Financial Institutions Business Act



    The Financial Institutions Business Act 2008 (‘FIBA’) aims to bring together and replace a host of existing regulations governing the business activities of various types of financial institutions. The financial institutions that will be covered by FIBA are commercial banks, including subsidiaries and branches of foreign banks, finance companies and mortgage lending companies. 

    Last Updated: July 30, 2019

  • Requirements

    FIBA contains provisions: 

    • on obtaining licences to operate a financial institution; 
    • on the shareholding limit of individual investors in financial institutions: Thai nationals must not own less than 75% of the total issued voting shares in a commercial bank, and 75% of the total number of directors must be made up of said nationals; 
    • that single shareholders must not hold more than 10% of total shares of a financial institution without the approval of the Bank of Thailand (‘BOT’); 
    • that the statutory ceiling on foreign investment in Thai commercial banks was raised to 49% from 25%; 
    • that the limit on foreign directors was increased to one-half from one-quarter of total directors; 
    • that the Ministry of Finance can further extend the foreign shareholding and directorship limit, in order to rectify the status and performance of a distressed financial institution or to stabilize a financial institution; 
    • that financial institutions are generally free to set their maximum interest rates and charges for their customers, subject to limits imposed by law and/or regulation; 
    • on the BOT’s right to take enforcement action where financial institutions fail to maintain capital funds; and 
    • on the BOT’s right to enforce Basel II and prompt corrective measures to address weaknesses in troubled banks. 

    A financial institution may use services provided by third parties in undertaking its business in accordance with the rules prescribed in the notification of the Bank of Thailand.  

    The BOT has issued Notification No. FPG 8/2557, the regulation on outsourcing by financial institutions, by virtue of the provisions of FIBA. In particular, it states that: 

    • in outsourcing any function, financial institutions must be responsible to their customers as if they conducted the function themselves, and must comply with the supervisory framework in three important aspects: business continuity and the business continuity plan; consumer protection, focusing on customer data security as well as the handling of customer complaints; and risk management for the use of service providers, focusing on regular assessment and monitoring of risks that may arise from the selection and work processes of the service providers.


    Penalties for breach of the privacy provisions of FIBA include fines and/or prison time. Please see Chapter 8 for more details on the various penalties, including: 

    • any person who undertakes commercial banking business, finance business, or mortgage lending business without a license shall be subject to imprisonment for a term of two years to ten years and a fine of THB 200,000 (approx. €5,780) to one million THB (approx. €28,910); and 
    • any director, manager or person with power of management of a financial institution who acts or omits to act in order to obtain any unlawful benefit for himself or another person, and thereby causes damage to the financial institution, shall be liable to imprisonment for a term of five to ten years and a fine of THB 500,000 (approx. €14,450) to one million THB. 

    A person who has suffered loss or damage from such a breach can also bring an action to seek compensation for actual damages. 

  • How OneTrust Helps

    OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews. 

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions. 


About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange.