 2026 Message — the “Data Island” Problem
According to Nation Thailand, 21 April 2026, the Assistant Governor framed the issue as follows.
“Data Island”
Thailand has one of Asia’s highest digital payment penetration rates, yet data is locked inside each institution and each service. As a result, even individuals and SMEs who are highly active digitally can remain “financially invisible” when they apply for credit elsewhere. Transaction histories sit in silos; consumers cannot port them.
Two Gaps
- Inclusion gap — credit histories are not portable, so individuals and SMEs with genuine transaction track records fail to get access to credit.
- Safety gap — fragmented data makes AI-driven fraud harder to detect and stop in near real time.
Guiding Principle and Initiatives
The message is anchored on the principle that data belongs to the people: individuals and businesses should be able to access, control and share their own data. Two concrete initiatives were flagged: the Your Data programme, which is building a consent-based national standard, and the Digital Loan Document initiative, in which verified transaction records substitute for paper documentation.
Intersection with the PDPA — Data Portability in Finance
Section 31 of the PDPA
The BOT regulation is best read as the financial-sector implementation of the data portability right in Section 31 of the Personal Data Protection Act B.E. 2562 (2019). The PDPA provides the horizontal right; the BOT regulation provides the sector-specific plumbing.
Consent Must Be Explicit, Specific, Informed and Freely Given
Under Section 19 of the PDPA, valid consent must be explicit, specific, informed and freely given. Japan’s Personal Information Protection Act, by contrast, generally requires “the person’s consent” but tolerates implied consent and opt-out in several practical settings. The consequence is that Thai consent UIs need to be designed more strictly than their Japanese counterparts — dropping the parent company’s global consent template into Thailand is one of the easier ways to create a compliance gap.
Sensitive Data and Cross-Border Transfers
Certain financial-status and creditworthiness signals may qualify as sensitive personal data under Section 26 of the PDPA, triggering a higher consent bar. Where data is to be shared with the Japanese parent or another offshore group entity, Sections 28-29 on cross-border transfers add a second layer of requirements (adequacy, standard contractual clauses, binding corporate rules and so on). The PDPC’s financial-sector sub-regulations are still being rolled out, so monitoring is required.
Comparison with Japanese Law
The Regulatory Centre of Gravity
In Japan, the 2017 amendment to the Banking Act introduced Electronic Payment Intermediary Services (denshi-daikō-gyō), and the Financial Services Intermediary Business regime, enacted in 2020 (effective 2021), added a horizontal intermediary licence spanning banking, securities and insurance. Japan’s Financial Services Agency built the system primarily around registration of intermediaries — that is, a provider-side regulatory model.
The BOT regulation, by contrast, starts from the PDPA’s data portability right and uses supervisory obligations on financial institutions to make that right effective. Same topic, different anchor: Japan regulates who can participate; Thailand regulates who can move the data.
PIPA vs. PDPA
Japan’s Personal Information Protection Act does not codify a data portability right — the closest substitutes are disclosure requests and use-stoppage requests. Thailand, through Section 31 of the PDPA, codifies the right expressly, and on this specific point is further along the “data-subject-centric” path than Japan.
Practical Takeaways for Japanese Groups
The compliance know-how Japanese groups have built for denshi-daikō-gyō — API onboarding guidance, consent management, fraud controls — transfers to the Thai market as foundational work, but is not sufficient on its own. Three areas where Japan-based templates tend to under-deliver in Thailand are: stricter consent UIs, a dedicated portability-request intake, and stronger cross-border transfer governance. A “lift-and-shift” of the Japanese privacy architecture will usually leave PDPA gaps.
Impact Matrix for Japanese Companies
① Japanese Banks, Securities and Insurance Subsidiaries in Thailand
Directly in scope as BOT-supervised firms. The realistic project list for late 2026 covers core-banking system upgrades, API gateways, consent-management platforms and data standardisation. PDPA alignment (privacy notices, consent UIs, DPIAs) should be worked in parallel. If the Thai subsidiary shares data with the Japanese parent for credit modelling or marketing, the cross-border transfer framework should be revisited early.
② Japanese FinTechs, Aggregators and PFM Providers
At this stage, the regulation focuses mostly on the data holder side. The participation requirements for data recipients will depend on the next wave of sub-regulations and licensing rules. If an aggregation or personal-finance-management play is a core pillar of the business case, a dedicated regulatory-watch process should be in place before product launch.
③ Non-Financial Japanese Corporates (Manufacturing, Retail, Trading)
Not directly regulated, but indirectly connected through employee payroll data and vendor payment flows. Over time, use cases such as sharing payroll data to access employee loan or insurance products are likely. Updating the Thai subsidiary’s data governance baseline in line with the PDPA will make later decisions easier as the framework expands.
④ Japanese SaaS, HR Tech and B2B FinTech Providers
Thai deployments will need to align with the BOT’s API specifications and data standards. The architecture of Japan-origin integration platforms may need to be rebuilt for the Thai market. Designing in flexibility before the Thai standard is finalised avoids rework later.
What to Do Now — Six Action Items
- Confirm in-scope status. Which BOT-supervised category (deposit, lending, e-Money, credit card, payments) — if any — does the Thai subsidiary fall into?
- Refresh data mapping. Bring the PDPA-side personal data flow diagram up to date.
- Redesign consent UIs. Replace implied-consent patterns with PDPA-compliant explicit and specific flows; do not reuse the parent’s global template.
- Scope the technical build. API gateway, consent management platform and data standardisation are the three building blocks.
- Revisit cross-border transfer arrangements. Verify that data flows to the Japanese parent meet PDPA Sections 28-29.
- Set up continuous monitoring. BOT, PDPC, SEC and OIC sub-regulations will keep landing; designate an owner.
The International Context
The EU (PSD2), the UK (Open Banking), Australia (Consumer Data Right), Singapore (SGFinDex) and Japan (bank APIs) are at various stages of maturity along the same open finance curve. Thailand is positioning itself as the next tier behind Singapore and Hong Kong in ASEAN, and the data-sharing regulation is a symbolic step. From an FATF and Basel Committee angle, the data-sharing layer also feeds into AML and AI-fraud defences.
The BOT’s Your Data project signals an ambition that goes beyond banking — toward a broader data portability infrastructure covering tax data and utility data (electricity, water) over time. Read this alongside the Thai Digital Law series Part 6 on electronic transactions and digital assets, and the Thai AI regulation framework, and the overall direction of travel becomes clearer.
Practical Summary
- The BOT regulation has a three-phase structure: issued on 30 October 2025, Phase 1 (personal deposit account data) in late 2026, expansion across 2027-2028.
- Japan’s intermediary regime is a provider-side model; Thailand anchors its regime in the data subject’s portability right under the PDPA.
- Thai consent is held to a stricter standard; lifting the parent’s global UI template is risky.
- Japanese banks should plan core-banking and API work for late 2026; FinTechs should watch for sub-regulations; non-financial corporates should bring PDPA hygiene up to date first.
Sub-regulations, API standards and licensing details will continue to be published by the BOT, PDPC, SEC and OIC. Expect this article to need updates as those arrive.
Related
- BOT 5 Million Baht Cash Withdrawal as High-Risk Transaction (effective 1 April 2026)
- Thai PDPA Practical Guide 2026
- Thailand AI Regulatory Framework 2026
- Thai Digital Law Series Part 6 — Electronic Transactions and Digital Assets
This article is for general informational purposes about Thailand’s legal system based on publicly available information as of April 2026 and does not constitute legal advice under Thai law. The BOT data-sharing regulation, its implementing sub-rules and their application remain subject to change. For specific matters, please consult a Thai-qualified legal professional. Our firm works in collaboration with JTJB International Lawyers’ Thai-qualified attorneys.